PPTP and Cisco Routers

Posted on 2006-03-25
Last Modified: 2010-04-17
I have some customers that are using PPTP and Cisco routers to do a VPN to their network.  None of them want to pay for the Cisco VPN client, which I'm told they either have to have a SmartNet contract on their equipment to get, or pay the $50.00 from Cisco.  Numerous Cisco sales people and techs have told me this, so I don't want to hear "use the Cisco VPN Client".  I want to know the best way to set up PPTP on these routers to make them as secure as possible.  My feeling is I've had to open up port 1723 and GRE on these routers and people can try all day long to get authenticated on the network, and I want to see if there is anything I can do to limit this risk.
Question by:rshooper76
    LVL 79

    Accepted Solution

    There's more to it than just the VPN client piece. The router must also have the IPSEC feature set. If they buy the feature set they can get the VPN client for free. You mean they have Cisco routers and they don't have SmartNet? Why pay for Cisco routers if you're too cheap to pay for the last 10% of a solid solution?

    A Windows server for PPTP is a lot more expensive than the little extra cash for a proper Cisco VPN client solution.

    If they set up a PPTP VPN server behind the router and you have to pass 1723/GRE from "any" then there is little you can do to limit how many people will be trying (and they will try). Best you can do is log the attempts and then perhaps start blocking out blocks of IPs like from parts of the world that you know don't do business with this company.
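
The "log the attempts, then block ranges" approach from the answer above, sketched as an added example that is not part of the original thread: it totals logged PPTP control (TCP/1723) and GRE hits per source prefix and lists prefixes over a threshold, skipping known customer ranges. The log lines are constructed in the style of Cisco IOS ACL logging (`%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGNP`); the ACL number, addresses and threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (documentation address ranges, hypothetical ACL 101).
SAMPLE_LOG = """\
Mar 25 10:01:02: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40112) -> 198.51.100.1(1723), 1 packet
Mar 25 10:06:02: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40112) -> 198.51.100.1(1723), 5 packets
Mar 25 10:11:40: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40377) -> 198.51.100.1(1723), 4 packets
Mar 25 10:12:05: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.200(51000) -> 198.51.100.1(1723), 2 packets
Mar 25 10:15:09: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(3021) -> 198.51.100.1(1723), 1 packet
Mar 25 10:15:10: %SEC-6-IPACCESSLOGNP: list 101 permitted 47 192.0.2.10 -> 198.51.100.1, 20 packets
Mar 25 10:20:00: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40500) -> 198.51.100.1(22), 3 packets
"""

# PPTP control channel: TCP to destination port 1723.
TCP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ permitted tcp "
    r"(\d+\.\d+\.\d+\.\d+)\(\d+\) -> \S+\(1723\), (\d+) packet")
# PPTP data channel: GRE, IP protocol 47 (logged without ports).
GRE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list \S+ permitted (?:47|gre) "
    r"(\d+\.\d+\.\d+\.\d+) -> \S+, (\d+) packet")

def pptp_hits_by_prefix(log_text, prefix_len=24):
    """Sum logged PPTP/GRE packets per source network of the given length."""
    hits = Counter()
    for line in log_text.splitlines():
        m = TCP_RE.search(line) or GRE_RE.search(line)
        if m is None:
            continue  # not PPTP traffic (e.g. the port 22 line above)
        net = ipaddress.ip_network(f"{m.group(1)}/{prefix_len}", strict=False)
        hits[str(net)] += int(m.group(2))
    return hits

def block_candidates(hits, threshold, allow=()):
    """Prefixes at or above threshold that overlap no allow-listed range."""
    allowed = [ipaddress.ip_network(a) for a in allow]
    return [(net, count) for net, count in hits.most_common()
            if count >= threshold
            and not any(ipaddress.ip_network(net).overlaps(a) for a in allowed)]

if __name__ == "__main__":
    totals = pptp_hits_by_prefix(SAMPLE_LOG)
    # 192.0.2.0/24 stands in for a known remote-user range.
    for net, count in block_candidates(totals, 5, allow=["192.0.2.0/24"]):
        print(f"review for deny entry: {net} ({count} packets)")
```
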

    LVL 9

    Author Comment

    The Cisco routers do have the IPSEC feature set and the router itself is acting as the PPTP server, so GRE and port 1732 are open to the router itself.  Maybe I'm missing something, but even if I use a Cisco client using IPSEC won't I still have to have something open to the world on these routers, right?  Is there a way to use IPSEC using the Microsoft client?  I already log all activity on the 1732 port and on GRE.  I just feel that there is something more I can do to make this router more secure.

    Is there a good document that can detail the differences between PPTP and IPSEC?

    On the SmartNet issue, most of these customers have had this equipment for a year or two without any issues, so it's been a hard sell to get any of them to purchase the SmartNet contract; it is something that I'm working with them on though.
    LVL 79

    Expert Comment

    There are plenty of good references on PPTP vs IPSEC; a quick Google brought me these:

    Some general comments:
    PPTP client is inherently client-operated. Users control the routing behavior and split-tunneling.
    IPSEC Client is 100% administrator operated. Software clients get their configuration from the Cisco gear and the user cannot affect the behavior no matter how badly they want to.

    Windows 2000/XP does have an IPSEC client that could be used. Just use SECPOL.MSC to set up the policies and set up the router as if it was talking to a Cisco VPN client. Should be easy to find an example for this on CCO.

    PPTP is proprietary to Microsoft and is a kludge of multiple protocols.
    IPSEC is an open standard that ensures interoperability and was designed from ground up to protect data packets.

    Good luck. It's hard to convince someone they are not secure if they've been running this way for years with no known breaches (yet!).

