Configuring Point-to-Point Tunneling Protocol - Overview

Configuring Point-to-Point Tunneling Protocol

Point-to-Point Tunneling Protocol (PPTP), defined in RFC 2637, is another common protocol used for establishing VPNs. The main difference between IPsec and PPTP is that while IPsec is focused on tunneling IP traffic, PPTP works at Layer 2 and has the ability to tunnel any Layer 3 traffic, including non-IP protocols. Although PPTP is usually associated with Microsoft (the Windows OS has included PPTP client and server functionality since NT 4.0), it was actually designed by the PPTP Forum, which includes Microsoft Corporation, Ascend Communications, 3Com/Primary Access, ECI Telematics, and US Robotics.


Configuring Virtual Private Networking • Chapter 7 373

Overview

PPTP is much simpler than IPsec in its structure (see Figure 7.9). Each tunnel includes the following elements:

• The client

• A network access server (for example, an ISP's dialup server)

• The gateway or PPTP server

When a connection is being established, the following happens:

1. A client connects to the public network (establishes a dialup connection with an ISP, for example). If a connection already exists, this step is optional.

2. A PPTP control connection (a connection from the client to TCP port 1723 on the server) is established. This connection is known as the PPTP tunnel.

3. A Generic Routing Encapsulation (GRE) tunnel is established over IP protocol 47 and is known as the PPTP data tunnel.

4. All Layer 3 protocols are encapsulated by the client into PPP packets first and then transmitted through the GRE tunnel. This traffic is decapsulated twice (from GRE and from PPP) on the other side by the gateway and then forwarded to the private network.

www.syngress.com

Figure 7.9 Point-to-Point Tunneling Protocol Functionality [figure not reproduced; its labels are: VPN client, modem, phone line, ISP access server (NAS), Internet, gateway (PPTP server), destination server]


NOTE

When using PPTP, be sure to check that no network devices between the client and the gateway (for example, ISP routers) filter IP protocol 47 (GRE) or TCP connections to port 1723 on the gateway (the PIX firewall in our case).

The PIX firewall supports inbound PPTP. It can act as a server but not as a client. Another restriction is that only one of its interfaces can have PPTP processing enabled.

As PPTP is PPP encapsulated into GRE, it uses all PPP authentication and encryption features. Authentication here means client authentication only (using PAP, CHAP, or MS-CHAP), as opposed to IPsec packet authentication. Unfortunately, PPTP allows packet spoofing and insertion by third parties, but this threat can be reduced to a certain degree by using encryption. Authentication can be performed by the PIX firewall using either its internal database or external AAA servers (RADIUS or TACACS+).

Encryption is negotiated using the PPP Compression Control Protocol (CCP). One of the possible options in this protocol is the encryption bit. When it is turned on, the tunneled PPP connection uses RC4 encryption with 40-bit or 128-bit keys, which are part of the Microsoft Point-to-Point Encryption (MPPE) extensions. As with DES, longer keys are recommended, especially since RC4 is even weaker than DES. Compression itself is not supported in PIX version 6.2. When MPPE is used, the external AAA server used for authentication must be RADIUS, and it should be able to return an MSCHAP_MPPE_KEY attribute to the PIX firewall in the RADIUS Authentication Accept packet. This Microsoft-specific RADIUS attribute is described (among others) in RFC 2548.
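The data-tunnel encapsulation from steps 2 through 4 above (PPP inside GRE, protocol type 0x880B) and the MPPE encryption described in this section can both be checked on the wire. The following Python is an added example, not code from the book, Cisco or Microsoft: it parses the RFC 2637 enhanced GRE header, extracts the PPP protocol it carries, reads the per-packet MPPE "encrypted" flag (bit 0x1000 of the MPPE header as defined in RFC 3078, a different thing from the CCP negotiation bit the text mentions), and flags tunnels that carry IP in the clear. The sample packets, call IDs and the handling of an optional HDLC ff 03 prefix are assumptions for the example.

```python
import struct
# PPP protocol numbers that appear inside a PPTP data tunnel (standard PPP assignments)
PPP_PROTOCOLS = {0x0021: "IP", 0x00FD: "MPPE", 0x8021: "IPCP", 0x80FD: "CCP",
                 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}
GRE_PPTP_PROTO = 0x880B  # GRE protocol type that marks PPTP data (RFC 2637)


def parse_pptp_gre(packet: bytes) -> dict:
    """Parse an RFC 2637 enhanced GRE header and identify the PPP frame it carries."""
    if len(packet) < 8:
        raise ValueError("too short for an enhanced GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != GRE_PPTP_PROTO or not flags & 0x2000 or (flags & 0x0007) != 1:
        raise ValueError("not PPTP: need K bit, version 1 and protocol type 0x880B")
    info, off = {"call_id": call_id, "seq": None, "ack": None}, 8
    if flags & 0x1000:  # S bit: 32-bit sequence number follows
        info["seq"], off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    if flags & 0x0080:  # A bit: 32-bit acknowledgment number follows
        info["ack"], off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    ppp = packet[off:off + payload_len]
    if ppp[:2] == b"\xff\x03":  # HDLC address/control bytes, sent by some clients
        ppp = ppp[2:]
    if ppp and ppp[0] & 1:  # PPP protocol-field compression: single odd byte
        ppp_proto, ppp = ppp[0], ppp[1:]
    else:
        ppp_proto, ppp = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    info["ppp_protocol"] = PPP_PROTOCOLS.get(ppp_proto, f"0x{ppp_proto:04x}")
    # MPPE header (RFC 3078): bit D (0x1000) marks the PPP payload as encrypted
    info["encrypted"] = ppp_proto == 0x00FD and bool(struct.unpack("!H", ppp[:2])[0] & 0x1000)
    return info


def plaintext_ip_over_pptp(packets) -> list:
    """Return call IDs of data-tunnel packets that carry IP without MPPE."""
    flagged = []
    for pkt in packets:
        try:
            info = parse_pptp_gre(pkt)
        except (ValueError, struct.error):
            continue  # not a PPTP data packet (or truncated); skip it
        if info["ppp_protocol"] == "IP":
            flagged.append(info["call_id"])
    return flagged


# Constructed sample packets (not captured traffic); call IDs 7 and 9 are arbitrary
IP_HDR = bytes.fromhex("45000014000100004001")  # start of an IPv4 header
PLAIN = (bytes.fromhex("3001880b") + struct.pack("!HHI", 4 + len(IP_HDR), 7, 1)  # K+S, ver 1
         + b"\xff\x03\x00\x21" + IP_HDR)
ENC = bytes.fromhex("3081880b") + struct.pack("!HHII", 8, 9, 2, 1) + b"\xff\x03\x00\xfd\x90\x01\xaa\xbb"  # K+S+A
```

Run over a capture of protocol 47 traffic, plaintext_ip_over_pptp() lists the call IDs whose tunnels never negotiated MPPE, which is the condition under which the spoofing and insertion problem noted above applies in full.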

NOTE

MPPE can be used only if MS-CHAP authentication is supported, because MPPE needs an initial key to be generated during the authentication process, and this is possible only with MS-CHAP.

The PIX uses another PPP subprotocol, IP Control Protocol (IPCP), to assign an internal IP address from the specified PPTP pool to the client. The PIX firewall only supports 255 concurrent PPTP client connections.