Chapter 3. Troubleshooting Point-to-Point Tunneling Protocol VPNs

The Point-to-Point Tunneling Protocol (PPTP) is described in RFC 2637 and allows the tunneling of Point-to-Point Protocol (PPP) frames across an IP backbone from a PPTP Access Concentrator (PAC) to a PPTP Network Server (PNS). PPTP was the result of work carried out by a consortium of vendors, the most prominent of which was Microsoft.

RFC 2637 describes how PPTP separates the functionality of the traditional Network Access Server (NAS). The PAC is responsible for remote access client call termination, Link Control Protocol (LCP) termination, and possibly PPP authentication. The PNS is responsible for PPP authentication, Multilink PPP (MP) channel aggregation, and Network Control Protocol (NCP) negotiation.

In this scenario, the remote access client does not participate in and is not aware of PPTP. Remote access client PPP frames are simply forwarded (tunneled) from the PAC to the PNS transparently. This division of functionality is known as compulsory tunnel mode. Note that the PAC in compulsory tunnel mode is typically located at the service provider point-of-presence (POP), and the PNS is located at the enterprise network edge. Figure 3-1 illustrates this mode of operation.

Figure 3-1. PPTP Compulsory Tunnel Mode

Another mode of operation offered by PPTP is known as voluntary tunnel mode. In this mode, instead of the PPTP tunnel being established between a dial access platform (the PAC) and a PNS, it is established directly from the remote access client itself to the PAC. PPP frames are then forwarded over this tunnel between the remote access client and the PAC. In this scenario, the client workstation functions as a PNS. Figure 3-2 illustrates voluntary tunnel mode operation.

Figure 3-2. PPTP Voluntary Tunnel Mode

Because PPTP functionality is built into most Microsoft client operating systems, voluntary tunnel mode has become by far the most common mode of operation. Cisco routers support the voluntary mode of PPTP operation and function as the PAC within this model.

After reading this introduction, if you have the feeling that this all seems rather familiar, you would be right. PPTP in compulsory mode is designed to perform the same job as the Layer 2 Forwarding Protocol (L2F), although there are one or two differences. It also performs the same job as the Layer 2 Tunneling Protocol (L2TP), which is discussed in Chapter 4, "Troubleshooting the Layer 2 Tunneling Protocol Version 2 VPNs." Some of the main differences between PPTP and L2F are as follows:

When troubleshooting PPTP, it is important to have a firm grasp both of its underlying operation and basic configuration. The next two sections examine the operation and configuration of PPTP.