PPTP and Cisco Routers

I have some customers that are using PPTP and Cisco routers to do a VPN to their network.  None of them want to pay for the Cisco VPN client, which I'm told they either have to have a SmartNet contract on their equipment to get, or pay the $50.00 from Cisco.  Numerous Cisco sales people and techs have told me this, so I don't want to hear "use the Cisco VPN Client".  I want to know the best way to set up the PPTP on these routers to make them as secure as possible.  My feeling is I've had to open up port 1723 and GRE on these routers and people can try all day long to get authenticated on the network, and I want to see if there is anything I can do to limit this risk.

There's more to it than just the VPN client piece. The router must also have the IPSEC feature set. If they buy the feature set they can get the VPN client for free. You mean they have Cisco routers and they don't have SmartNet? Why pay for Cisco routers if you're too cheap to pay for the last 10% of a solid solution?

A Windows server for PPTP is a lot more expensive than the little extra cash for a proper Cisco VPN client solution.

If they set up a PPTP VPN server behind the router and you have to pass 1723/GRE from "any" then there is little you can do to limit how many people will be trying (and they will try). Best you can do is log the attempts and then perhaps start blocking out blocks of IPs like from parts of the world that you know don't do business with this company.
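
As an added example (not part of the original thread), here is one way to turn the "log the attempts, then block ranges" advice into a repeatable check: it totals logged tcp/1723 and GRE packets per source /24 and lists the networks worth reviewing for a deny entry. The log lines are constructed and assume the router's inbound ACL uses the `log` keyword and emits `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGNP` messages; the function names, threshold and customer range are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, modelled on IOS "log" ACL entries (assumed format).
SAMPLE_LOG = """\
Mar  1 02:11:04 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40112) -> 192.0.2.1(1723), 1 packet
Mar  1 02:11:09 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40118) -> 192.0.2.1(1723), 14 packets
Mar  1 02:12:30 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.99(51200) -> 192.0.2.1(1723), 9 packets
Mar  1 02:13:02 rtr1 %SEC-6-IPACCESSLOGNP: list 101 permitted 47 203.0.113.7 -> 192.0.2.1, 6 packets
Mar  1 08:30:15 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.20(49152) -> 192.0.2.1(1723), 3 packets
Mar  1 08:31:40 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.20(49153) -> 192.0.2.1(80), 2 packets
"""

# tcp/1723 hits carry ports; GRE (IP protocol 47) hits do not.
HIT = re.compile(
    r"%SEC-6-IPACCESSLOGN?P: list \S+ permitted "
    r"(?:tcp (?P<tsrc>[\d.]+)\(\d+\) -> [\d.]+\(1723\)|47 (?P<gsrc>[\d.]+) -> [\d.]+)"
    r", (?P<pkts>\d+) packets?"
)

def pptp_packets_by_network(log_text, prefix_len=24):
    """Sum logged PPTP control (tcp/1723) and GRE packets per source network."""
    totals = Counter()
    for line in log_text.splitlines():
        m = HIT.search(line)
        if not m:
            continue  # other ports/protocols are out of scope here
        src = m.group("tsrc") or m.group("gsrc")
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        totals[net] += int(m.group("pkts"))
    return totals

def block_candidates(log_text, known_good, threshold=20):
    """Networks at or over the threshold that are not known customer ranges."""
    allowed = [ipaddress.ip_network(n) for n in known_good]
    return sorted(
        net for net, pkts in pptp_packets_by_network(log_text).items()
        if pkts >= threshold and not any(net.subnet_of(a) for a in allowed)
    )

if __name__ == "__main__":
    # 198.51.100.0/24 stands in for a range remote users are known to connect from.
    for net in block_candidates(SAMPLE_LOG, known_good=["198.51.100.0/24"]):
        print(f"review before denying: {net}")
```

ACL log messages record packets that matched the permit entry, not failed logins, so the output is a list to review against the router's authentication logs rather than a ready-made deny list.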


rshooper76 (Author) commented:
The Cisco routers do have the IPSEC feature set and the router itself is acting as the PPTP server, so GRE and port 1732 are open to the router itself.  Maybe I'm missing something, but even if I use a Cisco client using IPSEC, won't I still have to have something open to the world on these routers?  Is there a way to use IPSEC using the Microsoft client?  I already log all activity on the 1732 port and on GRE.  I just feel that there is something more I can do to make this router more secure.

Is there a good document that can detail the differences between PPTP and IPSEC?

On the SmartNet issue, most of these customers have had this equipment for a year or two without any issues, so it's been a hard sell to get any of them to purchase the SmartNet contract. It is something that I'm working with them on, though.

There are plenty of good references on PPTP vs IPSEC; a quick Google brought me these:

Some general comments:
PPTP client is inherently client-operated. Users control the routing behavior and split-tunneling.
IPSEC Client is 100% administrator operated. Software clients get their configuration from the Cisco gear and the user cannot affect the behavior no matter how badly they want to.

Windows 2000/XP does have an IPSEC client that could be used. Just use SECPOL.MSC to set up the policies and set up the router as if it was talking to a Cisco VPN client. Should be easy to find an example for this on CCO.

PPTP is proprietary to Microsoft and is a kludge of multiple protocols.
IPSEC is an open standard that ensures interoperability and was designed from ground up to protect data packets.

Good luck. It's hard to convince someone they are not secure if they've been running this way for years with no known breaches (yet!).
