Firewall commands - vpdn


Implement the L2TP or PPTP feature. (Configuration mode.)

vpdn enable if_name

vpdn group name accept dialin pptp|l2tp

vpdn group name l2tp tunnel hello <hello_timeout>

vpdn group group_name ppp authentication PAP | CHAP | MSCHAP

vpdn group group_name ppp encryption mppe 40 | 128 | auto [required]

vpdn group group_name client configuration address local address_pool_name

vpdn group group_name client configuration dns dns_server_ip1 [dns_server_ip2]

vpdn group group_name client configuration wins wins_server_ip1 [wins_server_ip2]

vpdn group group_name client authentication aaa aaa_server_group

vpdn group group_name client authentication local

vpdn group group_name client accounting aaa_server_group

vpdn username username password password

vpdn group group_name pptp echo echo_timeout

show vpdn tunnel [l2tp | pptp] [id tunnel_id | packets | state | summary | transport]

show vpdn username [username]

show vpdn session [l2tp | pptp] [id session_id | packets | state | window]

show vpdn pppinterface [id intf_id]

clear vpdn [group | username | tunnel [all | [id tunnel_id]]]


Syntax

enable if_name Enable the VPDN function on a firewall interface. Specify the interface in if_name where L2TP or PPTP traffic is received. Only inbound connections are supported.
group group_name Specify the VPDN group name. The VPDN group_name is an ASCII string to denote a VPDN group. You can make up the name. The maximum length of the name is 128 bytes.

accept dialin pptp|l2tp Accept a dial-in request using PPTP or L2TP.
ppp authentication PAP | CHAP | MSCHAP Specify the Point-to-Point Protocol (PPP) authentication protocol. The Windows client dial-up networking settings let you specify which authentication protocol to use (PAP, CHAP, or MS-CHAP); whatever you specify on the client must match the setting on the firewall. Password Authentication Protocol (PAP) lets PPP peers authenticate each other, but it passes the username and password in clear text. Challenge Handshake Authentication Protocol (CHAP) authenticates with a challenge-response exchange, so the password itself is never sent on the wire. MS-CHAP is a Microsoft derivation of CHAP. The firewall supports MS-CHAP version 1 only (not version 2).

If an authentication protocol is not specified on the host, do not specify the ppp authentication option in the configuration.

ppp encryption mppe 40 | 128 | auto [required] Specify the number of session key bits used for MPPE (Microsoft Point-to-Point Encryption) negotiation. The domestic version of the Windows client supports 40- and 128-bit session keys, but the international version only supports 40-bit session keys. On the firewall, use auto to accommodate both. Use required to indicate that MPPE must be negotiated or the connection is terminated; without required, a client may negotiate a connection with no encryption at all.
client configuration address local address_pool_name Specify the local address pool used to allocate an IP address to a client. Use the ip local pool command to specify the IP addresses for use by the clients.
client configuration dns dns_server_ip1 [dns_server_ip2] Specify up to two DNS server IP addresses. If set, the firewall sends this information to the Windows client during the IPCP phase of PPP negotiation.
client configuration wins wins_server_ip1 [wins_server_ip2] Specify up to two WINS server IP addresses.
client authentication aaa aaa_server_group Specify the AAA server group for user authentication.
client authentication local Authenticate using the local username and password entries you specify in the firewall configuration.
client accounting aaa_server_group Specify the AAA server group for accounting. The accounting AAA server group can differ from the AAA server group used for user authentication.
username username password password Specify a local username and password for use with client authentication local.
pptp echo echo_timeout Specify the PPTP keep-alive echo timeout value in seconds. The firewall terminates a tunnel if an echo reply is not received within the timeout period you specify.
l2tp tunnel hello hello_timeout Specify the L2TP tunnel keep-alive hello timeout value in seconds. The default is 60 seconds if not specified. The value can be between 10 and 300 seconds.
show vpdn tunnel Display tunnel information.
show vpdn session Display session information.
l2tp | pptp Select either l2tp or pptp to display that tunnel information. The firewall shows both tunnel protocols if this option is not specified.
id Identify tunnel or session.
id tunnel_id Unique tunnel identifier.
id session_id Unique session identifier.
pppinterface id intf_id A PPP virtual interface is created for each PPTP tunnel. Use the show vpdn session command to display the interface identification value.
username Enter or display local username.
packets Packet and byte count.
state Session state.
summary Tunnel summary information.
transport Tunnel transport information.
window Window information.
group [clear command only]—Removes all vpdn group commands from the configuration.
username [clear command only]—Removes all vpdn username commands from the configuration.
tunnel [clear command only]—Removes one or more L2TP or PPTP tunnels from the configuration.
all [clear command only]—Removes all L2TP or PPTP tunnels from the configuration.
id tunnel_id [clear command only]—Removes the L2TP or PPTP tunnel that matches tunnel_id. You can view tunnel IDs with the show vpdn tunnel command.


Usage Guidelines

The vpdn command implements the L2TP and PPTP feature for the inbound connection.

Point-to-Point Tunneling Protocol (PPTP) is a layer 2 tunneling protocol, which lets a remote client use a public IP network to communicate securely with servers at a private corporate network. PPTP tunnels the IP protocol. RFC 2637 describes the PPTP protocol.

Only inbound L2TP and PPTP connections are supported, and only one firewall interface can have the vpdn enable command configured.

PPTP is an alternative to IPSec for VPN clients. PPTP is easier to implement and maintain, but it is less secure than IPSec: MS-CHAP version 1 and MPPE (RC4 with 40- or 128-bit session keys) have well-known cryptographic weaknesses, and the authentication exchange is exposed to anyone on the path between the client and the firewall. Prefer IPSec wherever the clients support it.

Supported authentication protocols are PAP, CHAP, and MS-CHAP, using either external AAA RADIUS (or TACACS+) servers or the firewall's local username and password database. Through PPP IPCP negotiation, the firewall assigns the PPTP client a dynamic internal IP address allocated from a locally defined IP address pool (ip local pool).

The firewall PPTP VPN supports standard PPP CCP negotiation with Microsoft Point-to-Point Encryption (MPPE) extensions using the RSA RC4 algorithm. MPPE supports 40-bit and 128-bit session keys. MPPE generates an initial key during user authentication and refreshes the key regularly. In this release, compression is not supported.

When you specify MPPE, use the MS-CHAP PPP authentication protocol. If you are using an external AAA server, the protocol must be RADIUS and the external RADIUS server must be able to return the Microsoft MSCHAP_MPPE_KEY attribute to the firewall in the RADIUS Authentication Accept packet. See RFC 2548, "Microsoft Vendor Specific RADIUS Attributes," for more information on the MSCHAP_MPPE_KEY attribute.

Cisco Secure ACS 2.5 and later releases support MS-CHAP/MPPE encryption, that is, they return the MPPE key attribute to the firewall.
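The dependency described above is easy to get wrong when a RADIUS server other than Cisco Secure ACS is used, so the following added example (not PIX code, and not part of the original reference) builds and parses the MS-CHAP-MPPE-Keys Vendor-Specific attribute that an Access-Accept must carry for MS-CHAP v1, using the RFC 2548 section 2.4.1 hiding scheme (the RFC 2138/2865 User-Password method: MD5 over the shared secret and the Request Authenticator, XORed block by block). The shared secret, Request Authenticator and key bytes are constructed for the demonstration; the 8/16/8-octet split of the 32-octet Keys field (LM key, NT key, padding) follows RFC 2548.

```python
"""Encode and decode the RADIUS MS-CHAP-MPPE-Keys attribute (RFC 2548, section 2.4.1).

Added example, not code from the PIX or any RADIUS server.  The secret,
Request Authenticator and key material below are constructed.
"""
import hashlib
import os
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type (RFC 2865)
MICROSOFT_VENDOR_ID = 311     # Vendor-Id used by RFC 2548
MS_CHAP_MPPE_KEYS = 12        # Vendor-Type of MS-CHAP-MPPE-Keys (MS-CHAP v1)


def _hide(secret, request_auth, data, decrypt):
    """RFC 2138/2865 'User-Password' hiding, reused by RFC 2548 for this attribute:
    b1 = MD5(S + RA), bi = MD5(S + c(i-1)), ci = pi XOR bi over 16-octet blocks."""
    if len(data) % 16:
        raise ValueError("data must be a multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, b))
        # The chain always uses the ciphertext block, which is the input when decrypting.
        prev = block if decrypt else bytes(out[i:i + 16])
    return bytes(out)


def encode_mppe_keys_vsa(secret, request_auth, lm_key, nt_key):
    """Build the Vendor-Specific attribute carrying the hidden MS-CHAP-MPPE-Keys."""
    if len(lm_key) != 8 or len(nt_key) != 16 or len(request_auth) != 16:
        raise ValueError("LM key is 8 octets, NT key 16 octets, Request Authenticator 16 octets")
    keys = lm_key + nt_key + bytes(8)                 # 32 octets: LM key, NT key, padding
    hidden = _hide(secret, request_auth, keys, decrypt=False)
    vendor_part = struct.pack("!BB", MS_CHAP_MPPE_KEYS, 2 + len(hidden)) + hidden
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_part), MICROSOFT_VENDOR_ID) + vendor_part


def decode_mppe_keys_vsa(secret, request_auth, attr):
    """Check the VSA framing, unhide the Keys field and return (lm_key, nt_key)."""
    if len(attr) < 8:
        raise ValueError("attribute too short")
    atype, alen, vendor_id = struct.unpack("!BBI", attr[:6])
    if atype != VENDOR_SPECIFIC or vendor_id != MICROSOFT_VENDOR_ID or alen != len(attr):
        raise ValueError("not a Microsoft Vendor-Specific attribute")
    vtype, vlen = attr[6], attr[7]
    if vtype != MS_CHAP_MPPE_KEYS or vlen != 34 or len(attr) != 6 + 34:
        raise ValueError("not a well-formed MS-CHAP-MPPE-Keys attribute")
    keys = _hide(secret, request_auth, attr[8:], decrypt=True)
    return keys[:8], keys[8:24]


def round_trip():
    """Server side hides random keys; NAS side recovers them with the same secret."""
    secret = b"12345678"                       # constructed; matches the reference's example key
    request_auth = os.urandom(16)              # Request Authenticator from the Access-Request
    lm_key, nt_key = os.urandom(8), os.urandom(16)
    attr = encode_mppe_keys_vsa(secret, request_auth, lm_key, nt_key)
    return decode_mppe_keys_vsa(secret, request_auth, attr) == (lm_key, nt_key)
```

Two points follow from the code. The hiding provides confidentiality only; nothing in the attribute lets the firewall detect a wrong secret or a modified key, so the Access-Accept's Response Authenticator is the only integrity protection. And the whole construction rests on MD5 of the RADIUS shared secret, so the eight-digit key 12345678 used in the reference's examples is illustrative only and a long random secret should be used in practice.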

The firewall PPTP VPN has been tested with the following Microsoft Windows products: Windows 95 with DUN 1.3, Windows 98, Windows NT 4.0 with Service Pack (SP) 6, and Windows 2000.

If you configure the firewall for 128-bit encryption and a Windows 95 or Windows 98 client does not support 128-bit or greater encryption, the connection to the firewall is refused. When this occurs, the Windows client moves the dial-up connection menu down to the screen corner while the PPP negotiation is in progress, which gives the appearance that the connection is accepted when it is not. When the PPP negotiation completes, the tunnel terminates and the firewall ends the connection. The Windows client eventually times out and disconnects.

You can troubleshoot PPTP traffic with the debug ppp and debug vpdn commands.

Use the vpdn command with the sysopt connection permit-pptp to allow PPTP traffic to bypass checking of conduit or access-list command statements.

The show vpdn commands list tunnel and session information.

The clear vpdn command with no keyword removes all vpdn commands from the configuration and stops all active tunnels. The clear vpdn tunnel all command removes all L2TP and PPTP tunnels, and the clear vpdn tunnel id tunnel_id command removes the tunnel associated with tunnel_id (you can view tunnel IDs with the show vpdn tunnel command). The clear vpdn group command removes all vpdn group commands from the configuration, and the clear vpdn username command removes all vpdn username commands from the configuration.
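The syntax section states three constraints that are easy to violate in a running configuration: MPPE only works with MS-CHAP, MPPE is optional unless required is given, and PAP exposes the password. The following added example (not a PIX feature, and not part of the original reference) is a small audit script that reads vpdn lines from a saved configuration and reports groups that break those rules. The configuration text embedded in it is constructed for the demonstration; group 1 is deliberately weak, group 2 follows the reference's guidance, and group 3 has neither PPP authentication nor encryption. Real configurations should be pulled with write terminal and fed to audit_vpdn unchanged.

```python
"""Audit PIX 'vpdn' configuration lines for weak PPP authentication and encryption.

Added example, not a PIX command.  SAMPLE_CONFIG is constructed; the rules encode
the constraints stated in the command reference (MPPE needs MS-CHAP, 'required'
enforces encryption, PAP is clear text).
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn username usrname1 password password1
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication local
vpdn group 2 accept dialin pptp
vpdn group 2 ppp authentication mschap
vpdn group 2 ppp encryption mppe auto required
vpdn group 2 client configuration address local my-addr-pool
vpdn group 2 client authentication aaa my-aaa-server-group
vpdn group 3 accept dialin pptp
vpdn group 3 client configuration address local my-addr-pool
vpdn enable outside
"""

GROUP_RE = re.compile(r"^vpdn group (\S+) (.+)$")


def parse_vpdn(config_text):
    """Return ({group_name: settings}, {local usernames}) from configuration text."""
    groups = defaultdict(dict)
    local_users = set()
    for raw in config_text.splitlines():
        line = " ".join(raw.split())              # collapse stray whitespace
        m = GROUP_RE.match(line)
        if m:
            name, tokens = m.group(1), m.group(2).lower().split()
            g = groups[name]                      # register the group even for keywords we ignore
            if tokens[:2] == ["ppp", "authentication"] and len(tokens) > 2:
                g["auth"] = tokens[2]
            elif tokens[:3] == ["ppp", "encryption", "mppe"]:
                g["mppe"] = tokens[3:]            # e.g. ['auto', 'required'] or ['40']
            elif tokens[:2] == ["client", "authentication"] and len(tokens) > 2:
                g["client_auth"] = tokens[2]
            elif tokens[:2] == ["accept", "dialin"] and len(tokens) > 2:
                g["proto"] = tokens[2]
        elif line.startswith("vpdn username ") and len(line.split()) >= 5:
            local_users.add(line.split()[2])
    return dict(groups), local_users


def audit_vpdn(config_text):
    """Return (group, severity, finding) tuples for every rule a group violates."""
    groups, local_users = parse_vpdn(config_text)
    findings = []
    for name in sorted(groups):
        g = groups[name]
        auth, mppe = g.get("auth"), g.get("mppe")
        if auth is None:
            findings.append((name, "HIGH", "no ppp authentication: any client is accepted"))
        elif auth == "pap":
            findings.append((name, "HIGH", "PAP sends the password in clear text"))
        elif auth == "chap":
            findings.append((name, "MEDIUM", "CHAP cannot be combined with MPPE; the tunnel stays unencrypted"))
        if mppe is None:
            findings.append((name, "HIGH", "no MPPE: PPP payload crosses the public network in the clear"))
        else:
            if auth != "mschap":
                findings.append((name, "HIGH", "MPPE requires ppp authentication mschap"))
            if "required" not in mppe:
                findings.append((name, "MEDIUM", "MPPE not 'required': a client may negotiate no encryption"))
            if mppe[:1] == ["40"]:
                findings.append((name, "LOW", "only 40-bit MPPE session keys are offered"))
        if g.get("client_auth") == "local" and local_users:
            findings.append((name, "LOW", "vpdn username passwords are stored in the configuration"))
    return findings


if __name__ == "__main__":
    for group, severity, text in audit_vpdn(SAMPLE_CONFIG):
        print(f"vpdn group {group}: {severity}: {text}")
```

The script only inspects vpdn lines; it does not know whether the AAA server group named in client authentication aaa actually exists or uses RADIUS, which the reference says is required for MPPE key return, so that check still has to be done against the aaa-server lines.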


Examples

The following example is sample output from the show vpdn tunnel l2tp command:

    pix# show vpdn tunnel l2tp

    L2TP Tunnel Information (Total tunnels=1 sessions=1)
    Tunnel id 1 is up, remote id is 7, 1 active sessions
      Tunnel state is established time since change 12 secs
      Remote Internet Address 171.69.39.85, port 1701
      Local Internet Address 172.23.58.48, port 1701
      15 packets sent, 48 received, 377 bytes sent, 4368 received
      Control Ns 3, Nr 4
      Local RWS 16, Remote RWS 8
      Retransmission time 1, max 1 seconds
      Unsent queuesize 0, max 0
      Resend queuesize 0, max 1
      Total resends 0, ZLB ACKs 2
      Retransmit time distribution: 0 0 0 0 0 0 0 0 0

    pix#

The following example is sample output from the show vpdn tunnel command:

    pix# show vpdn tunnel

    L2TP Tunnel Information (Total tunnels=1 sessions=1)
    Tunnel id 1 is up, remote id is 7, 1 active sessions
      Tunnel state is established time since change 12 secs
      Remote Internet Address 171.69.39.85, port 1701
      Local Internet Address 172.23.58.48, port 1701
      15 packets sent, 48 received, 377 bytes sent, 4368 received
      Control Ns 3, Nr 4
      Local RWS 16, Remote RWS 8
      Retransmission time 1, max 1 seconds
      Unsent queuesize 0, max 0
      Resend queuesize 0, max 1
      Total resends 0, ZLB ACKs 2
      Retransmit time distribution: 0 0 0 0 0 0 0 0 0
    % No active PPTP tunnels

    pix#

The following is sample output from the show vpdn tunnel packet command:

    show vpdn tunnel packet

    PPTP Tunnel Information (Total tunnels=1 sessions=1)
    LocID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
        1     1196        13    113910        420

The following is sample output from the show vpdn tunnel state command:

    show vpdn tunnel state

    PPTP Tunnel Information (Total tunnels=1 sessions=1)
    LocID  RemID  State   Time-Since-Event-Chg
        1      1  estabd  6 secs

The following is sample output from the show vpdn tunnel summary command:

    show vpdn tunnel summary

    PPTP Tunnel Information (Total tunnels=1 sessions=1)
    LocID  RemID  State   Remote Address  Port  Sessions
        1      1  estabd  172.16.38.194   1723         1

The following is sample output from the show vpdn tunnel transport command:

    show vpdn tunnel transport

    PPTP Tunnel Information (Total tunnels=1 sessions=1)
    LocID  Type  Local Address  Port  Remote Address  Port
        1  IP    172.16.1.209   1723  172.16.38.194   1723

The following is sample output from the show vpdn session command:

    pix# show vpdn session

    L2TP Session Information (Total tunnels=1 sessions=1)
    Call id 1 is up on tunnel id 1
    Remote tunnel name is abc-win2ke2
      Internet Address is 171.69.39.85
      Session username is guest, state is established
        Time since change 158 secs, interface outside
        Remote call id is 1
        PPP interface id is 1
        15 packets sent, 83 received, 377 bytes sent, 8412 received
          Sequencing is off
    % No active PPTP tunnels
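The show vpdn tunnel output above is the only view an operator has of who is currently tunnelled into the firewall, and it is line-oriented text rather than a table, so the following added example (not a PIX feature, and not part of the original reference) parses it into records and flags tunnels whose remote endpoint lies outside an expected address range. The embedded capture repeats the sample output shown above; the allowed networks passed to unexpected_peers are an assumption for the demonstration.

```python
"""Parse 'show vpdn tunnel' text into records and flag unexpected peers.

Added example, not a PIX command.  SAMPLE_TUNNEL_OUTPUT reproduces the sample
output from the command reference; the allowed networks are an assumption.
"""
import ipaddress
import re

SAMPLE_TUNNEL_OUTPUT = """\
 L2TP Tunnel Information (Total tunnels=1 sessions=1)
Tunnel id 1 is up, remote id is 7, 1 active sessions
  Tunnel state is established time since change 12 secs
  Remote Internet Address 171.69.39.85, port 1701
  Local Internet Address 172.23.58.48, port 1701
  15 packets sent, 48 received, 377 bytes sent, 4368 received
  Control Ns 3, Nr 4
  Local RWS 16, Remote RWS 8
% No active PPTP tunnels
"""

HEADER_RE = re.compile(r"^\s*(L2TP|PPTP) Tunnel Information \(Total tunnels=(\d+) sessions=(\d+)\)")
TUNNEL_RE = re.compile(r"Tunnel id (\d+) is (\w+), remote id is (\d+), (\d+) active session")
STATE_RE = re.compile(r"Tunnel state is\s+(\w+)")
ADDR_RE = re.compile(r"(Remote|Local) Internet Address ([\d.]+), port (\d+)")
COUNTER_RE = re.compile(r"(\d+) packets sent, (\d+) received, (\d+) bytes sent, (\d+) received")


def parse_show_vpdn_tunnel(text):
    """Return one dict per tunnel: protocol, ids, state, endpoints and counters."""
    tunnels = []
    proto = None          # set by the 'L2TP/PPTP Tunnel Information' header line
    cur = None            # tunnel record that the indented detail lines belong to
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            proto, cur = m.group(1), None
            continue
        m = TUNNEL_RE.search(line)
        if m:
            cur = {"proto": proto, "id": int(m.group(1)), "up": m.group(2) == "up",
                   "remote_id": int(m.group(3)), "sessions": int(m.group(4))}
            tunnels.append(cur)
            continue
        if cur is None:
            continue      # '% No active PPTP tunnels' and similar lines outside a tunnel
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group(1)
            continue
        m = ADDR_RE.search(line)
        if m:
            side = m.group(1).lower()
            cur[side + "_addr"] = m.group(2)
            cur[side + "_port"] = int(m.group(3))
            continue
        m = COUNTER_RE.search(line)
        if m:
            cur["pkts_sent"], cur["pkts_rcvd"], cur["bytes_sent"], cur["bytes_rcvd"] = map(int, m.groups())
    return tunnels


def unexpected_peers(tunnels, allowed_networks):
    """Tunnels whose remote endpoint is outside every allowed network (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for t in tunnels:
        addr = t.get("remote_addr")
        if addr is None:
            continue
        ip = ipaddress.ip_address(addr)
        if not any(ip in n for n in nets):
            flagged.append(t)
    return flagged


if __name__ == "__main__":
    records = parse_show_vpdn_tunnel(SAMPLE_TUNNEL_OUTPUT)
    for t in unexpected_peers(records, ["10.0.0.0/8"]):
        print(f"{t['proto']} tunnel {t['id']} from {t['remote_addr']}:{t['remote_port']} "
              f"state {t.get('state')} sessions {t['sessions']}")
```

Because the firewall accepts tunnels from any source on the enabled interface, comparing the remote addresses against the ranges the remote users are expected to come from is a cheap way to spot an unexpected client, and the packet counters give a baseline for a tunnel that is established but carrying no traffic.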

The following is sample output of a simple configuration that allows Windows PPTP clients to dial in without any authentication (not recommended). The Windows client can Telnet to internal host 192.168.0.2 through the static global address 209.165.201.2.

    ip local pool my-addr-pool 10.1.1.1-10.1.1.254
    vpdn group 1 accept dialin pptp
    vpdn group 1 client configuration address local my-addr-pool
    vpdn enable outside
    static (inside, outside) 209.165.201.2 192.168.0.2
    access-list acl_out permit tcp 10.1.1.0 255.255.255.0 host 209.165.201.2 eq telnet
    access-group acl_out in interface outside

In the next example, PPTP clients authenticate using MS-CHAP and negotiate MPPE encryption with the firewall. The PPTP client can Telnet to host 192.168.0.2 through the static global 209.165.201.2. The Telnet session will be encrypted.

    ip local pool my-addr-pool 10.1.1.1-10.1.1.254
    aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
    aaa-server my-aaa-server-group protocol radius
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication mschap
    vpdn group 1 client authentication aaa my-aaa-server-group
    vpdn group 1 ppp encryption mppe auto required
    vpdn group 1 client configuration address local my-addr-pool
    vpdn enable outside
    static (inside, outside) 209.165.201.2 192.168.0.2
    access-list acl_out permit tcp 10.1.1.0 255.255.255.0 host 209.165.201.2 eq telnet
    access-group acl_out in interface outside

In the next example, PPTP clients authenticate using MS-CHAP, negotiate MPPE encryption, receive the DNS and WINS server addresses, and can Telnet to the host 192.168.0.2 directly through the nat 0 command statement.

    ip local pool my-addr-pool 10.1.1.1-10.1.1.254
    aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
    aaa-server my-aaa-server-group protocol radius
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto required
    vpdn group 1 client configuration address local my-addr-pool
    vpdn group 1 client authentication aaa my-aaa-server-group
    vpdn group 1 client configuration dns 10.2.2.99
    vpdn group 1 client configuration wins 10.2.2.100
    vpdn enable outside
    access-list nonat permit ip host 192.168.0.2 10.1.1.0 255.255.255.0
    access-list nonat permit ip host 10.2.2.99 10.1.1.0 255.255.255.0
    access-list nonat permit ip host 10.2.2.100 10.1.1.0 255.255.255.0
    nat (inside) 0 access-list nonat
    access-list acl_out permit tcp 10.1.1.0 255.255.255.0 host 192.168.0.2 eq telnet
    access-list acl_out permit udp 10.1.1.0 255.255.255.0 host 10.2.2.99 eq domain
    access-list acl_out permit udp 10.1.1.0 255.255.255.0 host 10.2.2.100 eq netbios-ns
    access-group acl_out in interface outside

In the next example, PPTP clients authenticate using MS-CHAP, negotiate MPPE encryption, receive the DNS and WINS server addresses, and can Telnet to the host 192.168.0.2 directly through the nat 0 command statement. An access-group command statement is not present because the sysopt connection permit-pptp command statement allows all the PPTP traffic through the tunnel.

    ip local pool my-addr-pool 10.1.1.1-10.1.1.254
    aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
    aaa-server my-aaa-server-group protocol radius
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto required
    vpdn group 1 client configuration address local my-addr-pool
    vpdn group 1 client authentication aaa my-aaa-server-group
    vpdn group 1 client configuration dns 10.2.2.99
    vpdn group 1 client configuration wins 10.2.2.100
    vpdn enable outside
    access-list nonat permit ip host 192.168.0.2 10.1.1.0 255.255.255.0
    access-list nonat permit ip host 10.2.2.99 10.1.1.0 255.255.255.0
    access-list nonat permit ip host 10.2.2.100 10.1.1.0 255.255.255.0
    nat (inside) 0 access-list nonat
    sysopt connection permit-pptp

In the next example, PPTP clients authenticate using MS-CHAP, negotiate MPPE encryption, receive the DNS and WINS server addresses, and can Telnet to the host 192.168.0.2 directly through the nat 0 command statement. The PPTP client authenticates against the firewall's local username and password database, which you create with the vpdn username command. Users are authenticated a second time by the aaa command when they start a Telnet session. An access-group command statement is not present because the sysopt connection permit-pptp command statement allows all the PPTP traffic through the tunnel.

    ip local pool my-addr-pool 10.1.1.1-10.1.1.254
    aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
    aaa-server my-aaa-server-group protocol radius
    vpdn username usrname1 password password1
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto required
    vpdn group 1 client configuration address local my-addr-pool
    vpdn group 1 client authentication local
    vpdn group 1 client configuration dns 10.2.2.99
    vpdn group 1 client configuration wins 10.2.2.100
    vpdn enable outside
    access-list nonat permit ip host 192.168.0.2 10.1.1.0 255.255.255.0
    access-list nonat permit ip host 10.2.2.99 10.1.1.0 255.255.255.0
    access-list nonat permit ip host 10.2.2.100 10.1.1.0 255.255.255.0
    nat (inside) 0 access-list nonat
    sysopt connection permit-pptp
    aaa authentication include telnet inbound 192.168.0.2 255.255.255.255 10.1.1.0 255.255.255.0