[c-nsp] Cisco vpn - windows client

Tom tjaeger at networksinstalled.com
Sun Dec 3 02:56:53 EST 2006


I have made some progress but can't get the "radius-server authorization
permit missing Service-Type" line to be accepted. It authorizes using my
radius server and creates an unencrypted vpn but will not negotiate
encryption without that line. Any idea why it wouldn't take, or a substitute?
Tom Jaeger

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jorge Evangelista
Sent: Saturday, December 02, 2006 10:15 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco vpn - windows client

Hi, I have had some similar problems when I configure PPTP over a
Cisco router, but you could try to configure an IPsec VPN for remote
clients, and then you have to install and configure the Cisco VPN Client on the
computers. Try this configuration:

aaa new-model
!
!
aaa authorization network hw-client-groupname local
aaa session-id common
ip subnet-zero

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group user1
 key passwordforuser1
 domain yourdomain.com
 pool dynpool
 acl 100
!
crypto isakmp client configuration group user2
 key passwordforuser2
 domain yourdomain.com
 pool dynpool
 acl 100
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!

interface Ethernet0
 description LAN
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface Ethernet1
 description WAN
 ip address 200.49.10.2 255.255.255.252
 ip nat outside

ip local pool dynpool 192.168.2.10 192.168.2.20
ip nat pool net 200.49.10.2 200.49.10.2 netmask 255.255.255.252
ip nat inside source list 100 pool net overload

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any


Regards,



On 12/2/06, Tom Jaeger <tjaeger at networksinstalled.com> wrote:
> I am hoping someone can help me with this setup.  I am new to the list and
> can't find a place to search the old posts to see if this has been discussed
> before.  If so I am sorry.
>
> I am setting up a vpn connection to a cisco 2610 router with
> c2600-ik9o3s3-mz.123-19.bin installed.  I want windows xp computers to
> connect from remote locations and have been following the write-up at
> http://www.parkansky.com/tutorials/pptp.htm .
>
> I am getting close but not quite there. My Config file and errors are below.
> Of note is my 4 port nm-4e will arrive Monday so there is no interface for
> the 10.0.0.X yet.  I wouldn't think that it would stop the initial
> connection.
>
> Thank you for any help or guidance,
>
> Tom Jaeger
>
> !
> version 12.3
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname boca
> !
> boot-start-marker
> boot-end-marker
> !
> enable secret 5 "edited"
> !
> aaa new-model
> !
> !
> aaa authentication ppp default local
> aaa authorization network default if-authenticated
> aaa session-id common
> ip subnet-zero
> ip cef
> !
> !
> no ip domain lookup
> ip domain name "edited"
> !
> ip audit po max-events 100
> vpdn enable
> !
> vpdn-group 1
> ! Default L2TP VPDN group
>  accept-dialin
>  protocol pptp
>  virtual-template 1
> !
> async-bootp dns-server 10.0.0.5
> async-bootp nbns-server 10.0.0.5
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> username tjaeger password 0 "edited"
> !
> !
> !
> !
> !
> !
> interface Ethernet0/0
>  ip address 192.168.5.21 255.255.255.0
>  half-duplex
>  hold-queue 100 out
> !
> interface Virtual-Template1
>  no ip address
>  ip mroute-cache
>  peer default ip address pool DIAL-IN
>  ppp encrypt mppe auto required
>  ppp authentication ms-chap ms-chap-v2
> !
> ip local pool DIAL-IN 10.0.0.100 10.0.0.150
> no ip http server
> no ip http secure-server
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.5.1
> !
> !
> !
> snmp-server community "edited" RO
> snmp-server community "edited" RW
> snmp-server enable traps snmp authentication
> radius-server host 64.135.46.124 auth-port 1645 acct-port 1646
> radius-server key "edited"
> !
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  password "edited"
> !
> ntp clock-period 17208137
> ntp server 192.43.244.18
> !
> end
>
> Dec  2 18:04:29.545: ppp3 PPP: Send Message[Dynamic Bind Response]
> Dec  2 18:04:29.545: ppp3 PPP: Using vpn set call direction
> Dec  2 18:04:29.545: ppp3 PPP: Treating connection as a callin
> Dec  2 18:04:29.549: ppp3 PPP: Session handle[99000007] Session id[3]
> Dec  2 18:04:29.549: ppp3 PPP: Phase is ESTABLISHING, Passive Open
> Dec  2 18:04:29.549: ppp3 LCP: State is Listen
> Dec  2 18:04:31.545: ppp3 LCP: Timeout: State Listen
> Dec  2 18:04:31.545: ppp3 LCP: O CONFREQ [Listen] id 1 len 15
> Dec  2 18:04:31.545: ppp3 LCP:    AuthProto MS-CHAP (0x0305C22380)
> Dec  2 18:04:31.545: ppp3 LCP:    MagicNumber 0x5071B43E (0x05065071B43E)
> Dec  2 18:04:31.549: ppp3 LCP: I CONFACK [REQsent] id 1 len 15
> Dec  2 18:04:31.549: ppp3 LCP:    AuthProto MS-CHAP (0x0305C22380)
> Dec  2 18:04:31.549: ppp3 LCP:    MagicNumber 0x5071B43E (0x05065071B43E)
> Dec  2 18:04:31.553: ppp3 LCP: I CONFREQ [ACKrcvd] id 1 len 21
> Dec  2 18:04:31.553: ppp3 LCP:    MRU 1400 (0x01040578)
> Dec  2 18:04:31.553: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
> Dec  2 18:04:31.553: ppp3 LCP:    PFC (0x0702)
> Dec  2 18:04:31.553: ppp3 LCP:    ACFC (0x0802)
> Dec  2 18:04:31.553: ppp3 LCP:    Callback 6  (0x0D0306)
> Dec  2 18:04:31.557: ppp3 LCP: O CONFREJ [ACKrcvd] id 1 len 7
> Dec  2 18:04:31.557: ppp3 LCP:    Callback 6  (0x0D0306)
> Dec  2 18:04:31.557: ppp3 LCP: I CONFREQ [ACKrcvd] id 2 len 18
> Dec  2 18:04:31.561: ppp3 LCP:    MRU 1400 (0x01040578)
> Dec  2 18:04:31.561: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
> Dec  2 18:04:31.561: ppp3 LCP:    PFC (0x0702)
> Dec  2 18:04:31.561: ppp3 LCP:    ACFC (0x0802)
> Dec  2 18:04:31.561: ppp3 LCP: O CONFNAK [ACKrcvd] id 2 len 8
> Dec  2 18:04:31.561: ppp3 LCP:    MRU 1500 (0x010405DC)
> Dec  2 18:04:31.565: ppp3 LCP: I CONFREQ [ACKrcvd] id 3 len 18
> Dec  2 18:04:31.565: ppp3 LCP:    MRU 1400 (0x01040578)
> Dec  2 18:04:31.565: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
> Dec  2 18:04:31.565: ppp3 LCP:    PFC (0x0702)
> Dec  2 18:04:31.569: ppp3 LCP:    ACFC (0x0802)
> Dec  2 18:04:31.569: ppp3 LCP: O CONFNAK [ACKrcvd] id 3 len 8
> Dec  2 18:04:31.569: ppp3 LCP:    MRU 1500 (0x010405DC)
> Dec  2 18:04:31.573: ppp3 LCP: I CONFREQ [ACKrcvd] id 4 len 18
> Dec  2 18:04:31.573: ppp3 LCP:    MRU 1500 (0x010405DC)
> Dec  2 18:04:31.573: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
> Dec  2 18:04:31.573: ppp3 LCP:    PFC (0x0702)
> Dec  2 18:04:31.573: ppp3 LCP:    ACFC (0x0802)
> Dec  2 18:04:31.573: ppp3 LCP: O CONFACK [ACKrcvd] id 4 len 18
> Dec  2 18:04:31.577: ppp3 LCP:    MRU 1500 (0x010405DC)
> Dec  2 18:04:31.577: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
> Dec  2 18:04:31.577: ppp3 LCP:    PFC (0x0702)
> Dec  2 18:04:31.577: ppp3 LCP:    ACFC (0x0802)
> Dec  2 18:04:31.577: ppp3 LCP: State is Open
> Dec  2 18:04:31.577: ppp3 PPP: Phase is AUTHENTICATING, by this end
> Dec  2 18:04:31.581: ppp3 MS-CHAP: O CHALLENGE id 1 len 21 from "boca    "
> Dec  2 18:04:31.581: ppp3 LCP: I IDENTIFY [Open] id 5 len 18 magic 0x03530940 MSRASV5.10
> Dec  2 18:04:31.581: ppp3 LCP: I IDENTIFY [Open] id 6 len 23 magic 0x03530940 MSRAS-0-TOM-IBM
> Dec  2 18:04:31.585: ppp3 MS-CHAP: I RESPONSE id 1 len 61 from "tjaeger"
> Dec  2 18:04:31.585: ppp3 PPP: Phase is FORWARDING, Attempting Forward
> Dec  2 18:04:31.589: ppp3 PPP: Phase is AUTHENTICATING, Unauthenticated User
> Dec  2 18:04:31.701: ppp3 PPP: Phase is FORWARDING, Attempting Forward
> Dec  2 18:04:31.705: ppp3 PPP: Send Message[Connect Local]
> Dec  2 18:04:31.717: Vi3 PPP: Phase is DOWN, Setup
> Dec  2 18:04:31.721: ppp3 PPP: Bind to [Virtual-Access3]
> Dec  2 18:04:31.721: Vi3 PPP: Send Message[Static Bind Response]
> Dec  2 18:04:31.741: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
> Dec  2 18:04:31.741: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
> Dec  2 18:04:31.745: Vi3 MS-CHAP: O SUCCESS id 1 len 4
> Dec  2 18:04:31.749: Vi3 PPP: Phase is UP
> Dec  2 18:04:31.749: Vi3 PPP: Process pending ncp packets
> Dec  2 18:04:31.753: Vi3 CCP: O CONFREQ [Closed] id 1 len 10
> Dec  2 18:04:31.753: Vi3 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
> Dec  2 18:04:31.757: Vi3 CCP: I CONFREQ [REQsent] id 7 len 10
> Dec  2 18:04:31.757: Vi3 CCP:    MS-PPC supported bits 0x010000F1 (0x1206010000F1)
> Dec  2 18:04:31.757: Vi3 CCP: O CONFNAK [REQsent] id 7 len 10
> Dec  2 18:04:31.757: Vi3 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
> Dec  2 18:04:31.761: Vi3 IPCP: I CONFREQ [Not negotiated] id 8 len 34
> Dec  2 18:04:31.761: Vi3 IPCP:    Address 0.0.0.0 (0x030600000000)
> Dec  2 18:04:31.761: Vi3 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
> Dec  2 18:04:31.761: Vi3 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
> Dec  2 18:04:31.761: Vi3 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
> Dec  2 18:04:31.761: Vi3 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
> Dec  2 18:04:31.765: Vi3 LCP: O PROTREJ [Open] id 2 len 40 protocol IPCP
> Dec  2 18:04:31.765: Vi3 LCP:  (0x80210108002203060000000081060000)
> Dec  2 18:04:31.765: Vi3 LCP:  (0x00008206000000008306000000008406)
> Dec  2 18:04:31.765: Vi3 LCP:  (0x00000000)
> Dec  2 18:04:31.769: Vi3 CCP: I CONFNAK [REQsent] id 1 len 10
> Dec  2 18:04:31.769: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
> Dec  2 18:04:31.773: Vi3 CCP: O CONFREQ [REQsent] id 2 len 10
> Dec  2 18:04:31.773: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
> Dec  2 18:04:31.773: Vi3 CCP: I CONFREQ [REQsent] id 9 len 10
> Dec  2 18:04:31.773: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
> Dec  2 18:04:31.773: Vi3 CCP: O CONFACK [REQsent] id 9 len 10
> Dec  2 18:04:31.777: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
> Dec  2 18:04:31.781: Vi3 CCP: I CONFACK [ACKsent] id 2 len 10
> Dec  2 18:04:31.781: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
> Dec  2 18:04:31.781: Vi3 CCP: State is Open
> Dec  2 18:04:31.793: Vi3 LCP: I TERMREQ [Open] id 10 len 16 (0x03530940003CCD7400000000)
> Dec  2 18:04:31.793: Vi3 LCP: O TERMACK [Open] id 10 len 4
> Dec  2 18:04:31.793: Vi3 PPP: Sending Acct Event[Down] id[4]
> Dec  2 18:04:31.797: Vi3 PPP: Phase is TERMINATING
> Dec  2 18:04:31.801: Vi3 PPP: Block vaccess from being freed [0x18]
> Dec  2 18:04:31.809: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
> Dec  2 18:04:31.813: Vi3 LCP: State is Closed
> Dec  2 18:04:31.813: Vi3 PPP: Phase is DOWN
> Dec  2 18:04:31.813: Vi3 CCP: State is Closed
> Dec  2 18:04:31.817: Vi3 PPP: Unlocked by [0x10] Still Locked by [0xA]
> Dec  2 18:04:31.817: Vi3 PPP: Send Message[Disconnect]
> Dec  2 18:04:31.817: Vi3 PPP: Unlocked by [0x8] Still Locked by [0x2]
> Dec  2 18:04:31.817: Vi3 PPP: Unlocked by [0x2] Still Locked by [0x0]
> Dec  2 18:04:31.817: Vi3 PPP: Free previously blocked vaccess
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


-- 
"The network is the computer"
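As an added diagnostic example (not code from the thread, from Cisco, or from either poster), a small Python parser for the `debug ppp negotiation` output quoted above: it decodes the CCP "MS-PPC supported bits" words per RFC 3078 and reports what MPPE strength was acknowledged, whether the router protocol-rejected IPCP, and whether the peer sent the TERMREQ. The names `summarize` and `decode_mppe` are mine, and the log excerpt is constructed from the lines in the thread.

```python
import re

# MPPE/MPPC "supported bits" word carried in the CCP option (RFC 3078 sec. 3; C bit from RFC 2118).
MPPE_BITS = [(0x01000000, "stateless(H)"), (0x80, "56-bit(M)"), (0x40, "128-bit(S)"),
             (0x20, "40-bit(L)"), (0x01, "MPPC(C)")]
LINE_RE = re.compile(r"^>?\s*\w{3}\s+\d+ [\d:.]+: (\S+) (LCP|CCP|IPCP|PPP): (.*)$")
BITS_RE = re.compile(r"MS-PPC supported bits 0x([0-9A-Fa-f]{8})")

def decode_mppe(bits):
    return [name for mask, name in MPPE_BITS if bits & mask]   # names of the set options

def summarize(log_text):
    """Walk 'debug ppp negotiation' output; report how CCP/IPCP ended and who hung up."""
    s = {"phase": None, "ccp_open": False, "ccp_bits": None,
         "ipcp_rejected": False, "peer_termreq": False}
    last_pkt = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # %LINK lines, hex dumps, etc.
        _iface, proto, rest = m.groups()
        if proto == "PPP" and rest.startswith("Phase is "):
            s["phase"] = rest[len("Phase is "):].split(",")[0]
        elif proto == "CCP":
            if rest[:2] in ("I ", "O "):
                last_pkt = rest.split()[1]            # CONFREQ / CONFNAK / CONFACK
            b = BITS_RE.search(rest)
            if b and last_pkt == "CONFACK":           # acknowledged bits are the negotiated set
                s["ccp_bits"] = int(b.group(1), 16)
            if rest == "State is Open":
                s["ccp_open"] = True
        elif proto == "LCP":
            if "PROTREJ" in rest and rest.endswith("protocol IPCP"):
                s["ipcp_rejected"] = True             # router refused IPCP before CCP finished
            if rest.startswith("I TERMREQ"):
                s["peer_termreq"] = True              # the client asked to tear the link down
    s["mppe"] = decode_mppe(s["ccp_bits"]) if s["ccp_bits"] is not None else []
    return s

# Constructed excerpt modelled on the debug output quoted in the thread.
SAMPLE = """\
Dec  2 18:04:31.753: Vi3 CCP: O CONFREQ [Closed] id 1 len 10
Dec  2 18:04:31.753: Vi3 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
Dec  2 18:04:31.765: Vi3 LCP: O PROTREJ [Open] id 2 len 40 protocol IPCP
Dec  2 18:04:31.773: Vi3 CCP: O CONFACK [REQsent] id 9 len 10
Dec  2 18:04:31.777: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Dec  2 18:04:31.781: Vi3 CCP: State is Open
Dec  2 18:04:31.793: Vi3 LCP: I TERMREQ [Open] id 10 len 16 (0x03530940003CCD7400000000)
Dec  2 18:04:31.797: Vi3 PPP: Phase is TERMINATING
"""
```

Run `summarize(SAMPLE)` on the full quoted log (the `>` quote prefix is tolerated) to see that 128-bit stateless MPPE was acknowledged and CCP reached Open before the client's TERMREQ arrived.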