[c-nsp] Cisco pptp server
Pavel Dimow
paveldimow at gmail.com
Sun Feb 28 02:27:27 EST 2016
Hi Arie,
no, that's not the case since I use local policy routing to force traffic
to go via correct provider and I can confirm that this works. Let me try to
be more precise.
My PPTP server has to uplinks, Gi1/1 with ISP 1 and ip address 1.1.1.1 and
Gi2/2 with ISP2 and ip address 2.2.2.2. It has a default route to ISP1 and
default route with higher metric to ISP2. I do have a correct local policy
routing to force all traffic generated by router with source 1.1.1.1 to
ISP1 next-hop and with source 2.2.2.2 to ISP2 next-hop.
My PPTP server has a local ip pool and it will assign a PPTP client an
address 3.3.3.3.
My PPTP client has public ip address from his ISP let't it be 9.9.9.9.
My PPTP client will successfully establish PPTP session when he use 1.1.1.1
as the address of PPTP server and everything works.
My PPTP client will successfully establish PPTP session when he use 2.2.2.2
as the address of PPTP server but it can't do anything (he can ping and
address on the PPTP server itself but it can't ping anything behind, and
from the PPTP server I can ping PPTP client). To be more precise, the
traffic from client will reach destination, and destination will reply and
that packet will reach the PPTP server but it will not forward traffic to
the client. When I add the static route on PPTP server to 9.9.9.9/32 and
next-hop to be 2.2.2.2 (ISP2) it will start working.
To me it looks like a bug or this is not a valid setup what I am trying to
do but I could not find anyone with similar problem.
On Sat, Feb 27, 2016 at 5:58 AM, Arie Vayner <ariev at vayner.net> wrote:
> What most likely happens is that ISP1 is using uRPF on their side, so when
> you source traffic to the Internet with the source IP of ISP2's assignment
> through ISP1's interface, they drop your upstream traffic.
> (I am not 100% sure which direction you meant as receive and trasmit...
> From the point of view of the router or the vpn user, but what I described
> would cause traffic from the user to reach the router, but return traffic
> would fail...)
>
> Arie
>
> On Fri, Feb 26, 2016 at 8:32 AM Matthew Huff <mhuff at ox.com> wrote:
>
>> First,
>>
>> Why are you using PPTP and not either SSL VPN or IPSEC VPN? PPTP using
>> ancient crypto and has been severely deprecated. Policy routing also has a
>> lot of issues, including punting from CEF into CPU routing. Avoid it if you
>> can. If you have higher metrics, why do you need it?
>>
>>
>>
>> ----
>> Matthew Huff | 1 Manhattanville Rd
>> Director of Operations | Purchase, NY 10577
>> OTA Management LLC | Phone: 914-460-4039
>> aim: matthewbhuff | Fax: 914-694-5669
>>
>>
>> > -----Original Message-----
>> > From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>> > Pavel Dimow
>> > Sent: Friday, February 26, 2016 11:02 AM
>> > To: cisco-nsp at puck.nether.net
>> > Subject: Re: [c-nsp] Cisco pptp server
>> >
>> > Anyone? :)
>> >
>> > On Thu, Feb 25, 2016 at 11:32 PM, Pavel Dimow <paveldimow at gmail.com>
>> > wrote:
>> >
>> > > Hi,
>> > >
>> > > I have a very strange problem (well at least to me).
>> > >
>> > > I have a cisco 1921 which serves as PPTP server. On server I have two
>> > > different ISP's connections, ISP1 and ISP2. I have a default route to
>> > > ISP1 and default route to ISP2 with tracking and higher metric. I have
>> > > configured local policy routing so I always send PPTP packets to the
>> > > correct ISP.
>> > >
>> > > Now when I connect from client to PPTP server and in server address I
>> > > enter the ip address of interface where ISP1 is terminated everything
>> > > works. But when I connect from client to PPTP server and in server
>> > > address I enter the ip address of interface where ISP2 is terminated
>> > > the session is established but I can't do anything as I see only my
>> > > outgoing traffic and no incoming traffic via PPTP tunnel. The funny
>> > > part is that, when I enter the static route on PPTP server (the public
>> > > ip address of PPTP client) everything works. Is this normal
>> > behaviour?
>> > >
>> > > If anyone can shed a light on this I would be very grateful ;)
>> > >
>> > >
>> > >
>> > >
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
More information about the cisco-nsp
mailing list