PPTP: Point-to-Point Tunneling Protocol

Source: Internet
Author: User


1. Introduction
Features: developed by a vendor alliance led by Microsoft.

Terms:
PAC: PPTP Access Concentrator. Its position and function are similar to the NAS in L2F.
PNS: PPTP Network Server. Its position and function are similar to the destination gateway in L2F.
Purpose: to forward PPP data to the PNS across the Internet. In tunnel mode, the PAC accepts the customer's call, performs LCP negotiation and any required verification, and then the PAC and the PNS establish a tunnel. The PNS performs PPP CHAP or PAP authentication and NCP negotiation with the client's LCP, so the customer's PPP data is carried transparently to the PNS through the tunnel. PPTP also supports a second working mode, in which the client establishes the tunnel directly with the enterprise border device: the client acts as the PNS and the enterprise border device takes the called role (PAC). This is called spontaneous mode (voluntary tunneling), and spontaneous mode is the one commonly used.

Differences between L2F and PPTP:
1. L2F supports only tunnel mode; PPTP supports only spontaneous mode.
2. L2F can forward both PPP and SLIP data through the tunnel; PPTP can forward only PPP data.
3. L2F has no flow control or congestion management; PPTP supports both.
4. In L2F, control messages and data are both carried in UDP encapsulation. PPTP carries control information over TCP and data packets in enhanced GRE encapsulation.
5. In L2F, the destination gateway completes LCP with the customer, while the CHAP phase is actually negotiated with the NAS. This is not the case in PPTP, because the PAC does not support it.
6. L2F does not support outbound (active) calling; PPTP does.
7. When L2F establishes a tunnel, the NAS and the destination gateway authenticate each other; PPTP does not.

Note: Cisco devices support only the spontaneous mode of PPTP.

2. Data Packet Structure
In spontaneous mode, PPTP establishes a tunnel between the customer (PNS) and the enterprise border device (PAC). Unlike L2F, PPTP uses out-of-band management: control messages and data messages are carried separately. After encapsulation, the packet structures are:
Original packet:           L2 header | L3 header | L4 header | data | L2 trailer
PPTP control message:      L2 header | L3 header | TCP header | control message | L2 trailer
Data in the PPTP tunnel:   L2 header | L3 header | enhanced GRE header | PPP data | L2 trailer
PPTP control messages use TCP port 1723.

Before data can be transmitted through the tunnel, a control connection must be established. The control connection carries two kinds of messages:
Type 1: control messages
Type 2: management messages
Cisco does not define a role for management messages, which is presumably why tunnel mode is not supported. There are 15 control message types (the abbreviations startccrq/clearrq used elsewhere in this article refer to SCCRQ/CCRQ):
Code  Message        Function
1     SCCRQ          start control connection request
2     SCCRP          start control connection reply
3     StopCCRQ       stop control connection request
4     StopCCRP       stop control connection reply
5     Echo-Request   echo request
6     Echo-Reply     echo reply
7     OCRQ           outgoing call request
8     OCRP           outgoing call reply
9     ICRQ           incoming call request
10    ICRP           incoming call reply
11    ICCN           incoming call connected
12    CCRQ           call clear request
13    CDN            call disconnect notify
14    WEN            WAN error notify
15    SLI            set link info

These messages have different functions, but all share some common fields:
Length: the length of the PPTP message, including the PPTP header.
PPTP message type: always 1, indicating a control message.
Magic cookie: always 0x1A2B3C4D, used mainly to resynchronize the TCP stream.
Control message type: one of the 15 codes listed above, identifying the message.

The special fields of the common control messages are described below:
1. SCCRQ:
1. Protocol version: a 2-byte version number plus a 2-byte revision number given by the sender.
2. Framing capabilities: two bits are defined. The first indicates that asynchronous framing is supported; the second indicates that synchronous framing is supported.
3. Bearer capabilities: two bearers are defined. The first bit indicates analog access; the second indicates digital access.
4. Maximum channels: how many sessions the tunnel supports. In spontaneous mode a channel carries only one session, and Cisco supports only spontaneous mode, so on Cisco devices this field is always 0.
5. Firmware revision: the customer's driver version.
6. Host name: the DNS name of the host sending the message.
7. Vendor: vendor information.

2. SCCRP:
The other fields are the same as in SCCRQ; two fields are added:
1. Result code: indicates the result of creating the tunnel.
2. Error code: if the result code indicates an error, the error code gives the cause.

3. OCRQ:
1. Control message type: 7.
2. Call ID: used to distinguish sessions, similar to the MID in L2F. Cisco supports only one session in a spontaneous tunnel. The ID has local significance only and may differ between the two ends.
3. Call serial number: used for call records; similar to the call ID but globally unique.
4. Minimum BPS: tells the PAC the minimum line speed the client accepts.
5. Maximum BPS: tells the PAC the maximum line speed the client accepts.
6. Bearer type: the same as in SCCRP.
7. Framing type: the same as in SCCRP.
8. Packet receive window size: flow control; specifies the number of packets that can be buffered.
9. Packet processing delay: flow control; specifies the time data may be held in the buffer.
10. Phone number length: used only in compulsory (tunnel) mode; not supported by Cisco and must be 0.

4. OCRP:
1. Control message type: 8.
2. Call ID: same as in OCRQ.
3. Call serial number: copied from the OCRQ.
4. Result code: reports the result: 1 success, 2 failure, 3 administratively disabled.
5. Error code.
6. Cause code: the cause of the error.
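As an added example (not code from the original article), the following Python builds and parses the PPTP control message header and the SCCRQ body described above, using the field layout of RFC 2637: a 12-byte common header (length, message type, magic cookie, control type, reserved) followed by a 144-byte SCCRQ body in which the protocol version is a single 2-byte field (0x0100 = version 1, revision 0) and the host name and vendor string are 64-byte null-padded fields. The function names and the host name and vendor values are constructed for this example. The header check in parse_control_header is the validation a monitor on TCP port 1723 would apply before treating a stream as PPTP.

```python
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1       # PPTP message type 1 = control message
MSG_TYPE_MANAGEMENT = 2    # type 2 = management message (no role defined)

# Control message type codes from the table above (RFC 2637 names)
CONTROL_TYPES = {
    1: "SCCRQ", 2: "SCCRP", 3: "StopCCRQ", 4: "StopCCRP",
    5: "Echo-Request", 6: "Echo-Reply", 7: "OCRQ", 8: "OCRP",
    9: "ICRQ", 10: "ICRP", 11: "ICCN", 12: "CCRQ", 13: "CDN",
    14: "WEN", 15: "SLI",
}

# Common header: length, message type, magic cookie, control type, reserved0
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: protocol version, reserved1, framing caps, bearer caps,
# max channels, firmware revision, host name (64), vendor string (64)
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")

FRAMING_ASYNC, FRAMING_SYNC = 0x1, 0x2       # framing capability bits
BEARER_ANALOG, BEARER_DIGITAL = 0x1, 0x2     # bearer capability bits


def build_sccrq(hostname, vendor, framing=FRAMING_ASYNC | FRAMING_SYNC,
                bearer=BEARER_ANALOG | BEARER_DIGITAL, max_channels=0,
                firmware=0):
    """Build a Start-Control-Connection-Request (control type 1)."""
    body = SCCRQ_BODY.pack(0x0100, 0, framing, bearer, max_channels,
                           firmware, hostname.encode(), vendor.encode())
    length = HEADER.size + len(body)          # 156 octets for an SCCRQ
    return HEADER.pack(length, MSG_TYPE_CONTROL, MAGIC_COOKIE, 1, 0) + body


def parse_control_header(data):
    """Validate the common header; return control type name and payload.

    Raises ValueError for anything that is not a well-formed control message.
    """
    if len(data) < HEADER.size:
        raise ValueError("truncated PPTP header")
    length, msg_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        raise ValueError(f"bad magic cookie 0x{cookie:08x}")
    if msg_type != MSG_TYPE_CONTROL:
        raise ValueError(f"not a control message (type {msg_type})")
    if length < HEADER.size or length > len(data):
        raise ValueError(f"length field {length} inconsistent with data")
    if ctrl_type not in CONTROL_TYPES:
        raise ValueError(f"unknown control message type {ctrl_type}")
    return {
        "length": length,
        "ctrl_type": ctrl_type,
        "name": CONTROL_TYPES[ctrl_type],
        "payload": data[HEADER.size:length],
    }


def parse_sccrq(payload):
    """Decode the SCCRQ body fields listed in the text."""
    if len(payload) != SCCRQ_BODY.size:
        raise ValueError(f"SCCRQ body must be {SCCRQ_BODY.size} bytes")
    (version, _res, framing, bearer, max_ch, firmware,
     host, vendor) = SCCRQ_BODY.unpack(payload)
    return {
        "version": version >> 8,
        "revision": version & 0xFF,
        "async_framing": bool(framing & FRAMING_ASYNC),
        "sync_framing": bool(framing & FRAMING_SYNC),
        "analog_bearer": bool(bearer & BEARER_ANALOG),
        "digital_bearer": bool(bearer & BEARER_DIGITAL),
        "max_channels": max_ch,
        "firmware": firmware,
        "hostname": host.rstrip(b"\x00").decode(),
        "vendor": vendor.rstrip(b"\x00").decode(),
    }


if __name__ == "__main__":
    # Constructed sample values; not taken from a real device.
    msg = build_sccrq("pns.example.invalid", "example-vendor")
    hdr = parse_control_header(msg)
    print(hdr["name"], hdr["length"], parse_sccrq(hdr["payload"]))
```

The max_channels default of 0 matches the Cisco behaviour noted above for spontaneous mode. A stream on port 1723 whose first 12 bytes fail parse_control_header (wrong cookie, message type other than 1, or a length field larger than the data) is not a PPTP control connection, which is a cheap first check before any deeper inspection.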

Enhanced GRE (E-GRE) Encapsulation
Unlike ordinary GRE, enhanced GRE has some additional features for forwarding PPTP data frames. Its header fields are:
1. C: whether a checksum is present.
2. R: whether routing is present.
3. K: whether a key is present.
4. S: whether a sequence number is present.
5. s: whether strict source routing is used.
6. A: whether an acknowledgment number is present.
7. Recursion control: 0.
8. Flags: 0.
9. Version: 1.
10. Key: the left two bytes of the key field carry the call ID.
11. Sequence number: valid when S is set.
12. Acknowledgment number: valid when A is set.
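The enhanced GRE header in code, as an added example that is not part of the original article. It follows the bit layout of RFC 2637 section 4: the first 16-bit word holds C, R, K, S, s, a 3-bit recursion control field, A, 4 flag bits and the 3-bit version; the protocol type for PPP is 0x880B; the key field's high-order 16 bits carry the payload length and its low-order 16 bits the call ID; the sequence and acknowledgment numbers are present only when S and A are set. The function names and the PPP bytes used as sample payload are constructed for this example.

```python
import struct

GRE_PROTO_PPP = 0x880B   # protocol type for PPP carried in enhanced GRE
EGRE_VERSION = 1

# Bit positions in the first 16-bit word of the header (RFC 2637, section 4)
FLAG_C = 0x8000       # checksum present      (must be 0)
FLAG_R = 0x4000       # routing present       (must be 0)
FLAG_K = 0x2000       # key present           (must be 1)
FLAG_S = 0x1000       # sequence number present
FLAG_s = 0x0800       # strict source route   (must be 0)
RECUR_MASK = 0x0700   # recursion control     (must be 0)
FLAG_A = 0x0080       # acknowledgment number present
FLAGS_MASK = 0x0078   # flags                 (must be 0)
VER_MASK = 0x0007     # version               (must be 1)

FIXED = struct.Struct("!HHHH")   # word, protocol, payload length, call ID


def build_egre(call_id, payload, seq=None, ack=None):
    """Encapsulate one PPP frame (or a bare ack when payload is empty)."""
    word = FLAG_K | EGRE_VERSION
    if seq is not None:
        word |= FLAG_S
    if ack is not None:
        word |= FLAG_A
    hdr = FIXED.pack(word, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def _u32(data, off):
    if off + 4 > len(data):
        raise ValueError("truncated optional field")
    return struct.unpack_from("!I", data, off)[0]


def parse_egre(data):
    """Parse and validate an enhanced GRE header; ValueError if malformed."""
    if len(data) < FIXED.size:
        raise ValueError("truncated enhanced GRE header")
    word, proto, payload_len, call_id = FIXED.unpack_from(data)
    if word & VER_MASK != EGRE_VERSION:
        raise ValueError(f"version {word & VER_MASK}, expected 1")
    if proto != GRE_PROTO_PPP:
        raise ValueError(f"protocol 0x{proto:04x} is not PPP (0x880B)")
    if not word & FLAG_K:
        raise ValueError("key (call ID) must be present")
    if word & (FLAG_C | FLAG_R | FLAG_s | RECUR_MASK | FLAGS_MASK):
        raise ValueError("C, R, s, recursion control and flags must be zero")
    off = FIXED.size
    seq = ack = None
    if word & FLAG_S:
        seq = _u32(data, off)
        off += 4
    if word & FLAG_A:
        ack = _u32(data, off)
        off += 4
    payload = data[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload length field exceeds captured data")
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "payload_len": payload_len, "payload": payload}


if __name__ == "__main__":
    # Constructed sample: a short LCP Configure-Request as the PPP payload.
    ppp = b"\xc0\x21\x01\x01\x00\x04"
    print(parse_egre(build_egre(0x1234, ppp, seq=7, ack=3)))
```

A plain GRE packet (version 0, protocol 0x0800, no key) is rejected by parse_egre, which is the distinction a monitor of IP protocol 47 needs in order to separate PPTP data from other GRE traffic; a packet whose payload length field exceeds the captured bytes is rejected rather than silently truncated.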

3. Working Process
1. Tunnel creation process
Phase 1: the client sends an SCCRQ to start the control connection. The destination port is 1723 and the source port is any unused port. The client chooses a customer ID and a call serial number. When the PAC receives the message, it copies the call serial number into the SCCRP that answers the client's request; the reply indicates whether the control channel was established successfully or an error occurred.

Phase 2: after phase 1 succeeds, the client sends an OCRQ to indicate that it wants to set up a PPP session inside PPTP. When the PAC receives it, it replies with an OCRP telling the client whether the session was established.

Phase 3: after the OCRQ/OCRP exchange, ordinary PPP negotiation takes place: LCP, PAP/CHAP and NCP. When negotiation completes, data packets are forwarded in enhanced GRE.

2. Tunnel maintenance
PPTP provides a keepalive mechanism so that a tunnel that has failed for any reason does not hang. It uses the PPTP echo request and echo reply. When the control connection has been idle for more than 60 s, one side sends an echo request; if no reply arrives within 60 s, the connection is torn down. Either side may initiate the request.

3. Tunnel termination and others
1. Terminating the tunnel:
   1. The client sends a CCRQ (clearrq, call clear request).
   2. The PAC replies with a CDN; the session is terminated.
   3. The PAC immediately sends a StopCCRQ.
   4. The client replies with a StopCCRP; the control connection is terminated.

2. SLI message: sent by the client to set link information.
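The three-phase setup, the 60 s echo keepalive and the teardown sequence of this section, modelled as an added example (not code from the article): a minimal PNS and PAC state machine that exchange message names. The state names, the class and function names, and the simulated clock (seconds passed in as a number) are all constructed for this example; the bytes on the wire are not modelled, and PPP negotiation over the GRE tunnel is assumed to happen outside the model.

```python
# Control-connection states; names constructed for this example
IDLE, WAIT_SCCRP, CTRL_UP, WAIT_OCRP, CALL_UP, WAIT_CDN, CLOSED = (
    "IDLE", "WAIT_SCCRP", "CTRL_UP", "WAIT_OCRP", "CALL_UP", "WAIT_CDN", "CLOSED")
ECHO_IDLE_SECS = 60.0    # send Echo-Request after 60 s without traffic
ECHO_REPLY_SECS = 60.0   # tear down if no Echo-Reply within 60 s

class Pns:
    """Client side: starts the tunnel and the call, runs keepalives, hangs up."""
    def __init__(self, now):
        self.state, self.last_rx, self.echo_sent_at = IDLE, now, None
    def start(self, now):            # phase 1
        self.state = WAIT_SCCRP
        return "SCCRQ"
    def hang_up(self):               # termination step 1
        self.state = WAIT_CDN
        return "CCRQ"
    def receive(self, msg, now):
        self.last_rx, self.echo_sent_at = now, None   # any traffic resets the timer
        if msg == "SCCRP" and self.state == WAIT_SCCRP:
            self.state = WAIT_OCRP
            return ["OCRQ"]          # phase 2 follows a successful phase 1
        if msg == "OCRP" and self.state == WAIT_OCRP:
            self.state = CALL_UP     # phase 3 (LCP, PAP/CHAP, NCP) now runs over GRE
            return []
        if msg == "Echo-Request":
            return ["Echo-Reply"]
        if msg == "Echo-Reply":
            return []
        if msg == "CDN" and self.state == WAIT_CDN:
            self.state = CTRL_UP     # session cleared, control connection still up
            return []
        if msg == "StopCCRQ":
            self.state = CLOSED
            return ["StopCCRP"]      # termination step 4
        raise ValueError(f"unexpected {msg} in state {self.state}")
    def tick(self, now):
        """Keepalive timer; returns the messages to send at time `now`."""
        if self.state == CLOSED:
            return []
        if self.echo_sent_at is not None:
            if now - self.echo_sent_at > ECHO_REPLY_SECS:
                self.state = CLOSED  # peer silent for 60 s: tunnel is dead
            return []
        if now - self.last_rx > ECHO_IDLE_SECS:
            self.echo_sent_at = now
            return ["Echo-Request"]
        return []

class Pac:
    """Server side: answers requests; sends StopCCRQ after the call clears."""
    def __init__(self):
        self.state = IDLE
    def receive(self, msg, now):
        if msg == "SCCRQ" and self.state == IDLE:
            self.state = CTRL_UP
            return ["SCCRP"]
        if msg == "OCRQ" and self.state == CTRL_UP:
            self.state = CALL_UP
            return ["OCRP"]
        if msg == "Echo-Request":
            return ["Echo-Reply"]
        if msg == "CCRQ" and self.state == CALL_UP:
            self.state = CTRL_UP
            return ["CDN", "StopCCRQ"]   # termination steps 2 and 3
        if msg == "StopCCRP":
            self.state = CLOSED
            return []
        raise ValueError(f"unexpected {msg} in state {self.state}")

def exchange(pns, pac, first, now):
    """Deliver a PNS message and bounce replies until both sides go quiet."""
    transcript, queue = [], [("PNS", first)]
    while queue:
        sender, msg = queue.pop(0)
        transcript.append(f"{sender} -> {msg}")
        if sender == "PNS":
            queue += [("PAC", r) for r in pac.receive(msg, now)]
        else:
            queue += [("PNS", r) for r in pns.receive(msg, now)]
    return transcript

def run_session():
    """Full life cycle: setup, one keepalive round at t=61 s, then teardown."""
    pns, pac = Pns(0.0), Pac()
    log = exchange(pns, pac, pns.start(0.0), 0.0)
    log += exchange(pns, pac, pns.tick(61.0)[0], 61.0)
    log += exchange(pns, pac, pns.hang_up(), 62.0)
    return log, pns.state, pac.state

def run_dead_peer():
    """Peer stops answering: Echo-Request at 61 s, closed once 60 s more pass."""
    pns = Pns(0.0)
    exchange(pns, Pac(), pns.start(0.0), 0.0)
    sent = pns.tick(61.0)          # Echo-Request, never answered
    pns.tick(100.0)                # 39 s later: still waiting
    pns.tick(122.0)                # 61 s later: gives up
    return sent, pns.state
```

run_session returns the transcript of the whole exchange in the order the text describes (SCCRQ/SCCRP, OCRQ/OCRP, Echo-Request/Echo-Reply, CCRQ, CDN, StopCCRQ, StopCCRP) with both sides finishing in CLOSED; run_dead_peer shows the two 60 s intervals of the keepalive, idle-to-echo and echo-to-teardown, which is also the window within which a monitoring system should expect a silently failed tunnel to disappear.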

4. Experiment
PAC configuration:

hostname Pac
!
vpdn enable
!
vpdn-group zu
 accept-dialin
  protocol pptp
  virtual-template 1
!
username zhanghao password 0 Mima
!
interface loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface fastethernet0/0
 ip address 1.1.1.121 255.255.255.255
!
interface Virtual-Template1
 ip unnumbered loopback0
 peer default ip address pool ippool
 ! MS-CHAP (v1) and 40-bit MPPE have both been broken for years;
 ! ms-chap-v2 with "ppp encrypt mppe 128 required" is the least weak
 ! combination PPTP offers.
 ppp encrypt mppe 40 required
 ppp authentication ms-chap
!
ip local pool ippool 10.1.1.10 10.1.1.100
ip route 0.0.0.0 0.0.0.0 fastethernet0/0
