Configure Mobile VPN with PPTP

To configure your Firebox to accept PPTP connections you must first activate and configure the settings for Mobile VPN with PPTP.

Authentication

Mobile VPN with PPTP users can authenticate to the Firebox, or use extended authentication to a RADIUS or VACMAN Middleware server. The instructions to use a VACMAN Middleware server are identical to the instructions to use a RADIUS server. To use the Firebox database, do not select the Use RADIUS authentication to authenticate Mobile VPN with PPTP users check box.

To use a RADIUS or VACMAN Middleware server for authentication:

  1. In the Mobile VPN with PPTP configuration, select the Use RADIUS Authentication to authenticate Mobile VPN with PPTP users check box.
  2. Configure the RADIUS server in the Authentication Servers dialog box, as described in Configure RADIUS Server Authentication.
    Or, configure the VASCO server in the Authentication Servers dialog box as described in Configure VASCO Server Authentication.
  3. On the RADIUS server, create a group named PPTP-Users. Add names or groups of PPTP users to this group.

To establish the PPTP connection, the user must be a member of a group named PPTP-Users. Once the user is authenticated, the Firebox keeps a list of all groups that a user is a member of. Use any of the groups in a policy to control traffic for the user.

For information about how to configure a RADIUS server to use an Active Directory database, see RADIUS Authentication with Active Directory For Mobile VPN Users.

Encryption Settings

U.S. domestic versions of Windows XP have 128-bit encryption enabled. You can get a strong encryption patch from Microsoft for other versions of Windows.

  • If you want to require 128-bit encryption for all PPTP tunnels, select Require 128-bit encryption.
    We recommend that you use 128-bit encryption for VPN.
  • To allow the tunnels to drop from 128-bit to 40-bit encryption for connections that are less reliable, select Allow Drop from 128-bit to 40-bit.
    The Firebox always tries to use 128-bit encryption first. It uses 40-bit encryption if the client cannot use the 128-bit encrypted connection. Usually, only customers outside the United States select this check box.
  • To allow traffic that is not encrypted through the VPN, select Do not require encryption.
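The three settings above amount to a small negotiation rule: the Firebox tries 128-bit first and only falls back when the setting permits it. The following Python model is an added example and is not WatchGuard code; it assumes that "Do not require encryption" still prefers 128-bit, then 40-bit, and accepts an unencrypted link only as a last resort (the page does not spell out that ordering). The `weak_tunnels` helper is a simple way to confirm, from your own session records, that the drop-to-40-bit option is not being exercised more often than expected.

```python
# Added example, not part of the WatchGuard documentation or product: a model of
# how the three encryption settings above resolve against what a client offers.
from enum import Enum


class EncryptionSetting(Enum):
    REQUIRE_128 = "Require 128-bit encryption"
    ALLOW_DROP_TO_40 = "Allow Drop from 128-bit to 40-bit"
    NO_ENCRYPTION_REQUIRED = "Do not require encryption"


def negotiate_encryption(setting, client_key_bits):
    """Return the key length the tunnel will use (128, 40, or 0 for no
    encryption), or None if the connection must be refused.

    client_key_bits is the set of key lengths the client offers; 0 stands for
    an unencrypted link. Assumption (not stated on the page): "Do not require
    encryption" still prefers 128-bit, then 40-bit, and accepts plaintext last.
    """
    # The Firebox always tries 128-bit first.
    if 128 in client_key_bits:
        return 128
    if setting is EncryptionSetting.REQUIRE_128:
        return None  # client cannot do 128-bit and a drop is not allowed
    if 40 in client_key_bits:
        return 40  # allowed by "Allow Drop" and by "Do not require encryption"
    if setting is EncryptionSetting.NO_ENCRYPTION_REQUIRED and 0 in client_key_bits:
        return 0
    return None


def weak_tunnels(sessions):
    """Given (user, negotiated_bits) pairs, list the users whose tunnel ended up
    below 128-bit, so you can see how often the drop to 40-bit is actually used."""
    return [user for user, bits in sessions if bits is not None and bits < 128]
```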

MTU and MRU

The Maximum Transmission Unit (MTU) or Maximum Receive Unit (MRU) sizes are sent to the client as part of the PPTP parameters to use during the PPTP session. We recommend that you do not change MTU or MRU values unless you are sure the change corrects a known problem with your PPTP sessions. Incorrect MTU or MRU values cause traffic through the PPTP VPN to fail.

Define Timeout Settings for PPTP Tunnels

You can define two timeout settings for PPTP tunnels if you use RADIUS authentication:

Session Timeout

The maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, no session timeout is used and the user can stay connected for any length of time.

Idle Timeout

The maximum length of time the user can stay authenticated when idle (not passing any traffic to the external network interface). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and the user can stay idle for any length of time.

If you do not use RADIUS for authentication, the PPTP tunnel uses the timeout settings that you set for each Firebox User. For more information about Firebox user settings, see Define a New User for Firebox Authentication.
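The Authentication section above (the user must be in a group named PPTP-Users, and every group the RADIUS server reports is kept for policy matching) and the two timeout settings just described combine into one admission-and-expiry rule. The Python below is an added example, not WatchGuard code: it assumes the RADIUS reply has already been reduced to a list of group names (the page does not say which attribute carries them) and that the group name is matched exactly. Zero in any unit disables the corresponding timeout, which the model represents as `None`.

```python
# Added example, not WatchGuard code: models the admission rule (membership in
# PPTP-Users) and the two timeout settings described above.
from dataclasses import dataclass
from typing import FrozenSet, Optional

REQUIRED_GROUP = "PPTP-Users"  # group the RADIUS server must report for PPTP users
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


def timeout_seconds(value, unit):
    """Convert a timeout field (number plus unit) to seconds. Zero in any unit
    means the timeout is disabled, returned here as None."""
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown unit {unit!r}")
    if value < 0:
        raise ValueError("timeout cannot be negative")
    return None if value == 0 else value * UNIT_SECONDS[unit]


@dataclass
class PptpSession:
    user: str
    groups: FrozenSet[str]          # every group RADIUS reported, kept for policy matching
    connected_at: float             # epoch seconds
    last_traffic_at: float
    session_timeout: Optional[int]  # seconds, None = no session timeout
    idle_timeout: Optional[int]     # seconds, None = no idle timeout


def authorize(user, radius_groups, connected_at, session_timeout, idle_timeout):
    """Admit the user only if the RADIUS reply lists PPTP-Users (exact, case-sensitive
    match is an assumption of this example). Returns a session or None."""
    groups = frozenset(radius_groups)
    if REQUIRED_GROUP not in groups:
        return None
    return PptpSession(user, groups, connected_at, connected_at, session_timeout, idle_timeout)


def policy_applies(session, policy_groups):
    """A policy written for any of the user's groups controls this user's traffic."""
    return bool(session.groups & frozenset(policy_groups))


def record_traffic(session, now):
    """Traffic to the external network resets the idle clock."""
    session.last_traffic_at = now


def expiry_reason(session, now):
    """Return why the tunnel should be torn down at time 'now', or None to keep it."""
    if session.session_timeout is not None and now - session.connected_at >= session.session_timeout:
        return "session timeout"
    if session.idle_timeout is not None and now - session.last_traffic_at >= session.idle_timeout:
        return "idle timeout"
    return None
```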

Add to the IP Address Pool

Mobile VPN with PPTP supports as many as 50 users at the same time. The Firebox gives each incoming Mobile VPN user an available IP address from a pool of addresses. This continues until all the addresses are in use. After a user closes a session, the address is returned to the pool, and the next user who logs in gets this address.

If FireCluster is enabled, the virtual IP address pool cannot be on the same subnet as a primary cluster IP address.

For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

You must configure two or more IP addresses for PPTP to operate correctly.

To configure the IP address pool, from Policy Manager:

  1. In the IP Address Pool section, click Add.
    The Add Address dialog box appears.

Screen shot of the Add Address dialog box

  2. From the Choose Type drop-down list, select Host IPv4 (for a single IP address) or Host Range IPv4 (for a range of IP addresses).
    You can configure up to 50 addresses.
    If you select Host IPv4, you must add at least two IPv4 addresses.
    If you select Host Range IPv4 and add a range of IPv4 addresses that is larger than 50 addresses, Mobile VPN with PPTP uses the first 50 addresses in the range. The IP addresses do not need to be on the same subnet as the trusted network.
    The IP addresses in the IP address pool cannot be used for anything else on your network.
  3. In the Value field, type the host IP address. If you selected Host Range IPv4, type the first IP address in the range for Value and the last IP address in the range for To.
    The IP address or address range appears in the list of addresses available to remote clients.
  4. Click OK.
  5. Repeat Steps 1–4 to configure all the addresses for use with Mobile VPN with PPTP.
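The pool rules above (at least two addresses, at most 50, a range longer than 50 contributes only its first 50 addresses, no address may be used elsewhere on the network, and with FireCluster no pool address may share a subnet with a primary cluster IP) are easy to check before committing the configuration. The Python below is an added example, not WatchGuard code; the entry tuples mirror the Add Address dialog's Host IPv4 and Host Range IPv4 choices, and the `in_use_elsewhere` and `cluster_primary_interfaces` inputs are constructed for the example. The `AddressPool` class models the hand-out behaviour the page describes: a released address is the one the next login receives.

```python
# Added example, not WatchGuard code: validates a proposed IP address pool against
# the rules stated above and models how addresses are handed out and returned.
import ipaddress

MAX_POOL_SIZE = 50  # Mobile VPN with PPTP supports at most 50 addresses / users


def expand_pool(entries):
    """entries: ("host", "a.b.c.d") or ("range", "first", "last"), as in the Add
    Address dialog. A range longer than 50 contributes only its first 50 addresses."""
    addrs = []
    for entry in entries:
        if entry[0] == "host":
            addrs.append(ipaddress.IPv4Address(entry[1]))
        elif entry[0] == "range":
            first, last = ipaddress.IPv4Address(entry[1]), ipaddress.IPv4Address(entry[2])
            if last < first:
                raise ValueError(f"range {first}-{last} is reversed")
            count = min(int(last) - int(first) + 1, MAX_POOL_SIZE)
            addrs.extend(first + i for i in range(count))
        else:
            raise ValueError(f"unknown entry type {entry[0]!r}")
    return addrs


def validate_pool(addrs, in_use_elsewhere=(), cluster_primary_interfaces=()):
    """Return a list of problems (empty means the pool is acceptable).

    in_use_elsewhere: addresses already assigned on the network (constructed input).
    cluster_primary_interfaces: FireCluster primary cluster IPs with prefix, e.g.
    "10.0.1.5/24"; pool addresses must not share a subnet with any of them."""
    problems = []
    if len(addrs) < 2:
        problems.append("the pool must contain at least two addresses")
    if len(addrs) > MAX_POOL_SIZE:
        problems.append(f"the pool has {len(addrs)} addresses; at most {MAX_POOL_SIZE} are allowed")
    if len(set(addrs)) != len(addrs):
        problems.append("the pool contains duplicate addresses")
    used = {ipaddress.IPv4Address(a) for a in in_use_elsewhere}
    for a in addrs:
        if a in used:
            problems.append(f"{a} is already used elsewhere on the network")
    for iface in cluster_primary_interfaces:
        net = ipaddress.ip_interface(iface).network
        clash = [str(a) for a in addrs if a in net]
        if clash:
            problems.append(f"{len(clash)} pool address(es) share subnet {net} with cluster IP {iface}")
    return problems


class AddressPool:
    """Hands out one free address per connecting user; a released address goes to
    the front of the free list so the next login receives it, as the page describes."""

    def __init__(self, addrs):
        self.free = list(addrs)
        self.leases = {}

    def lease(self, user):
        if not self.free:
            return None  # every pool address is in use; the 51st user is refused
        addr = self.free.pop(0)
        self.leases[user] = addr
        return addr

    def release(self, user):
        addr = self.leases.pop(user)
        self.free.insert(0, addr)
        return addr
```

Run `validate_pool` on the expanded entries before you click OK; an empty result means every rule on this page is satisfied, and each string in a non-empty result names the rule that was broken.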

Configure Advanced Settings

  1. On the Mobile VPN with PPTP page, select the Advanced tab.
  2. Configure the Timeout Settings, and the Maximum Transmission Unit (MTU) and Maximum Receive Unit (MRU) settings as described in the subsequent sections.
    We recommend that you use the default settings.

Screen shot of the Mobile VPN with PPTP page, Advanced tab

Timeout Settings

You can define two timeout settings for PPTP tunnels if you use RADIUS authentication:

Session Timeout

The maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, no session timeout is used and the user can stay connected for any length of time.

Idle Timeout

The maximum length of time the user can stay authenticated when idle (no traffic passes to the external network interface). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and the user can stay idle for any length of time.

If you do not use RADIUS for authentication, the PPTP tunnel uses the timeout settings that you set for each Firebox User. For more information about Firebox user settings, see Define a New User for Firebox Authentication.

Other Settings

The Maximum Transmission Unit (MTU) or Maximum Receive Unit (MRU) sizes are sent to the client as part of the PPTP parameters to use during the PPTP session. Do not change MTU or MRU values unless you know the change fixes a problem with your configuration. Incorrect MTU or MRU values cause traffic through the PPTP VPN to fail.

To change the MTU or MRU values:

  1. On the Mobile VPN with PPTP page, select the Advanced tab.
  2. In the Other Settings section, type or select the Maximum Transmission Unit (MTU) or Maximum Receive Unit (MRU) values.

Configure PPTP Policies

After you enable Mobile VPN with PPTP you must configure policies to allow PPTP users access to network resources. For instructions, see Configure Policies For Mobile VPN with PPTP.
