From: Rob on 26 Mar 2010 06:09

On a normal IOS (12.4) Cisco router we are running a PPTP server for connections from mobile Windows machines via UMTS. Nothing special:

vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 description PPTP VPN template
 mtu 1450
 ip unnumbered Loopback0
 ip access-group pptp-in in
 ip access-group pptp-out out
 ip tcp adjust-mss 1400
 ip mroute-cache
 peer default ip address pool vpnpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap
 ppp pap refuse

The interface where the internet traffic comes in has some ACL lines to allow GRE and TCP port 1723 traffic from the network ranges where the users are expected.

Now I am wondering: what is preventing anyone with a similar UMTS account, or anyone able to spoof traffic from those ranges, from sending a GRE packet with malicious content? Would the router just decapsulate any GRE packet that passes the ACL and insert the contents into its routing engine? Or would there need to be an "interface Tunnel" that has been put in GRE mode for such decapsulation to occur? (There is no such interface configured in the router.)

I wonder what is making the router only accept the GRE packets that correspond to the active PPTP sessions, and not other GRE traffic. Is there some kind of "dynamic ACL" that is doing that?
From: Elia S. on 10 Apr 2010 08:25

I suggest you use ONLY ms-chap-v2 (not chap-v1) and use strong passwords.
From: Rob on 10 Apr 2010 09:51

Elia S. <adminNOSPAM(a)spadhausen.com> wrote:
> I suggest you use ONLY ms-chap-v2 (not chap-v1) and use strong
> passwords.

Actually I was worried that the presence of a tunnel interface that would decapsulate GRE would mean that anyone sending GRE packets to our router would be able to insert traffic. But of course it is not like that. One has to authenticate the PPTP session to be able to send traffic.

So, as you say, the security depends on the username/password and the algorithm used to verify them.

Thanks.
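As an added example (not from the thread, and not Rob's actual configuration), the two points above put into IOS configuration: an ingress ACL that limits the PPTP control channel (TCP/1723) and the GRE data channel to the expected source ranges, and the virtual-template changed so that MS-CHAPv2 is the only authentication method accepted. The interface name, the outside address and the source range are assumed placeholders.

```cisco
! Added example, not from the thread. Addresses and ranges are placeholders.
! Outside-facing ACL: only the expected UMTS range may reach the PPTP
! control channel (TCP/1723) or send GRE to the router's own address.
! GRE has no ports, so the ACL can only match on source/destination;
! a GRE packet that passes here is still only accepted as PPTP data
! once a control session on TCP/1723 has authenticated (see below).
ip access-list extended internet-in
 remark PPTP control channel from the mobile operator's range (placeholder)
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq 1723
 remark GRE data channel from the same range (placeholder)
 permit gre 198.51.100.0 0.0.0.255 host 203.0.113.1
 remark Log anything else aimed at the PPTP service for detection
 deny   gre any any log
 deny   tcp any any eq 1723 log
!
interface GigabitEthernet0/0
 description Internet uplink (placeholder)
 ip address 203.0.113.1 255.255.255.252
 ip access-group internet-in in
!
! Weak form as posted:   "ppp authentication ms-chap"  (allows MS-CHAPv1)
! Hardened form per the reply: accept MS-CHAPv2 only, refuse PAP and CHAP,
! and keep MPPE mandatory so an unencrypted PPP session is never negotiated.
interface Virtual-Template1
 description PPTP VPN template
 mtu 1450
 ip unnumbered Loopback0
 ip access-group pptp-in in
 ip access-group pptp-out out
 ip tcp adjust-mss 1400
 peer default ip address pool vpnpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
 ppp pap refuse
 ppp chap refuse
```

The ACL reduces who can even start a PPTP handshake or deliver GRE, but as the thread concludes, the real gate is the authenticated PPP session, so the authentication method and password strength are what matter most.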