Cisco ISR: Setting up pptp VPN + Router Interface Q's

Posted on 2010-11-27
Last Modified: 2012-06-27
I recently purchased a Cisco router to replace my WatchGuard X700 Firebox that acted as my firewall, router and NAT device. Now it has taken me some time, but I have set the router up and have even got it functioning as a firewall. Here is my next problem: VPN. Prior to the Cisco router we used the WatchGuard Firebox and the SBS2003 built-in IAS to do RADIUS authentication, with the firewall terminating the VPN connection. Basically the firewall would provide the VPN connection but would use the SBS2003 server as a RADIUS authentication server.

Now I have been trying to set this up on my Cisco router but am having trouble. In an effort to troubleshoot this issue I have tried to instead use local user authentication and am still having trouble. I think the problem lies with the use of the Virtual-Template interface. In all the tutorials I have found on the subject there comes a point where you create a Virtual-Template for the VPDN connection like so:

interface Virtual-Template1
  ip unnumbered GigabitEthernet0/0
  peer default ip address pool vpnpool
  no keepalive
  ppp encrypt mppe auto required
  ppp authentication ms-chap ms-chap-v2

This should be just fine except for the issue with my GigabitEthernet0/0, which is configured like so:

interface GigabitEthernet0/0
  description External Interface - Public IP's
  ip address x.x.x.23 secondary
  ip address x.x.x.3 secondary
  ip address x.x.x.4 secondary
  ip address x.x.x.5 secondary
  ip address x.x.x.30 secondary
  ip address x.x.x.22

So as you can see my external interface has multiple public IP addresses. Which address do I use to connect to with my Windows VPN client? I want it to be the x.x.x.22 address, but that one is also set up to have static NAT to our server, as the server also functions as our OWA, Exchange, and IIS server. Is this too much to ask, and am I misconfiguring the router by attaching multiple public IPs to one interface? I know I can't use sub-interfaces, as those are meant for VLANs and different subnets, I believe. Someone suggested in another forum that I use loopback interfaces, but I don't know how you would do that and I am not sure if I confused that with something else.

Anyhow, some insight as to where to go and how to do this would be greatly appreciated.
Question by:Prolumina

Accepted Solution

by: greg ward
ID: 34221862
Here is my working config from a 1760 with only one external IP:

interface Virtual-Template1
 ip unnumbered FastEthernet0/0  <--this is my internet interface
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp header-compression
 peer default ip address pool DIAL-IN
 no keepalive
 compress stac
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2

ip local pool DIAL-IN  << IPs in the range of the local interface.

I guess the vpn will work on any interface.


Author Comment

ID: 34222957
I was able to get VPN working, but only partially. Here is what I have set up. I have PPTP VPN set up on the router using RADIUS to authenticate against my Windows SBS2003 server running IAS. It works beautifully in that it authenticates and allows me in and even gives me an IP address from the VPN pool. However, that is all I get. I am unable to ping the address it gives me from the router or from the internal network. Also, on the computer I use to connect to the VPN I can't ping anything at all using the local addresses, i.e. I can ping the router using its public IP but not the private IP of the router.

Any ideas?  Do I have to provide special permissions or something like that?

My vpn pool of addresses is: -
the network address range is: -

Let me know if you need more info.

Expert Comment

by:greg ward
ID: 34223257
I have to set the computer making the VPN connection to use the following settings:
remove the tick from "enable software compression" (properties >> networking >> settings);
remove the tick from "use default gateway on remote network"
(TCP/IP settings > properties > advanced).
After those changes my VPN works and I can also access the internet while on the VPN.


Author Comment

ID: 34223558
All of those options are already applied. It is very strange; I mean I am connecting, the router can even see it, but for some damn reason I can't ping anything, so even though I have been given an IP address it's like I'm not online.

Is there some type of ACL I need to create for the traffic? I created one and applied it to the Virtual-Template1 interface that contains "permit ip any any" in both directions, but it has not helped. Any more ideas?

Assisted Solution

by:greg ward
ID: 34224396
What do you see when you type "show ip route" when the connection is established?
Just to check, you need the things below.
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
  protocol pptp
  virtual-template 1

async-bootp gateway
async-bootp dns-server

ip access-list extended inboundDSL
 permit tcp any any established
 permit gre any any log
 permit tcp any any eq 1723 log

Can you paste a show run if the above does not help.


Author Comment

ID: 34225971
Thanks for the help;  I am headed into the office today so that I can work directly with the router.  I will post the SHOW info in about an hour.


Author Comment

ID: 34226562
Thank you all for your help. As it turned out, last night I was having lots of trouble with the router, so I decided to come in this morning and do a cold start. I rebooted to factory default and rebuilt all options on the router. I got VPN working beautifully using Windows IAS for authentication and was very happy. However, halfway through I encountered the same error. I finally narrowed it down to ONE LINE in the config file.

When setting up the virtual-template I entered the following:
interface Virtual-Template1
 description ==[PPTP Radius VPN]==
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool vpnpool
 ppp encrypt mppe 40
 ppp authentication ms-chap
HOWEVER if I entered:

ppp encrypt mppe auto (which uses both 40bit and 128bit)
I received the dreaded error.  

Thank you all for the help with this.  
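As an added audit example (not code from the thread or from Cisco), a small Python linter that parses Virtual-Template stanzas like the ones in greg ward's accepted solution and in the final working config above, and flags the settings that weaken the PPTP tunnel: MPPE below 128-bit or not "required", authentication other than ms-chap-v2, and a missing uRPF check. The two sample stanzas are constructed from the thread's configs; the function names are assumptions of this example.

```python
# Constructed sample inputs, not a poster's full running-config: the two
# Virtual-Template stanzas quoted in the thread, trimmed to the audited lines.
WEAK_TEMPLATE = """\
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool vpnpool
 ppp encrypt mppe 40
 ppp authentication ms-chap
"""
STRONG_TEMPLATE = """\
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip verify unicast reverse-path
 peer default ip address pool DIAL-IN
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
"""

def interface_blocks(config):
    # Map each 'interface X' stanza to its indented sub-commands.
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return blocks

def audit_pptp_template(sub_cmds):
    # Return a list of findings for one Virtual-Template's PPP settings.
    findings = []
    enc = next((c for c in sub_cmds if c.startswith("ppp encrypt mppe")), "")
    opts = enc.split()[3:]  # e.g. ['128', 'required'], ['40'] or ['auto']
    if not opts:
        findings.append("no MPPE configured: PPP payload is not encrypted")
    else:
        if opts[0] != "128":
            findings.append(f"'mppe {opts[0]}' allows 40-bit keys; use 'mppe 128'")
        if "required" not in opts:
            findings.append("MPPE not 'required': a client may negotiate no encryption")
    auth = next((c for c in sub_cmds if c.startswith("ppp authentication")), "")
    if auth.split()[2:] != ["ms-chap-v2"]:
        findings.append("authentication should be ms-chap-v2 only (no ms-chap/chap/pap)")
    if "ip verify unicast reverse-path" not in sub_cmds:
        findings.append("no uRPF check on the dial-in interface")
    return findings
```

Run the same checks over a full "show run" by feeding its text to interface_blocks and auditing every key that starts with "Virtual-Template".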

Author Closing Comment

ID: 34226567
Thank you all for your help.
