On a normal IOS (12.4) Cisco router we are running a PPTP server for connections from mobile Windows machines via UMTS.
Nothing special:
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 description PPTP VPN template
 mtu 1450
 ip unnumbered Loopback0
 ip access-group pptp-in in
 ip access-group pptp-out out
 ip tcp adjust-mss 1400
 ip mroute-cache
 peer default ip address pool vpnpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap
 ppp pap refuse
The interface where the internet traffic comes in has some ACL lines to allow GRE and TCP port 1723 traffic from the network ranges where the users are expected.
Now I am wondering: what is preventing anyone with a similar UMTS account, or anyone able to spoof traffic from those ranges, from sending a GRE packet with malicious content?
Would the router just decapsulate any GRE packet that passes the ACL and insert the contents into its routing engine? Or would there need to be an "interface Tunnel" that has been put in GRE mode for such decapsulation to occur? (There is no such interface configured in the router.)
I wonder what is making the router only accept the GRE packets that correspond to the active PPTP sessions, and not other GRE traffic. Is there some kind of "dynamic ACL" that is doing that?
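For reference, an added example that is not part of the original post and is not Cisco IOS code: RFC 2637 gives PPTP data packets an "enhanced GRE" header (version 1, protocol type 0x880B, with a 16-bit Call ID in the key field), which is what lets an endpoint tell them apart from ordinary version 0 GRE and match them to an established call. The function name, session table and sample packets below are constructed for illustration.

```python
import struct

PPTP_GRE_PROTO = 0x880B   # PPP carried in enhanced GRE (RFC 2637)
RESERVED_BITS = 0xCF78    # C, R, s, Recur and Flags: must all be zero
K_BIT, S_BIT, A_BIT = 0x2000, 0x1000, 0x0080

def classify_gre(src_ip, gre, sessions):
    """Decide what to do with one GRE packet (outer IP header already removed).

    sessions is a set of (peer_ip, call_id) pairs for established PPTP calls.
    This is a lookup for demultiplexing, not cryptographic authentication.
    """
    if len(gre) < 8:
        return "drop: truncated"
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if (flags & 0x0007) != 1 or proto != PPTP_GRE_PROTO:
        return "drop: not PPTP enhanced GRE"
    if (flags & RESERVED_BITS) or not (flags & K_BIT):
        return "drop: malformed header"
    # Optional 32-bit sequence and acknowledgment numbers follow the key field.
    offset = 8 + (4 if flags & S_BIT else 0) + (4 if flags & A_BIT else 0)
    if len(gre) < offset + payload_len:
        return "drop: truncated"
    if (src_ip, call_id) not in sessions:
        return "drop: no session for call ID"
    return "accept"

# Constructed sample data (documentation address range, made-up Call IDs).
SESSIONS = {("198.51.100.7", 17)}
PPP_FRAME = b"\xff\x03\xc0\x21"
PPTP_DATA = struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, 4, 17, 1) + PPP_FRAME
UNKNOWN_CALL = struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, 4, 999, 1) + PPP_FRAME
PLAIN_GRE = struct.pack("!HH", 0x0000, 0x0800) + b"\x45" + bytes(19)  # GRE v0, IPv4 inside

if __name__ == "__main__":
    for name, src, pkt in [("pptp data", "198.51.100.7", PPTP_DATA),
                           ("unknown call", "198.51.100.7", UNKNOWN_CALL),
                           ("other peer", "198.51.100.99", PPTP_DATA),
                           ("plain GRE v0", "198.51.100.7", PLAIN_GRE)]:
        print(f"{name:13s} -> {classify_gre(src, pkt, SESSIONS)}")
```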