Setting up a user for PPTP
5.4.2 Configuring PPTP on an Ascend MAX 4004
On the Ascend MAX 4000 line, PPTP was first released on the firmware revision 4.6Bi12. The typical Ascend MAX 4004 configuration supports four T1 or PRI lines and 48 digital modems. Unlike the U.S. Robotics switch, the only way to specify PPTP servers is on a per- line basis, where each line is a WAN interface. On a MAX 1800, these will be BRI ISDN lines, while on a MAX 4004, theyll be T1 or PRI lines. This can be a serious limitation for ISPs that want to provide PPTP services to clients from various companies, all of whom will have different RAS servers. We expect Ascend to change this in the future to support these ISPs. For a company providing dial-up services to a single NT domain, however, this should pose no problem. Note that the MAX forwards all authentication on a PPTP-configured line to the RAS server, so a PPTP user wont have to be entered in a configuration profile or RADIUS profile on a MAX. Here are the steps for configuring PPTP on the Ascend MAX 4004: 1. From the main Edit menu, select Ethernet Mod Config PPTP options. 2. Under the PPTP options menu, turn PPTP on by changing the PPTP Enable option to Yes with the Enter key. Enter a PPTP host for at least one of the Route line parameters. If you only want a certain line to handle PPTP calls, just enter an IP address for that line. The other lines, left as the default of 0.0.0.0, will handle calls normally. However, if you enable PPTP and leave all lines at 0.0.0.0, the MAX will treat all calls as PPTP calls and the MAX will no longer accept any incoming calls—it will stop routing and be functionally disabled. For our example, all four of our PRI lines will use the same PPTP host of 1.1.1.60 see Figure 5-11 . Figure 5-11. The PPTP line configuration screen on an Ascend MAX 4004 3. Press the Escape key and select to accept the changes and exit in order to save the new PPTP information to the MAXs nonvolatile RAM.5.5 Making the Calls
When calling into an ISP that supports PPTP, all of the VPN work is done for you by the ISP on their remote access switch. You just have to configure your client as if youre dialing directly into your RAS server; the ISPs switch will pass all the authentication information to that RAS server. 84 When dialing into an ISP that doesnt support PPTP, youll need to initiate a PPP call to the ISP using the Dial-Up Networking dialog box. Once the call has been connected, leave your PPP session up, select the PPTP entry you made in our case, its called Central Office VPN, and click the Dial button. This will initiate the PPTP call to the corporate RAS server over your PPP Internet connection.5.6 Troubleshooting Problems
What do you do if your system doesnt connect? Is the trouble with your remote users ISP, the Central Offices ISP, with the Internet itself, or with the configuration on the RAS client or server? Because of all the factors involved, problems with VPN connections are some of the most difficult to track down.5.6.1 Login problems
For dial-up RAS users, the most common problem in getting connected is working with the modem. In that case, all troubleshooting can be done on the client side. Authentication problems bad usernames or passwords, or incorrect authentication type follow shortly thereafter, and often require that someone look through the logs or watch the connection attempt at the destination RAS server. Windows NTs Event Viewer and Dial-Up Networking Monitor help you isolate such login problems.5.6.1.1 The Event Viewer
The Event Viewer is the common logging system on all Windows NT machines. It can be found from the Start menu under Programs Administrative Tools. Lets say that Sara N. is having trouble dialing in—she seems to be having negotiation problems and isnt sure why. When you bring up the Event Viewer, look at the Source column for any RemoteAccess messages that occurred at the approximate time she was attempting to dial in. In the left-hand column, there are icons that distinguish informational messages an i encircled in blue, from warning messages an exclamation mark encircled in yellow, and from error messages a red STOP sign. You see a red STOP sign with the Source of RemoteAccess at the time Sara N. was attempting to dial in. Double-clicking on it will reveal the full error message see Figure 5-12 . The error appears to stem from a DHCP negotiation problem. The next logical step would be to make sure Sara N. is set up to obtain an IP address using DHCP, and to ensure that your DHCP server is configured correctly.Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more