Vasco aXsGUARD Gatekeeper User manual

aXsGUARD Gatekeeper
PPTP How To
1.7

Table of Contents
1. Introduction
1.1. Audience and Purpose of this Document
1.2. Available Guides
1.3. What is the aXsGUARD Gatekeeper?
1.4. About VASCO
2. General Concepts
2.1. Overview
2.2. What is a Virtual Private Network?
2.3. What is PPTP?
2.3.1. Protocol Description
2.3.2. Key Elements of PPTP Security
2.4. Standard PPTP Deployment
2.5. Routing Scenarios
2.5.1. Overview
2.5.2. Source and Destination Address in Different IP Ranges
2.5.3. Source and Destination Address in the Same IP Range
2.6. Firewalls and PPTP
3. PPTP Server Configuration
3.1. Overview
3.2. Activating the PPTP Server
3.3. General Configuration Settings
3.4. Authentication Settings
3.4.1. Recommended Method
3.4.2. Supported Authentication Methods
3.4.3. Configuring the Authentication Method
3.5. User Settings
3.6. PPTP Firewall Settings
3.6.1. Overview
3.6.2. Allowing PPTP Traffic
3.6.3. Firewall Rights
3.6.4. Example of Firewall Settings for PPTP
3.7. Logging
© VASCO Data Security 2011 1

4. PPTP Client Configuration
4.1. Overview
4.2. Client-Side Firewall
4.3. Windows XP Configuration
4.4. Windows Vista Configuration
4.5. Windows 7 Configuration
5. Troubleshooting
5.1. Client-Side Troubleshooting
5.2. Server-Side Troubleshooting
6. Support
6.1. Overview
6.2. If you encounter a problem
6.3. Return procedure if you have a hardware failure
Alphabetical Index

List of Figures
2.1. VPN Concept
2.2. PPTP Packet
2.3. PPTP Control and Data Channel
2.4. Listing the PPP Device with ipconfig
2.5. PPTP Client and PPTP Server with different IP ranges
2.6. PPTP Client and PPTP Server in same IP Range
2.7. Consequences of Compromised Client
3.1. PPTP Feature Activation
3.2. PPTP General Configuration Settings
3.3. PPTP Authentication Settings
3.4. User Settings
3.5. Firewall Configuration
3.6. Automatic Activation of Firewall Rules
3.7. User Level Firewall Settings
3.8. PPTP Log entries
4.1. Windows XP Network Connections
4.2. Connecting to the Network at my Workplace
4.3. Virtual Private Connection
4.4. Connection Name
4.5. VPN Server Selection
4.6. PPTP VPN Properties
4.7. Require Data Encryption
4.8. Windows Vista PPTP Setup
4.9. Set up a Connection or Network
4.10. Connect to a Workplace
4.11. Use My Internet Connection
4.12. Connection IP and Description
4.13. User Name and Password Screen
4.14. Final Configuration Step
4.15. Connecting to the PPTP Server
4.16. Connection Successful
4.17. PPTP Connection Status
4.18. Windows 7 Control Panel
4.19. Windows 7 Control Panel
4.20. Windows 7 Network and Sharing Center
4.21. Set up a New Connection or Network
4.22. Connect to a Workplace
4.23. Creating a New Connection
4.24. Creating a New Connection
4.25. PPTP Connection Settings
4.26. PPTP Connection Settings
4.27. PPTP Status
5.1. Include Windows Logon Domain
5.2. PPTP Error 619

List of Tables
3.1. PPTP General Settings
3.2. PPTP User Settings
3.3. User Level Firewall Settings

List of Examples
3.1. Restricting access to two LAN servers

Document Version. This is version 1.7 of the aXsGUARD Gatekeeper PPTP How To.
VASCO Products. VASCO Data Security, Inc. and/or VASCO Data Security International
GmbH are referred to in this document as ‘VASCO’. VASCO Products comprise Hardware,
Software, Services and Documentation. This document addresses potential and existing
VASCO customers and has been provided to you and your organization for the sole
purpose of helping you to use and evaluate VASCO Products. As such, it does not
constitute a license to use VASCO Software or a contractual agreement to use VASCO
Products.
Disclaimer of Warranties and Limitations of Liabilities. VASCO Products are
provided ‘as is’ without warranty or conditions of any kind, whether implied, statutory, or
related to trade use or dealership, including but not limited to implied warranties of
satisfactory quality, merchantability, title, non-infringement or fitness for a particular
purpose. VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY
UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU,
YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION,
DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING
DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE,
HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS,
INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY
TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT
EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS
SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A
BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS
SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW
SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND
LIMITATIONS.
Intellectual Property and Copyright. VASCO Products contain proprietary and
confidential information. VASCO Data Security, Inc. and/or VASCO Data Security
International GmbH own or are licensed under all title, rights and interest in VASCO
Products, updates and upgrades thereof, including copyrights, patent rights, trade secret
rights, mask work rights, database rights and all other intellectual and industrial property
rights. No part of these Products may be transferred, disclosed, reproduced or
transmitted in any form or by any means, electronic, mechanical or otherwise, for any
purpose, except as expressly permitted by VASCO or its authorized licensee in writing.
This document is protected under US and international copyright law as an unpublished
work of authorship. No part of it may be transferred, disclosed, reproduced or
transmitted in any form or by any means, electronic, mechanical or otherwise, for any
purpose, except as expressly permitted in writing by VASCO or its authorized licensee.
Trademarks. VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD™, DIGIPASS®, DIGIPASS as
a Service™ and the ® logo are registered or unregistered trademarks of VASCO
Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other
countries. Other company brand or product names or other designations, denominations,
labels and/or other tags, titles, as well as all URLs (Internet addresses) linked to such
designations or communications (irrespective of whether protected by intellectual
property law or not), mentioned in VASCO Products may be the trademarks or registered
trademarks or be part of any other entitlement of their respective owners.
RADIUS Disclaimer. Information on the RADIUS server provided in this document
relates to its operation in the DIGIPASS as a Service environment. We recommend that
you contact your NAS/RAS vendor for further information.
Copyright © 2011 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights
reserved.

Chapter 1. Introduction

1.1. Audience and Purpose of this Document

In this How To, we explain the basic principles of PPTP and how to deploy the
aXsGUARD Gatekeeper PPTP server in your network. This document is intended
for technical personnel and network administrators.
In Chapter 2, General Concepts, we briefly explain the concept of Virtual Private
Networking (VPN) and PPTP.
In Chapter 3, PPTP Server Configuration, we explain the different configuration
settings of the PPTP server, such as acceptable IP ranges, DNS settings and
recommended user settings. We also explain how to implement DIGIPASS
authentication for PPTP, as this is the most secure authentication method.
In Chapter 4, PPTP Client Configuration, we explain how to configure your
Windows XP, Windows Vista and Windows 7 client to successfully establish a
PPTP connection with the aXsGUARD Gatekeeper PPTP server.
In Chapter 5, Troubleshooting, some solutions are offered to solve difficulties.
In Chapter 6, Support, we explain how to request support and return hardware
for replacement.
As software development is an ongoing process, the screens
included in this guide may slightly differ from the software version
installed on your aXsGUARD Gatekeeper appliance.

1.2. Available Guides

Other documents in the set of aXsGUARD Gatekeeper documentation include:
• aXsGUARD Gatekeeper Installation Guide, which explains how to set up
the aXsGUARD Gatekeeper, and is intended for technical personnel or
system administrators.
• How to guides, which provide detailed information on the configuration of
each of the features available as add-on modules (explained in
Section 1.3, “What is the aXsGUARD Gatekeeper?”). These guides cover
specific features such as:
• aXsGUARD Gatekeeper Authentication
• aXsGUARD Gatekeeper Firewall
• aXsGUARD Gatekeeper Single Sign-On
• aXsGUARD Gatekeeper VPN
• aXsGUARD Gatekeeper Reverse Proxy
• aXsGUARD Gatekeeper Directory Services

Access to aXsGUARD Gatekeeper guides is provided through the permanently
on-screen Documentation button in the aXsGUARD Gatekeeper Administrator
Tool.
Further resources available include:
• Context-sensitive help, which is accessible in the aXsGUARD Gatekeeper
Administrator Tool through the Help button. This button is permanently
available and displays information related to the current screen.
• Training courses covering features in detail can be organized on demand.
These courses address all levels of expertise. Please see
http://www.vasco.com for further information.
1.3. What is the aXsGUARD Gatekeeper?

Welcome to aXsGUARD Gatekeeper security.
The aXsGUARD Gatekeeper is an authentication appliance, intended for small
and medium sized enterprises. In addition to strong authentication, the
aXsGUARD Gatekeeper has the potential to manage all of your Internet security
needs. Its modular design means that optional features can be purchased at
any time to support, for example, e-mail and Web access control. The
aXsGUARD Gatekeeper can easily be integrated into existing IT infrastructures
as a stand-alone authentication appliance or as a gateway providing both
authentication services and Internet Security.
Authentication and other features such as firewall, e-mail and Web access, are
managed by security policies, which implement a combination of rules, for
example, whether a user must use a DIGIPASS One-Time Password in
combination with a static password for authentication. Security Policies are
applied to specific users or groups of users and can also be applied to specific
computers and the entire system.

1.4. About VASCO

VASCO is a world leader in strong authentication and e-signature solutions,
specializing in online accounts, identities and transactions. As a global software
company, VASCO serves a customer base of approximately 10,000 companies in
over 100 countries, including approximately 1,500 international financial
institutions. In addition to the financial sector, VASCO’s technologies secure
sensitive information and transactions for the enterprise security, e-commerce
and e-government industries.
For further information, please visit http://www.vasco.com.

Chapter 2. General Concepts

2.1. Overview

In this section, we explain the general concepts of Virtual Private Networking
(VPN), in particular the Point to Point Tunneling Protocol (PPTP). Topics covered
in the section include:
• The key elements underpinning PPTP: authentication, tunneling and
encryption.
• The standard PPTP deployment: how a PPTP client interacts with a PPTP
server.

2.2. What is a Virtual Private Network?

A Virtual Private Network (VPN) is a network which uses a public (inherently
insecure) network infrastructure, such as the Internet, to provide a private
(secured) connection between hosts and network applications. A VPN also
ensures the integrity of data as it traverses the Internet, through authentication,
tunneling and encryption. In other words, a VPN allows roaming or remote users
to securely connect to corporate LAN resources, such as shared folders,
applications, databases or e-mail. Several VPN protocols are available, such as
the PPTP protocol explained in this manual.
Figure 2.1. VPN Concept

2.3. What is PPTP?

2.3.1. Protocol Description

PPTP stands for Point to Point Tunneling Protocol and is an extension of the PPP
protocol, defined per RFC 1171. PPTP allows organizations to use the Internet to
securely transmit data across a VPN. It does this by embedding its own network
protocol within the TCP/IP packets carried by the Internet, which is referred to as
tunneling or encapsulation. PPTP in its barest form works by encapsulating
packets inside PPP packets, which are in turn encapsulated in Generic Routing
Encapsulation (GRE) packets. The GRE packets are sent over IP to the
destination PPTP server and back again. The image below shows the structure
of a PPTP network packet.
Figure 2.2. PPTP Packet

2.3.2. Key Elements of PPTP Security

The PPTP protocol provides the following key security elements:

• Authentication: The VPN server verifies the VPN client’s identity and
restricts VPN access to authorized users only (MS-CHAP and MS-CHAP v2).
The VPN server may also provide audit and accounting capabilities to
monitor who accessed which information and when.
• Tunneling: A technology that enables one network to send its data via
another network’s connections. Tunneling works by encapsulating a
network protocol within packets carried by another network. Tunneling is
also referred to as encapsulation (see Section 2.3.1, “Protocol
Description”) and is achieved by the GRE and PPP protocol.
• Encryption: To ensure privacy, data transmission via the VPN over the
Internet is rendered unreadable to unauthorized clients through
encryption (MPPE).
• Compression: The process of reducing the amount of information
necessary to transmit data.
Authentication. PPTP VPN servers use two authentication protocols:
• PAP: The Password Authentication Protocol is a simple authentication
protocol to authenticate a user with a Network Access Server. PAP sends
user names and passwords over the network in cleartext and is therefore
insecure.
• CHAP: Stands for Challenge Handshake Authentication Protocol and
functions as follows:
1. The PPTP VPN server sends a challenge to the requesting client.
2. The client uses this challenge and the password to calculate a response,
which is sent to the server.
3. The PPTP VPN server checks the provided response against its own
calculation of the expected response. If the received response matches,
the server acknowledges the authentication; if not, the connection is
terminated.
• PAP is not supported by the aXsGUARD Gatekeeper because it
is insecure. Only MS-CHAP is supported.
• VASCO recommends DIGIPASS authentication, as this is the
most secure option.
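The PAP and CHAP exchange described above, shown as an added Python example that is not part of this manual or of the aXsGUARD Gatekeeper software. It implements the generic CHAP of RFC 1994 (MD5 over identifier, secret and challenge), which is exactly the three-step challenge/response pattern listed above; MS-CHAP and MS-CHAP v2, the variants the appliance supports, keep the same pattern with different cryptography. The shared secret and the 16-byte challenge length are constructed values. The last function shows the property that makes CHAP preferable to PAP: with PAP the password itself crosses the wire and can be reused as-is, whereas a CHAP response only answers the one challenge it was computed for.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed shared secret (assumption): the user's password as known to both sides.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    Both sides compute this; only the challenge and the response cross the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Server side of the exchange: one fresh random challenge per attempt."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._identifier = 0
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge

    def challenge(self, size: int = 16) -> Tuple[int, bytes]:
        # Step 1: the server sends a challenge (with an identifier) to the client.
        self._identifier = (self._identifier + 1) % 256
        chal = os.urandom(size)
        self._pending[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        # Step 3: compare the received response with the server's own calculation.
        chal = self._pending.pop(identifier, None)   # each challenge is usable once
        if chal is None:
            return False                              # unknown identifier or already answered
        expected = chap_response(identifier, self._secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def chap_client(secret: bytes, identifier: int, challenge: bytes) -> bytes:
    # Step 2: the client derives the response from the challenge and its password.
    return chap_response(identifier, secret, challenge)


def run_chap(client_secret: bytes, server_secret: bytes = SHARED_SECRET) -> bool:
    """Full exchange; True only when the client knows the same secret as the server."""
    server = ChapServer(server_secret)
    identifier, chal = server.challenge()
    response = chap_client(client_secret, identifier, chal)
    return server.verify(identifier, response)


def captured_response_is_not_reusable() -> bool:
    """Why CHAP beats PAP: a response observed on the wire only answers the
    challenge it was computed for, so presenting it to a later challenge fails."""
    server = ChapServer(SHARED_SECRET)
    ident1, chal1 = server.challenge()
    observed = chap_client(SHARED_SECRET, ident1, chal1)
    first_ok = server.verify(ident1, observed)
    ident2, _chal2 = server.challenge()
    return first_ok and not server.verify(ident2, observed)


if __name__ == "__main__":
    print("correct password accepted:", run_chap(SHARED_SECRET))
    print("wrong password rejected:", not run_chap(b"guess"))
    print("observed response rejected against a new challenge:",
          captured_response_is_not_reusable())
```

The server pops the challenge when it checks a response, so every challenge is answered at most once, and `hmac.compare_digest` avoids leaking timing information about how many response bytes matched.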
Tunneling. A VPN uses an IP tunneling mechanism where the packet formats
and the addressing used by the VPN might be unrelated to the packet formats
and addressing which is used to route the tunneled packet across the Internet
(see Section 2.5, “Routing Scenarios” for more information about PPTP and
Routing). For this reason, PPTP uses the Generic Routing Encapsulation (GRE)
protocol. The GRE protocol is defined per RFC 1701, 1702 and 2784 and is
identified as IP Protocol 47. GRE is used to implement several categories of
encryption and network security. In its most basic form, GRE allows any
network-layer protocol (or in some cases, protocols from other layers, e.g.
Ethernet frames) to be encapsulated in any other network-layer protocol. In its
current form, GRE has been implemented in most UNIX network stacks, routers
and other network equipment and is widely supported.
Encryption. PPTP supports PPP-based data encryption mechanisms. The
Microsoft implementation of PPTP supports optional use of Microsoft Point-to-
Point Encryption (MPPE), based on the RSA/RC4 algorithm. 40 bit encryption is
supported, but highly insecure (see Section 3.3, “General Configuration
Settings”). The aXsGUARD Gatekeeper enforces 128 bit encryption by default,
as this is the most secure option.
Compression. Compression reduces the amount of information necessary to
transmit data, hereby saving bandwidth and increasing the data transfer speed.
PPTP uses the Compression Control Protocol (CCP) used by the PPP protocol. PPP
negotiates MPPE (see above) with the aXsGUARD Gatekeeper PPTP server using
CCP.
2.4. Standard PPTP Deployment

Two hosts are involved in the deployment of PPTP:
• A PPTP Client with access to the Internet.
• A PPTP Server, such as the aXsGUARD Gatekeeper PPTP server.
A PPTP connection between the client and the server consists of two channels, a
control channel and a data channel. These are explained below.
PPTP Control Channel. The PPTP control channel is the initial channel which is
negotiated between a PPTP client on the Internet and the aXsGUARD
Gatekeeper PPTP server. A TCP connection is therefore made to the PPTP server
on TCP port 1723, as shown in the illustration below. This control channel is
used to negotiate tunnel parameters, such as the encryption method and the
compression algorithm (see Section 2.3.2, “Key Elements of PPTP Security”).
The PPTP control channel also establishes, manages, and releases the PPTP data
channel.
Figure 2.3. PPTP Control and Data Channel
PPTP Data Channel. Once the PPTP control channel is up, a second channel is
negotiated to secure the data transfer within the tunnel. This is the PPTP data
channel. On this data channel, PPTP uses the GRE protocol (see Section 2.3.2,
“Key Elements of PPTP Security”) to encapsulate the PPP packets for secure
delivery to the aXsGUARD Gatekeeper PPTP server. In turn, the aXsGUARD
Gatekeeper PPTP server verifies and decapsulates these packets before delivery
to the destination host in the LAN.

2.5. Routing Scenarios

2.5.1. Overview

Once the PPTP VPN is up, a PPP interface with its own IP address is assigned to
both the client and the PPTP server. The client’s interface settings can be
viewed by running the ipconfig command from a Windows command prompt as
shown below.
Figure 2.4. Listing the PPP Device with ipconfig
On the client side, all network traffic not destined for the local network is routed
through the PPP interface, until the PPTP connection is terminated. This means
that a strict Firewall Policy should be enforced on the PPTP client and server (see
Section 2.6, “Firewalls and PPTP” and Section 3.6, “PPTP Firewall Settings”). On
the server side, only PPTP traffic is routed through this interface. Different
routing scenarios apply, depending on the network address which is assigned to
the client’s PPP interface. These are explained in the following sections.

2.5.2. Source and Destination Address in Different IP Ranges

The client’s PPP interface has an IP address in a different IP range than the LAN
of the PPTP server, as shown in the image below. Standard routing applies.

The PPTP client with IP 10.0.0.1 sends a request to a server in the aXsGUARD
Gatekeeper LAN. This server has IP 192.168.250.200. The server receives the
request and replies using the client’s IP address 10.0.0.1 as its destination.
Since this IP address (10.0.0.1) is in a different range than the aXsGUARD
Gatekeeper LAN, the packet is automatically routed through the PPP interface
(gateway) of the aXsGUARD Gatekeeper.
Figure 2.5. PPTP Client and PPTP Server with different IP ranges

2.5.3. Source and Destination Address in the Same IP Range

The client’s PPP interface has an IP address in the same IP range as the LAN IP
of the PPTP server, as shown in the image below. Traffic can only be routed
correctly using Proxy ARP, which is explained below.

The PPTP client with IP 192.168.250.100 sends a request to a server in the
aXsGUARD Gatekeeper LAN. This server has IP 192.168.250.200. The server
replies using the client’s IP address 192.168.250.100 as its destination. Since
this address is within the same IP range as the aXsGUARD Gatekeeper LAN, the
contacted server "thinks" it can reply directly via the LAN using ARP. This is not
the case, since the reply needs to be routed back to the originating client and not
the LAN. The aXsGUARD Gatekeeper solves this problem by using Proxy ARP, as
explained below.
PROXY ARP. Proxy ARP is a technique in which a host, usually a router, answers
ARP requests intended for another host by supplying its own physical address.
By "pretending" to be another host, the aXsGUARD Gatekeeper correctly routes
the traffic back to the requesting host. Proxy ARP is defined per RFC 1027. For
more information about ARP, see the appropriate online resources.
Figure 2.6. PPTP Client and PPTP Server in same IP Range
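The two routing scenarios above, worked through in an added Python example that is not taken from this manual or from the appliance software. It models three decisions: the longest-prefix-match lookup in the Gatekeeper's own routing table once a tunnel is up (the client's PPP address is a /32 host route on the PPP interface), the reply decision of a plain LAN server (on-link addresses are resolved with ARP, everything else goes to the default gateway), and the Proxy ARP rule on the Gatekeeper's LAN interface (claim an address only when it lies inside the LAN range but is reached through the PPP tunnel, never for real LAN hosts). The client and server addresses follow the figures; the /24 LAN mask, the gateway address 192.168.250.254 and the interface names are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed topology following the two scenarios in this section. Assumptions:
# the aXsGUARD Gatekeeper LAN is 192.168.250.0/24, the Gatekeeper is the LAN's
# default gateway at .254, and the interface names are illustrative only.
LAN_NET = ipaddress.ip_network("192.168.250.0/24")
GATEKEEPER_LAN_IP = "192.168.250.254"
LAN_IFACE, PPP_IFACE, WAN_IFACE = "eth0", "ppp0", "wan0"

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, outgoing interface)


def gatekeeper_routes(client_ppp_ip: str) -> List[Route]:
    """Routing table on the PPTP server once a tunnel is up: the LAN on eth0,
    the client's PPP address as a /32 host route on ppp0, everything else on wan0."""
    return [
        (LAN_NET, LAN_IFACE),
        (ipaddress.ip_network(client_ppp_ip + "/32"), PPP_IFACE),
        (ipaddress.ip_network("0.0.0.0/0"), WAN_IFACE),
    ]


def lookup(dst: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match: the most specific route wins (the /32 beats the /24)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def lan_host_reply_path(dst: str) -> Tuple[str, str]:
    """How a plain LAN server (e.g. 192.168.250.200) delivers its reply: on-link
    addresses are resolved with ARP, everything else is handed to the gateway."""
    if ipaddress.ip_address(dst) in LAN_NET:
        return ("arp", dst)                  # scenario 2: it "thinks" the client is local
    return ("gateway", GATEKEEPER_LAN_IP)    # scenario 1: standard routing


def answer_proxy_arp(target: str, routes: List[Route]) -> bool:
    """Proxy ARP decision on the Gatekeeper's LAN interface (RFC 1027): answer
    only for addresses inside the LAN range whose best route is the PPP tunnel,
    never for real LAN hosts and never for addresses outside the LAN."""
    return ipaddress.ip_address(target) in LAN_NET and lookup(target, routes) == PPP_IFACE


def reply_reaches_client(client_ppp_ip: str, proxy_arp_enabled: bool) -> bool:
    """Does the LAN server's reply get back to the PPTP client?"""
    routes = gatekeeper_routes(client_ppp_ip)
    method, _next_hop = lan_host_reply_path(client_ppp_ip)
    if method == "arp":
        # Nobody on the LAN owns this address; only Proxy ARP on the Gatekeeper can claim it.
        if not (proxy_arp_enabled and answer_proxy_arp(client_ppp_ip, routes)):
            return False
    # Once the frame is at the Gatekeeper, its own table sends it into the tunnel.
    return lookup(client_ppp_ip, routes) == PPP_IFACE


if __name__ == "__main__":
    for client in ("10.0.0.1", "192.168.250.100"):
        for proxy_arp in (False, True):
            print(f"client {client:16} proxy ARP {str(proxy_arp):5} ->",
                  "reply delivered" if reply_reaches_client(client, proxy_arp) else "reply lost")
```

Running it shows the asymmetry the figures describe: the 10.0.0.1 client is reached whether or not Proxy ARP is on, because the LAN server hands the reply to its gateway anyway, while the 192.168.250.100 client is only reached when the Gatekeeper answers the ARP request on its behalf.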
2.6. Firewalls and PPTP

It is highly recommended to configure the aXsGUARD Gatekeeper Firewall so
that only required network resources can be accessed by the client. This also
improves security in case a client’s computer is hijacked (illustrated below).
The default system-wide Firewall Policies on the aXsGUARD Gatekeeper provide
the appropriate security for PPTP VPN access. However, system administrators
can and should implement the strictest PPTP Firewall Security at the group or
user level, as explained in Section 3.6, “PPTP Firewall Settings”.
Avoid the use of the no-restrictions and int-no-restrictions Firewall
Policies at all times, except for testing or troubleshooting purposes
in non-live environments (see Section 3.6, “PPTP Firewall
Settings”).

Figure 2.7. Consequences of Compromised Client
Risk as illustrated above
1. A hacker on the Internet scans public IP addresses for open services and
vulnerabilities.
2. The hacker hijacks the client which has a public IP address.
3. The hacker can execute any attack posing as the hijacked computer and
can access the resources of the corporate LAN through the hijacked
computer’s PPTP connection.
Recommendations
• Create strict, separate aXsGUARD Gatekeeper Firewall Policies for PPTP
VPN access on a user / group basis in agreement with your company
policies, as explained above. The aXsGUARD Gatekeeper PPTP Firewall
configuration is explained in Section 3.6, “PPTP Firewall Settings”.
• Use a strong hardware or software Firewall on the client side. Ensure that
outgoing traffic to TCP port 1723 and the GRE protocol are allowed,
otherwise the client will not be able to connect to the PPTP server (see
Section 4.2, “Client-Side Firewall”).

Chapter 3. PPTP Server Configuration

3.1. Overview

In this section, we explain the required aXsGUARD Gatekeeper PPTP server
configuration settings, such as:
• Activating the PPTP Server.
• Encryption Settings.
• Accepted IP ranges.
• DNS settings.
• VPN user settings.
• Important PPTP authentication settings, such as DIGIPASS authentication
and Directory Services authentication.
• Recommended Firewall Policies.

3.2. Activating the PPTP Server

Before you can access the PPTP configuration settings, you must activate the
PPTP feature on the aXsGUARD Gatekeeper.
1. Log on to the aXsGUARD Gatekeeper as explained in the System
Administration How To.
2. Navigate to System ⇒ Feature Activation.
3. Expand the VPN & RAS tree.
4. Check the Do you use the aXsGUARD Gatekeeper PPTP Server? option.
5. Click on Update.
Figure 3.1. PPTP Feature Activation

3.3. General Configuration Settings

1. Log on to the aXsGUARD Gatekeeper as explained in the System
Administration How To.
2. Navigate to VPN & RAS ⇒ PPTP ⇒ General. A screen as shown below is
displayed.
Figure 3.2. PPTP General Configuration Settings
3. Configure the settings as explained in the table below.
4. Click on Update when finished.

Table 3.1. PPTP General Settings

Accept proposed remote client IP
    Check to accept the IP address proposed by the remote client.
    IP address restrictions may apply to certain applications in the
    corporate network. For these applications to be available, the
    connecting client needs to be configured to propose the
    required IP address for the application as opposed to the ones
    which are made available (Start and End IP addresses explained
    below). Accepting remote client IP addresses is a useful option
    which allows PPTP clients to locally print documents via a
    terminal server (RDP Session). The necessary drivers for printer
    sharing can be installed on the client, so that the printer can be
    accessed by the terminal server.

Accept 40 bit encryption (insecure)
    40-bit encryption produces less encryption overhead, but is
    highly insecure. This setting is not recommended.

Start IP address
    The first IP address of the address pool available for PPTP
    clients. The client acquires this address via DHCP.

End IP address
    The last IP address of the address pool available for PPTP
    (DHCP).

Domain Name Server (DNS)
    Specify the DNS server(s) to be used by the remote PPTP client.
    This is usually the LAN IP address of the aXsGUARD
    Gatekeeper or the IP address of the primary Domain Controller
    (Active Directory) in your Windows network.

Windows Internet Naming Server (WINS)
    Specify the WINS server(s) to be used by the remote PPTP
    client. This is required when using Directory Services password
    authentication (see note below).

Note: The aXsGUARD Gatekeeper itself is not a WINS server. The WINS
server is usually the primary domain controller in your Windows
domain.
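The fields of Table 3.1 reviewed by an added Python example that is not part of this manual or of the appliance software. It takes a settings dictionary shaped after the table (the key names are this example's own, not the appliance's configuration keys), reports an inverted address pool and a missing WINS server under Directory Services authentication as errors, the 40-bit option and a missing DNS server as warnings, and states whether the pool lies inside the LAN range, which is what decides between the two routing scenarios of Section 2.5. The LAN range and both sample configurations, a weak one and a corrected one, are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumption: the Gatekeeper LAN is 192.168.250.0/24, as in the routing scenarios.
LAN_NET = ipaddress.ip_network("192.168.250.0/24")

Finding = Tuple[str, str]   # (severity, message)


def check_pptp_general_settings(cfg: Dict,
                                lan_net: ipaddress.IPv4Network = LAN_NET) -> List[Finding]:
    """Review a settings dict shaped after Table 3.1. Severities: 'error' (the
    setup will not work), 'warn' (insecure or incomplete), 'info' (consequence)."""
    findings: List[Finding] = []

    if cfg.get("accept_40bit_encryption", False):
        findings.append(("warn", "40-bit MPPE is accepted; leave this off so that only "
                                 "128-bit encryption is negotiated"))

    start = ipaddress.ip_address(cfg["start_ip"])
    end = ipaddress.ip_address(cfg["end_ip"])
    if int(end) < int(start):
        findings.append(("error", "end IP address precedes start IP address: "
                                  "the PPTP address pool is empty"))
    else:
        pool_size = int(end) - int(start) + 1
        if start in lan_net or end in lan_net:
            findings.append(("info", f"the {pool_size}-address pool lies in the LAN range "
                                     f"{lan_net}; replies to clients depend on Proxy ARP"))
        else:
            findings.append(("info", f"the {pool_size}-address pool is outside the LAN "
                                     f"range {lan_net}; standard routing applies"))

    if not cfg.get("dns_servers"):
        findings.append(("warn", "no DNS server is configured for PPTP clients"))
    if cfg.get("auth_method") == "directory_services" and not cfg.get("wins_servers"):
        findings.append(("error", "Directory Services password authentication requires "
                                  "a WINS server (the Gatekeeper itself is not one)"))
    if cfg.get("accept_proposed_remote_client_ip", False):
        findings.append(("info", "clients may propose their own IP address; only needed "
                                 "when applications require fixed client addresses"))
    return findings


def has_blocking_findings(findings: List[Finding]) -> bool:
    return any(severity == "error" for severity, _ in findings)


WEAK_SETTINGS = {   # constructed 'before': several of the table's pitfalls at once
    "accept_proposed_remote_client_ip": True,
    "accept_40bit_encryption": True,
    "start_ip": "192.168.250.110",
    "end_ip": "192.168.250.100",
    "dns_servers": [],
    "wins_servers": [],
    "auth_method": "directory_services",
}

HARDENED_SETTINGS = {   # constructed 'after': pool in its own range, 128-bit only
    "accept_proposed_remote_client_ip": False,
    "accept_40bit_encryption": False,
    "start_ip": "10.0.0.1",
    "end_ip": "10.0.0.50",
    "dns_servers": ["192.168.250.254"],    # assumed LAN address of the Gatekeeper
    "wins_servers": ["192.168.250.10"],    # assumed primary domain controller
    "auth_method": "digipass",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"== {label} ==")
        for severity, message in check_pptp_general_settings(cfg):
            print(f"  [{severity}] {message}")
```

The severities are deliberate: an empty pool or a missing WINS server under Directory Services authentication stops connections from working, while the 40-bit option connects fine and is reported only as a weakness, which is exactly why it is easy to leave enabled by accident.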