Cisco ISR: Setting up pptp VPN + Router Interface Q's

Posted on 2010-11-27
Last Modified: 2012-06-27
I recently purchased a cisco router to replace my watchguard x700 firebox that acted as my firewall, router and NAT device.  Now it has taken me some time but I have set the router up and have even it got it functioning as a firewall.  Here is my next problem VPN.  Prior  to the cisco router we used the watchguard firebox and SBS2003 builtin IAS to do radius authentication with the firewall terminating the VPN connection.  Basically the firewall would provide the VPN connection but would use the SBS2003 server as a radius authentication server.

Now I have been trying to set this up on my cisco route but am having trouble.  In an effort to trouble shoot this issue I have tried to instead use local user authentication and am still having trouble.  I think the problem lies with the use of the Virtual-Template interface.  In all the tutorials I have found on the subject there comes a point where you create a Virtual-Template for the vpdn connection like so:

interface Virtual-Template1
  ip unnumbered GigabitEthernet0/0
  peer default ip address pool vpnpool
  no keepalive
  ppp encrypt mppe auto required
  ppp authentication ms-chap ms-chap-v2

This should be just fine accept for the issue with my GigabitEthernet0/0 which is configured like so:

interface GigabitEthernet0/0
  description External Interface - Public IP's
  ip address x.x.x.23 secondary
  ip address x.x.x.3 secondary
  ip address x.x.x.4 secondary
  ip address x.x.x.5 secondary
  ip address x.x.x.30 secondary
  ip address x.x.x.22

So as you can see my external interface has multiple public ip addresses.  Which  address do I use to connect to with my windows vpn client?  I want it to be the x.x.x.22 address but that one is also setup to have static nat to our server as the server also functions as our OWA, exchange, and iis server.  Is this too much to ask and am I misconfiguring the router by atttaching multiple public IP's to one interface?  i know I cant use sub-interfaces as those are meant for VLAN's and different subnets I believe.  Someone suggested in another forum that I use loopback interfaces but I dont know how you would do that and I am not sure if I confused that with something else.  

Anyhow some insight as to where to go and how to do this would be greatly appreciated.  
Question by:Prolumina
  • 5
  • 3
LVL 15

Accepted Solution

greg ward earned 500 total points
ID: 34221862
Here is my workign config from a 1760 with only 1 external ip

interface Virtual-Template1
 ip unnumbered FastEthernet0/0  <--this is my internet interface
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp header-compression
 peer default ip address pool DIAL-IN
 no keepalive
 compress stac
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2

ip local pool DIAL-IN  << ip's in the range of the local interface.

I guess the vpn will work on any interface.


Author Comment

ID: 34222957
I was able to get VPN working but only partially.  Here is what I have setup.  I have PPTP vpn setup on the router using RADIUS to authenticate against my windows sbs2003 server running IAS.  It works beautifully in that it authenticates and allows me in and even gives me an IP address from the VPN pool.  However that is all I get.  I am unable to ping the the address it gives me from the router or from the internal network.  Also on the computer I use to connect to vpn with I cant ping anything at all using the local addresses i.e. I can ping the router using the public IP of it but not the private ip of the router.  

Any ideas?  Do I have to provide special permissions or something like that?

My vpn pool of addresses is: -
the network address range is: -

Let me know if you need more info.
LVL 15

Expert Comment

by:greg ward
ID: 34223257
I have to set my computer making the vpn connection use the following settings.
remove the tick from enable software compression( properties >>networking >>settings)
remove the tick from use default gateway on remote network.
(tcp/ip settings>properties>advanced)
After those changes my vpn works and i can also access the internet while on the vpn..

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.


Author Comment

ID: 34223558
All of those options are already applied.  It is very strange I mean I am connecting the router can even see it but for some damn reason I cant ping anything so even though I have been give an IP address its like im not online.  

Is there some type of ACL i need to create for the traffic?  I created one and applied it to the virtual-template1 interface that contains "permit ip any any" iin both directions but it has not helped.  Any more ideas?
LVL 15

Assisted Solution

by:greg ward
greg ward earned 500 total points
ID: 34224396
What do you see when you type show ip route when the connection is established.
Just to check you need the things below.
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
  protocol pptp
  virtual-template 1

async-bootp gateway
async-bootp dns-server

ip access-list extended inboundDSL
 permit tcp any any established
permit gre any any log
permit tcp any any eq 1723 log

Can you paste a show run if the above does not help.


Author Comment

ID: 34225971
Thanks for the help;  I am headed into the office today so that I can work directly with the router.  I will post the SHOW info in about an hour.


Author Comment

ID: 34226562
Thank you all for your help.  As it turned out last night I was having lots of trouble with the router so I decided to come in this mornign and do a cold start.  I rebooted to factory default and rebuilt all options on the router.  I got VPN working beautifully using widows IAS for authentication and was very happy.  However halfway through I encountered the same error.  I finally narrowed it down to ONE LINE in the config file.

When setting up the virtual-template I entered the following:
interface Virtual-Template1
 description ==[PPTP Radius VPN]==
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool vpnpool
 ppp encrypt mppe 40
 ppp authentication ms-chap
HOWEVER if I entered:

ppp encrypt mppe auto (which uses both 40bit and 128bit)
I received the dreaded error.  

Thank you all for the help with this.  

Author Closing Comment

ID: 34226567
Thank you all for your help.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question