PPTP VPN (Vyatta)

From vwiki

Instructions on how to set up a client/user PPTP VPN solution using a Vyatta router. For any more than a handful of users, it's best to use centralised user account management, e.g. RADIUS running on a Win2008 DC.

Prerequisites

  • Range of internal addresses to be assigned to users when they connect
  • IP of RADIUS server and shared secret (if using RADIUS authentication)
  • DNS server IPs for VPN clients
  • VPN address (external IP of router)

Even if you expect to use RADIUS authentication, it's probably best to configure local authentication with a test account first, so that you can confirm the basics are working. Then add the two lines for RADIUS authentication.

Firewall Configuration

Create a rule to allow the initial connection...

set firewall name eth0-local rule 10 description "PPTP access - Initial"
set firewall name eth0-local rule 10 destination port 1723
set firewall name eth0-local rule 10 protocol tcp
set firewall name eth0-local rule 10 action accept

There should be an existing rule to allow established and related connections. Show the config and look for something like

rule 10 {
   action accept
   description ESTABLISHED
   state {
     established enable
     related enable
    }
}

You can either add the missing established/related rule above, or create one specifically for PPTP data traffic (GRE)...

set firewall name eth0-local rule 60 description "PPTP access - Data"
set firewall name eth0-local rule 60 protocol gre
set firewall name eth0-local rule 60 action accept

(gre can also be given by number as "protocol 47")
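To check that a router's ruleset actually contains the rules above, here is an added Python example (not part of the original page or of Vyatta itself) that parses the brace-style `show configuration` output and reports whether the TCP/1723 accept and either the established/related rule or the GRE accept are present. The config excerpt it runs on is constructed to match the rules described on this page.

```python
# Constructed `show configuration` excerpt for eth0-local (not from a real router).
SAMPLE_CONFIG = """\
firewall {
    name eth0-local {
        rule 10 {
            action accept
            destination {
                port 1723
            }
            protocol tcp
        }
        rule 20 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
"""

def parse_config(text):
    """Parse Vyatta brace-style config into nested dicts (leaf: key -> value)."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()                      # close current block
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = node = {}   # e.g. "rule 10" -> {}
            stack.append(node)
        else:
            key, _, value = line.partition(" ")        # e.g. "protocol tcp"
            stack[-1][key] = value.strip().strip('"')
    return stack[0]

def pptp_firewall_check(config, ruleset="eth0-local"):
    """Check for the page's rules: accept TCP/1723, plus established/related or GRE."""
    rules = config.get("firewall", {}).get("name " + ruleset, {})
    accepts = [r for k, r in rules.items()
               if k.startswith("rule ") and r.get("action") == "accept"]
    control = any(r.get("protocol") == "tcp" and
                  r.get("destination", {}).get("port") == "1723" for r in accepts)
    est = any(r.get("state", {}).get("established") == "enable" and
              r.get("state", {}).get("related") == "enable" for r in accepts)
    gre = any(r.get("protocol") in ("gre", "47") for r in accepts)
    return {"control_tcp_1723": control, "established_related": est,
            "gre_data": gre, "ok": control and (est or gre)}
```

Feed it the output of `show configuration` (or the saved config file) to spot a missing GRE/established rule before chasing client-side problems.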

PPTP Configuration

Local Authentication

Example using local accounts for authentication.

set vpn pptp
set vpn pptp remote-access client-ip-pool start 192.168.11.100
set vpn pptp remote-access client-ip-pool stop 192.168.11.149
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username user1 password pass1
set vpn pptp remote-access dns-servers server-1 192.168.11.10
set vpn pptp remote-access dns-servers server-2 192.168.11.20
set vpn pptp remote-access outside-address 88.164.78.54
commit

Repeat the set vpn pptp remote-access authentication local-users line for each user required.

RADIUS Authentication

Example using centrally managed RADIUS for authentication.

set vpn pptp
set vpn pptp remote-access client-ip-pool start 192.168.11.100
set vpn pptp remote-access client-ip-pool stop 192.168.11.149
set vpn pptp remote-access authentication mode radius
set vpn pptp remote-access authentication radius-server 10.255.96.5 key 456479vrf
set vpn pptp remote-access dns-servers server-1 192.168.11.10
set vpn pptp remote-access dns-servers server-2 192.168.11.20
set vpn pptp remote-access outside-address 88.164.78.54
commit


MS NPS Setup

Microsoft Network Policy Server setup guidance. Use the following as a guide for the network policy that handles the Vyatta's requests...

Make sure you remove the following attributes

  • Framed-Protocol PPP
  • Service-Type Framed

Ensure that the only Network Policy | Settings encryption option ticked is

  • Strongest encryption (MPPE 128-Bit)


Troubleshooting

If connections are not completing properly, use show log to see the Vyatta activity log. Common messages and their fixes:

  • MPPE required, but keys are not available. Possible plugin problem?
    • Make sure that only 128 bit MPPE Encryption is configured in the connection profile on the RADIUS server.