[c-nsp] Problem with VPN to PIX - solved!!

Ted Mittelstaedt tedm at toybox.placo.com
Wed Apr 6 02:09:33 EDT 2005


Hi All,

  Thanks all for your assistance with this!  While nobody sent me a working config, I got enough leads, plus more research and debugging of logs and such, to solve the problem.

  The Cisco PIX VPN config example for the Microsoft l2tp/IPSec VPN client that is on the Cisco website, I discovered, probably is correct - for what it does.  It is here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml

But what ISN'T explained in that config example is that the Microsoft VPN client in Windows 2000 is totally different from any Microsoft-supplied VPN clients for Windows 98/ME/NT4 and Windows XP.  So, the Cisco config example is ONLY usable with the Microsoft VPN client for W2K.  No other version.

The Microsoft Win2K VPN client for one thing supports xauth, and to get it to use a pre-shared key you have to modify the registry AND set up a security policy.  Instructions for this I found here:

http://www.securecomputing.com/pdf/swpa_3x_an_CiscoPIX_L2TP_IPSec_A.pdf

This is an excellent document, for a PDF.

For Windows 98/ME and for Windows XP there's a configuration page to allow you to use a preshared key.

I also ran across a note on the Microsoft website:

http://www.microsoft.com/downloads/details.aspx?FamilyID=17d997d2-5034-4bbb-b74d-ad8430a1f7c8&DisplayLang=en

This patch must be applied to XP SP2 systems for the Microsoft IPSec VPN client to work.

One of the things that had me tearing my hair out turned out to be an access list in an upstream router that was blocking l2tp.  That router, a Netopia/Siemens job, was supplied and managed by the customer ISP.  When I called them to ask if they were blocking IPSec they told me some of those routers came from the factory with these filters enabled.

But even with that fixed I still couldn't get connectivity until I turned on debugging and found that the Microsoft l2tp/ipsec VPN client doesn't support md5, only sha.

So, here is the complete config.  This PIX config provides BOTH pptp VPN connectivity AND Microsoft l2tp/vpn client connectivity.  The Microsoft l2tp/IPSec VPN clients that it supports are the Win98/me/nt and the Windows XP l2tp/IPSec VPN client.  It does NOT work with the Cisco VPN client (at least not the one I tried).  UserIDs and passwords are stored in the PIX config.  I hope this helps someone!

It sure would be nice if a Cisco person were to post this on the Cisco
website!!

: Saved
: Written by enable_15 at 11:57:28.668 UTC Tue Apr 5 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname YYYYYYYYYYY
domain-name ZZZZZZZZZZZZZZZ.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list eatme-incoming permit tcp 65.75.16.0 255.255.255.0 any eq 3389
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list l2tp permit udp host 189.17.44.166 any eq 1701
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 189.17.44.166 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool roadwarrior 192.168.254.1-192.168.254.254
ip local pool l2tp 192.168.253.1-192.168.253.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
access-group eatme-incoming in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 189.17.44.165 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside 65.75.64.2 XXXXXXXXXXXX.txt
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set l2tp esp-des esp-sha-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap interface outside
isakmp enable outside
isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh 65.75.20.0 255.255.255.0 outside
ssh 65.75.19.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local roadwarrior
vpdn group 1 client configuration dns 192.168.1.2 26.13.2.4
vpdn group 1 client configuration wins 192.168.1.2
vpdn group 1 client accounting RADIUS
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication chap
vpdn group 2 ppp authentication mschap
vpdn group 2 client configuration address local l2tp
vpdn group 2 client configuration dns 192.168.1.2 26.13.2.4
vpdn group 2 client configuration wins 192.168.1.2
vpdn group 2 client accounting RADIUS
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 60
vpdn username testuser password AAAAAAAABBBBBBCCCCC
vpdn enable outside
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 192.168.1.2 26.13.2.4
dhcpd wins 192.168.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd option 46 hex 08
dhcpd enable inside
terminal width 80
Cryptochecksum:a2cb5debc405b868a3cde696e6488edb
: end
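As an added check that is not part of the original post or of the PIX config above: a small Python lint that reads the crypto section of a PIX 6.3 config and reports the interoperability points the post describes (SHA rather than MD5, transport mode, no-xauth on the pre-shared key, an ACL permitting udp/1701 on the dynamic map, and sysopt permit-l2tp). The embedded excerpt is constructed from the post's config with the pre-shared key replaced by a placeholder.

```python
import re

# Constructed excerpt of the crypto section of the post's PIX 6.3 config;
# the pre-shared key is a placeholder, not the original value.
PIX_CONFIG = """\
access-list l2tp permit udp host 189.17.44.166 any eq 1701
sysopt connection permit-l2tp
crypto ipsec transform-set l2tp esp-des esp-sha-hmac
crypto ipsec transform-set l2tp mode transport
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
isakmp key PLACEHOLDER address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
"""

def lint_l2tp_ipsec(config):
    """Return the requirements from the post that the config fails;
    an empty list means the Microsoft L2TP/IPsec client should negotiate."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bad = []
    # The Microsoft client negotiates only SHA, never MD5 (the post's key finding).
    for m in (re.match(r"isakmp policy (\d+) hash (\S+)", l) for l in lines):
        if m and m.group(2) != "sha":
            bad.append(f"isakmp policy {m.group(1)} hash {m.group(2)} (client needs sha)")
    # Pre-shared key without XAUTH: the Win98/XP clients have no XAUTH support.
    if not any(l.startswith("isakmp key ") and "no-xauth" in l for l in lines):
        bad.append("isakmp key missing no-xauth")
    # Each transform-set a dynamic-map uses must be SHA-HMAC in transport mode,
    # and the map's ACL must permit udp/1701 so the L2TP tunnel is what's protected.
    for l in lines:
        m = re.match(r"crypto dynamic-map \S+ \d+ (match address|set transform-set) (\S+)", l)
        if not m:
            continue
        name = m.group(2)
        if m.group(1) == "set transform-set":
            defs = [x for x in lines if x.startswith(f"crypto ipsec transform-set {name} ")]
            if not any("esp-sha-hmac" in d for d in defs):
                bad.append(f"transform-set {name} lacks esp-sha-hmac")
            if not any(d.endswith("mode transport") for d in defs):
                bad.append(f"transform-set {name} is not mode transport")
        elif not any(x.startswith(f"access-list {name} permit udp") and x.endswith("eq 1701")
                     for x in lines):
            bad.append(f"dynamic-map ACL {name} does not permit udp/1701")
    if "sysopt connection permit-l2tp" not in lines:
        bad.append("sysopt connection permit-l2tp missing")
    return bad
```

The lint flags only the interoperability points the post names; the policy's des encryption and group 1 are weak by current standards and a full review would treat them separately.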