divide the tunnel pptp vpn router 7200

I have cisco 7200 running Cisco IOS Software, software 7200 (C7200-ADVENTERPRISEK9-M), Version 12.4 (24) T2, VERSION of the SOFTWARE (fc2). I want that connects to the pptp VPN in order to access the internet at the same time. I think that this can be achieved by implementing split VPN tunnel. However I can't understand how to implement this on my 7200. All the documentation I found only tell how to do it on a cisco ASA. I've been watching this article to help me to http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml#con4VPN clients will assign an ip address in the range of 172.16.10.0/24 to access the network remote fo 17.16.0.0/24Looking to the article posted above, I created the list 102 permit ip 172.16.0.0 ACLaccess 0.0.0.255 172.16.10.0 is 0.0.0.255What I can not understand how to apply this to my activation of VPDN PPTP groupvpdn
!
VPDN-Group 1
! PPTP by default VPDN group
accept-dialin
Pptp Protocol
virtual-model 1
! interface virtual-Template1
IP unnumbered GigabitEthernet0/2
peer default ip address pool-pptp pool
PPP encryption mppe auto
PPP ms-chap for authentication ms-chap-v2
! access-list 102 permit ip 172.16.0.0 0.0.0.255 172.16.10.0 0.0.0.255
Local IP pool pptp 172.16.10.1 172.16.10.254Any help is appreciatedThanks

Split PPTP tunnel must be configured on the client. Unlike the IPSec tunnel split which is performed on the head end, split PPTP tunnel is configured on the client itself.

Here is the configuration guide for document Q & A (last question):

http://www.Cisco.com/en/us/Partner/Tech/tk827/tk369/technologies_q_and_a_item09186a00800946ef.shtml

Here is an article from Microsoft that takes in charge who:

http://TechNet.Microsoft.com/en-us/library/cc779919%28WS.10%29.aspx#w2k3tr_vpn_how_dkma

Hope that helps.

Tags: Cisco Security

Similar Questions

Using the Tunnel interface on router

Hello world

I see hew Tunnel interface on the router.

Router is running OSPF.

However, there is no cryptographic statements.

tunnel configuration

Tunnel1 interface

10.4.x.x from IP x.x.x.x

time 7

source of tunnel Loopback1

destination 10.4.x.x tunnel

My question is when we use the interface Tunnel without any cryptographic statements?

Thank you

MAhesh

This Tunnel is a plain GRE Tunnel. They are generally used without crypto when:

(1) traffic is not sent through an untrusted network and cryptographic protection is not necessary.
(2) the GRE traffic gets encrypted on a separate device if the end point free WILL is not able to do the necessary cryptographic protection.

Sent by Cisco Support technique iPad App

Force traffic into the tunnel?

No IPSEC applied anywhere yet.

If you have 2 routers configured back to back with the physical interfaces tunnel interfaces - which way will be the traffic travels above?

Answer - It will follow the path of the routing table that I guess. OSPF or static or other routes.

Series enough.

Now add one IPSEC.

OSPF fails as IPSEC does not support multicast.

Series enough.

Now, add IPSEC and GRE to the mix. Apply card crypto both physical and tunnel interfaces.

Included here is the common ACL associated with free WILL. That is: -.

access-list 100 permit will host [address physical source] [address physical destination]

It's the ACL that is supposed to define what traffic is 'interesting' and which must be encrypted.

We will repeat the question: what should be the traffic?

I guess it's the same answer. Refer to the routing table.

But that traffic is encrypted? Answer - ONLY traffic destined to the IP tunnel interface.

If you ping from physics to physics, it will be clear.

Question - do you need to force ALL traffic to the bottom of the tunnel interface in the order so he could match the ACL and therefore get encrypted?

How do accomplish us this?

Discussion and debate would be greatly appreciated.

He

Only traffic with the source/destination of the tunnel interfaces - you just encapsulate & encrypt what happens / leaves the tunnel. If you have two sites connected through a VPN IPSEC, 'interesting' traffic for VPN is the source/destination on tunnel interfaces you need to LAN traffic in the tunnel interfaces. If you have either the static routes, or run you a dynamic routing such as OSPF or EIGRP Protocol.

You may have a default route pointing to the firewall, a routing protocol dynamic running - so that all "internal" traffic will take place on the tunnel = encrypted vpn to a remote site, while all the 'internet' traffic routes to the firewall and leaves normally.

HTH

Traffic to the VPN router IOS NAT tunnel

I need to configure a VPN tunnel that NATs traffic above him. I have already established VPN tunnels and NAT traffic. I did this on a concentrator VPN and ASA, but have seen some places where people say is not possible on a router or I saw real hard evidence that it is. For example, I use a Cisco 2801 router with 12.4(8a) and advanced security. This can be quite difficult as the subnet / vlan that we need NAT needs to pass normal traffic on other VPN tunnels and using a NAT on the Internet directly. Y does it have, any restrictions on it as the IOS version, being a router itself, NAT configuration. Any help is greatly appreciated.

