Cisco ISR: Setting up pptp VPN + Router Interface Q's

Posted on 2010-11-27
Medium Priority
Last Modified: 2012-06-27
I recently purchased a cisco router to replace my watchguard x700 firebox that acted as my firewall, router and NAT device.  Now it has taken me some time but I have set the router up and have even it got it functioning as a firewall.  Here is my next problem VPN.  Prior  to the cisco router we used the watchguard firebox and SBS2003 builtin IAS to do radius authentication with the firewall terminating the VPN connection.  Basically the firewall would provide the VPN connection but would use the SBS2003 server as a radius authentication server.

Now I have been trying to set this up on my cisco route but am having trouble.  In an effort to trouble shoot this issue I have tried to instead use local user authentication and am still having trouble.  I think the problem lies with the use of the Virtual-Template interface.  In all the tutorials I have found on the subject there comes a point where you create a Virtual-Template for the vpdn connection like so:

interface Virtual-Template1
  ip unnumbered GigabitEthernet0/0
  peer default ip address pool vpnpool
  no keepalive
  ppp encrypt mppe auto required
  ppp authentication ms-chap ms-chap-v2

This should be just fine accept for the issue with my GigabitEthernet0/0 which is configured like so:

interface GigabitEthernet0/0
  description External Interface - Public IP's
  ip address x.x.x.23 secondary
  ip address x.x.x.3 secondary
  ip address x.x.x.4 secondary
  ip address x.x.x.5 secondary
  ip address x.x.x.30 secondary
  ip address x.x.x.22

So as you can see my external interface has multiple public ip addresses.  Which  address do I use to connect to with my windows vpn client?  I want it to be the x.x.x.22 address but that one is also setup to have static nat to our server as the server also functions as our OWA, exchange, and iis server.  Is this too much to ask and am I misconfiguring the router by atttaching multiple public IP's to one interface?  i know I cant use sub-interfaces as those are meant for VLAN's and different subnets I believe.  Someone suggested in another forum that I use loopback interfaces but I dont know how you would do that and I am not sure if I confused that with something else.  

Anyhow some insight as to where to go and how to do this would be greatly appreciated.  
Question by:Prolumina
  • 5
  • 3
LVL 15

Accepted Solution

greg ward earned 2000 total points
ID: 34221862
Here is my workign config from a 1760 with only 1 external ip

interface Virtual-Template1
 ip unnumbered FastEthernet0/0  <--this is my internet interface
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp header-compression
 peer default ip address pool DIAL-IN
 no keepalive
 compress stac
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2

ip local pool DIAL-IN  << ip's in the range of the local interface.

I guess the vpn will work on any interface.


Author Comment

ID: 34222957
I was able to get VPN working but only partially.  Here is what I have setup.  I have PPTP vpn setup on the router using RADIUS to authenticate against my windows sbs2003 server running IAS.  It works beautifully in that it authenticates and allows me in and even gives me an IP address from the VPN pool.  However that is all I get.  I am unable to ping the the address it gives me from the router or from the internal network.  Also on the computer I use to connect to vpn with I cant ping anything at all using the local addresses i.e. I can ping the router using the public IP of it but not the private ip of the router.  

Any ideas?  Do I have to provide special permissions or something like that?

My vpn pool of addresses is: -
the network address range is: -

Let me know if you need more info.
LVL 15

Expert Comment

by:greg ward
ID: 34223257
I have to set my computer making the vpn connection use the following settings.
remove the tick from enable software compression( properties >>networking >>settings)
remove the tick from use default gateway on remote network.
(tcp/ip settings>properties>advanced)
After those changes my vpn works and i can also access the internet while on the vpn..

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.


Author Comment

ID: 34223558
All of those options are already applied.  It is very strange I mean I am connecting the router can even see it but for some damn reason I cant ping anything so even though I have been give an IP address its like im not online.  

Is there some type of ACL i need to create for the traffic?  I created one and applied it to the virtual-template1 interface that contains "permit ip any any" iin both directions but it has not helped.  Any more ideas?
LVL 15

Assisted Solution

by:greg ward
greg ward earned 2000 total points
ID: 34224396
What do you see when you type show ip route when the connection is established.
Just to check you need the things below.
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
  protocol pptp
  virtual-template 1

async-bootp gateway
async-bootp dns-server

ip access-list extended inboundDSL
 permit tcp any any established
permit gre any any log
permit tcp any any eq 1723 log

Can you paste a show run if the above does not help.


Author Comment

ID: 34225971
Thanks for the help;  I am headed into the office today so that I can work directly with the router.  I will post the SHOW info in about an hour.


Author Comment

ID: 34226562
Thank you all for your help.  As it turned out last night I was having lots of trouble with the router so I decided to come in this mornign and do a cold start.  I rebooted to factory default and rebuilt all options on the router.  I got VPN working beautifully using widows IAS for authentication and was very happy.  However halfway through I encountered the same error.  I finally narrowed it down to ONE LINE in the config file.

When setting up the virtual-template I entered the following:
interface Virtual-Template1
 description ==[PPTP Radius VPN]==
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool vpnpool
 ppp encrypt mppe 40
 ppp authentication ms-chap
HOWEVER if I entered:

ppp encrypt mppe auto (which uses both 40bit and 128bit)
I received the dreaded error.  

Thank you all for the help with this.  

Author Closing Comment

ID: 34226567
Thank you all for your help.

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question