Firewall commands - vpdn
Implement the L2TP or PPTP feature. (Configuration mode.)
vpdn enable if_name
vpdn group group_name accept dialin pptp | l2tp
vpdn group group_name l2tp tunnel hello hello_timeout
vpdn group group_name ppp authentication PAP | CHAP | MSCHAP
vpdn group group_name ppp encryption mppe 40 | 128 | auto [required]
vpdn group group_name client configuration address local address_pool_name
vpdn group group_name client configuration dns dns_server_ip1 [dns_server_ip2]
vpdn group group_name client configuration wins wins_server_ip1 [wins_server_ip2]
vpdn group group_name client authentication aaa aaa_server_group
vpdn group group_name client authentication local
vpdn group group_name client accounting aaa_server_group
vpdn username username password password
vpdn group group_name pptp echo echo_timeout
show vpdn tunnel [l2tp | pptp] [id tunnel_id | packets | state | summary | transport]
show vpdn username [username]
show vpdn session [l2tp | pptp] [id session_id | packets | state | window]
show vpdn pppinterface [id intf_id]
clear vpdn [group | username | tunnel [all | [id tunnel_id]]]
Syntax
enable if_name
    Enable the VPDN function on a firewall interface. Specify in if_name the interface on which L2TP or PPTP traffic is received. Only inbound connections are supported.
group group_name
    Specify the VPDN group name. The group_name is an ASCII string that denotes a VPDN group; you can make up the name. The maximum length of the name is 128 bytes.
accept dialin pptp | l2tp
    Accept a dial-in request using PPTP or L2TP.
ppp authentication PAP | CHAP | MSCHAP
    Specify the Point-to-Point Protocol (PPP) authentication protocol. The Windows client dial-up networking settings let you specify which authentication protocol to use (PAP, CHAP, or MS-CHAP). Whatever you specify on the client must match the setting you use on the firewall. Password Authentication Protocol (PAP) lets PPP peers authenticate each other; PAP passes the host name or username in clear text. Challenge Handshake Authentication Protocol (CHAP) lets PPP peers prevent unauthorized access through interaction with an access server. MS-CHAP is a Microsoft derivation of CHAP; the firewall supports MS-CHAP version 1 only (not version 2.0). If an authentication protocol is not specified on the host, do not specify the ppp authentication option in the configuration.
ppp encryption mppe 40 | 128 | auto [required]
    Specify the number of session key bits used for MPPE (Microsoft Point-to-Point Encryption) negotiation. The domestic version of the Windows client can support 40- and 128-bit session keys, but the international version of the Windows client supports only 40-bit session keys. On the firewall, use auto to accommodate both. Use required to indicate that MPPE must be negotiated or the connection will be terminated.
client configuration address local address_pool_name
    Specify the local address pool used to allocate an IP address to a client. Use the ip local pool command to specify the IP addresses for use by the clients.
client configuration dns dns_server_ip1 [dns_server_ip2]
    Specify up to two DNS server IP addresses. If set, the firewall sends this information to the Windows client during the IPCP phase of PPP negotiation.
client configuration wins wins_server_ip1 [wins_server_ip2]
    Specify up to two WINS server IP addresses.
client authentication aaa aaa_server_group
    Specify the AAA server group for user authentication.
client authentication local
    Authenticate using the local username and password entries you specify in the firewall configuration.
client accounting aaa_server_group
    Specify the AAA server group for accounting. The accounting AAA server group can be different from the AAA server group used for user authentication.
password
    Specify the local user password.
pptp echo echo_timeout
    Specify the PPTP keep-alive echo timeout value in seconds. The firewall terminates a tunnel if an echo reply is not received within the timeout period you specify.
l2tp tunnel hello hello_timeout
    Specify the L2TP tunnel keep-alive hello timeout value in seconds. The default is 60 seconds if not specified. The value can be between 10 and 300 seconds.
show vpdn tunnel
    Display tunnel information.
show vpdn session
    Display session information.
l2tp | pptp
    Select either l2tp or pptp to display that tunnel information. The firewall shows both tunnel protocols if this option is not specified.
id
    Identify a tunnel or session.
id tunnel_id
    Unique tunnel identifier.
id session_id
    Unique session identifier.
pppinterface id intf_id
    A PPP virtual interface is created for each PPTP tunnel. Use the show vpdn session command to display the interface identification value.
username
    Enter or display a local username.
packets
    Packet and byte count.
state
    Session state.
summary
    Tunnel summary information.
transport
    Tunnel transport information.
window
    Window information.
group [clear command only]
    Removes all vpdn group commands from the configuration.
username [clear command only]
    Removes all vpdn username commands from the configuration.
tunnel [clear command only]
    Removes one or more L2TP or PPTP tunnels from the configuration.
all [clear command only]
    Removes all L2TP or PPTP tunnels from the configuration.
id tunnel_id [clear command only]
    Removes PPTP tunnels from the configuration that match tunnel_id. You can view the tunnel IDs with the show vpdn tunnel command.
Usage Guidelines
The vpdn command implements the L2TP and PPTP feature for the inbound connection.
Point-to-Point Tunneling Protocol (PPTP) is a layer 2 tunneling protocol, which lets a remote client use a public IP network to communicate securely with servers at a private corporate network. PPTP tunnels the IP protocol. RFC 2637 describes the PPTP protocol.
Only inbound PPTP connections are supported and only one firewall interface can have the vpdn command enabled.
PPTP is an alternative to IPSec for handling VPN clients. While PPTP is less secure than IPSec, PPTP is easier to implement and maintain.
Supported authentication protocols include PAP, CHAP, and MS-CHAP, using external AAA RADIUS (or TACACS+) servers or the firewall local username and password database. Through the PPP IPCP protocol negotiation, the firewall assigns the PPTP client a dynamic internal IP address allocated from a locally defined IP address pool.
The firewall PPTP VPN supports standard PPP CCP negotiations with Microsoft Point-To-Point Encryption (MPPE) extensions using RSA/RC4 algorithm. MPPE currently supports 40-bit and 128-bit session keys. MPPE generates an initial key during user authentication and refreshes the key regularly. In this release, compression is not supported.
When you specify MPPE, use the MS-CHAP PPP authentication protocol. If you are using an external AAA server, the protocol must be RADIUS and the external RADIUS server must be able to return the Microsoft MSCHAP_MPPE_KEY attribute to the firewall in the RADIUS Authentication Accept packet. See RFC 2548, "Microsoft Vendor Specific RADIUS Attributes," for more information on the MSCHAP_MPPE_KEY attribute.
Cisco Secure ACS 2.5 and later releases support the MSCHAP/MPPE encryption.
The firewall PPTP VPN has been tested with the following Microsoft Windows products: Windows 95 with DUN 1.3, Windows 98, Windows NT 4.0 with Service Pack (SP) 6, and Windows 2000.
If you configure the firewall for 128-bit encryption and a Windows 95 or Windows 98 client does not support 128-bit or greater encryption, the connection to the firewall is refused. When this occurs, the Windows client moves the dial-up connection menu down to the screen corner while the PPP negotiation is in progress. This gives the appearance that the connection is accepted when it is not. When the PPP negotiation completes, the tunnel terminates and the firewall ends the connection. The Windows client eventually times out and disconnects.
You can troubleshoot PPTP traffic with the debug ppp and debug vpdn commands.
Use the vpdn command with the sysopt connection permit-pptp command to allow PPTP traffic to bypass checking of conduit or access-list command statements.
The show vpdn commands list tunnel and session information.
The clear vpdn command removes all vpdn commands from the configuration and stops all the active PPTP tunnels. The clear vpdn all command allows you to remove all tunnels, and the clear vpdn id tunnel_id command allows you to remove the tunnels associated with tunnel_id. (You can view the tunnel_id with the show vpdn tunnel command.) The clear vpdn group command removes all the vpdn group commands from the configuration. The clear vpdn username command removes all the vpdn username commands from the configuration.
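The following Python script is an added example and is not part of the original command reference. It parses the plain-text output of show vpdn tunnel and show vpdn session in the layout shown in the Examples section of this page (the sample text below is constructed from the page's own sample output) and joins each session to its tunnel, so an operator can list which remote peer and username each tunnel carries and whether both tunnel and session are in the established state. The function and field names are this example's own, not firewall commands.

```python
import re

# Constructed sample, copied from the "show vpdn tunnel l2tp" output shown
# in the Examples section of this page, one output line per text line.
SAMPLE_TUNNEL = """\
pix# show vpdn tunnel l2tp
L2TP Tunnel Information (Total tunnels=1 sessions=1)
Tunnel id 1 is up, remote id is 7, 1 active sessions
Tunnel state is established time since change 12 secs
Remote Internet Address 171.69.39.85, port 1701
Local Internet Address 172.23.58.48, port 1701
15 packets sent, 48 received, 377 bytes sent, 4368 received
Control Ns 3, Nr 4
Local RWS 16, Remote RWS 8
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs 2
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
pix#
"""

# Constructed sample, copied from the "show vpdn session" output on this page.
SAMPLE_SESSION = """\
pix# show vpdn session
L2TP Session Information (Total tunnels=1 sessions=1)
Call id 1 is up on tunnel id 1
Remote tunnel name is abc-win2ke2
Internet Address is 171.69.39.85
Session username is guest, state is established
Time since change 158 secs, interface outside
Remote call id is 1
PPP interface id is 1
15 packets sent, 83 received, 377 bytes sent, 8412 received
Sequencing is off
% No active PPTP tunnels
"""

TUNNEL_HDR = re.compile(r"^Tunnel id (\d+) is (\w+), remote id is (\d+), (\d+) active sessions")
TUNNEL_STATE = re.compile(r"^Tunnel state is (\w+)")
REMOTE_ADDR = re.compile(r"^Remote Internet Address ([\d.]+), port (\d+)")
RESENDS = re.compile(r"^Total resends (\d+)")
SESSION_HDR = re.compile(r"^Call id (\d+) is (\w+) on tunnel id (\d+)")
SESSION_USER = re.compile(r"^Session username is ([^,]+), state is (\w+)")
SESSION_ADDR = re.compile(r"^Internet Address is ([\d.]+)")


def parse_tunnels(text):
    """Return one dict per 'Tunnel id ...' block in show vpdn tunnel output."""
    tunnels, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := TUNNEL_HDR.match(line)):
            cur = {"id": int(m.group(1)), "up": m.group(2) == "up",
                   "remote_id": int(m.group(3)), "sessions": int(m.group(4))}
            tunnels.append(cur)
        elif cur is None:
            continue                      # prompt / banner lines before the first tunnel
        elif (m := TUNNEL_STATE.match(line)):
            cur["state"] = m.group(1)
        elif (m := REMOTE_ADDR.match(line)):
            cur["remote"], cur["remote_port"] = m.group(1), int(m.group(2))
        elif (m := RESENDS.match(line)):
            cur["resends"] = int(m.group(1))
    return tunnels


def parse_sessions(text):
    """Return one dict per 'Call id ...' block in show vpdn session output."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := SESSION_HDR.match(line)):
            cur = {"call_id": int(m.group(1)), "up": m.group(2) == "up",
                   "tunnel_id": int(m.group(3))}
            sessions.append(cur)
        elif cur is None:
            continue
        elif (m := SESSION_USER.match(line)):
            cur["username"], cur["state"] = m.group(1), m.group(2)
        elif (m := SESSION_ADDR.match(line)):
            cur["remote"] = m.group(1)
    return sessions


def session_inventory(tunnel_text, session_text):
    """Join sessions to tunnels; 'healthy' is True only when both are established."""
    tunnels = {t["id"]: t for t in parse_tunnels(tunnel_text)}
    rows = []
    for s in parse_sessions(session_text):
        t = tunnels.get(s["tunnel_id"], {})
        rows.append({
            "tunnel": s["tunnel_id"],
            "remote": s.get("remote", t.get("remote")),
            "username": s.get("username"),
            "healthy": s.get("state") == "established" and t.get("state") == "established",
            "resends": t.get("resends"),
        })
    return rows


if __name__ == "__main__":
    for row in session_inventory(SAMPLE_TUNNEL, SAMPLE_SESSION):
        print(row)
```

Feed the script the captured output of both show commands (for example, from a scheduled CLI poll) and log the resulting rows; a session whose tunnel is missing from the tunnel output, or whose state is anything other than established, shows up as healthy=False.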
Examples
The following example is sample output from the show vpdn tunnel l2tp command:
pix# show vpdn tunnel l2tp
L2TP Tunnel Information (Total tunnels=1 sessions=1)
Tunnel id 1 is up, remote id is 7, 1 active sessions
  Tunnel state is established time since change 12 secs
  Remote Internet Address 171.69.39.85, port 1701
  Local Internet Address 172.23.58.48, port 1701
  15 packets sent, 48 received, 377 bytes sent, 4368 received
  Control Ns 3, Nr 4
  Local RWS 16, Remote RWS 8
  Retransmission time 1, max 1 seconds
  Unsent queuesize 0, max 0
  Resend queuesize 0, max 1
  Total resends 0, ZLB ACKs 2
  Retransmit time distribution: 0 0 0 0 0 0 0 0 0
pix#
The following example is sample output from the show vpdn tunnel command:
pix# show vpdn tunnel
L2TP Tunnel Information (Total tunnels=1 sessions=1)
Tunnel id 1 is up, remote id is 7, 1 active sessions
  Tunnel state is established time since change 12 secs
  Remote Internet Address 171.69.39.85, port 1701
  Local Internet Address 172.23.58.48, port 1701
  15 packets sent, 48 received, 377 bytes sent, 4368 received
  Control Ns 3, Nr 4
  Local RWS 16, Remote RWS 8
  Retransmission time 1, max 1 seconds
  Unsent queuesize 0, max 0
  Resend queuesize 0, max 1
  Total resends 0, ZLB ACKs 2
  Retransmit time distribution: 0 0 0 0 0 0 0 0 0
% No active PPTP tunnels
pix#
The following is sample output from the show vpdn tunnel packet command:
show vpdn tunnel packet
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
1      1196     13        1139      10420
The following is sample output from the show vpdn tunnel state command:
show vpdn tunnel state
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID  RemID  State   Time-Since-Event-Chg
1      1      estabd  6 secs
The following is sample output from the show vpdn tunnel summary command:
show vpdn tunnel summary
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID  RemID  State   Remote Address  Port  Sessions
1      1      estabd  172.16.38.194   1723  1
The following is sample output from the show vpdn tunnel transport command:
show vpdn tunnel transport
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID  Type  Local Address  Port  Remote Address  Port
1      IP    172.16.1.209   1723  172.16.38.194   1723
The following is sample output from the show vpdn session command:
pix# show vpdn session
L2TP Session Information (Total tunnels=1 sessions=1)
Call id 1 is up on tunnel id 1
Remote tunnel name is abc-win2ke2
  Internet Address is 171.69.39.85
  Session username is guest, state is established
    Time since change 158 secs, interface outside
    Remote call id is 1
    PPP interface id is 1
    15 packets sent, 83 received, 377 bytes sent, 8412 received
    Sequencing is off
% No active PPTP tunnels
The following is a sample of a simple configuration that allows Windows PPTP clients to dial in without any authentication (not recommended). The Windows client can Telnet to internal host 192.168.0.2 through the static global address 209.165.201.2.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
static (inside, outside) 209.165.201.2 192.168.0.2
access-list acl_out permit tcp 10.1.1.0 255.255.255.0 host 209.165.201.2 eq telnet
access-group acl_out in interface outside
In the next example, PPTP clients authenticate using MS-CHAP and negotiate MPPE encryption with the firewall. The PPTP client can Telnet to host 192.168.0.2 through the static global 209.165.201.2. The Telnet session will be encrypted.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication aaa my-aaa-server-group
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
static (inside, outside) 209.165.201.2 192.168.0.2
access-list acl_out permit tcp 10.1.1.0 255.255.255.0 host 209.165.201.2 eq telnet
access-group acl_out in interface outside
In the next example, PPTP clients authenticate using MS-CHAP, negotiate MPPE encryption, receive the DNS and WINS server addresses, and can Telnet to the host 192.168.0.2 directly through the nat 0 command statement.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication aaa my-aaa-server-group
vpdn group 1 client configuration dns 10.2.2.99
vpdn group 1 client configuration wins 10.2.2.100
vpdn enable outside
access-list nonat permit ip host 192.168.0.2 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.99 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.100 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list acl_out permit tcp 10.1.1.0 255.255.255.0 host 192.168.0.2 eq telnet
access-list acl_out permit udp 10.1.1.0 255.255.255.0 host 10.2.2.99 eq domain
access-list acl_out permit udp 10.1.1.0 255.255.255.0 host 10.2.2.100 eq netbios-ns
access-group acl_out in interface outside
In the next example, PPTP clients authenticate using MS-CHAP, negotiate MPPE encryption, receive the DNS and WINS server addresses, and can Telnet to the host 192.168.0.2 directly through the nat 0 command statement. An access-group command statement is not present because the sysopt connection permit-pptp command statement allows all the PPTP traffic through the tunnel.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication aaa my-aaa-server-group
vpdn group 1 client configuration dns 10.2.2.99
vpdn group 1 client configuration wins 10.2.2.100
vpdn enable outside
access-list nonat permit ip host 192.168.0.2 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.99 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.100 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-pptp
In the next example, PPTP clients authenticate using MS-CHAP, negotiate MPPE encryption, receive the DNS and WINS server addresses, and can Telnet to the host 192.168.0.2 directly through the nat 0 command. The PPTP client authenticates using the firewall local username and password database you create with the vpdn username command. Users are authenticated again by the aaa command when they start a Telnet session. An access-group command statement is not present because the sysopt connection permit-pptp command statement allows all the PPTP traffic through the tunnel.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn username usrname1 password password1
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication local
vpdn group 1 client configuration dns 10.2.2.99
vpdn group 1 client configuration wins 10.2.2.100
vpdn enable outside
access-list nonat permit ip host 192.168.0.2 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.99 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.100 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-pptp
aaa authentication include telnet inbound 192.168.0.2 255.255.255.255 10.1.1.0 255.255.255.0
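The following Python audit script is an added example and is not part of the original command reference. It reads a firewall configuration fragment, collects the vpdn group settings described in the Syntax and Usage Guidelines above, and reports the conditions those sections warn about: a group with no client authentication (the "not recommended" first example), PAP carrying credentials in clear text, no MPPE, MPPE without required, MPPE combined with an authentication protocol other than MS-CHAP, an address pool that no ip local pool statement defines, vpdn enable on more than one interface, and the access-list bypass implied by sysopt connection permit-pptp. The two sample configurations are constructed from this page's own examples; the parse_vpdn and audit function names and the severity labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the page's first (unauthenticated, "not recommended") group.
WEAK_CONFIG = """\
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
"""

# Constructed sample: the page's last group (MS-CHAP, MPPE required, local users).
HARDENED_CONFIG = """\
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn username usrname1 password password1
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication local
vpdn enable outside
sysopt connection permit-pptp
"""

GROUP_RE = re.compile(r"^vpdn group (\S+) (.+)$")


def parse_vpdn(config):
    """Collect per-group vpdn settings plus the global statements the audit needs."""
    groups = defaultdict(dict)          # group name -> settings
    pools, enabled_ifs, sysopt_pptp = set(), [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip local pool "):
            pools.add(line.split()[3])
        elif line.startswith("vpdn enable "):
            enabled_ifs.append(line.split()[2])
        elif line == "sysopt connection permit-pptp":
            sysopt_pptp = True
        elif (m := GROUP_RE.match(line)):
            g, rest = groups[m.group(1)], m.group(2).split()
            if rest[:2] == ["accept", "dialin"]:
                g["protocol"] = rest[2]
            elif rest[:2] == ["ppp", "authentication"]:
                g["ppp_auth"] = rest[2].lower()          # PAP | CHAP | MSCHAP
            elif rest[:3] == ["ppp", "encryption", "mppe"]:
                g["mppe"] = rest[3]                       # 40 | 128 | auto
                g["mppe_required"] = "required" in rest[4:]
            elif rest[:4] == ["client", "configuration", "address", "local"]:
                g["pool"] = rest[4]
            elif rest[:2] == ["client", "authentication"]:
                g["client_auth"] = rest[2]                # aaa | local
    return {"groups": dict(groups), "pools": pools,
            "enabled": enabled_ifs, "sysopt_pptp": sysopt_pptp}


def audit(config):
    """Return (severity, message) findings for the vpdn configuration."""
    cfg, findings = parse_vpdn(config), []

    def add(sev, msg):
        findings.append((sev, msg))

    if len(cfg["enabled"]) > 1:
        add("high", "vpdn enable on more than one interface; only one interface is supported")
    if cfg["sysopt_pptp"]:
        add("info", "sysopt connection permit-pptp: PPTP traffic bypasses conduit/access-list checks")
    for name, g in cfg["groups"].items():
        p = f"vpdn group {name}: "
        if "client_auth" not in g:
            add("high", p + "no client authentication (aaa or local); any peer can dial in")
        auth = g.get("ppp_auth")
        if auth == "pap":
            add("high", p + "PAP passes the username and password in clear text")
        if "mppe" not in g:
            add("high", p + "no MPPE; PPP payload crosses the public network unencrypted")
        else:
            if auth != "mschap":
                add("high", p + "MPPE requires ppp authentication mschap")
            if not g["mppe_required"]:
                add("medium", p + "MPPE not marked required; a peer may negotiate no encryption")
            if g["mppe"] == "40":
                add("medium", p + "40-bit MPPE session keys are short; prefer 128 or auto")
        if "pool" not in g:
            add("medium", p + "no client address pool configured")
        elif g["pool"] not in cfg["pools"]:
            add("high", p + f"address pool {g['pool']} is not defined with ip local pool")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```

Run it against a saved copy of write terminal output; the weak sample produces two high findings (no client authentication, no MPPE), while the hardened sample produces only the informational note about sysopt connection permit-pptp, which is worth keeping visible because it removes the access-list checks that the earlier examples rely on.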