Hi James,

NAT VPN traffic, you can like you do with ASAs on IOS routers.

If you do, it is that you create an ACL to set traffic to be coordinated, apply the ACL to a NAT rule and a condition that NAT statement with a roadmap to occur only when the traffic will be sent through the tunnel.

Federico.

Default route inside the tunnel VPN Site to site

We want to carry the default traffic within the site to site VPN tunnel, our goal is to route all traffic including default branch road and HO HO help branch for surfing the internet.

I have due to difficulties

1. cannot configure dynamic NAT for the router in the branch on the ASA HO, I know configuration for 8.2, but know not about 8.4

This is the configuration for the 8.2, if someone can translate to 8.4, which would be a great help

NAT (outside) 1 192.168.230.0

2. I do not know how to write the default route on the branch office router to send all traffic within the VPN tunnel

Hello

As I understand it then you want to route ALL traffic from the Remote Site to the Central Site and manage Internet traffic there.

I suppose you could define "interesting traffic" in configuring VPN L2L ACL / access-list in the following way

Branch router

extended IP access list

allow an ip

ASA central

ip access list allow one

The idea behind the type of ACL for the VPN L2L above configurations is that, for example, the branch office router has a rule that sets connection coming from the local LAN for 'any' destination address must be sent to the VPN L2L connection. So, it would be in such a way that all the traffic will be sent to the Central Site via VPN L2L.

I must say however, that the VPN router configurations side are not more familiar to me because I manage especially with ASA Firewall (and to some extent still PIX and FWSMs)

I guess that on the ASA Central you will PAT translation to "outside" so that the host can access the Internet?

You would probably do something like this

object-group network to REMOTE-SITE-PAT-SOURCE

network-object

interface of REMOTE-SITE-PAT-SOURCE dynamic NAT (outside, outside) after auto source

If you don't want to use the 'outside' IP address, then you will have to create a 'network of object' for address IP of PAT and use it in the line of NAT configuration above instead of "interface".

Alternate configuration might be

network of the REMOTE-SITE-PAT object

subnet

dynamic NAT interface (outdoors, outdoor)

You also need to enable

permit same-security-traffic intra-interface

To allow traffic to enter and exit the same interface on the ASA

All these answers are naturally suggestion on what you have to do. I don't know what kind of configurations you have right now.

Hope this helps in some way

-Jouni

Post edited by: Jouni Forss

Command to check the tunnel VPN S2S awhile in the cisco router

Dear all,

Please share the command check S2S tunnel of time that is configured on the router.

There are commands that define the lifetimes of (his) IPSec Security Associations, ISAKMP.

For example:

crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600

life 3599 seconds crypto ipsec security association

... and you can determine the remaining lifetime for these SAs with the following commands:

SH detail session crypto

SH in detail its crypto isakmp

SH crypto ipsec his

The delta between the lifetime (s) configured and remaining life will tell you how much time has passed since the last regeneration, but that is as close you are likely to have to determine when the tunnel came first.

You could use other means as States of syslog for you say when a Tunnel is a transitioning upwards or downwards.

Best regards

Mike

Best Soho - Split Tunnel VPN router

Hi - I'm looking for some advice for a soho router.

Basically the main feature, I'm looking for is to run, which I think is a VPN split tunnel, so that all internal clients route default traffic out to the gateway of the ISP. However, if the traffic is destined for a list of several specific subnets (x.x.x.x/24, y.y.y.y/24 etc.), then it should establish a tunnel to an only PPTP/IPSEC host and route remote traffic for these subnets via the tunnel. To be clear, that these subnets (x.x.x.x and y.y.y.y) is not attached to the end of the tunnel - which is a gateway device that will route them further.

I've been watching the various VPN router offers and is not clear to me if I can do it with a RV - 042, BEFVP41 or something like the other thing SRP521W I must be able to manipulate the routing tables directly on.

As an additional note, I have complete control over the end of SOHO - but simply an account at the end of the tunnel with (it is a service provider). The idea is to use public services for 90% of the traffic, but if customers want to access a specific set of addresses, it will forward this specific traffic through the tunnel.

Thanks in advance...

On current view, do not touch the RPS with a bargepole.

Adding access to additional subnets through a VPN tunnel is pretty standard, routing will be automatic if the VPN was established, but you must ensure that

1. politics VPN at BOTH ENDS allows your local subnet to access these networks

2. your subnet is not incompatible with other subnets or roads that can be used on remote networks

3. assuming you're OK so far, remote subnets must have a route is added to the default gateway to point to your subnet via intermediate networks

Good luck!

LAN to lan vpn between ASA and router 7200

Hi friends,

I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).

