
PPTP routing

  • 06-10-2006 4:17pm
    #1
    Closed Accounts Posts: 2,630 ✭✭✭


    I have a remote site with a PPTP VPN and a Windows XP client at the other end and I'm using Microsoft's built-in PPTP client. At the client I want to route the traffic to/from the remote site through the PPTP VPN and let all other traffic go the usual path. Pretty basic stuff you'd think. I can't see any option at the Windows end to make this happen. Am I missing something? The server side serves IP addresses from a pool so I don't think I can set up a static route as I could get a different IP address every time I connect.


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,862 Mod ✭✭✭✭Capt'n Midnight


    http://www.sans.org/resources/malwarefaq/pptp-vpn.php?portal=5b8369098b792725d060547f5151c74a
    Overview of Protocol: PPTP (Point to Point Tunneling Protocol)

    There are three key parts to the PPTP protocol.

    1. The Control Connection over TCP (destination port is 1723, source port can be any available port). THIS IS NOT AUTHENTICATED IN ANY WAY.
    2. The IP tunnel used to transport GRE encapsulated packets (protocol 47; note, this is not TCP or UDP PORT 47, but a specific, unique protocol).
    3. The PPP packets that are encapsulated inside of the GRE tunnel carried by IP. Note that only the DATA packets are encrypted (when encryption is actually used, which is left open to the implementer and not actually part of the PPTP RFC). Only protocol numbers 0x21 through 0xFA (just the data, usually) would then be encrypted; this means all the other PPP traffic (for example LCP) would not be encrypted.
    How to protect against it:

    Though the improved versions of MS-CHAP and PPTP make compromising the hashes slightly more difficult when using Version 2 instead of 1, it is still far too simple to compromise this information. Strong passwords that are not dictionary based will be much more resistant to such attacks. If even one user password is dictionary based, then it is likely an attacker will crack it in time, and possibly fast enough to compromise the infrastructure.

    Also, according to several resources (Counterpane Labs MS PPTP Version 2 article Section 5.1 "Version Rollback Attacks" http://www.counterpane.com/pptpv2-paper.html ) even following the MS recommendations, the server and clients can still be fooled into downgrading to MS-CHAP version 1.
    PPTP is handy but


    One option, if using PPTP, is not to use any MS product for the PPTP client or server. The Linux and other *Nix & *BSD variants allow more control of the PPTP client and server, and can be kept from doing version rollbacks from MS-CHAP V2 to V1; this, combined with very strong passwords, appears to be a more robust solution, though most companies that are "Windows shops" are not likely to take this approach.

    The best option would be to migrate away from PPTP to one of the other protocols such as IPSec.


  • Registered Users Posts: 1,193 ✭✭✭liamo


    Blaster99 wrote:
    I have a remote site with a PPTP VPN and a Windows XP client at the other end and I'm using Microsoft's built-in PPTP client. At the client I want to route the traffic to/from the remote site through the PPTP VPN and let all other traffic go the usual path. Pretty basic stuff you'd think. I can't see any option at the Windows end to make this happen. Am I missing something? The server side serves IP addresses from a pool so I don't think I can set up a static route as I could get a different IP address every time I connect.

    You haven't actually specified a problem. What you're describing should take place automatically. Are you saying that this is not the case?

    When you connect to a PPTP server with the MS client, a route should be set up for you automatically, such that your outlined requirement should be met.

    You can check this by issuing "route print" in a DOS prompt. If you issue a "route print" before and after establishing the VPN, you'll see the new routes.

    What internal IP addressing is in place on each site? If it's the same, then you've got a problem.

    More info please.

    Regards,

    Liam


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,862 Mod ✭✭✭✭Capt'n Midnight


    What do you get from ipconfig to verify you see both interfaces and both have a gateway, and (as suggested above) route print to see the metrics?

    Dialup connections are annoying the way they will bump a 28Kb connection to the top of the list even if you have a gigabit NIC in as well.

    Does the PPTP server (gateway address of the PPTP connection) use a fixed address so you could set up a permanent route (not the address at your end)?
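As an added example (not from this thread or any of its posters), a Python script that performs the "route print before and after" comparison liamo and Capt'n Midnight suggest on constructed sample dumps: it lists the routes the MS client added, picks out the pooled PPP address, flags a new 0.0.0.0 default route (the "Use default gateway on remote network" behaviour), checks whether the two sites' addressing overlaps, and builds the `route add` line for a split-tunnel route to the remote site. All addresses and the dump layout are constructed for the example.

```python
import re
from collections import namedtuple
from ipaddress import ip_network

# Constructed sample dumps in the layout of a Windows XP "route print" IPv4 table (not captured
# from anyone's machine): 192.168.1.0/24 is the laptop's LAN, 10.10.10.7 the pooled PPTP address.
ROUTE_PRINT_BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
"""
ROUTE_PRINT_AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      21
          0.0.0.0          0.0.0.0       10.10.10.7      10.10.10.7       1
       10.10.10.7  255.255.255.255        127.0.0.1       127.0.0.1      50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
Route = namedtuple("Route", "dest mask gateway iface metric")

def parse_routes(text):
    """Pick the IPv4 routing-table rows out of a `route print` dump, skipping headers."""
    rows = [line.split() for line in text.splitlines()]
    return [Route(*p[:4], int(p[4])) for p in rows
            if len(p) == 5 and all(IPV4.fullmatch(x) for x in p[:4]) and p[4].isdigit()]

def added_routes(before_text, after_text):
    """The 'route print before and after' diff: rows that only exist once the VPN is up."""
    before = {r[:4] for r in parse_routes(before_text)}
    return [r for r in parse_routes(after_text) if r[:4] not in before]

def vpn_interface_ips(before_text, after_text):
    """Interface addresses that appear only after connecting, i.e. the pooled PPP address."""
    before = {r.iface for r in parse_routes(before_text)}
    return sorted({r.iface for r in parse_routes(after_text)} - before)

def tunnel_is_default_gateway(before_text, after_text):
    """True if connecting added a 0.0.0.0/0 route: the tunnel's low metric wins for all traffic."""
    return any(r.dest == r.mask == "0.0.0.0" for r in added_routes(before_text, after_text))

def addressing_overlaps(local_cidr, remote_cidr):
    """Same internal addressing on both sites cannot be told apart by routing, tunnel or not."""
    return ip_network(local_cidr).overlaps(ip_network(remote_cidr))

def split_tunnel_route_cmd(remote_cidr, vpn_ip):
    """The `route add` line sending only the remote site via the tunnel; re-issue per connection."""
    net = ip_network(remote_cidr)
    return f"route add {net.network_address} mask {net.netmask} {vpn_ip}"
```

The split-tunnel route has to be re-added after each connection because the pooled address, and so the next hop, can differ every time.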


  • Closed Accounts Posts: 2,630 ✭✭✭Blaster99


    I've solved it now. In essence I've set up a client IP pool at the remote end that takes IP addresses from the remote network and I have disabled "Use default gateway on remote network" in the client. This fixes the problem as the client is assigned an IP address from the remote network and doesn't need default routing to sort it out. This is a pretty ugly solution as one normally sets up an IP pool from an arbitrary network at the remote end to avoid taking addresses from the physical network, but with Microsoft's client it appears to be the only way.


  • Registered Users Posts: 1,193 ✭✭✭liamo


    Blaster99 wrote:
    I've solved it now. In essence I've set up a client IP pool at the remote end that takes IP addresses from the remote network and I have disabled "Use default gateway on remote network" in the client.

    Ah yes, the old "Use default gateway on remote network" crap. Yes, you must untick that checkbox each and every time you set up and save a PPTP VPN connection with the MS client. Why on earth that is *set* by default just boggles the mind.
    This fixes the problem as the client is assigned an IP address from the remote network and doesn't need default routing to sort it out. This is a pretty ugly solution as one normally sets up an IP pool from an arbitrary network at the remote end to avoid taking addresses from the physical network, but with Microsoft's client it appears to be the only way.

    Well, in order to communicate with the remote network you *must* have an IP Address in the range that's used at the remote site. It's not ugly, that's just the way it works.

    Glad to hear that you got sorted.

    Regards,

    Liam


  • Closed Accounts Posts: 2,630 ✭✭✭Blaster99


    liamo wrote:
    Well, in order to communicate with the remote network you *must* have an IP Address in the range that's used at the remote site. It's not ugly, that's just the way it works.

    The norm is for the client to draw an address from a virtual pool of IP addresses and set up a temporary route to the remote network through this virtual IP address. This is the first VPN client I've come across that can't do this. I have PPTP-capable VPN routers that can do this correctly, but I need to support roaming laptops that use Microsoft's client.


  • Registered Users Posts: 1,193 ✭✭✭liamo


    Blaster99 wrote:
    The norm is for the client to draw an address from a virtual pool of IP addresses and set up a temporary route to the remote network through this virtual IP address. This is the first VPN client I've come across that can't do this. I have PPTP-capable VPN routers that can do this correctly, but I need to support roaming laptops that use Microsoft's client.

    That is not my experience.

    My understanding is that the PPTP server supplies an IP address to the PPTP client. It's not up to the client to decide what IP address it should use and this is not MS-specific behaviour. You've never come across this before? This is standard behaviour as far as I'm concerned.

    Perhaps your routers are providing an additional layer of functionality and my limited experience (limited to MS and Linux servers and clients) of VPN servers and clients is preventing me from appreciating where you're coming from.

    I'm completely open to correction (and preferably education). So, if you would be kind enough to provide a URL to documentation for a router (or client) that provides this functionality, I would be delighted to read about it and come away knowing a bit more.

    Regards,

    Liam

