[c-nsp] Cisco vpn - windows client
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Sun Dec 3 06:16:11 EST 2006
Are you using Radius? The first config you sent didn't include Radius.
Please also configure "aaa authorization network default local" (you
configured "if-authenticated", which ignores authorization if you've
authenticated). What does "debug ppp neg" say?
oli
cisco-nsp-bounces at puck.nether.net wrote on Sunday, December 03, 2006 8:57 AM:
> I have made some progress but can't get the "radius-server
> authorization permit missing Service-Type" line to be accepted. It
> authorizes using my radius server and creates an unencrypted vpn but
> will not negotiate encryption without that line. Any idea why it
> wouldn't take, or a substitute?
> Tom Jaeger
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jorge
> Evangelista Sent: Saturday, December 02, 2006 10:15 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco vpn - windows client
>
> Hi, I have had some similar problems when configuring PPTP on a
> Cisco router, but you could try configuring an IPsec VPN for remote
> clients, and then install and configure the Cisco VPN Client on the
> computers. Try this configuration:
>
> aaa new-model
> !
> !
> aaa authorization network hw-client-groupname local
> aaa session-id common
> ip subnet-zero
>
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp client configuration address-pool local dynpool
> !
> crypto isakmp client configuration group user1
>  key passwordforuser1
>  domain yourdomain.com
>  pool dynpool
>  acl 100
> !
> crypto isakmp client configuration group user2
>  key passwordforuser2
>  domain yourdomain.com
>  pool dynpool
>  acl 100
> !
> !
> crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
> !
> crypto dynamic-map dynmap 1
>  set transform-set transform-1
>  reverse-route
> !
> !
> crypto map dynmap isakmp authorization list hw-client-groupname
> crypto map dynmap client configuration address respond
> crypto map dynmap 1 ipsec-isakmp dynamic dynmap
> !
> !
>
> interface Ethernet0
>  description LAN
>  ip address 192.168.2.1 255.255.255.0 secondary
>  ip address 192.168.1.1 255.255.255.0
>  ip nat inside
>
> interface Ethernet1
>  description WAN
>  ip address 200.49.10.2 255.255.255.252
>  ip nat outside
>
> ip local pool dynpool 192.168.2.10 192.168.2.20
> ip nat pool net 200.49.10.2 200.49.10.2 netmask 255.255.255.252
> ip nat inside source list 100 pool net overload
>
> access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 100 permit ip 192.168.1.0 0.0.0.255 any
> access-list 100 permit ip 192.168.2.0 0.0.0.255 any
>
>
> Regards,
>
>
>
> On 12/2/06, Tom Jaeger <tjaeger at networksinstalled.com> wrote:
>> I am hoping someone can help me with this setup. I am new to the
>> list and can't find a place to search the old posts to see if this
>> has been discussed before. If so I am sorry.
>>
>> I am setting up a vpn connection to a cisco 2610 router with
>> c2600-ik9o3s3-mz.123-19.bin installed. I want windows xp computers
>> to connect from remote locations and have been following the
>> write-up at http://www.parkansky.com/tutorials/pptp.htm .
>>
>> I am getting close but not quite there. My config file and errors are
>> below. Of note, my 4-port NM-4E will arrive Monday so there is no
>> interface for the 10.0.0.X yet. I wouldn't think that it would stop
>> the initial connection.
>>
>>
>>
>> Thank you for any help or guidance,
>>
>> Tom Jaeger
>>
>> !
>> version 12.3
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> no service password-encryption
>> !
>> hostname boca
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> enable secret 5 "edited"
>> !
>> aaa new-model
>> !
>> !
>> aaa authentication ppp default local
>> aaa authorization network default if-authenticated
>> aaa session-id common
>> ip subnet-zero
>> ip cef
>> !
>> !
>> no ip domain lookup
>> ip domain name "edited"
>> !
>> ip audit po max-events 100
>> vpdn enable
>> !
>> vpdn-group 1
>> ! Default L2TP VPDN group
>>  accept-dialin
>>   protocol pptp
>>   virtual-template 1
>> !
>> async-bootp dns-server 10.0.0.5
>> async-bootp nbns-server 10.0.0.5
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> username tjaeger password 0 "edited"
>> !
>> !
>> !
>> !
>> !
>> !
>> interface Ethernet0/0
>>  ip address 192.168.5.21 255.255.255.0
>>  half-duplex
>>  hold-queue 100 out
>> !
>> interface Virtual-Template1
>>  no ip address
>>  ip mroute-cache
>>  peer default ip address pool DIAL-IN
>>  ppp encrypt mppe auto required
>>  ppp authentication ms-chap ms-chap-v2
>> !
>> ip local pool DIAL-IN 10.0.0.100 10.0.0.150
>> no ip http server
>> no ip http secure-server
>> ip classless
>> ip route 0.0.0.0 0.0.0.0 192.168.5.1
>> !
>> !
>> !
>> snmp-server community "edited" RO
>> snmp-server community "edited" RW
>> snmp-server enable traps snmp authentication
>> radius-server host 64.135.46.124 auth-port 1645 acct-port 1646
>> radius-server key "edited"
>> !
>> !
>> !
>> !
>> !
>> line con 0
>> line aux 0
>> line vty 0 4
>>  password "edited"
>> !
>> ntp clock-period 17208137
>> ntp server 192.43.244.18
>> !
>> end
>>
>> Dec 2 18:04:29.545: ppp3 PPP: Send Message[Dynamic Bind Response]
>> Dec 2 18:04:29.545: ppp3 PPP: Using vpn set call direction
>> Dec 2 18:04:29.545: ppp3 PPP: Treating connection as a callin
>> Dec 2 18:04:29.549: ppp3 PPP: Session handle[99000007] Session id[3]
>> Dec 2 18:04:29.549: ppp3 PPP: Phase is ESTABLISHING, Passive Open
>> Dec 2 18:04:29.549: ppp3 LCP: State is Listen
>> Dec 2 18:04:31.545: ppp3 LCP: Timeout: State Listen
>> Dec 2 18:04:31.545: ppp3 LCP: O CONFREQ [Listen] id 1 len 15
>> Dec 2 18:04:31.545: ppp3 LCP:    AuthProto MS-CHAP (0x0305C22380)
>> Dec 2 18:04:31.545: ppp3 LCP:    MagicNumber 0x5071B43E (0x05065071B43E)
>> Dec 2 18:04:31.549: ppp3 LCP: I CONFACK [REQsent] id 1 len 15
>> Dec 2 18:04:31.549: ppp3 LCP:    AuthProto MS-CHAP (0x0305C22380)
>> Dec 2 18:04:31.549: ppp3 LCP:    MagicNumber 0x5071B43E (0x05065071B43E)
>> Dec 2 18:04:31.553: ppp3 LCP: I CONFREQ [ACKrcvd] id 1 len 21
>> Dec 2 18:04:31.553: ppp3 LCP:    MRU 1400 (0x01040578)
>> Dec 2 18:04:31.553: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
>> Dec 2 18:04:31.553: ppp3 LCP:    PFC (0x0702)
>> Dec 2 18:04:31.553: ppp3 LCP:    ACFC (0x0802)
>> Dec 2 18:04:31.553: ppp3 LCP:    Callback 6 (0x0D0306)
>> Dec 2 18:04:31.557: ppp3 LCP: O CONFREJ [ACKrcvd] id 1 len 7
>> Dec 2 18:04:31.557: ppp3 LCP:    Callback 6 (0x0D0306)
>> Dec 2 18:04:31.557: ppp3 LCP: I CONFREQ [ACKrcvd] id 2 len 18
>> Dec 2 18:04:31.561: ppp3 LCP:    MRU 1400 (0x01040578)
>> Dec 2 18:04:31.561: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
>> Dec 2 18:04:31.561: ppp3 LCP:    PFC (0x0702)
>> Dec 2 18:04:31.561: ppp3 LCP:    ACFC (0x0802)
>> Dec 2 18:04:31.561: ppp3 LCP: O CONFNAK [ACKrcvd] id 2 len 8
>> Dec 2 18:04:31.561: ppp3 LCP:    MRU 1500 (0x010405DC)
>> Dec 2 18:04:31.565: ppp3 LCP: I CONFREQ [ACKrcvd] id 3 len 18
>> Dec 2 18:04:31.565: ppp3 LCP:    MRU 1400 (0x01040578)
>> Dec 2 18:04:31.565: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
>> Dec 2 18:04:31.565: ppp3 LCP:    PFC (0x0702)
>> Dec 2 18:04:31.569: ppp3 LCP:    ACFC (0x0802)
>> Dec 2 18:04:31.569: ppp3 LCP: O CONFNAK [ACKrcvd] id 3 len 8
>> Dec 2 18:04:31.569: ppp3 LCP:    MRU 1500 (0x010405DC)
>> Dec 2 18:04:31.573: ppp3 LCP: I CONFREQ [ACKrcvd] id 4 len 18
>> Dec 2 18:04:31.573: ppp3 LCP:    MRU 1500 (0x010405DC)
>> Dec 2 18:04:31.573: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
>> Dec 2 18:04:31.573: ppp3 LCP:    PFC (0x0702)
>> Dec 2 18:04:31.573: ppp3 LCP:    ACFC (0x0802)
>> Dec 2 18:04:31.573: ppp3 LCP: O CONFACK [ACKrcvd] id 4 len 18
>> Dec 2 18:04:31.577: ppp3 LCP:    MRU 1500 (0x010405DC)
>> Dec 2 18:04:31.577: ppp3 LCP:    MagicNumber 0x03530940 (0x050603530940)
>> Dec 2 18:04:31.577: ppp3 LCP:    PFC (0x0702)
>> Dec 2 18:04:31.577: ppp3 LCP:    ACFC (0x0802)
>> Dec 2 18:04:31.577: ppp3 LCP: State is Open
>> Dec 2 18:04:31.577: ppp3 PPP: Phase is AUTHENTICATING, by this end
>> Dec 2 18:04:31.581: ppp3 MS-CHAP: O CHALLENGE id 1 len 21 from "boca "
>> Dec 2 18:04:31.581: ppp3 LCP: I IDENTIFY [Open] id 5 len 18 magic 0x03530940 MSRASV5.10
>> Dec 2 18:04:31.581: ppp3 LCP: I IDENTIFY [Open] id 6 len 23 magic 0x03530940 MSRAS-0-TOM-IBM
>> Dec 2 18:04:31.585: ppp3 MS-CHAP: I RESPONSE id 1 len 61 from "tjaeger"
>> Dec 2 18:04:31.585: ppp3 PPP: Phase is FORWARDING, Attempting Forward
>> Dec 2 18:04:31.589: ppp3 PPP: Phase is AUTHENTICATING, Unauthenticated User
>> Dec 2 18:04:31.701: ppp3 PPP: Phase is FORWARDING, Attempting Forward
>> Dec 2 18:04:31.705: ppp3 PPP: Send Message[Connect Local]
>> Dec 2 18:04:31.717: Vi3 PPP: Phase is DOWN, Setup
>> Dec 2 18:04:31.721: ppp3 PPP: Bind to [Virtual-Access3]
>> Dec 2 18:04:31.721: Vi3 PPP: Send Message[Static Bind Response]
>> Dec 2 18:04:31.741: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
>> Dec 2 18:04:31.741: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
>> Dec 2 18:04:31.745: Vi3 MS-CHAP: O SUCCESS id 1 len 4
>> Dec 2 18:04:31.749: Vi3 PPP: Phase is UP
>> Dec 2 18:04:31.749: Vi3 PPP: Process pending ncp packets
>> Dec 2 18:04:31.753: Vi3 CCP: O CONFREQ [Closed] id 1 len 10
>> Dec 2 18:04:31.753: Vi3 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
>> Dec 2 18:04:31.757: Vi3 CCP: I CONFREQ [REQsent] id 7 len 10
>> Dec 2 18:04:31.757: Vi3 CCP:    MS-PPC supported bits 0x010000F1 (0x1206010000F1)
>> Dec 2 18:04:31.757: Vi3 CCP: O CONFNAK [REQsent] id 7 len 10
>> Dec 2 18:04:31.757: Vi3 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
>> Dec 2 18:04:31.761: Vi3 IPCP: I CONFREQ [Not negotiated] id 8 len 34
>> Dec 2 18:04:31.761: Vi3 IPCP:    Address 0.0.0.0 (0x030600000000)
>> Dec 2 18:04:31.761: Vi3 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
>> Dec 2 18:04:31.761: Vi3 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
>> Dec 2 18:04:31.761: Vi3 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
>> Dec 2 18:04:31.761: Vi3 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
>> Dec 2 18:04:31.765: Vi3 LCP: O PROTREJ [Open] id 2 len 40 protocol IPCP
>> Dec 2 18:04:31.765: Vi3 LCP:  (0x80210108002203060000000081060000)
>> Dec 2 18:04:31.765: Vi3 LCP:  (0x00008206000000008306000000008406)
>> Dec 2 18:04:31.765: Vi3 LCP:  (0x00000000)
>> Dec 2 18:04:31.769: Vi3 CCP: I CONFNAK [REQsent] id 1 len 10
>> Dec 2 18:04:31.769: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
>> Dec 2 18:04:31.773: Vi3 CCP: O CONFREQ [REQsent] id 2 len 10
>> Dec 2 18:04:31.773: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
>> Dec 2 18:04:31.773: Vi3 CCP: I CONFREQ [REQsent] id 9 len 10
>> Dec 2 18:04:31.773: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
>> Dec 2 18:04:31.773: Vi3 CCP: O CONFACK [REQsent] id 9 len 10
>> Dec 2 18:04:31.777: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
>> Dec 2 18:04:31.781: Vi3 CCP: I CONFACK [ACKsent] id 2 len 10
>> Dec 2 18:04:31.781: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
>> Dec 2 18:04:31.781: Vi3 CCP: State is Open
>> Dec 2 18:04:31.793: Vi3 LCP: I TERMREQ [Open] id 10 len 16 (0x03530940003CCD7400000000)
>> Dec 2 18:04:31.793: Vi3 LCP: O TERMACK [Open] id 10 len 4
>> Dec 2 18:04:31.793: Vi3 PPP: Sending Acct Event[Down] id[4]
>> Dec 2 18:04:31.797: Vi3 PPP: Phase is TERMINATING
>> Dec 2 18:04:31.801: Vi3 PPP: Block vaccess from being freed [0x18]
>> Dec 2 18:04:31.809: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
>> Dec 2 18:04:31.813: Vi3 LCP: State is Closed
>> Dec 2 18:04:31.813: Vi3 PPP: Phase is DOWN
>> Dec 2 18:04:31.813: Vi3 CCP: State is Closed
>> Dec 2 18:04:31.817: Vi3 PPP: Unlocked by [0x10] Still Locked by [0xA]
>> Dec 2 18:04:31.817: Vi3 PPP: Send Message[Disconnect]
>> Dec 2 18:04:31.817: Vi3 PPP: Unlocked by [0x8] Still Locked by [0x2]
>> Dec 2 18:04:31.817: Vi3 PPP: Unlocked by [0x2] Still Locked by [0x0]
>> Dec 2 18:04:31.817: Vi3 PPP: Free previously blocked vaccess
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
> --
> "The network is the computer"
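Editor's note, an added example and not code posted by anyone in this thread: the `debug ppp negotiation` output Tom quoted carries the whole MPPE story in the CCP "MS-PPC supported bits" option, but the 32-bit words are opaque unless you know the RFC 3078 flag layout (H = stateless, M/S/L = 56/128/40-bit keys, D obsolete, C = MPPC compression). The parser below walks those debug lines, decodes each CCP request/NAK/ACK, reports the key length the two ends settled on, and flags any LCP protocol-reject and who sent TERMREQ. It assumes the line shape of the IOS 12.3 debug shown above and the RFC 3078 bit meanings; the sample lines are copied from the quoted debug with wrapped lines rejoined. In that sample the router (`ppp encrypt mppe auto required`) offers 0x01000060 (40 or 128-bit), the XP client asks for 0x010000F1, both converge on 0x01000040 (128-bit stateless), and the router protocol-rejects IPCP just before the client's TERMREQ.

```python
"""Decode the CCP/MPPE exchange in Cisco IOS `debug ppp negotiation` output.
Added example for this thread, not a participant's code. Assumes the IOS 12.3
line shape quoted above and the MS-PPC bit meanings from RFC 3078 section 2."""
import re
from typing import Dict, List, Optional

# MS-PPC (CCP option type 18) supported-bits flags, RFC 3078 section 2.
MPPE_BITS: Dict[int, str] = {
    0x01000000: "H (stateless)",
    0x00000080: "M (56-bit)",
    0x00000040: "S (128-bit)",
    0x00000020: "L (40-bit)",
    0x00000010: "D (obsolete)",
    0x00000001: "C (MPPC compression)",
}
KEY_LENGTH_BITS = {0x00000020: 40, 0x00000080: 56, 0x00000040: 128}

# e.g. "Dec  2 18:04:31.753: Vi3 CCP: O CONFREQ [Closed] id 1 len 10"
_LINE = re.compile(r"^\S+\s+\d+\s+[\d:.]+:\s+(\S+)\s+([\w-]+):\s*(.*)$")
_PKT = re.compile(r"^([IO])\s+(\w+)\s+\[([^\]]*)\]\s+id\s+(\d+)\s+len\s+(\d+)(.*)$")
_BITS = re.compile(r"MS-PPC supported bits 0x([0-9A-Fa-f]{8})")


def decode_mppe_bits(value: int) -> List[str]:
    """Names of the RFC 3078 flags set in an MS-PPC supported-bits word."""
    names = [name for bit, name in MPPE_BITS.items() if value & bit]
    unknown = value & ~sum(MPPE_BITS)
    if unknown:
        names.append(f"unknown 0x{unknown:08X}")
    return names


def mppe_key_lengths(value: int) -> List[int]:
    """Key lengths still offered; more than one means the peers have not settled yet."""
    return sorted(length for bit, length in KEY_LENGTH_BITS.items() if value & bit)


def summarize(debug_lines) -> dict:
    """One pass over the debug: auth result, every CCP packet, agreed bits, PROTREJ, TERMREQ."""
    s = {"phases": [], "mschap_success": False, "ccp": [], "ccp_agreed": None,
         "protrej": [], "terminated_by": None}
    pending: Optional[dict] = None  # CCP packet whose option line has not been seen yet
    for raw in debug_lines:
        m = _LINE.match(raw.strip())
        if not m:
            continue  # %LINK-3-UPDOWN and other non-PPP lines
        _iface, proto, rest = m.groups()
        rest = rest.strip()
        pk = _PKT.match(rest)
        if proto == "PPP" and rest.startswith("Phase is "):
            s["phases"].append(rest[len("Phase is "):])
        elif proto == "MS-CHAP" and rest.startswith("O SUCCESS"):
            s["mschap_success"] = True
        elif proto == "LCP" and pk:
            direction, code = pk.group(1), pk.group(2)
            if code == "PROTREJ":  # an NCP the router refuses to run on this link
                pm = re.search(r"protocol\s+(\S+)", pk.group(6))
                s["protrej"].append(pm.group(1) if pm else "?")
            elif code == "TERMREQ":
                s["terminated_by"] = "peer" if direction == "I" else "local"
        elif proto == "CCP":
            if pk:
                pending = {"dir": pk.group(1), "code": pk.group(2),
                           "id": int(pk.group(4)), "bits": None}
                s["ccp"].append(pending)
            else:
                bm = _BITS.search(rest)
                if bm and pending is not None:
                    pending["bits"] = int(bm.group(1), 16)
                    if pending["code"] == "CONFACK":
                        s["ccp_agreed"] = pending["bits"]
                    pending = None
    return s


def report(debug_lines) -> str:
    s = summarize(debug_lines)
    out = ["auth: " + ("MS-CHAP success" if s["mschap_success"] else "no MS-CHAP success seen")]
    for p in s["ccp"]:
        desc = ", ".join(decode_mppe_bits(p["bits"])) if p["bits"] is not None else "(no MS-PPC option)"
        out.append(f"CCP {p['dir']} {p['code']:<7} id {p['id']:>2}: {desc}")
    if s["ccp_agreed"] is not None:
        out.append(f"MPPE agreed: {mppe_key_lengths(s['ccp_agreed'])}-bit, "
                   f"stateless={bool(s['ccp_agreed'] & 0x01000000)}")
    out += [f"WARNING: LCP PROTREJ sent for {proto}" for proto in s["protrej"]]
    if s["terminated_by"]:
        out.append(f"link torn down by {s['terminated_by']} (last phase: {s['phases'][-1]})")
    return "\n".join(out)


# Sample input: lines copied from the debug quoted in this thread, wrapped lines rejoined.
SAMPLE_DEBUG = """\
Dec 2 18:04:31.577: ppp3 PPP: Phase is AUTHENTICATING, by this end
Dec 2 18:04:31.745: Vi3 MS-CHAP: O SUCCESS id 1 len 4
Dec 2 18:04:31.753: Vi3 CCP: O CONFREQ [Closed] id 1 len 10
Dec 2 18:04:31.753: Vi3 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
Dec 2 18:04:31.757: Vi3 CCP: I CONFREQ [REQsent] id 7 len 10
Dec 2 18:04:31.757: Vi3 CCP:    MS-PPC supported bits 0x010000F1 (0x1206010000F1)
Dec 2 18:04:31.757: Vi3 CCP: O CONFNAK [REQsent] id 7 len 10
Dec 2 18:04:31.757: Vi3 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
Dec 2 18:04:31.765: Vi3 LCP: O PROTREJ [Open] id 2 len 40 protocol IPCP
Dec 2 18:04:31.769: Vi3 CCP: I CONFNAK [REQsent] id 1 len 10
Dec 2 18:04:31.769: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Dec 2 18:04:31.773: Vi3 CCP: O CONFREQ [REQsent] id 2 len 10
Dec 2 18:04:31.773: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Dec 2 18:04:31.773: Vi3 CCP: I CONFREQ [REQsent] id 9 len 10
Dec 2 18:04:31.773: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Dec 2 18:04:31.773: Vi3 CCP: O CONFACK [REQsent] id 9 len 10
Dec 2 18:04:31.777: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Dec 2 18:04:31.781: Vi3 CCP: I CONFACK [ACKsent] id 2 len 10
Dec 2 18:04:31.781: Vi3 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Dec 2 18:04:31.793: Vi3 LCP: I TERMREQ [Open] id 10 len 16 (0x03530940003CCD7400000000)
Dec 2 18:04:31.797: Vi3 PPP: Phase is TERMINATING
"""

if __name__ == "__main__":
    print(report(SAMPLE_DEBUG.splitlines()))
```

Feed it a full `debug ppp negotiation` capture (`python3 ppp_mppe.py < debug.txt` after swapping the sample for `sys.stdin`) and read the CCP lines top to bottom: a CONFNAK is one side narrowing the other's offer, and the first CONFACK with a single key length is the MPPE strength actually in use. An agreed value with more than one key-length bit, or no CONFACK at all, is the "unencrypted vpn" symptom from the thread; a PROTREJ of IPCP means the router never agreed to carry IP on the link regardless of how the encryption negotiation went.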