<7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network

I will have the following configuration:

7200 router:

crypto ISAKMP policy 80

the enc

AUTH pre-shared

Group 1

life 3600

ISAKMP crypto key cisco123 address 192.168.12.2

Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans

map VPNTunnel 80 ipsec-isakmp crypto

defined by peer 192.168.12.2

game of transformation-VPNtrans

match address 110

int fa0/0

IP add 10.10.5.2 255.255.255.192

IP virtual-reassembly

no ip route cache

Speed 100

full duplex

card crypto VPNTunnel

access-list 110 permit ip any 192.135.5.0 0.0.0.255

ASA:

int e0/0

nameif inside

security-level 100

192.135.5.254 Add IP 255.255.255.0

int e0/1

nameif outside

security-level 0

IP add 192.168.12.2 255.255.255.240

access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any

Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1

"pre-shared key auth" ISAKMP policy 10

ISAKMP policy 10-enc

ISAKMP policy 10 md5 hash

10 1 ISAKMP policy group

ISAKMP duration strategy of life 10-3600

Crypto ipsec transform-set esp - esp-md5-hmac VPNtran

card crypto VPN 10 matches the ACL address

card crypto VPN 10 set peer 10.10.5.2

card crypto VPN 10 the transform-set VPNtran value

tunnel-group 10.10.5.2 type ipsec-l2l

IPSec-attributes of type tunnel-group 10.10.5.2

cisco123 pre-shared key

card crypto VPN outside interface

ISAKMP allows outside

dhcpd address 192.135.5.1 - 192.135.5.250 inside

dhcpd dns 172.15.4.5 172.15.4.6

dhcpd wins 172.15.76.5 172.15.74.5

dhcpd lease 14400

dhcpd ping_timeout 500

dhcpd allow inside

Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...

Please advise...

Thank you very much...

Where it fails at the present time?

Can you share out of after trying to establish the VPN tunnel:

See the isa scream his

See the ipsec scream his

Please also run the following debug to see where it is a failure:

debugging cry isa

debugging ipsec cry

Router (IPSec)-> INTERNET-> Router (IPsec) where to put the TUNNEL IP POOL?

Hello

I'm still learning the VPN (IPsec), I was able to create a tunnel between my PC and my router, but now I want to connect two routers:

F0/1=192.168.0.1 ROUTER A-> INTERNET-> ROUTER B F0/1=192.168.10.1

Both routers receive an IP address from my ISP, I can't do a ping to a site at the other site, I mean, I am able to PING ROUTER A from ROUTER B with the ISP addresses and otherwise.

Two ROUTERS have the same configuration, except for the IP addresses and the ACL, they are opposite.

I think I know what I did wrong, but I don't know how to solve: the TUNNEL need also an IP from a POOL where should I put up, the ROUTER A or ROUTER B?

ROUTER

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

router host name

!

boot-start-marker

boot-end-marker

!

No aaa new-model

IP cef

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key cisco address 81.83.201.BB

!

!

Crypto ipsec transform-set esp-3des RIGHT

!

router_A_to_router_B 1000 ipsec-isakmp crypto map

set of peer 81.83.201.BB

transformation-RIGHT game

match address 101

!

interface FastEthernet0/0

DHCP IP address

automatic speed

full-duplex

router_A_to_router_B card crypto

!

interface FastEthernet0/1

the IP 192.168.0.1 255.255.255.0

automatic speed

full-duplex

!

!

no ip address of the http server

no ip http secure server

!

access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

!

!

control plan

!

Line con 0

Speed 115200

line to 0

line vty 0 4

!

!

end

ROUTER B

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

router host name

!

boot-start-marker

boot-end-marker

!

No aaa new-model

IP cef

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key cisco address 81.83.201.AA

!

!

Crypto ipsec transform-set esp-3des RIGHT

!

router_B_to_router_A 1000 ipsec-isakmp crypto map

set of peer 81.83.201.AA

transformation-RIGHT game

match address 101

!

interface FastEthernet0/0

DHCP IP address

automatic speed

full-duplex

router_B_to_router_A card crypto

!

interface FastEthernet0/1

IP 192.168.10.1 255.255.255.0

automatic speed

full-duplex

!

!

no ip address of the http server

no ip http secure server

!

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

!

!

control plan

!

Line con 0

Speed 115200

line to 0

line vty 0 4

!

!

end

!

!

!

!

!

!

Best regards

Didier

Didier, there are a number of things missing in your config file to make it work, what I can say fa0/1 is inside and the fa0/0 are outdoors. There is no NAT translation to activate the computers inside the network, allowing access to the Internet. You will also need to exclude the EIGRP NAT roads in order to reach the remote network. Each router must have a default gateway to the Internet, this should be done with the following command:

IP route 0.0.0.0 0.0.0.0 fa0/0 dhcp

This will use the default gateway of the DHCP server that assigns IP address on fa0/0. Once that each router has a path to another and the tunnel connects EIGRP will handle the rest given the information to the router 90, this is the spectacle of one of my spoke routers route:

NTR-2620XM #show ip route
Code: C - connected, S - static, mobile R - RIP, M-, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2
i - IS - Su - summary IS, L1 - IS - IS level 1, L2 - IS level - 2
-IS inter area, * - candidate failure, U - static route by user
o - ODR, P - periodic downloaded route static

