The point-to-point tunneling protocol (PPTP) profile enables you to configure the BIG-IP® system to support a secure virtual private network (VPN) tunnel that forwards PPTP control and data connections. You can create a secure VPN tunnel by configuring a PPTP Profile, and then assigning the PPTP profile to a virtual server. The PPTP protocol is described in RFC 2637.
The point-to-point tunneling protocol (PPTP) profile enables you to configure the BIG-IP® system to support a secure virtual private network (VPN) tunnel. A PPTP application layer gateway (ALG) forwards PPTP client (also known as PPTP Access Concentrator [PAC]) control and data connections through the BIG-IP system to PPTP servers (also known as PPTP Network Servers [PNSs]), while providing source address translation that allows multiple clients to share a single translation address.
The PPTP profile defines a Transmission Control Protocol (TCP) control connection and a data channel through a PPTP Generic Routing Encapsulation (GRE) tunnel, which manages the PPTP tunnels through CGNAT for NAT44 and DS-Lite, as well as all translation modes, including Network Address Port Translation (NAPT) or Deterministic modes.
The BIG-IP system proxies PPTP control channels as normal TCP connections. The PPTP profile translates outbound control messages, which contain Call Identification numbers (Call IDs) that match the port that is selected on the outbound side. Subsequently, for inbound control messages containing translated Call IDs, the BIG-IP system restores the original client Call ID. You can use a packet tracer to observe this translation on the subscriber side or on the Internet side. You can also use iRules® to evaluate and manage any headers in the PPTP control channel.
The PPTP profile enables you to configure Log Settings, specifically the Publisher Name setting, which logs the name of the log publisher, and the Include Destination IP setting, which logs the host IP address of the PPTP server, for each call establishment, call failure, and call teardown.
This topic includes examples of the elements that comprise a typical log entry.
PPTP log messages include several elements of interest. The following examples describe typical log messages.
"Mar 1 18:46:11:PPTP CALL-REQUEST id;0 from;10.10.10.1 to;220.127.116.11 nat;18.104.22.168 ext-id;32456" "Mar 1 18:46:11:PPTP CALL-START id;0 from;10.10.10.1 to;22.214.171.124 nat;126.96.36.199 ext-id;32456" "Mar 1 18:46:11:PPTP CALL-END id;0 reason;0 from;10.10.10.1 to;188.8.131.52 nat;184.108.40.206 ext-id;32456"
|Information Type||Example Value||Description|
|Timestamp||Mar 1 18:46:11||The time and date that the system logged the event message.|
|Transformation mode||PPTP||The logged transformation mode.|
|Command||CALL-REQUEST, CALL-START, CALL-END||The type of command that is logged.|
|Client Call ID||id;0||The client Call ID received from a subscriber.|
|Client IP address||from;10.10.10.1||The IP address of the client that initiated the connection.|
|Reason||reason;0||A code number that correlates the reason for terminating the connection. The
following reason codes apply:
|Server IP address||to;220.127.116.11||The IP address of the server that established the connection.
Note: If Include Destination IP is set to Disabled, then the Server IP address uses the value of 0.0.0.0.
|NAT||nat;18.104.22.168||The translated IP address.|
|Translated client Call ID||ext-id;32456||The translated client Call ID from the GRE header of the PPTP call.|
|Enabled||Includes the PPTP server's IP address in log messages for call establishment or call disconnect.|
|Disabled||Default. Includes 0.0.0.0 as the PPTP server's IP address in log messages for call establishment or call disconnect.|
Perform this task when you want to explicitly add a route for a destination client that is not on the directly-connected network. Depending on the settings you choose, the BIG-IP system can forward packets to a specified network device, or the system can drop packets altogether.
|Use Gateway||Select this option when you want the next hop in the route to be a network IP address. This choice works well when the destination is a pool member on the same internal network as this gateway address.|
|Use Pool||Select this option when you want the next hop in the route to be a pool of routers instead of a single next-hop router. If you select this option, verify that you have created a pool on the BIG-IP system, with the routers as pool members.|
|Use VLAN/Tunnel||Select this option when you want the next hop in the route to be a VLAN or tunnel. This option works well when the destination address you specify in the routing entry is a network address. Selecting a VLAN/tunnel name as the resource implies that the specified network is directly connected to the BIG-IP system. In this case, the BIG-IP system can find the destination host simply by sending an ARP request to the hosts in the specified VLAN, thereby obtaining the destination host’s MAC address.|
|Reject||Select this option when you want the BIG-IP system to reject packets sent to the specified destination.|