I wanted the ability to access resources such as my LAN POP3, SMTP and files from another location.
I was getting tired of setting up SSH port forwards and thought about using VPN, given I have both a Linux server and a Cisco router that both can easily fulfill the function, I decided to see what the Cisco would be like to setup for PPTP VPN.
I was expecting to have to use a Radius server for authentication, but found that the local usernames on the router are good.
IP ranges on a VPN don’t need to be different, it can work with the same IP range, however traffic for that specific IP must be explicitly routed to the router, else it won’t work – it’ll attempt to find the host via Broadcast address.
Rather than doing that, I have a second LAN subnet used primarily for the ADSL modem’s web interface, this works fine – so I used that.
Unless you really are using a radius server, I wouldn’t bother with ‘aaa new-model’ as suggested elsewhere.
Commands to setup a Cisco 871W for PPTP VPN:
! Default PPTP VPDN group
username (username) password 0 (password)
ip unnumbered BVI1
ip nat inside
peer default ip address pool vpn
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
I use BVI1 as this is a bridge between my wireless LAN and wired LAN.
I created a pool of IP addresses specifically for VPN:
ip local pool vpn 192.168.1.5 192.168.1.10
Then I added that IP range to the access-list (well it was already there, but you need it for accessing the extenal connection)
access-list 1 permit 192.168.1.0 0.0.0.255
You can then connect to it (using Windows or Ubuntu PPTP VPN).
sh users gives:
Interface User Mode Idle Peer Address
Vi5 (username) PPPoVPDN 00:04:40 192.168.1.5
You can of course apply access lists to limit the access of users.
When setting up the VPN client, I first always, unselect the box that states to use the default gateway on the remote network.
After all, we don’t want to use the remote network for all traffic – just the traffic that matters to that network.
This creates a problem though, since we aren’t using the default gateway on the remote network, our traffic for the IPs in the LAN range i.e. 192.168.0.1 (and not the VPN IP Range – i.e. 192.168.1.1) would be sent to the default gateway of the PPTP Client.
To fix that, you need to add a static route on the machine you are connecting from (the PPTP client).
route add 192.168.0.0 mask 255.255.255.0 192.168.1.5
.. will give routing to the 192.168.0.1 IP via the VPN 192.168.1.5
Ubuntu is far more friendly, allowing you to create routes in the connection definition to save having to do it at each time to the VPN connection is lost. This is in VPN connection properties under IPv4 Settings, then click Routes.
Specify Address, Netmask, and Gateway.
Obviously, you cannot have both networks in the same LAN IP range and be successful at routing across both networks.