Gateway of last resort is to network 0.0.0.0 0.0.0.0

65.0.0.0/32 is divided into subnets, subnets 1
C 65.14.24.190 is directly connected, Dialer0
172.16.0.0/32 is divided into subnets, subnets 1
D EX 172.16.50.31 [170/3074560] via 172.19.8.1, 20:04:58, Tunnel0
172.19.0.0/24 is divided into subnets, subnets 1
C 172.19.8.0 is directly connected, Tunnel0
10.0.0.0/8 is variably divided into subnets, subnets 14, 6 masks
D EX 10.13.13.8/29 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D EX 10.11.7.0/28 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D 10.13.13.0/29 [90/2818560] via 172.19.8.1, 20:04:58, Tunnel0
C 10.19.9.0/27 is directly connected, Vlan200
C 10.19.8.0/24 is directly connected, Vlan100
C 10.19.10.0/28 is directly connected, Vlan900
D EX 10.20.7.0/24 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D [90/3097600] 10.22.7.0/24 through 172.19.8.1, 17:34:52, Tunnel0
D 10.37.4.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
D 10.15.50.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
D EX 10.24.40.0/24 [170/2818560] via 172.19.8.1, 20:04:59, Tunnel0
D 10.12.85.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
C 10.19.9.192/26 is directly connected, Vlan500
D EX 10.244.0.0/22 [170/2818560] via 172.19.8.1, 20:04:59, Tunnel0
74.0.0.0/32 is divided into subnets, subnets 1
C 74.23.201.24 is directly connected, Dialer0
S * 0.0.0.0/0 is directly connected, Dialer0

All designated routes D are dynamic routes drawn other routers on the DMVPN EIGRP. It will propagate the routing table and they point to the appropriate star. If you follow the example that I gave you, you will have a functional DMVPN.

See you soon,.

Sam

PPTP VPN between clients Windows and Cisco 2921 router

Hi all!

I have a problem with PPTP VPN between Windows clients and router Cisco 2921 with permission of RADIUS (IAS). When I try to connect to Cisco 2921 of Windows 7 by using MS-CHAP v2 I get the message 778: it was not possible to verify the identity of the server. Can I use PAP - power is OK. On Windows XP, the same situation.

Cisco config:

version 15.0

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

!

hostname gw.izmv

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

AAA new-model

!

AAA authentication ppp default local radius group of

!

AAA - the id of the joint session

!

clock timezone + 002 2

!

No ipv6 cef

IP source-route

IP cef

!

!

Authenticated MultiLink bundle-name Panel

!

Async-bootp Server dns 192.168.192.XX

VPDN enable

!

VPDN-Group 1

! PPTP by default VPDN group

accept-dialin

Pptp Protocol

virtual-model 1

echo tunnel PPTP 10

tunnel L2TP non-session timeout 15

PMTU IP

adjusting IP mtu

!

redundancy

!

interface Loopback0

IP 192.168.207.1 255.255.255.0

!

!

interface GigabitEthernet0/0

Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE $ 0/0

IP 192.168.192.XXX 255.255.255.0

IP 192.168.192.XX 255.255.255.0 secondary

IP nat inside

IP virtual-reassembly

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/1

no ip address

Shutdown

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/2

Description - Inet-

no ip address

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

PPPoE enable global group

PPPoE-client dial-pool-number 1

No cdp enable

!

!

interface virtual-Template1

IP unnumbered Loopback0

IP mtu 1492

IP virtual-reassembly

AutoDetect encapsulation ppp

by default PPP peer ip address pool

PPP mppe auto encryption required

PPP authentication ms-chap-v2

!

!

interface Dialer1

the negotiated IP address

NAT outside IP

IP virtual-reassembly

encapsulation ppp

Dialer pool 1

Dialer-Group 1

PPP authentication pap callin

PPP pap sent-username DSLUSERNAME password DSLPASSWORD

No cdp enable

!

!

IP local pool PPP 192.168.207.200 192.168.207.250

IP forward-Protocol ND

!

!

overload of IP nat inside source list NAT_ACL interface Dialer1

IP nat inside source static tcp 192.168.192.XX 25 expandable 25 82.XXX.XXX.XXX

IP nat inside source static tcp 192.168.192.XX 1352 82.XXX.XXX.XXX 1352 extensible

IP route 0.0.0.0 0.0.0.0 Dialer1

!

NAT_ACL extended IP access list

deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255

deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255

deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255

deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255

permit tcp 192.168.192.0 0.0.0.255 any eq www

permit tcp 192.168.192.0 0.0.0.255 any eq 443

permit tcp 192.168.192.0 0.0.0.255 any eq 1352

permit tcp host 192.168.192.XX no matter what eq smtp

permit tcp 192.168.192.0 0.0.0.255 any eq 22

permit tcp host 192.168.192.XX no matter what eq field

permit tcp host 192.168.192.XX no matter what eq field

permit tcp host 192.168.192.XX no matter what eq field

allowed UDP host 192.168.192.XX matter what eq field

allowed UDP host 192.168.192.XX matter what eq field

allowed UDP host 192.168.192.XX matter what eq field

!

host 192.168.192.XX auth-port 1645 1646 RADIUS server acct-port

Server RADIUS IASKEY key

!

control plan

!

