Manual Chapter : Creating a Secure VPN Tunnel with PPTP

Applies To:

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Creating a secure VPN tunnel with PPTP

The point-to-point tunneling protocol (PPTP) profile enables you to configure the BIG-IP® system to support a secure virtual private network (VPN) tunnel that forwards PPTP control and data connections. You can create a secure VPN tunnel by configuring a PPTP Profile, and then assigning the PPTP profile to a virtual server. The PPTP protocol is described in RFC 2637.

Important: You cannot use the PPTP profile together with any profile other than a TCP profile. The PPTP profile must be used separately and independently.

About the PPTP profile

The point-to-point tunneling protocol (PPTP) profile enables you to configure the BIG-IP® system to support a secure virtual private network (VPN) tunnel. A PPTP application layer gateway (ALG) forwards PPTP client (also known as PPTP Access Concentrator [PAC]) control and data connections through the BIG-IP system to PPTP servers (also known as PPTP Network Servers [PNSs]), while providing source address translation that allows multiple clients to share a single translation address.

The PPTP profile defines a Transmission Control Protocol (TCP) control connection and a data channel through a PPTP Generic Routing Encapsulation (GRE) tunnel, which manages the PPTP tunnels through CGNAT for NAT44 and DS-Lite, as well as all translation modes, including Network Address Port Translation (NAPT) or Deterministic modes.

PPTP control channels

The BIG-IP system proxies PPTP control channels as normal TCP connections. The PPTP profile translates outbound control messages, which contain Call Identification numbers (Call IDs) that match the port that is selected on the outbound side. Subsequently, for inbound control messages containing translated Call IDs, the BIG-IP system restores the original client Call ID. You can use a packet tracer to observe this translation on the subscriber side or on the Internet side. You can also use iRules® to evaluate and manage any headers in the PPTP control channel.

PPTP GRE data channels

The BIG-IP system manages the translation for PPTP GRE data channels in a manner similar to that of control channels. The BIG-IP system replaces the translated Call ID from the Key field of the GRE header with the inbound client's Call ID. You can use a packet tracer to observe this translation, as well.

Important: A PPTP ALG configuration requires a route to the PPTP client in order to return GRE traffic to the PPTP client. A route to the PPTP client is required because GRE traffic (in both directions) is forwarded based on standard IP routing, unlike TCP control connections, which are automatically routed because of the default auto-lasthop=enabled setting.
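The Call ID rewrite described for the GRE data channel, shown as an added example (not F5 code): it builds and decodes the enhanced GRE header of RFC 2637 (protocol type 0x880B, Key field holding payload length and Call ID) and rewrites only the 16-bit Call ID, as the ALG does when it restores the client's Call ID on inbound data. The call-id mapping and PPP payload bytes are constructed for the example.

```python
import struct

GRE_PPTP_PROTO = 0x880B  # protocol type for enhanced GRE carrying PPP (RFC 2637)
K_BIT, S_BIT, A_BIT, VERSION = 0x2000, 0x1000, 0x0080, 0x0001  # flag/version bits

def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Build an enhanced GRE packet: flags/version, protocol type, Key field
    (payload length + Call ID), then optional sequence and acknowledgment numbers."""
    flags = K_BIT | VERSION
    if seq is not None:
        flags |= S_BIT
    if ack is not None:
        flags |= A_BIT
    hdr = struct.pack("!HHHH", flags, GRE_PPTP_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload

def parse_pptp_gre(packet):
    """Decode the header; reject anything that is not enhanced GRE version 1 with a Key."""
    flags, proto, length, call_id = struct.unpack_from("!HHHH", packet, 0)
    if proto != GRE_PPTP_PROTO or not flags & K_BIT or (flags & 0x7) != VERSION:
        raise ValueError("not an RFC 2637 enhanced GRE packet")
    off, seq, ack = 8, None, None
    if flags & S_BIT:
        seq, off = struct.unpack_from("!I", packet, off)[0], off + 4
    if flags & A_BIT:
        ack, off = struct.unpack_from("!I", packet, off)[0], off + 4
    if len(packet) < off + length:
        raise ValueError("truncated payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": packet[off:off + length]}

def translate_call_id(packet, mapping):
    """Rewrite the Call ID in the GRE Key field the way the ALG does, using a constructed
    mapping of translated id -> client id (inbound) or client id -> translated id (outbound).
    Only the Call ID changes; length, sequence numbers and payload are left untouched."""
    parse_pptp_gre(packet)  # validate the header before rewriting it
    call_id = struct.unpack_from("!H", packet, 6)[0]
    return packet[:6] + struct.pack("!H", mapping[call_id]) + packet[8:]
```

With the page's log values, an inbound packet carrying the translated Call ID 32456 is restored to the client's Call ID 0 by `translate_call_id(pkt, {32456: 0})`.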

Log messages

The PPTP profile enables you to configure Log Settings, specifically the Publisher Name setting, which logs the name of the log publisher, and the Include Destination IP setting, which logs the host IP address of the PPTP server, for each call establishment, call failure, and call teardown.

Note: If a client, for example, a personal computer (PC) or mobile phone, attempts to create a second concurrent call, then an error message is logged and sent to the client.

PPTP profile log example

This topic includes examples of the elements that comprise a typical log entry.

Description of PPTP log messages

PPTP log messages include several elements of interest. The following examples describe typical log messages.

"Mar 1 18:46:11:PPTP CALL-REQUEST id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456"
"Mar 1 18:46:11:PPTP CALL-START id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456"
"Mar 1 18:46:11:PPTP CALL-END id;0 reason;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456"

Each information type, with its example value and description:
  • Timestamp (Mar 1 18:46:11): The time and date that the system logged the event message.
  • Transformation mode (PPTP): The logged transformation mode.
  • Command (CALL-REQUEST, CALL-START, CALL-END): The type of command that is logged.
  • Client Call ID (id;0): The client Call ID received from a subscriber.
  • Client IP address (from;10.10.10.1): The IP address of the client that initiated the connection.
  • Reason (reason;0): A code that gives the reason for terminating the connection. The following reason codes apply:
      0. The client requested termination (a normal termination).
      1. The server requested termination (a normal termination).
      2. The client disconnected unexpectedly; TCP shut down or reset the connection.
      3. The server disconnected unexpectedly; TCP shut down or reset the connection.
      4. The client timed out.
      5. The server timed out.
  • Server IP address (to;20.20.20.1): The IP address of the server that established the connection.
    Note: If Include Destination IP is set to Disabled, the Server IP address is logged as 0.0.0.0.
  • NAT (nat;30.30.30.1): The translated IP address.
  • Translated client Call ID (ext-id;32456): The translated client Call ID from the GRE header of the PPTP call.
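A parser for the log format above, added here as an example (not F5 code): it decodes each field, maps the CALL-END reason codes, groups events by the translated (nat, ext-id) pair that an observer on the Internet side would see, and flags abnormal teardowns and entries logged with 0.0.0.0 because Include Destination IP was disabled. The sample lines are constructed in the documented format, not captured from a real system.

```python
import re

# Constructed sample lines in the PPTP profile's log format (not captured from a real system).
SAMPLE_LOG = """\
Mar 1 18:46:11:PPTP CALL-REQUEST id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-START id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-END id;0 reason;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:47:02:PPTP CALL-START id;1 from;10.10.10.2 to;0.0.0.0 nat;30.30.30.1 ext-id;32457
Mar 1 18:52:40:PPTP CALL-END id;1 reason;4 from;10.10.10.2 to;0.0.0.0 nat;30.30.30.1 ext-id;32457
"""
# CALL-END reason codes as documented for the profile; 0 and 1 are normal teardowns.
REASON_CODES = {0: "client requested termination", 1: "server requested termination",
                2: "client disconnected unexpectedly", 3: "server disconnected unexpectedly",
                4: "client timed out", 5: "server timed out"}

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d):PPTP (?P<cmd>CALL-[A-Z]+)"
                     r"(?P<fields>(?: [\w-]+;[\w.]+)+)$")

def parse_line(line):
    """Return a dict for one PPTP log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = dict(field.split(";", 1) for field in m.group("fields").split())
    rec = {"timestamp": m.group("ts"), "command": m.group("cmd"), "client_call_id": int(f["id"]),
           "client_ip": f["from"], "server_ip": f["to"], "nat_ip": f["nat"], "ext_id": int(f["ext-id"])}
    if "reason" in f:  # present only on CALL-END
        rec["reason"] = int(f["reason"])
        rec["reason_text"] = REASON_CODES.get(rec["reason"], "unknown")
    return rec

def summarize(log_text):
    """Group events by translated (nat, ext-id) pair, the key an observer on the Internet
    side sees, and flag abnormal teardowns and entries logged without the server address."""
    calls, abnormal, no_dest = {}, [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        calls.setdefault((rec["nat_ip"], rec["ext_id"]), []).append(rec["command"])
        if rec["server_ip"] == "0.0.0.0":  # Include Destination IP was Disabled
            no_dest += 1
        if rec["command"] == "CALL-END" and rec["reason"] not in (0, 1):
            abnormal.append((rec["client_ip"], rec["client_call_id"], rec["reason_text"]))
    return {"calls": calls, "abnormal_ends": abnormal, "no_dest_ip": no_dest}
```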

Task summary

Creating an LSN pool

The CGNAT module must be enabled through the System > Resource Provisioning screen before you can create LSN pools.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools.
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  5. Click Finished.
Your LSN pool is now ready, and you can continue to configure your CGNAT.

Creating a PPTP profile

You can configure a point-to-point tunneling protocol (PPTP) profile on the BIG-IP® system to support a secure virtual private network (VPN) tunnel that forwards PPTP control and data connections, and logs related messages.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > PPTP.
    The PPTP screen opens and displays a list of available PPTP ALG profiles.
  2. Click Create.
  3. Type a name for the profile.
  4. From the Parent Profile list, select a parent profile.
  5. Select the Custom check box.
  6. From the Publisher Name list, select a log publisher for high-speed logging of messages.
    If None is selected, the BIG-IP system uses the default syslog.
  7. Optional: From the Include Destination IP list, select whether to include the PPTP server's IP address in log messages.
    Enabled: Includes the PPTP server's IP address in log messages for call establishment or call disconnect.
    Disabled (default): Logs 0.0.0.0 as the PPTP server's IP address in log messages for call establishment or call disconnect.
  8. Click Finished.
The PPTP profile displays in the ALG Profiles list on the PPTP screen.

Adding a static route to manage GRE traffic

Perform this task when you want to explicitly add a route for a destination client that is not on the directly-connected network. Depending on the settings you choose, the BIG-IP system can forward packets to a specified network device, or the system can drop packets altogether.

  1. On the Main tab, click Network > Routes.
  2. Click Add.
    The New Route screen opens.
  3. In the Name field, type a unique name for the route.
    This name can be any combination of alphanumeric characters, including an IP address.
  4. In the Description field, type a description for this route entry.
    This setting is optional.
  5. In the Destination field, type the destination IP address for the route.
  6. In the Netmask field, type the network mask for the destination IP address.
  7. From the Resource list, specify the method through which the system forwards packets:
    Use Gateway: Select this option when you want the next hop in the route to be a network IP address. This choice works well when the destination is a pool member on the same internal network as this gateway address.
    Use Pool: Select this option when you want the next hop in the route to be a pool of routers instead of a single next-hop router. If you select this option, verify that you have created a pool on the BIG-IP system, with the routers as pool members.
    Use VLAN/Tunnel: Select this option when you want the next hop in the route to be a VLAN or tunnel. This option works well when the destination address you specify in the routing entry is a network address. Selecting a VLAN/tunnel name as the resource implies that the specified network is directly connected to the BIG-IP system. In this case, the BIG-IP system can find the destination host simply by sending an ARP request to the hosts in the specified VLAN, thereby obtaining the destination host's MAC address.
    Reject: Select this option when you want the BIG-IP system to reject packets sent to the specified destination.
  8. In the MTU field, specify in bytes a maximum transmission unit (MTU) for this route.
  9. At the bottom of the screen, click Finished.
A static route is defined to manage GRE traffic to a client.

Creating a virtual server using a PPTP ALG profile

Be sure to disable both translate-address and translate-port before creating a PPTP virtual server.
Virtual servers are matched based on source (client) addresses. You define a virtual server that references the CGNAT profile and the LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers.
    The Virtual Servers screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Standard.
  5. For the Destination setting, in the Address field, type 0.0.0.0 to allow all traffic to be translated.
  6. In the Service Port field, type 1723 or select PPTP from the list.
  7. From the PPTP Profile list, select a PPTP ALG profile for the virtual server to use.
  8. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  9. For the LSN Pool setting, select the pool that this server will draw on for translation addresses.
  10. Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.