CCNA Exploration: Accessing the WAN Chapter 6 Case Study
Panda Inc. needs your help to implement a Teleworker environment.
The Scenario:
As shown in the relevant portion of Panda’s topology below, they need to prepare their router R1 to accept VPN connections.
Panda needs its workers to be able to access its network resources as if they were in the office even when they are not. Since Panda employees could be using any internet connection (from a coffee shop, library or home) to establish a VPN from their laptops to R1, it is vital to encrypt the traffic flowing within the tunnel.
Because Panda laptops run Windows XP, the tunnel terminated at R1 must use Point-to-Point Tunnelling Protocol (PPTP) and Microsoft Point-to-Point Encryption Protocol (MPPE), as this is the combination found in most Windows PCs, including the laptops Panda provides.
Topology:
You get to the Panda office and connect your own laptop to R1's console port. Once you have gained console access, you issue the commands listed below, adding comments to the configuration to document the changes:
R1(config)#username client1 password 0 testclient
!--- Creates the user and defines a password for it.
R1(config)#vpdn enable
!--- Enables VPDN; the next command enters VPDN group configuration mode for the specified VPDN group.
R1(config)#vpdn-group 1
!--- Enters VPDN accept-dialin configuration mode
!--- and enables the router to accept dial-in requests.
R1(config-vpdn)#accept-dialin
!--- Specifies that PPTP is the tunnelling protocol accepted.
R1(config-vpdn-acc-in)#protocol pptp
!--- Specifies the virtual template that is used
!--- in order to clone the virtual access interface.
R1(config-vpdn-acc-in)#virtual-template 1
R1(config-vpdn-acc-in)#exit
R1(config)#ip local pool RemoteAddrs 192.168.1.1 192.168.1.250
!--- Creates the virtual-template interface used for cloning
!--- virtual-access interfaces, with the address pool RemoteAddrs
!--- and Challenge Handshake Authentication Protocol (CHAP), PAP, and MS-CHAP authentication.
R1(config)#interface virtual-template 1
R1(config-if)#encapsulation ppp
R1(config-if)#peer default ip address pool RemoteAddrs
!--- Assigns IP addresses to the remote peers (VPN clients)
!--- from the just-defined address pool named RemoteAddrs.
R1(config-if)#ip unnumbered FastEthernet0/0
!--- Borrows the IP address of Fa0/0 in order to save addresses.
R1(config-if)#no keepalive
R1(config-if)#ppp encrypt mppe auto required
!--- Defines MPPE as the tunnel encryption protocol;
!--- the auto keyword lets the key size be negotiated
!--- and the required keyword drops the tunnel
!--- in case the client doesn't support MPPE encryption.
R1(config-if)#ppp authentication pap chap ms-chap
!--- Once the tunnel is up, PPP is used as the layer 2
!--- encapsulation protocol due to its flexibility.
!--- This command defines PAP, CHAP or MS-CHAP as the PPP
!--- authentication method.
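The commands above can be checked mechanically before the laptop is ever connected. The following Python script is an added example, not part of the case study or of Cisco's documentation: it replays the R1 command transcript (prompts and !--- comments included, as a constructed sample), groups the commands by configuration context, and checks the settings the scenario requires (VPDN enabled, a vpdn-group that accepts PPTP dial-in and points at an existing virtual-template, MPPE set to required, an MS-CHAP method offered, a matching address pool). It also raises warnings for the weaker choices visible in the transcript: a user stored with a reversible password and PAP left in the authentication list. The finding texts and the FAIL/WARN split are this example's own conventions.

```python
"""Static audit of the PPTP/MPPE commands entered on R1.

Added example, not part of the case study: it replays the commands shown
above (prompts and all) and checks the settings the scenario requires,
flagging the weaker choices a reviewer would want to see."""
import re

# Constructed sample: the R1 commands from the case study, prompts included.
SAMPLE_CONFIG = """\
R1(config)#username client1 password 0 testclient
R1(config)#vpdn enable
R1(config)#vpdn-group 1
R1(config-vpdn)#accept-dialin
R1(config-vpdn-acc-in)#protocol pptp
R1(config-vpdn-acc-in)#virtual-template 1
R1(config-vpdn-acc-in)#exit
R1(config)#ip local pool RemoteAddrs 192.168.1.1 192.168.1.250
R1(config)#interface virtual-template 1
R1(config-if)#encapsulation ppp
R1(config-if)#peer default ip address pool RemoteAddrs
R1(config-if)#ip unnumbered FastEthernet0/0
R1(config-if)#no keepalive
R1(config-if)#ppp encrypt mppe auto required
R1(config-if)#ppp authentication pap chap ms-chap
"""

PROMPT = re.compile(r"^R\d+\(config[^)]*\)#")


def parse(text):
    """Group the lowercased commands by context: 'global', 'vpdn-group N'
    or 'interface virtual-template N'. Prompts and !--- comments are dropped;
    a (config)# prompt, 'exit' or 'end' returns to the global context."""
    sections = {"global": []}
    ctx = "global"
    for raw in text.splitlines():
        m = PROMPT.match(raw)
        cmd = (raw[m.end():] if m else raw).strip()
        if m and m.group(0).endswith("(config)#"):
            ctx = "global"
        if not cmd or cmd.startswith("!"):
            continue
        low = cmd.lower()
        if low in ("exit", "end"):
            ctx = "global"
            continue
        if low.startswith(("vpdn-group ", "interface virtual-template ")):
            ctx = low
            sections.setdefault(ctx, [])
            continue
        sections.setdefault(ctx, []).append(low)
    return sections


def _first(cmds, prefix):
    """First command in cmds starting with prefix, or None."""
    return next((c for c in cmds if c.startswith(prefix)), None)


def audit(text):
    """Return (ok, findings). ok is True when no FAIL finding was raised;
    WARN findings point at weaker settings that still meet the scenario."""
    s = parse(text)
    findings = []
    g = s["global"]
    if "vpdn enable" not in g:
        findings.append("FAIL: 'vpdn enable' is missing, so no PPTP tunnel can be accepted")
    for c in g:
        if c.startswith("username ") and " password " in c:
            findings.append(f"WARN: user '{c.split()[1]}' is stored with 'password' (reversible); 'secret' stores a hash")
    pools = {c.split()[3] for c in g if c.startswith("ip local pool ")}
    templates = [k for k in s if k.startswith("interface virtual-template ")]
    for name, cmds in s.items():
        if not name.startswith("vpdn-group "):
            continue
        if "accept-dialin" not in cmds or "protocol pptp" not in cmds:
            findings.append(f"FAIL: {name} does not accept PPTP dial-in")
        vt = _first(cmds, "virtual-template ")
        if vt is None or f"interface {vt}" not in templates:
            findings.append(f"FAIL: {name} points at no configured virtual-template")
    for name in templates:
        cmds = s[name]
        if "encapsulation ppp" not in cmds:
            findings.append(f"FAIL: {name} lacks 'encapsulation ppp'")
        enc = _first(cmds, "ppp encrypt mppe")
        if enc is None or "required" not in enc.split():
            findings.append(f"FAIL: {name} does not make MPPE required; unencrypted sessions would be allowed")
        auth = _first(cmds, "ppp authentication ")
        methods = auth.split()[2:] if auth else []
        if not any(mth.startswith("ms-chap") for mth in methods):
            findings.append(f"FAIL: {name} offers no MS-CHAP, which MPPE needs for its keys")
        if "pap" in methods:
            findings.append(f"WARN: {name} allows PAP, which sends the password in cleartext")
        pool = _first(cmds, "peer default ip address pool ")
        if pool is None or pool.split()[-1] not in pools:
            findings.append(f"FAIL: {name} has no matching 'ip local pool'")
    ok = not any(f.startswith("FAIL") for f in findings)
    return ok, findings


if __name__ == "__main__":
    ok, findings = audit(SAMPLE_CONFIG)
    print("PASS" if ok else "FAIL")
    for f in findings:
        print(" ", f)
```

Run against the transcript above, the audit passes with two warnings (the reversible user password and PAP in the method list). Dropping the required keyword from the ppp encrypt mppe line, or the vpdn enable command, turns the result into a FAIL, which is the kind of regression this check is meant to catch when the configuration is revisited later.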
Once R1 configuration is done, it is time to test the tunnel.
6. After this window appears, choose Properties > Security in order to set the option properly.
7. Choose Advanced (custom settings), choose Settings, and select the appropriate encryption (Data encryption) level and authentication (Allow these protocols).
Once the laptop establishes the tunnel successfully, and based on the debug output displayed on R1, you declare the tunnel up and running.
Step 3 – Verifying the tunnel
To ensure the tunnel is working as required, you enable a few debug commands on R1, terminate the tunnel, re-establish it from the laptop (repeat step 2) and watch the output. After analyzing the output you declare the tunnel up and running according to Panda Inc. requirements. The commands and enabled debugs are listed below for future reference:
R1#show debug
PPP:
  PPP authentication debugging is on
  PPP protocol negotiation debugging is on
VPN:
  VPDN events debugging is on
This is the debug output with the initial PPTP configuration.
R1#
*Mar 5 02:16:25.675: ppp2 PPP: Using vpn set call direction
*Mar 5 02:16:25.675: ppp2 PPP: Treating connection as a callin
*Mar 5 02:16:25.675: ppp2 PPP: Phase is ESTABLISHING, Passive Open
*     0 con 0                idle     00:00:00
  Interface    User               Mode         Idle     Peer Address
  Vi4          cisco              PPPoVPDN     00:00:00 192.168.1.4
This show ip route connected output is before MS-CHAP and MPPE are enabled.
R1#show ip route connected
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.142.0 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.100.100.0 is directly connected, Loopback0
     192.168.1.0/32 is subnetted, 1 subnets
C       192.168.1.4 is directly connected, Virtual-Access4
This show vpdn output is before MS-CHAP and MPPE are enabled.
R1#show vpdn
%No active L2TP tunnels
%No active L2F tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID Remote Name   State   Remote Address  Port  Sessions VPDN Group
3                   estabd  171.69.89.81    4737  1        1

LocID RemID TunID Intf  Username State  Last Chg Uniq ID
3     32768 3     Vi4   cisco    estabd 00:01:44 2

%No active PPPoE tunnels
This show vpdn output is after MS-CHAP and MPPE are enabled.
R1#show vpdn
%No active L2TP tunnels
%No active L2F tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID Remote Name   State   Remote Address  Port  Sessions VPDN Group
5                   estabd  171.69.89.81    4893  1        1

LocID RemID TunID Intf  Username State  Last Chg Uniq ID
5     0     5     Vi4   cisco    estabd 00:00:37 4

%No active PPPoE tunnels
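Reading show vpdn by eye is fine for one laptop; a script is more reliable when the check is repeated after every change to R1. The following Python parser is an added example, not from the case study or from Cisco: its sample text is reconstructed from the show vpdn output after MS-CHAP and MPPE were enabled (labelled as constructed in the code), it handles the blank Remote Name column that the tunnel row has, and it reports whether a PPTP session for a given user is in the estabd state while cross-checking the row counts against the totals the router prints. The field names in the returned dictionaries are this example's own.

```python
"""Parse the 'show vpdn' output used to verify the tunnel.

Added example, not from the case study: the sample output is reconstructed
from the post-MS-CHAP/MPPE 'show vpdn' shown above, and the parser copes
with the blank 'Remote Name' column seen there."""
import re

# Constructed from the case study's 'show vpdn' output after MS-CHAP and MPPE were enabled.
SHOW_VPDN_AFTER = """\
R1#show vpdn
%No active L2TP tunnels
%No active L2F tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID Remote Name   State   Remote Address  Port  Sessions VPDN Group
5                   estabd  171.69.89.81    4893  1        1

LocID RemID TunID Intf  Username State  Last Chg Uniq ID
5     0     5     Vi4   cisco    estabd 00:00:37 4

%No active PPPoE tunnels
"""

TUNNEL_COLS = ("loc_id", "remote_name", "state", "remote_addr", "port", "sessions", "vpdn_group")
SESSION_COLS = ("loc_id", "rem_id", "tun_id", "intf", "username", "state", "last_chg", "uniq_id")


def parse_show_vpdn(text):
    """Return the reported totals plus one dict per PPTP tunnel and per session."""
    info = {"total_tunnels": 0, "total_sessions": 0, "tunnels": [], "sessions": []}
    table = None  # which table the next data rows belong to
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"Total tunnels (\d+) sessions (\d+)", line)
        if m:
            info["total_tunnels"], info["total_sessions"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("LocID Remote Name"):
            table = "tunnels"
        elif line.startswith("LocID RemID"):
            table = "sessions"
        elif table and line[:1].isdigit():
            tok = line.split()
            if table == "tunnels":
                if len(tok) == len(TUNNEL_COLS) - 1:
                    tok.insert(1, "")  # blank Remote Name column, as in the output above
                row = dict(zip(TUNNEL_COLS, tok))
                row["port"] = int(row["port"])
                row["sessions"] = int(row["sessions"])
            else:
                row = dict(zip(SESSION_COLS, tok))
            info[table].append(row)
        elif not line:
            table = None  # a blank line ends the current table
    return info


def pptp_established(text, username=None):
    """True when a PPTP session is 'estabd' (for the given user, if one is named)
    and the parsed rows agree with the totals the router reports."""
    info = parse_show_vpdn(text)
    if len(info["tunnels"]) != info["total_tunnels"] or len(info["sessions"]) != info["total_sessions"]:
        return False
    return any(s["state"] == "estabd" and (username is None or s["username"] == username)
               for s in info["sessions"])


if __name__ == "__main__":
    info = parse_show_vpdn(SHOW_VPDN_AFTER)
    for s in info["sessions"]:
        print(f"{s['intf']} user={s['username']} state={s['state']} up for {s['last_chg']}")
    print("tunnel established:", pptp_established(SHOW_VPDN_AFTER, "cisco"))
```

The same parser can be run over the output captured before and after MS-CHAP and MPPE were enabled; comparing the two dictionaries makes the changed LocID, port and Uniq ID values easy to spot, which confirms the session was really torn down and re-established rather than left over from the earlier configuration.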