!

!

Line con 0

line to 0

line vty 0 4

line vty 5 15

!

Scheduler allocate 20000 1000

end

Debugging is followed:

14:47:51.755 on 21 oct: PPP: Alloc context [294C7BC4]

14:47:51.755 on 21 oct: ppp98 PPP: Phase is

14:47:51.755 on 21 oct: ppp98 PPP: using AAA Id Unique = 8 b

14:47:51.755 on 21 oct: ppp98 PPP: permission NOT required

14:47:51.755 on 21 oct: ppp98 PPP: via vpn, set the direction of the call

14:47:51.755 on 21 oct: ppp98 PPP: treatment of connection as a callin

14:47:51.755 on 21 oct: ppp98 PPP: Session Session handle [62] id [98]

14:47:51.755 on 21 oct: ppp98 TPIF: State of the event [OPEN] [initial check]

14:47:51.755 on 21 oct: ppp98 PPP LCP: switch to passive mode, State [stopped]

14:47:53.759 on 21 oct: ppp98 PPP LCP: exit passive mode, State [departure]

14:47:53.759 on 21 oct: LCP ppp98: O CONFREQ [departure] id 1 len 19

14:47:53.759 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:53.759 on 21 oct: ppp98 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)

14:47:53.759 on 21 oct: ppp98 TPIF: MagicNumber 0xF018D237 (0x0506F018D237)

14:47:53.759 on 21 oct: ppp98 TPIF: event [UP] State [departure at REQsent]

14:47:54.351 on 21 oct: ppp98 TPIF: I CONFREQ [REQsent] id 0 len 18

14:47:54.351 on 21 oct: ppp98 TPIF: MRU 1400 (0 x 01040578)

14:47:54.351 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

14:47:54.351 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

14:47:54.351 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

14:47:54.351 on 21 oct: LCP ppp98: O CONFNAK [REQsent] id 0 len 8

14:47:54.351 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:54.351 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq-] [REQsent to REQsent]

14:47:54.751 on 21 oct: ppp98 TPIF: I CONFACK [REQsent] id 1 len 19

14:47:54.751 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:54.751 on 21 oct: ppp98 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)

14:47:54.751 on 21 oct: ppp98 TPIF: MagicNumber 0xF018D237 (0x0506F018D237)

14:47:54.751 on 21 oct: ppp98 TPIF: State of the event [receive ConfAck] [REQsent to ACKrcvd]

14:47:54.915 on 21 oct: ppp98 TPIF: I CONFREQ [ACKrcvd] id 1 len 18

14:47:54.915 on 21 oct: ppp98 TPIF: MRU 1400 (0 x 01040578)

14:47:54.915 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

14:47:54.915 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

14:47:54.915 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

14:47:54.915 on 21 oct: LCP ppp98: O CONFNAK [ACKrcvd] id 1 len 8

14:47:54.915 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:54.915 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq-] [ACKrcvd to ACKrcvd]

14:47:55.275 on 21 oct: ppp98 TPIF: I CONFREQ [ACKrcvd] id 2 len 18

14:47:55.275 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:55.275 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

14:47:55.275 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

14:47:55.275 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

14:47:55.275 on 21 oct: LCP ppp98: O CONFACK [ACKrcvd] id 2 len 18

14:47:55.275 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:55.275 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

14:47:55.275 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

14:47:55.275 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

14:47:55.275 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq +] [ACKrcvd to open]

14:47:55.295 on 21 oct: ppp98 PPP: Phase is AUTHENTICATING,

14:47:55.295 on 21 oct: ppp98 MS-CHAP-V2: O CHALLENGE id 1 len 28 of 'gw.izmv '.

14:47:55.295 on 21 oct: ppp98 TPIF: State is open

14:47:55.583 on 21 oct: ppp98 MS-CHAP-V2: I ANSWER id 1 len 71 of "domain\username".

14:47:55.583 on 21 oct: ppp98 PPP: Phase TRANSFER, tempting with impatience

14:47:55.583 on 21 oct: ppp98 PPP: Phase is AUTHENTICATING, unauthenticated user

14:47:55.587 on 21 oct: ppp98 PPP: request sent MSCHAP_V2 LOGIN

14:47:55.591 on 21 oct: ppp98 PPP: received LOGIN response PASS

14:47:55.591 on 21 oct: ppp98 PPP AUTHOR: author data NOT available

14:47:55.591 on 21 oct: ppp98 PPP: Phase TRANSFER, tempting with impatience

14:47:55.595 on 21 oct: Vi3 PPP: Phase is AUTHENTICATING, authenticated user

14:47:55.595 on 21 oct: Vi3: given msg No. MS_CHAP_V2

14:47:55.595 on 21 oct: Vi3 MS-CHAP-V2: SUCCESS O id 1 len 46 msg is "tG @ #QDD @(@B@ (@[email protected]/ ** / @I @:[email protected]/ ** / @@@ EJFDE)).

