

Cisco ISR: Setting up pptp VPN + Router Interface Q's

Posted on 2010-11-27
Medium Priority
Last Modified: 2012-06-27
I recently purchased a Cisco router to replace my WatchGuard X700 Firebox that acted as my firewall, router and NAT device. Now it has taken me some time, but I have set the router up and have even got it functioning as a firewall. Here is my next problem: VPN. Prior to the Cisco router we used the WatchGuard Firebox and SBS2003 built-in IAS to do RADIUS authentication, with the firewall terminating the VPN connection. Basically the firewall would provide the VPN connection but would use the SBS2003 server as a RADIUS authentication server.

Now I have been trying to set this up on my Cisco router but am having trouble. In an effort to troubleshoot this issue I have tried to instead use local user authentication and am still having trouble. I think the problem lies with the use of the Virtual-Template interface. In all the tutorials I have found on the subject there comes a point where you create a Virtual-Template for the VPDN connection like so:

interface Virtual-Template1
  ip unnumbered GigabitEthernet0/0
  peer default ip address pool vpnpool
  no keepalive
  ppp encrypt mppe auto required
  ppp authentication ms-chap ms-chap-v2

This should be just fine except for the issue with my GigabitEthernet0/0, which is configured like so:

interface GigabitEthernet0/0
  description External Interface - Public IP's
  ip address x.x.x.23 secondary
  ip address x.x.x.3 secondary
  ip address x.x.x.4 secondary
  ip address x.x.x.5 secondary
  ip address x.x.x.30 secondary
  ip address x.x.x.22

So as you can see, my external interface has multiple public IP addresses. Which address do I use to connect to with my Windows VPN client? I want it to be the x.x.x.22 address, but that one is also set up to have static NAT to our server, as the server also functions as our OWA, Exchange, and IIS server. Is this too much to ask, and am I misconfiguring the router by attaching multiple public IPs to one interface? I know I can't use sub-interfaces as those are meant for VLANs and different subnets, I believe. Someone suggested in another forum that I use loopback interfaces, but I don't know how you would do that and I am not sure if I confused that with something else.

Anyhow, some insight as to where to go and how to do this would be greatly appreciated.
Question by:Prolumina

Accepted Solution

greg ward earned 2000 total points
ID: 34221862
Here is my working config from a 1760 with only 1 external IP:

interface Virtual-Template1
 ip unnumbered FastEthernet0/0  <--this is my internet interface
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp header-compression
 peer default ip address pool DIAL-IN
 no keepalive
 compress stac
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2

ip local pool DIAL-IN  << ip's in the range of the local interface.

I guess the VPN will work on any interface.


Author Comment

ID: 34222957
I was able to get VPN working, but only partially. Here is what I have set up. I have PPTP VPN set up on the router using RADIUS to authenticate against my Windows SBS2003 server running IAS. It works beautifully in that it authenticates and allows me in and even gives me an IP address from the VPN pool. However, that is all I get. I am unable to ping the address it gives me from the router or from the internal network. Also, on the computer I use to connect to the VPN with, I can't ping anything at all using the local addresses, i.e. I can ping the router using its public IP but not the private IP of the router.

Any ideas? Do I have to provide special permissions or something like that?

My vpn pool of addresses is: -
the network address range is: -

Let me know if you need more info.

Expert Comment

by:greg ward
ID: 34223257
I have to set the computer making the VPN connection to use the following settings:
Remove the tick from "Enable software compression" (Properties >> Networking >> Settings).
Remove the tick from "Use default gateway on remote network" (TCP/IP settings > Properties > Advanced).
After those changes my VPN works and I can also access the internet while on the VPN.


Author Comment

ID: 34223558
All of those options are already applied. It is very strange. I mean, I am connecting, the router can even see it, but for some damn reason I can't ping anything, so even though I have been given an IP address it's like I'm not online.

Is there some type of ACL I need to create for the traffic? I created one and applied it to the Virtual-Template1 interface that contains "permit ip any any" in both directions, but it has not helped. Any more ideas?

Assisted Solution

by:greg ward
greg ward earned 2000 total points
ID: 34224396
What do you see when you type show ip route when the connection is established?
Just to check, you need the things below.
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
  protocol pptp
  virtual-template 1

async-bootp gateway
async-bootp dns-server

ip access-list extended inboundDSL
 permit tcp any any established
 permit gre any any log
 permit tcp any any eq 1723 log

Can you paste a show run if the above does not help?


Author Comment

ID: 34225971
Thanks for the help. I am headed into the office today so that I can work directly with the router. I will post the SHOW info in about an hour.


Author Comment

ID: 34226562
Thank you all for your help. As it turned out, last night I was having lots of trouble with the router, so I decided to come in this morning and do a cold start. I rebooted to factory default and rebuilt all options on the router. I got VPN working beautifully using Windows IAS for authentication and was very happy. However, halfway through I encountered the same error. I finally narrowed it down to ONE LINE in the config file.

When setting up the virtual-template I entered the following:
interface Virtual-Template1
 description ==[PPTP Radius VPN]==
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool vpnpool
 ppp encrypt mppe 40
 ppp authentication ms-chap
HOWEVER if I entered:

ppp encrypt mppe auto (which uses both 40bit and 128bit)
I received the dreaded error.  

Thank you all for the help with this.  

Author Closing Comment

ID: 34226567
Thank you all for your help.
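
Added example (not part of the thread, and not Cisco tooling): a small Python check that reads the Virtual-Template stanzas posted above and flags the PPP settings that weaken a PPTP tunnel: 40-bit MPPE permitted, MPPE not marked `required`, and MS-CHAP v1 accepted. The function name, the finding codes and the abridged sample configs are assumptions made for this example, and it handles one Virtual-Template stanza per config.

```python
import re

# Constructed sample input: the thread's Virtual-Template stanzas, abridged to the PPP lines.
CONFIGS = {
    "question": """interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
""",
    "accepted": """interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
""",
    "final": """interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ppp encrypt mppe 40
 ppp authentication ms-chap
""",
}

def audit_virtual_template(config):
    """Return sorted finding codes for the Virtual-Template stanza in an IOS config."""
    seen, in_vt, mppe, auth = False, False, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # unindented line starts a new top-level stanza
            in_vt = line.lower().startswith("interface virtual-template")
            seen = seen or in_vt
        elif in_vt:
            m = re.match(r"ppp (encrypt mppe|authentication) (.+)", line)
            if m and m.group(1) == "authentication":
                auth = m.group(2).split()        # e.g. ["ms-chap", "ms-chap-v2"]
            elif m:
                mppe = m.group(2).split()        # e.g. ["auto", "required"]
    if not seen:
        return []
    findings = set()
    if mppe is None:
        findings.add("mppe-missing")             # no MPPE line: PPP payload is not encrypted
    else:
        if mppe[0] in ("40", "auto"):
            findings.add("mppe-40bit-allowed")   # 40-bit session keys can be negotiated
        if "required" not in mppe[1:]:
            findings.add("mppe-not-required")    # session is kept even if MPPE is not negotiated
    if "ms-chap" in auth:
        findings.add("ms-chap-v1-allowed")       # legacy MS-CHAP v1 accepted alongside or instead of v2
    return sorted(findings)
```

Of the three stanzas in the thread, only the accepted solution's `ppp encrypt mppe 128 required` with `ppp authentication ms-chap-v2` comes back with no findings.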
