PPTP VPN (Vyatta)

From vwiki
Revision as of 14:16, 26 November 2013 by Sstrutt (talk | contribs) (Initial creation)

Instructions on how to set up a client/user PPTP VPN using a Vyatta router. For any more than a handful of users, it's best to use centralised user account management, e.g. RADIUS running on a Windows 2008 DC. Bear in mind that PPTP's MS-CHAPv2 authentication and MPPE encryption are known to be weak (a captured MS-CHAPv2 handshake can be brute-forced offline), so treat this as a legacy client-access option rather than a strong VPN.

Prerequisites

  • Range of internal addresses to be assigned to users when they connect
  • IP of RADIUS server and shared secret (if using RADIUS authentication)
  • DNS server IPs for VPN clients
  • VPN address (the router's external IP, used as the outside-address)

Even if you expect to use RADIUS authentication, it's probably best to configure local authentication with a test account first, so that you can confirm it's basically working. Then swap in the two lines for RADIUS authentication.

Firewall Configuration

Create a rule to allow the initial connection...

set firewall name eth0-local rule 10 description "PPTP access - Initial"
set firewall name eth0-local rule 10 destination port 1723
set firewall name eth0-local rule 10 protocol tcp
set firewall name eth0-local rule 10 action accept

There should be an existing rule to allow established and related connections. Show the config and look for

rule 10 {
    action accept
    description ESTABLISHED
    state {
        established enable
        related enable
    }
}

You can either add the missing rule above, or create one specifically for PPTP data traffic. The tunnelled data travels over GRE (IP protocol 47), so this rule matches a protocol rather than a port...

set firewall name eth0-local rule 60 description "PPTP access - Data"
set firewall name eth0-local rule 60 protocol gre
set firewall name eth0-local rule 60 action accept

protocol 47 can be used in place of protocol gre. Rules are evaluated in numeric order, so make sure both PPTP rules are numbered below the ruleset's final drop rule.

PPTP Configuration

Local Authentication

Example using local accounts for authentication.

set vpn pptp
set vpn pptp remote-access client-ip-pool start 192.168.11.100
set vpn pptp remote-access client-ip-pool stop 192.168.11.149
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username user1 password pass1
set vpn pptp remote-access dns-servers server-1 192.168.11.10
set vpn pptp remote-access dns-servers server-2 192.168.11.20
set vpn pptp remote-access outside-address 88.164.78.54
commit

Repeat the set vpn pptp remote-access authentication local-users line for each required user.
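As an added check (example code written for this page, not from Vyatta or the original author): once rule 10 and the PPTP service are committed, the script below opens the control connection to the outside-address, sends the Start-Control-Connection-Request that every PPTP client begins with (RFC 2637), and decodes the reply. A refused or timed-out connect means the firewall or pptpd is not accepting TCP 1723; a decoded reply confirms the control channel works without needing a Windows client. It exercises only rule 10; GRE (rule 60) is used only once a real client brings the tunnel up. The hostnames and vendor strings in it are constructed sample values. Note that the reply hands the server's hostname and vendor string to anyone who can reach port 1723, which is how scanners fingerprint PPTP servers.

```python
"""Probe a PPTP server's control channel (TCP 1723) with an SCCRQ and decode
the SCCRP, as defined in RFC 2637.  Added example for this page; the sample
hostnames/vendor strings are constructed values."""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL = 1
CTRL_SCCRQ = 1           # Start-Control-Connection-Request
CTRL_SCCRP = 2           # Start-Control-Connection-Reply
PROTO_VERSION = 0x0100   # version 1.0
MSG_LEN = 156            # SCCRQ and SCCRP are both 12-byte header + 144-byte body
# SCCRP result codes (RFC 2637 section 2.2)
SCCRP_RESULTS = {1: "successful", 2: "general error",
                 3: "command channel already exists",
                 4: "requester not authorized", 5: "unsupported protocol version"}


def build_sccrq(hostname="vpn-check", vendor="example-probe"):
    """Return the SCCRQ a client sends first on a new control connection."""
    body = struct.pack("!HHIIHH64s64s",
                       PROTO_VERSION,
                       0,      # reserved1
                       1,      # framing capabilities: asynchronous framing
                       1,      # bearer capabilities: analog access
                       1,      # maximum channels
                       0,      # firmware revision
                       hostname.encode("ascii"),
                       vendor.encode("ascii"))
    header = struct.pack("!HHIHH", 12 + len(body), MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRQ, 0)
    return header + body


def parse_sccrp(data):
    """Decode an SCCRP; raise ValueError if the bytes are not a well-formed reply."""
    if len(data) < MSG_LEN:
        raise ValueError("short PPTP control message (%d bytes)" % len(data))
    _length, msg_type, cookie, ctrl_type, _res = struct.unpack("!HHIHH", data[:12])
    if cookie != MAGIC_COOKIE or msg_type != MSG_CONTROL:
        raise ValueError("not a PPTP control message")
    if ctrl_type != CTRL_SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    (version, result, error, _framing, _bearer, max_chan, firmware,
     host, vendor) = struct.unpack("!HBBIIHH64s64s", data[12:MSG_LEN])
    return {
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "result_code": result,
        "result": SCCRP_RESULTS.get(result, "unknown (%d)" % result),
        "error_code": error,
        "max_channels": max_chan,
        "firmware": firmware,
        # Both strings are NUL-padded 64-byte fields.
        "hostname": host.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "vendor": vendor.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Connect, send the SCCRQ and return the decoded SCCRP.

    A refused or timed-out connection means firewall rule 10 (or pptpd itself)
    is not letting the initial TCP 1723 connection through."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        data = b""
        while len(data) < MSG_LEN:
            chunk = sock.recv(MSG_LEN - len(data))
            if not chunk:
                raise ConnectionError("server closed the control connection before replying")
            data += chunk
    return parse_sccrp(data)


def sample_sccrp(hostname=b"vyatta-gw", vendor=b"Linux", result=1):
    """Constructed SCCRP bytes so the parser can be exercised offline."""
    body = struct.pack("!HBBIIHH64s64s", PROTO_VERSION, result, 0, 1, 1, 100, 1,
                       hostname, vendor)
    return struct.pack("!HHIHH", 12 + len(body), MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRP, 0) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))           # e.g. the outside-address, from outside the LAN
    else:
        print(parse_sccrp(sample_sccrp()))  # offline self-check on a constructed reply
```

Run it from a host outside the LAN against the outside-address; a result of "successful" with the router's hostname shows the control channel is reachable and pptpd is answering.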

RADIUS Authentication

Example using centrally managed RADIUS for authentication. The key is the shared secret configured for this router on the RADIUS server; use a long random value rather than a short placeholder like the one shown.

set vpn pptp
set vpn pptp remote-access client-ip-pool start 192.168.11.100
set vpn pptp remote-access client-ip-pool stop 192.168.11.149
set vpn pptp remote-access authentication mode radius
set vpn pptp remote-access authentication radius-server 10.255.96.5 key 456479vrf
set vpn pptp remote-access dns-servers server-1 192.168.11.10
set vpn pptp remote-access dns-servers server-2 192.168.11.20
set vpn pptp remote-access outside-address 88.164.78.54
commit

MS NPS Setup

Guidance for the Microsoft Network Policy Server (NPS) side. Use the following as a guide...

Make sure you remove the following standard RADIUS attributes from the network policy:

  • Framed-Protocol PPP
  • Service-Type Framed

Ensure that the only encryption option ticked under Network Policy | Settings | Encryption is

  • Strongest encryption (MPPE 128-Bit)

Troubleshooting

If connections do not complete, use show log to view the Vyatta system log and look for pptpd/pppd messages such as:

  • MPPE required, but keys are not available. Possible plugin problem?
    • Make sure that only 128-bit MPPE encryption is configured in the connection profile on the RADIUS server (see MS NPS Setup above); if weaker or no encryption is also allowed, the RADIUS server does not return the MPPE keys pppd needs.