14:47:55.595 on 21 oct: Vi3 PPP: Phase is in PLACE

14:47:55.595 on 21 oct: Vi3 CPIW: protocol configured, start state cf. [original]

14:47:55.595 on 21 oct: Vi3 CPIW: State of the event [OPEN] [Initial report on startup]

14:47:55.595 on 21 oct: Vi3 CPIW: O CONFREQ [departure] id 1 len 10

14:47:55.595 on 21 oct: Vi3 CPIW: address of 192.168.207.1 (0x0306C0A8CF01)

14:47:55.595 on 21 oct: Vi3 CPIW: event [UP] State [begins to REQsent]

14:47:55.595 on 21 oct: Vi3 CCP: protocol configured, start state cf. [original]

14:47:55.595 on 21 oct: Vi3 CCP: State of the event [OPEN] [Initial report on startup]

14:47:55.595 on 21 oct: Vi3 CCP: O CONFREQ [departure] id 1 len 10

14:47:55.595 on 21 oct: Vi3 CCP: MS - PPC supported bits 0 x 01000060 (0 x 120601000060)

14:47:55.595 on 21 oct: Vi3 CCP: event [UP] State [begins to REQsent]

14:47:55.599 on 21 oct: % LINK-3-UPDOWN: Interface virtual-access.3, changed State to

14:47:55.603 on 21 oct: % LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-access.3, changed State to

14:47:56.027 on 21 oct: Vi3 LCP: I have TERMREQ [open] id 3 len 16

14:47:56.027 on 21 oct: Vi3 LCP: (0x2F7C5F7E003CCD740000030A)

14:47:56.027 on 21 oct: Vi3 CPIW: event [BOTTOM] State [REQsent on startup]

14:47:56.027 on 21 oct: Vi3 CPIW: State of event [CLOSE] [begins with initial]

14:47:56.027 on 21 oct: Vi3 CCP: event [BOTTOM] State [REQsent on startup]

14:47:56.027 on 21 oct: Vi3 PPP DISC: MPPE required not negotiated

14:47:56.027 on 21 oct: Vi3 PPP: sending Acct event [low] id [8B]

14:47:56.027 on 21 oct: Vi3 CCP: State of event [CLOSE] [start with initial]

14:47:56.027 on 21 oct: Vi3 LCP: O TERMACK [open] id 3 len 4

14:47:56.027 on 21 oct: Vi3 LCP: event [receive TermReq] State [Open to stop]

14:47:56.027 on 21 oct: Vi3 PPP: Phase ENDS

14:47:56.027 on 21 oct: Vi3 LCP: event [CLOSE] [off status of closing]

14:47:56.675 on 21 oct: Vi3 PPP: block vaccess to be released [0x10]

14:47:56.675 on 21 oct: Vi3 LCP: event [CLOSE] State [closing closing]

14:47:56.679 on 21 oct: Vi3 LCP: event [BOTTOM] State [closing on Initial]

14:47:56.679 on 21 oct: Vi3 PPP: compensation AAA Id Unique = 8 b

14:47:56.679 on 21 oct: Vi3 PPP: unlocked by [0x10] always locked by 0 x [0]

14:47:56.679 on 21 oct: Vi3 PPP: free previously blocked vaccess

14:47:56.679 on 21 oct: Vi3 PPP: Phase is BROKEN

14:47:56.679 on 21 oct: % LINK-3-UPDOWN: Interface virtual-access.3, changed State to down

14:47:56.683 on 21 oct: % LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-access.3, state change downstairs

I'll be very grateful for any useful suggestions

We had the same problem using MS-CHAP-V2 and 3945 router using IOS 15.2. When you add the same combination of username/password locally it worked fine but it wasn't no of course of the solution. We have solved this problem by adding the following line in the config file:

AAA authorization network default authenticated if

This is because Windows 2000 clients require the use of a statement of authorization aaa in the router config. Maybe it was default (and therefore not shown) previous iOS releases.

Success!

Wil Schenkeveld

QuickVPN - could not do a ping the remote VPN router!

Hello

I have a RV042 (VPN router) and I have some problems to run properly using the QuickVPN client.

Here is the Log of the QuickVPN client.

2008-10-15 20:14:38 [STATUS] a network interface detected with 192.168.0.104 IP address
2008-10-15 20:14:38 [STATUS] connection...
2008-10-15 20:14:38 [STATUS] connection to a remote gateway with IP address: 96.20.174.84
2008-10-15 20:14:38 [WARNING] server certificate does not exist on your local computer.
2008-10-15 20:14:44 remote gateway [STATE] has been reached with https...
2008-10-15 20:14:44 [STATUS] commissioning...
2008-10-15 20:14:51 [STATUS] Tunnel is connected successfully.
2008-10-15 20:14:51 [STATUS] verification of network...
2008-10-15 20:14:55 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:14:58 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:01 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:05 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:08 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:11 [WARNING] Ping has been blocked, which can be caused by an unexpected disconnection.
2008-10-15 20:15:19 [STATUS] disconnection...
2008-10-15 20:15:25 [STATUS] Tunnel is disconnected successfully.

