Cisco Pix PPTP VPN Setup

This is a somewhat bare-bones description of how to setup a cisco Pix 515 to serve as a PPTP VPN endpoint for windows XP clients, without using any sort of authentication (RADIUS, etc) server.

PIX Configuration:

These are the barebones commands that need to be entered into the Pix...

:
: This IP Pool, of course, will vary...
:
ip local pool mypool 192.168.200.100-192.168.200.110

:
: Alternatively to the sysopt commands, you can manually construct a list of all the allowed
: ports and protocols via access lists
:
sysopt connection permit-ipsec
sysopt connection permit-pptp

:
: This sets up the VPN itself and credentials for two users... user1 and user2
:
vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username user1 password password-for-user-1
vpdn username user2 password password-for-user-2
vpdn enable outside

• The rest of the config file - This isn't a drop-in-and-watch-it-work config, its just the one I was using at the time. You will have to adjust the non-vpn-related portions to suit your needs.

Windows Configuration:

Once the pix config is done, here are the steps to connect windows up to it...

• Guide to connecting to this PPTP config under Windows XP - (via the wizard)
• Guide to fixing the wizard's mess - if you don't want all traffic to route through the new tunnel

Details:

What the pix debugging reports during a successful connection...

• example output of 'show vpdn' while the tunnel is operational
• 'debug vpdn' output while tunnel is established and then destroyed