[cisco-nas] VPDN PPTP

Richard Greasley richardg at blue-stream.net
Sun Jan 25 08:24:08 EST 2004


Using CHAP,
Similar errors, except CHAP is now there where PAP was.
I'm not using any encryption at the moment, what I'm firstly working on is
creating an authenticated tunnel.
There aren't any ACLs which would prohibit this traffic from passing
through the network.
One thing I would also like to add, the XP client is behind a NAT, no ACL to
block this type of traffic.
I did a show vpdn while I was attempting the connection, and this is what I
was seeing.

as5300-5#show vpdn

%No active L2TP tunnels

%No active L2F tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID Remote Name     State    Remote Address  Port  Sessions
23                    estabd   216.110.114.102 3554  1

LocID RemID TunID Intf    Username      State   Last Chg
23    32768 23    Vi1                   estabd  00:00:12

regards,
Richardg
----- Original Message ----- 
From: "Richard Greasley" <richardg at blue-stream.net>
To: "Mark John" <markjohn20 at hotmail.com>
Cc: <cisco-nas at puck.nether.net>
Sent: Sunday, January 25, 2004 8:25 AM
Subject: Re: [cisco-nas] VPDN PPTP


> Thank you, I'll make changes and let you know how I fared.
>
> regards,
> Richardg;
> ----- Original Message ----- 
> From: "Mark John" <markjohn20 at hotmail.com>
> To: <richardg at blue-stream.net>
> Cc: <cisco-nas at puck.nether.net>
> Sent: Sunday, January 25, 2004 7:56 AM
> Subject: RE: [cisco-nas] VPDN PPTP
>
>
> > Few things to check:
> >
> > 1. You don't need the 'lcp renegotiation' command on the 5300 - this is only
> > useful when using L2F and L2TP in compulsory tunnel mode. PPTP does support
> > compulsory tunnel mode, but not on Cisco boxes - on Cisco boxes only
> > voluntary tunnel mode is supported (i.e. a tunnel directly from the remote
> > access client).
> >
> > 2. Try changing your authentication protocol - you are using PAP - I am
> > guessing that the remote access XP client does not permit PAP. If the remote
> > access client is configured to encrypt PPTP traffic using MPPE then you'll
> > also need to configure MPPE and MS-CHAP on the AS-5300.
> >
> > 3. Look for an access list blocking GRE. The control channel in PPTP uses
> > TCP (port 1723) but the data channel uses (enhanced) GRE (IP prot 47). So,
> > if TCP is permitted then the control channel comes up (and the virtual
> > access i/f gets cloned), but the first data to cross the data channel is the
> > PPP neg sequence, and so symptoms that are shown in your debug can sometimes
> > result from an ACL blocking GRE. You can double check that GRE packets are
> > being received from the remote access client using 'debug ip packet det
> > <acl>' BUT be very careful using this command.
> >
> > 4. Check the IOS version - I have come across one or two that had problems
> > with PPTP :)
> >
> >
> > Hope that helps,
> >
> > Mark
> >
> >
> > >From: "Richard Greasley" <richardg at blue-stream.net>
> > >To: <cisco-nas at puck.nether.net>
> > >Subject: [cisco-nas] VPDN PPTP
> > >Date: Sun, 25 Jan 2004 07:15:51 -0400
> > >
> > >Hello all,
> > >hoping someone could help me understand why my pptp connection is failing
> > >from a windows xp computer, to a cisco AS5300 (12.2(2)XA3).
> > >Commands are as follows:
> > >aaa authentication ppp default local
> > >aaa authorization network default local
> > >!
> > >vpdn enable
> > >!
> > >vpdn-group pptptunnel
> > >! Default PPTP VPDN group
> > >  description L2tp incoming
> > >  accept-dialin
> > >   protocol pptp
> > >   virtual-template 1
> > >  local name Office
> > >  lcp renegotiation always
> > >!
> > >interface Loopback2
> > >  description PPTP loopback
> > >  ip address 192.168.15.1 255.255.255.255
> > >!
> > >interface Virtual-Template1
> > >  mtu 1492
> > >  ip unnumbered Loopback2
> > >  load-interval 30
> > >  peer default ip address pool pppoE-pool
> > >  ppp authentication pap
> > >!
> > >ip local pool pppoE-pool 192.168.15.5 192.168.15.30
> > >!
> > >
> > >Needless to say, it fails, I've some debugging on and this is what I was
> > >able to capture.
> > >Is there a reason why it is timing out during the authentication phase?
> > >
> > >Jan 25 11:12:49.851 UTC: Vi1 VPDN: Virtual interface created
> > >Jan 25 11:12:49.851 UTC: Vi1 VPDN: Clone from Vtemplate 1
> > >Jan 25 11:12:49.903 UTC: Vi1 VPDN: Bind interface direction=2
> > >Jan 25 11:12:49.907 UTC: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
> > >Jan 25 11:12:49.907 UTC: Vi1 PPP: Treating connection as a dedicated line
> > >Jan 25 11:12:49.907 UTC: Vi1 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
> > >Jan 25 11:12:49.907 UTC: Vi1 LCP: O CONFREQ [Closed] id 51 len 18
> > >Jan 25 11:12:49.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:12:49.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:12:49.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:12:51.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:12:51.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 52 len 18
> > >Jan 25 11:12:51.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:12:51.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:12:51.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:12:53.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:12:53.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 53 len 18
> > >Jan 25 11:12:53.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:12:53.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:12:53.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:12:55.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:12:55.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 54 len 18
> > >Jan 25 11:12:55.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:12:55.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:12:55.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:12:57.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:12:57.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 55 len 18
> > >Jan 25 11:12:57.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:12:57.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:12:57.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:12:59.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:12:59.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 56 len 18
> > >Jan 25 11:12:59.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:12:59.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:12:59.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:13:01.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:13:01.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 57 len 18
> > >Jan 25 11:13:01.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:13:01.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:13:01.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:13:03.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:13:03.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 58 len 18
> > >Jan 25 11:13:03.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:13:03.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:13:03.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:13:05.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:13:05.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 59 len 18
> > >Jan 25 11:13:05.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:13:05.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:13:05.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:13:07.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:13:07.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 60 len 18
> > >Jan 25 11:13:07.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
> > >Jan 25 11:13:07.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
> > >Jan 25 11:13:07.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
> > >Jan 25 11:13:09.907 UTC: Vi1 LCP: TIMEout: State REQsent
> > >Jan 25 11:13:09.907 UTC: Vi1 VPDN: Reset
> > >Jan 25 11:13:09.907 UTC: Vi1 VPDN: Reset
> > >Jan 25 11:13:09.907 UTC: Vi1 VPDN: Unbind interface
> > >Jan 25 11:13:09.907 UTC: Vi1 LCP: State is Listen
> > >
> > >
> > >Thanks in advance,
> > >Richardg;
> > >
> > >_______________________________________________
> > >cisco-nas mailing list
> > >cisco-nas at puck.nether.net
> > >https://puck.nether.net/mailman/listinfo/cisco-nas
> >
>
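
Added example, not part of the original thread: a Python sketch that reads LCP debug output in the format quoted above, decodes the hex option TLVs, and flags the pattern from point 3 of Mark's reply, where the NAS keeps sending CONFREQs and never logs an inbound LCP packet. The sample log is constructed from the quoted format, and the function names are hypothetical.

```python
import re
import struct

# Constructed sample in the format of the debug output quoted in the thread.
SAMPLE = """\
Jan 25 11:12:49.907 UTC: Vi1 LCP: O CONFREQ [Closed] id 51 len 18
Jan 25 11:12:49.907 UTC: Vi1 LCP:    MRU 1492 (0x010405D4)
Jan 25 11:12:49.907 UTC: Vi1 LCP:    AuthProto PAP (0x0304C023)
Jan 25 11:12:49.907 UTC: Vi1 LCP:    MagicNumber 0x43712274 (0x050643712274)
Jan 25 11:12:51.907 UTC: Vi1 LCP: TIMEout: State REQsent
Jan 25 11:12:51.907 UTC: Vi1 LCP: O CONFREQ [REQsent] id 52 len 18
Jan 25 11:12:53.907 UTC: Vi1 LCP: TIMEout: State REQsent
"""
AUTH = {0xC023: "PAP", 0xC223: "CHAP"}                     # PPP auth protocol numbers
CHAP_ALG = {0x05: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}
PKT = re.compile(r" LCP: ([IO]) \w+")                      # I = received, O = sent
OPT = re.compile(r"\(0x([0-9A-Fa-f]+)\)\s*$")              # raw option bytes in parens

def decode_option(hexstr):
    """Decode one LCP option (type, length, value) as laid out in RFC 1661."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError("LCP option length field does not match data")
    typ, val = raw[0], raw[2:]
    if typ == 1:
        return ("MRU", struct.unpack("!H", val)[0])
    if typ == 3:
        proto = struct.unpack("!H", val[:2])[0]
        name = AUTH.get(proto, hex(proto))
        if proto == 0xC223 and len(val) > 2:               # CHAP carries an algorithm byte
            name += "/" + CHAP_ALG.get(val[2], hex(val[2]))
        return ("AuthProto", name)
    return ("MagicNumber" if typ == 5 else f"type{typ}", val.hex())

def analyse(log):
    """Count LCP packets per direction and collect the options the NAS offered."""
    sent = recv = timeouts = 0
    offered = set()
    for line in log.splitlines():
        pkt, opt = PKT.search(line), OPT.search(line)
        if pkt:
            sent += pkt.group(1) == "O"
            recv += pkt.group(1) == "I"
        elif " LCP: TIMEout" in line:
            timeouts += 1
        elif opt and " LCP: " in line:
            offered.add(decode_option(opt.group(1)))
    # A peer that dislikes the offered auth protocol answers with a CONFNAK;
    # no inbound LCP at all means PPP frames (carried in GRE) are not arriving.
    return {"sent": sent, "recv": recv, "timeouts": timeouts,
            "offered": sorted(offered), "one_way": sent > 0 and recv == 0}
```
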