I don't know how it is implemented, but if WuickVPN wait a form ping my router, it will not happen. I was never able to ping my router ouside of my ISP network.

There is a way to disable the Ping process and continue with the VPN connection?

QuickVPN try ping on the router via the VPN tunnel to check the connection. It should work without worrying about whether your ISP filters ICMP messages or not. The tunnel is encrypted your ISP won't know what you're doing.

Please post the corresponding on the RV042 VPN log. That is expected to see how far you get.

You have a firewall running on the computer? I think that some firewalls have difficulty with the traffic of ESP.

What is the router that is connected to the computer? How is it that is configured?

Cannot open an L2TP VPN tunnel behind a router 806.

This is the scenario:

My ISP provider provides pppoE.

When I connect a PC directly to the ADSL modem, I can open my L2TP VPN and VPN works fine and I am able to navigate.

When I connect the PC behind 806, I get a private pool in 806 IP and I am able to navigate, but PC, I open my VPN L2TP software utility (same as before) and cannot open the VPN.

Could you please tell me what config I shoul put in router to open the tunnel of 806 instead of op VPN software utility? The difference is that now 806 global IP gets rather od PC.

So I know now tunnel should be open from the router, but I Don t know what I have lines shlould Add.

Help, please!

I thinkl you want is VPN passthrough, the answer to that is the version of the IOS, I think IOS version 12.2 and allows VPN Passthru especially. There is no other configuration required just to 12.2 or above

S2S VPN - cannot get the tunnel upward

I couldn't lift a VPN site-to site because of a configuration error that I can't fix

The topology is Server1 > Hub > ASA - 1 ASA-2<><>

When I launch a ping server 1 Server 2 to try to get out of the tunnel to the top, I get the following error:

% ASA-6-110002: unable to locate the output for ICMP inside:192.168.100.2/2655 to 192.168.200.2/0 interface

No matter which side I am ping, I get the error on both of the ASA. Here is the config for the two ASA, thanks for any help.

!
ASA-1 hostname
!
interface GigabitEthernet0
nameif outside
security-level 0
IP 80.1.1.1 255.255.255.252
!
interface GigabitEthernet1
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
passive FTP mode
network of the PC_LAN object
255.255.255.0 subnet 192.168.100.0
network of the REMOTE_LAN object
192.168.200.0 subnet 255.255.255.0
extended access list ACL-OUTSIDE-PING icmp permitted any one
LAB_S2S_VPN to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.200.0 255.255.255.0 connect
LAB_S2S_VPN list extended access allow icmp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 connect
pager lines 24
Enable logging
exploitation forest-size of the buffer of 6000
debug logging in buffered memory
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ARP timeout 14400
NAT static PC_LAN PC_LAN destination (indoor, outdoor) static source REMOTE_LAN REMOTE_LAN
Access-Group ACL-OUTSIDE-PING to the interface inside
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 aes-esp - SHA-AES-ESP esp-sha-hmac
card crypto VPN_CRYPTO_MAP 1 corresponds to the address LAB_S2S_VPN
card crypto VPN_CRYPTO_MAP 1 set peer 80.1.1.2
card crypto VPN_CRYPTO_MAP 1 set transform-set ESP-AES-SHA ikev1
VPN_CRYPTO_MAP interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 86400
management-access inside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
tunnel-group 80.1.1.2 type ipsec-l2l
IPSec-attributes tunnel-group 80.1.1.2
IKEv1 pre-shared-key *.

ASA-2 host name
!
interface GigabitEthernet0
nameif outside
security-level 0
IP 80.1.1.2 255.255.255.252
!
interface GigabitEthernet1
nameif inside
security-level 100
192.168.200.1 IP address 255.255.255.0
!
interface GigabitEthernet2
Shutdown
No nameif
no level of security
no ip address
!
passive FTP mode
network of the PC_LAN object
192.168.200.0 subnet 255.255.255.0
network of the REMOTE_LAN object
255.255.255.0 subnet 192.168.100.0
extended access list ACL-OUTSIDE-PING icmp permitted any one
LAB_S2S_VPN to access extended list ip 192.168.200.0 allow 255.255.255.0 192.168.100.0 255.255.255.0 connect
LAB_S2S_VPN list extended access allow icmp 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 connect
pager lines 24
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT static REMOTE_LAN REMOTE_LAN destination (indoor, outdoor) static source PC_LAN PC_LAN
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 aes-esp - SHA-AES-ESP esp-sha-hmac
card crypto VPN_CRYPTO_MAP 1 corresponds to the address LAB_S2S_VPN
card crypto VPN_CRYPTO_MAP 1 set peer 80.1.1.1
card crypto VPN_CRYPTO_MAP 1 set transform-set ESP-AES-SHA ikev1
VPN_CRYPTO_MAP interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
tunnel-group 80.1.1.1 type ipsec-l2l
IPSec-attributes tunnel-group 80.1.1.1
IKEv1 pre-shared-key *.
!

