[c-nsp] Cisco pptp server

Arie Vayner ariev at vayner.net
Sun Feb 28 11:26:31 EST 2016


Pavel,

I am still not convinced...
Can you please share your config and maybe a sniffer trace on the client?

Tnx, Arie

On Sat, Feb 27, 2016, 23:27 Pavel Dimow <paveldimow at gmail.com> wrote:

> Hi Arie,
>
> no, that's not the case since I use local policy routing to force traffic
> to go via the correct provider and I can confirm that this works. Let me try
> to be more precise.
>
> My PPTP server has two uplinks, Gi1/1 with ISP1 and ip address 1.1.1.1 and
> Gi2/2 with ISP2 and ip address 2.2.2.2. It has a default route to ISP1 and
> a default route with higher metric to ISP2. I do have correct local policy
> routing to force all traffic generated by the router with source 1.1.1.1 to
> the ISP1 next-hop and with source 2.2.2.2 to the ISP2 next-hop.
>
> My PPTP server has a local ip pool and it will assign a PPTP client an
> address 3.3.3.3.
>
> My PPTP client has a public ip address from his ISP, let's say it is 9.9.9.9.
>
> My PPTP client will successfully establish a PPTP session when he uses
> 1.1.1.1 as the address of the PPTP server and everything works.
>
> My PPTP client will successfully establish a PPTP session when he uses
> 2.2.2.2 as the address of the PPTP server but it can't do anything (he can
> ping an address on the PPTP server itself but it can't ping anything behind,
> and from the PPTP server I can ping the PPTP client). To be more precise, the
> traffic from the client will reach the destination, and the destination will
> reply and that packet will reach the PPTP server but it will not forward the
> traffic to the client. When I add a static route on the PPTP server to
> 9.9.9.9/32 with next-hop 2.2.2.2 (ISP2) it will start working.
>
> To me it looks like a bug or this is not a valid setup that I am trying
> to do, but I could not find anyone with a similar problem.
>
>
>
>
> On Sat, Feb 27, 2016 at 5:58 AM, Arie Vayner <ariev at vayner.net> wrote:
>
>> What most likely happens is that ISP1 is using uRPF on their side, so
>> when you source traffic to the Internet with the source IP of ISP2's
>> assignment through ISP1's interface, they drop your upstream traffic.
>> (I am not 100% sure which direction you meant as receive and transmit...
>> From the point of view of the router or the VPN user, but what I described
>> would cause traffic from the user to reach the router, but return traffic
>> would fail...)
>>
>> Arie
>>
>> On Fri, Feb 26, 2016 at 8:32 AM Matthew Huff <mhuff at ox.com> wrote:
>>
>>> First,
>>>
>>> Why are you using PPTP and not either SSL VPN or IPsec VPN? PPTP uses
>>> ancient crypto and has been severely deprecated. Policy routing also has a
>>> lot of issues, including punting from CEF into CPU routing. Avoid it if you
>>> can. If you have higher metrics, why do you need it?
>>>
>>>
>>>
>>> ----
>>> Matthew Huff             | 1 Manhattanville Rd
>>> Director of Operations   | Purchase, NY 10577
>>> OTA Management LLC       | Phone: 914-460-4039
>>> aim: matthewbhuff        | Fax:   914-694-5669
>>>
>>>
>>> > -----Original Message-----
>>> > From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>>> > Pavel Dimow
>>> > Sent: Friday, February 26, 2016 11:02 AM
>>> > To: cisco-nsp at puck.nether.net
>>> > Subject: Re: [c-nsp] Cisco pptp server
>>> >
>>> > Anyone? :)
>>> >
>>> > On Thu, Feb 25, 2016 at 11:32 PM, Pavel Dimow <paveldimow at gmail.com>
>>> > wrote:
>>> >
>>> > > Hi,
>>> > >
>>> > > I have a very strange problem (well, at least to me).
>>> > >
>>> > > I have a Cisco 1921 which serves as a PPTP server. On the server I have
>>> > > two different ISP connections, ISP1 and ISP2. I have a default route to
>>> > > ISP1 and a default route to ISP2 with tracking and a higher metric. I
>>> > > have configured local policy routing so I always send PPTP packets to
>>> > > the correct ISP.
>>> > >
>>> > > Now when I connect from the client to the PPTP server and as server
>>> > > address I enter the ip address of the interface where ISP1 is
>>> > > terminated, everything works. But when I connect from the client to the
>>> > > PPTP server and as server address I enter the ip address of the
>>> > > interface where ISP2 is terminated, the session is established but I
>>> > > can't do anything, as I see only my outgoing traffic and no incoming
>>> > > traffic via the PPTP tunnel. The funny part is that, when I enter a
>>> > > static route on the PPTP server (to the public ip address of the PPTP
>>> > > client), everything works. Is this normal behaviour?
>>> > >
>>> > > If anyone can shed some light on this I would be very grateful ;)
>>> > >
>>> > _______________________________________________
>>> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>
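As an added example (not any participant's configuration, and not a fix for the problem in the thread), this is how the local policy routing Pavel describes, router-originated packets sourced from 1.1.1.1 pinned to ISP1's next hop and from 2.2.2.2 to ISP2's, is typically expressed in Cisco IOS. The server addresses 1.1.1.1 and 2.2.2.2 are the thread's placeholders; the next-hop addresses 1.1.1.254 and 2.2.2.254, the ACL names and the route-map name are assumptions.

```cisco
! Constructed example, not from the thread. ISP next hops are assumed.
! PPTP control traffic is TCP/1723 and the tunnel is GRE (IP protocol 47);
! both are router-originated when the 1921 is the server, so they are
! subject to "ip local policy", not to an interface-level policy.
ip access-list extended SRC-ISP1-ADDR
 permit ip host 1.1.1.1 any
ip access-list extended SRC-ISP2-ADDR
 permit ip host 2.2.2.2 any
!
route-map LOCAL-PBR permit 10
 match ip address SRC-ISP1-ADDR
 set ip next-hop 1.1.1.254
route-map LOCAL-PBR permit 20
 match ip address SRC-ISP2-ADDR
 set ip next-hop 2.2.2.254
!
! Apply to packets generated by the router itself
ip local policy route-map LOCAL-PBR
!
! Verification: the per-clause "Policy routing matches" counters show
! whether GRE packets towards the client are actually hitting clause 20
! or falling through to the routing table.
! show ip local policy
! show route-map LOCAL-PBR
```

When checking a symptom like the one described, the useful observation is whether the clause 20 counter increments while traffic is being pushed down the tunnel to the client: if it does not, the encapsulated packets are following the default route towards ISP1 rather than the policy, which would be consistent with the static /32 towards ISP2 making things work and with Arie's uRPF explanation. As Matthew points out, PPTP's MS-CHAPv2/MPPE protection is considered broken, so the same dual-uplink design is better served by IPsec or SSL VPN termination.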