How To | Configure An Allied Telesis Router For Multiple Microsoft® Point-to-Point Tunnelling Protocol (PPTP) Clients Introduction Point-to-Point Tunnelling Protocol (PPTP) is a networking protocol that allows you to securely transfer data from your travelling staff to your office network using a Virtual Private Network (VPN) across TCP/IP-based data networks. PPTP is provided on a variety of Microsoft® Windows® platforms. Which products and software version does it apply to? This How To Note applies to the following products, running software version 2.7.1 or later: z AR400 and AR700 series routers z Rapier, Rapier i, AT-8800 and AT-9800 series switches Scenario A PPTP session is initiated by a TCP connection from the client to port 1723 on the server. Then, the actual data transfer is performed on an unrelated GRE connection. The AlliedWare firewall includes a PPTP proxy agent. This allows the firewall to manipulate, and keep track of, the ‘session ID’ fields in the packets belonging to different GRE sessions. The proxy agent supports multiple PPTP clients on the private side of the firewall, even if they are all connecting to a single PPTP server. In this How To Note, we present the minimum configuration required to support the scenario illustrated in the following figure. Private Public PPTP client A eth1 192.168.1.254 eth0 56.23.149.10 PPTP server AR700 PPTP client B pptp1.eps C613-16012-00 REV B www.alliedtelesis.com Configuration The simple fact is that no specific configuration is required on the firewall to support multiple PPTP clients. So, a basic firewall NAT configuration is all that is required. 1. Configure IP enable ip add ip interface=eth0 ip=56.23.149.10 mask=255.255.255.248 add ip interface=eth1 ip=192.168.1.254 mask=255.255.255.0 2. Configure the firewall enable firewall create firewall policy=name add firewall policy=name interface=eth0 type=public add firewall policy=name interface=eth1 type=private enable firewall policy=name icmp_forwarding=all add firewall policy=name nat=enhanced interface=eth1 gblinterface=eth0 Client connections from the public side If you have a PPTP server on your private network, and you wish to allow external PPTP clients to establish connections to it from the public side, you need to configure a firewall rule to allow the PPTP sessions in through the firewall. For example, if you had a PPTP server at 192.168.1.10 then you would need to configure rules like: add firewall policy=name rule=1 interface=eth0 protocol=gre ip=192.168.1.10 gblip=56.23.149.10 action=allow add firewall policy=name rule=2 interface=eth0 protocol=tcp port=1723 ip=192.168.1.10 gblip=56.23.149.10 gblport=1723 action=allow USA Headquarters | 19800 North Creek Parkway | Suite 200 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895 European Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11 Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830 www.alliedtelesis.com © 2007 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners. C613-16012-00 REV B