You won't have a road to 192.168.200.2 so he was not able to locate the next hop for the traffic of the tunnel.

These static routes adding causes all traffic to be sent to the default gateway of the internet, including VPN and VPN traffic not.
So adding a route for 192.168.200.0 pointing to 80.1.1.X gave the same results.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

VPN router to the problem of the ASA

Hello world.

I am doing a VPN between a router and a series of ASA5500 and difficulties.

The router part is 100% correct because it is a daily task, but miss me something on the side of the ASA of the things.

The ASA also has remote via IPsec tunnels clients as you'll see below, so I have to make sure that continues to work!

It is a fairly urgent question. So any help or advice can be provided, it would be very appreciated!

Here is the router part:

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

isakmp encryption key * ASA-PUBLIC-IP address

ISAKMP crypto keepalive 100

!

!

Crypto ipsec transform-set transform-set esp-3des esp-md5-hmac

!

10 customers map ipsec-isakmp crypto

defined ASA-PUBLIC-IP peer

transform-set transform-Set

match address 102

QoS before filing

!

!

Access-list 100 remark [== NAT control ==]

access-list 100 deny ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

Access-list 102 remark == [VPN access LISTS] ==

access-list 102 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Access-list 102 remark

(Crypto card has been applied to the corresponding interface)

SIDE OF THE ASA:

permit inside_nat0_outbound to access extended list ip 10.1.1.0 255.255.255.0 10.1.1.192 255.255.255.224

prevpn_splitTunnelAcl list standard access allowed 10.1.1.0 255.255.255.0

access-list Interior-access-in extended permit ip 10.1.1.0 255.255.255.0 any

access-list Interior-access-in extended permit icmp 10.1.1.0 255.255.255.0 any

access list for distance-extended permitted ip network 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Global (outside) 1 ASA-PUBLIC-IP

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 10.1.1.0 255.255.255.0

NAT (inside) 0 192.168.2.0 255.255.255.0

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-3DES-MD5 value

card crypto outside_map 40 match remote-network address

card crypto outside_map 40 game peers REMOTE-router-IP

outside_map card crypto 40 the transform-set ESP-3DES-MD5 value

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

ISAKMP allows outside

part of pre authentication ISAKMP policy 10

ISAKMP policy 10 3des encryption

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

tunnel-group prevpn type ipsec-ra

tunnel-group prevpn General-attributes

address pool VPN-pool

Group Policy - by default-prevpn

prevpn group of tunnel ipsec-attributes

pre-shared-key *.

tunnel-group REMOTE-router-IP type ipsec-l2l

REMOTE-router-IP tunnel-group ipsec-attributes

pre-shared-key *.

Hi Chris

first on the router make this change to littil than u ned to add md5 as hashing whil employees u th in the asa and the router u did not, so the default is sha!

do

crypto ISAKMP policy 1

md5 hash

now on the SAA as I see that there is a problem in nat0 you line l2l tunnel

so that you need to look like:

permit inside_nat0_outbound to access extended list ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

You also need a permit for the ipsec traffic, the following command will allow all ipsec traffic if you want to filter traffic not to use this command and use rather ACLs on the external interface, but following that to allow all traffic to your L2L and remote vpn access:

Permitted connection ipsec sysopt

so, please:

clear xlate and reload the ASA then attempt to leave the expmtion NAT new effects

Good luck

If useful rates

Cannot ping vpn client of 1721 cli on the tunnel endpoint

I have a 1721 fortunately supporting ipsec vpn client connections. With one small exception, everything works perfectly fine.

The VPN pool is 10.10.10.1 - 10.10.10.254

The interface internal f0 is attributed to 192.168.1.254/24.

In my example:

Ip address of the VPN client is 10.10.10.5

The host address of an arbitrary machine on the internal lan is 192.168.1.151

I am able to ping 192.168.1.151 10.10.10.5

I'm * not * able to ping 10.10.10.5 192.168.1.254 using the cli on the 1721.

There is a very good reason to want to solve this problem. I would like to be able to access a tftp server on the client vpn directly from the router in order to download the new startup-config files. Is it possible to get the traffic of vpn-/ tunnel-point endpoint client tftp to travel through the tunnel?

When you ping from the CLI on the router, the packet will be from the external interface, not the IP address fa0 interface. The VPN client and the router only built a tunnel from the 10.10.10.5 address the 192.168.1.0 network, then the router not cryptera a package that her origin is outside the IP address.

Try to ping extended to 10.10.10.5 and source of 192.168.1.254 package and see if it works. If it does, you will have also to the source of your TFTP packets from inside interface, you can do with:

IP tftp source interface fa0

divide the tunnel pptp vpn router 7200

Similar Questions

Maybe you are looking for