Applies To: BIG-IP LTM 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Creating a Secure VPN Tunnel with PPTP
Overview: Creating a secure VPN tunnel with PPTP
The Point-to-Point Tunneling Protocol (PPTP) profile configures the BIG-IP® system to forward the control and data connections of a PPTP virtual private network (VPN) tunnel. You enable this by creating a PPTP profile and then assigning it to a virtual server. PPTP is specified in RFC 2637: the control connection is a TCP connection to port 1723, and the data channel is an enhanced Generic Routing Encapsulation (GRE) tunnel (IP protocol 47). The BIG-IP system does not terminate the tunnel; it acts as an application layer gateway that forwards both channels while applying address translation, so the tunnel's confidentiality and authentication remain whatever the PPTP endpoints themselves negotiate.
About the PPTP profile
The point-to-point tunneling protocol (PPTP) profile enables you to configure the BIG-IP® system to support a secure virtual private network (VPN) tunnel. A PPTP application layer gateway (ALG) forwards PPTP client (also known as PPTP Access Concentrator [PAC]) control and data connections through the BIG-IP system to PPTP servers (also known as PPTP Network Servers [PNSs]), while providing source address translation that allows multiple clients to share a single translation address.
The PPTP profile handles both parts of a PPTP session: the Transmission Control Protocol (TCP) control connection and the data channel carried in a Generic Routing Encapsulation (GRE) tunnel. It manages these PPTP tunnels through CGNAT for NAT44 and DS-Lite, and supports all translation modes, including Network Address Port Translation (NAPT) and Deterministic modes.
PPTP control channels
The BIG-IP system proxies PPTP control channels as normal TCP connections. On outbound control messages, the PPTP profile translates the client's Call Identification number (Call ID) to a value that matches the port selected on the outbound (translation) side; on inbound control messages that carry the translated Call ID, the system restores the original client Call ID. You can use a packet tracer to observe this translation on either the subscriber side or the Internet side. You can also use iRules® to evaluate and manage headers in the PPTP control channel.
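The following is an added illustration of the Call ID translation described above, written for this page; it is not BIG-IP code and does not claim to reproduce how the PPTP profile is implemented. It models one translation address shared by several clients: the client's Call ID in an Outgoing-Call-Request is rewritten to an external value that is unique on that address, the Peer's Call ID in the server's Outgoing-Call-Reply is restored, and the Call ID in the GRE header of server-to-client data packets (which names the client's call) is mapped back to the right client. Message layouts follow RFC 2637 (control messages in section 2, the enhanced GRE header in section 4). Two simplifications are assumptions of this model, not facts about the product: external Call IDs are drawn from a pool starting at 32456 (the value in the page's log example) rather than tied to the selected NAPT port, and data packets with an unknown Call ID are dropped.

```python
"""Model of PPTP Call-ID translation through one shared translation address.

Constructed illustration of the mechanism described above, not BIG-IP code.
Layouts follow RFC 2637: 12-byte control header, Outgoing-Call-Request and
Outgoing-Call-Reply bodies, and the enhanced GRE header.
"""
import struct

PPTP_MAGIC = 0x1A2B3C4D
CTRL_MESSAGE = 1
OUT_CALL_REQUEST = 7
OUT_CALL_REPLY = 8
GRE_PROTO_PPP = 0x880B
GRE_KEY_PRESENT = 0x20  # K bit in the first GRE flags byte
GRE_SEQ_PRESENT = 0x10  # S bit in the first GRE flags byte


def control_type(pkt):
    """Validate the 12-byte PPTP control header and return the message type."""
    length, mtype, magic, ctype = struct.unpack_from("!HHIH", pkt, 0)
    if mtype != CTRL_MESSAGE or magic != PPTP_MAGIC or length != len(pkt):
        raise ValueError("not a well-formed PPTP control message")
    return ctype


def build_out_call_request(call_id, serial=1):
    """Outgoing-Call-Request: 12-byte header + 156-byte body = 168 bytes."""
    body = struct.pack("!HHIIIIHHHH64s64s", call_id, serial, 300, 100_000_000,
                       3, 3, 64, 0, 0, 0, b"", b"")
    return struct.pack("!HHIHH", 12 + len(body), CTRL_MESSAGE, PPTP_MAGIC,
                       OUT_CALL_REQUEST, 0) + body


def build_out_call_reply(server_call_id, peer_call_id):
    """Outgoing-Call-Reply (32 bytes): server's Call ID, then Peer's Call ID."""
    body = struct.pack("!HHBBHIHHI", server_call_id, peer_call_id, 1, 0, 0,
                       100_000_000, 64, 0, 0)
    return struct.pack("!HHIHH", 12 + len(body), CTRL_MESSAGE, PPTP_MAGIC,
                       OUT_CALL_REPLY, 0) + body


def build_gre(call_id, payload, seq=0):
    """Enhanced GRE header: flags (K|S), version 1, protocol 0x880B, payload
    length, Call ID of the receiving side, sequence number; then the PPP frame."""
    return struct.pack("!BBHHHI", GRE_KEY_PRESENT | GRE_SEQ_PRESENT, 0x01,
                       GRE_PROTO_PPP, len(payload), call_id, seq) + payload


class PptpAlg:
    """Many clients behind one translation address. Each outbound call gets an
    external Call ID unique on that address (pool start is a constructed choice),
    and inbound references to it are mapped back to the owning client."""

    def __init__(self, nat_addr, first_ext=32456):
        self.nat_addr = nat_addr
        self._pool = iter(range(first_ext, 65536))
        self.by_ext = {}     # ext_id -> (client_addr, client_call_id)
        self.by_client = {}  # (client_addr, client_call_id) -> ext_id

    def outbound_control(self, client_addr, pkt):
        """Client -> server: rewrite Call ID (offset 12) in an Outgoing-Call-Request."""
        if control_type(pkt) != OUT_CALL_REQUEST:
            return pkt
        (call_id,) = struct.unpack_from("!H", pkt, 12)
        key = (client_addr, call_id)
        ext = self.by_client.get(key)
        if ext is None:
            ext = next(self._pool)
            self.by_client[key] = ext
            self.by_ext[ext] = key
        return pkt[:12] + struct.pack("!H", ext) + pkt[14:]

    def inbound_control(self, pkt):
        """Server -> client: Peer's Call ID (offset 14) in an Outgoing-Call-Reply
        is our translated value; restore the original and return the client."""
        if control_type(pkt) != OUT_CALL_REPLY:
            return None, pkt
        (peer_id,) = struct.unpack_from("!H", pkt, 14)
        client_addr, orig = self.by_ext[peer_id]
        return client_addr, pkt[:14] + struct.pack("!H", orig) + pkt[16:]

    def inbound_gre(self, pkt):
        """Server -> client data: the GRE Call ID (bytes 6-7) names the client's
        call, so it carries the translated value and must be restored.
        An unknown Call ID is dropped (returns (None, None)) rather than guessed."""
        flags, ver, proto, _plen, call_id = struct.unpack_from("!BBHHH", pkt, 0)
        if proto != GRE_PROTO_PPP or not (flags & GRE_KEY_PRESENT) or (ver & 0x07) != 1:
            raise ValueError("not a PPTP enhanced GRE packet")
        if call_id not in self.by_ext:
            return None, None
        client_addr, orig = self.by_ext[call_id]
        return client_addr, pkt[:6] + struct.pack("!H", orig) + pkt[8:]


def demo():
    """Two clients that both use Call ID 0 share the translation address."""
    alg = PptpAlg("30.30.30.1")
    ext = {}
    for client in ("10.10.10.1", "10.10.10.2"):
        out = alg.outbound_control(client, build_out_call_request(call_id=0))
        ext[client] = struct.unpack_from("!H", out, 12)[0]
    # The server answers client 2's call; its reply names our external id.
    who, reply = alg.inbound_control(build_out_call_reply(7, ext["10.10.10.2"]))
    who_gre, gre = alg.inbound_gre(build_gre(ext["10.10.10.2"], b"\xff\x03\xc0\x21"))
    return {
        "ext_ids": ext,
        "reply_to": who,
        "restored_peer_id": struct.unpack_from("!H", reply, 14)[0],
        "gre_to": who_gre,
        "restored_gre_id": struct.unpack_from("!H", gre, 6)[0],
    }
```

Running demo() shows why the ext-id must be unique per translation address: both clients present Call ID 0, and only the external value lets the server's reply and its GRE data be delivered to the correct subscriber. The page's log field ext-id is the value this model stores in by_ext.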
PPTP GRE data channels
Log messages
The PPTP profile's Log Settings include the Publisher Name setting, which selects the log publisher that receives the messages, and the Include Destination IP setting, which adds the host IP address of the PPTP server to each logged call establishment, call failure, and call teardown.
PPTP profile log example
This topic includes examples of the elements that comprise a typical log entry.
Description of PPTP log messages
PPTP log messages include several elements of interest. The following examples describe typical log messages.
Mar 1 18:46:11:PPTP CALL-REQUEST id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-START id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-END id;0 reason;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Information Type | Example Value | Description |
---|---|---|
Timestamp | Mar 1 18:46:11 | The time and date that the system logged the event message. |
Transformation mode | PPTP | The logged transformation mode. |
Command | CALL-REQUEST, CALL-START, CALL-END | The type of command that is logged. |
Client Call ID | id;0 | The client Call ID received from a subscriber. |
Client IP address | from;10.10.10.1 | The IP address of the client that initiated the connection. |
Reason | reason;0 | A code that identifies the reason for terminating the connection (logged with CALL-END). The following reason codes apply: |
Server IP address | to;20.20.20.1 | The IP address of the server that established the connection. Note: If Include Destination IP is set to Disabled, the Server IP address is logged as 0.0.0.0. |
NAT | nat;30.30.30.1 | The translated IP address. |
Translated client Call ID | ext-id;32456 | The translated client Call ID from the GRE header of the PPTP call. |
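As an added example that is not part of the original page or of BIG-IP, the following parser reads log lines in the format shown above and correlates them into calls. Because two subscribers can both present client Call ID 0, the call key is the (from, id, nat, ext-id) tuple rather than the Call ID alone. It also reports calls that were torn down without ever reaching CALL-START (a call failure) and notes when the server address was logged as 0.0.0.0 because Include Destination IP was disabled. The log lines in SAMPLE_LOG are constructed for this example; the non-zero reason value in one of them is likewise constructed and is reported without interpretation.

```python
"""Parse PPTP profile log lines and correlate each call's lifecycle.

Constructed example, not part of the original page or of BIG-IP: the regex
follows the field layout of the example entries above, and SAMPLE_LOG holds
constructed lines that exercise the cases handled below.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):PPTP "
    r"(?P<cmd>CALL-REQUEST|CALL-START|CALL-END)(?P<fields>( \S+;\S+)+)$"
)
INT_FIELDS = ("id", "ext-id", "reason")

# Constructed sample: a normal call from 10.10.10.1; a second client behind the
# same translation address whose call is torn down (reason value constructed)
# without a CALL-START and with destination logging disabled; one unrelated line.
SAMPLE_LOG = """\
Mar 1 18:46:11:PPTP CALL-REQUEST id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-START id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:12:PPTP CALL-REQUEST id;0 from;10.10.10.2 to;0.0.0.0 nat;30.30.30.1 ext-id;32457
Mar 1 18:46:15:PPTP CALL-END id;0 reason;3 from;10.10.10.2 to;0.0.0.0 nat;30.30.30.1 ext-id;32457
Mar 1 18:46:16:notice tmm[1234]: unrelated message
Mar 1 18:47:02:PPTP CALL-END id;0 reason;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a PPTP entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "command": m.group("cmd")}
    for token in m.group("fields").split():
        key, _, value = token.partition(";")
        rec[key] = int(value) if key in INT_FIELDS else value
    return rec


def correlate(lines):
    """Group entries into calls. The client Call ID alone is not unique (two
    clients can both use id 0), so the key is (from, id, nat, ext-id)."""
    calls = {}
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        key = (rec["from"], rec["id"], rec["nat"], rec["ext-id"])
        call = calls.setdefault(key, {
            "client": rec["from"], "server": rec["to"], "nat": rec["nat"],
            "ext_id": rec["ext-id"], "events": [], "reason": None,
            # 0.0.0.0 means Include Destination IP was Disabled, not a real server.
            "dest_logged": rec["to"] != "0.0.0.0",
        })
        call["events"].append((rec["timestamp"], rec["command"]))
        if rec["command"] == "CALL-END":
            call["reason"] = rec.get("reason")
    return calls, skipped


def failed_calls(calls):
    """Calls torn down without ever reaching CALL-START (a call failure)."""
    return [c for c in calls.values()
            if any(cmd == "CALL-END" for _, cmd in c["events"])
            and not any(cmd == "CALL-START" for _, cmd in c["events"])]


def sample_report():
    """Run the pipeline over the constructed sample and return the findings."""
    calls, skipped = correlate(SAMPLE_LOG.splitlines())
    return {"calls": calls, "skipped": skipped, "failed": failed_calls(calls)}
```

When Include Destination IP is disabled the "to" field carries no information, so dest_logged is worth surfacing: an operator who wants to tie a failed call to a specific PPTP server will need that setting enabled before the logs can answer the question.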
Task summary
Creating an LSN pool
Creating a PPTP profile
Adding a static route to manage GRE traffic
Perform this task when you want to explicitly add a route for a destination client that is not on a directly connected network. Depending on the settings you choose, the BIG-IP system either forwards packets to a specified network device or drops them altogether.