PPTP VPN between Windows clients and a Cisco 2921 router

Hi all!

I have a problem with a PPTP VPN between Windows clients and a Cisco 2921 router, with authorization through RADIUS (IAS). When I try to connect to the Cisco 2921 from Windows 7 using MS-CHAP v2, I get error 778: it was not possible to verify the identity of the server. If I use PAP, everything is OK. On Windows XP, the same situation.

Cisco config:

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gw.izmv
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication ppp default local group radius
!
aaa session-id common
!
clock timezone +002 2
!
no ipv6 cef
ip source-route
ip cef
!
!
multilink bundle-name authenticated
!
async-bootp dns-server 192.168.192.XX
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 pptp tunnel echo 10
 l2tp tunnel timeout no-session 15
 ip pmtu
 ip mtu adjust
!
redundancy
!
interface Loopback0
 ip address 192.168.207.1 255.255.255.0
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.192.XXX 255.255.255.0
 ip address 192.168.192.XX 255.255.255.0 secondary
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/2
 description -Inet-
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1492
 ip virtual-reassembly
 autodetect encapsulation ppp
 peer default ip address pool PPP
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username DSLUSERNAME password DSLPASSWORD
 no cdp enable
!
!
ip local pool PPP 192.168.207.200 192.168.207.250
ip forward-protocol nd
!
!
ip nat inside source list NAT_ACL interface Dialer1 overload
ip nat inside source static tcp 192.168.192.XX 25 82.XXX.XXX.XXX 25 extendable
ip nat inside source static tcp 192.168.192.XX 1352 82.XXX.XXX.XXX 1352 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT_ACL
 deny   ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
 deny   ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
 deny   ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
 deny   ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
 permit tcp 192.168.192.0 0.0.0.255 any eq www
 permit tcp 192.168.192.0 0.0.0.255 any eq 443
 permit tcp 192.168.192.0 0.0.0.255 any eq 1352
 permit tcp host 192.168.192.XX any eq smtp
 permit tcp 192.168.192.0 0.0.0.255 any eq 22
 permit tcp host 192.168.192.XX any eq domain
 permit tcp host 192.168.192.XX any eq domain
 permit tcp host 192.168.192.XX any eq domain
 permit udp host 192.168.192.XX any eq domain
 permit udp host 192.168.192.XX any eq domain
 permit udp host 192.168.192.XX any eq domain
!
radius-server host 192.168.192.XX auth-port 1645 acct-port 1646
radius-server key IASKEY
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
line vty 5 15
!
scheduler allocate 20000 1000
end

Debug output follows:

Oct 21 14:47:51.755: PPP: Alloc Context [294C7BC4]
Oct 21 14:47:51.755: ppp98 PPP: Phase is ESTABLISHING
Oct 21 14:47:51.755: ppp98 PPP: Using AAA Unique ID = 8B
Oct 21 14:47:51.755: ppp98 PPP: Authorization NOT required
Oct 21 14:47:51.755: ppp98 PPP: Using vpn set call direction
Oct 21 14:47:51.755: ppp98 PPP: Treating connection as a callin
Oct 21 14:47:51.755: ppp98 PPP: Session handle[62] Session id[98]
Oct 21 14:47:51.755: ppp98 LCP: Event[OPEN] State[Initial to Starting]
Oct 21 14:47:51.755: ppp98 PPP LCP: Enter passive mode, state[Stopped]
Oct 21 14:47:53.759: ppp98 PPP LCP: Exit passive mode, state[Starting]
Oct 21 14:47:53.759: ppp98 LCP: O CONFREQ [Starting] id 1 len 19
Oct 21 14:47:53.759: ppp98 LCP:    MRU 1464 (0x010405B8)
Oct 21 14:47:53.759: ppp98 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
Oct 21 14:47:53.759: ppp98 LCP:    MagicNumber 0xF018D237 (0x0506F018D237)
Oct 21 14:47:53.759: ppp98 LCP: Event[UP] State[Starting to REQsent]
Oct 21 14:47:54.351: ppp98 LCP: I CONFREQ [REQsent] id 0 len 18
Oct 21 14:47:54.351: ppp98 LCP:    MRU 1400 (0x01040578)
Oct 21 14:47:54.351: ppp98 LCP:    MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)
Oct 21 14:47:54.351: ppp98 LCP:    PFC (0x0702)
Oct 21 14:47:54.351: ppp98 LCP:    ACFC (0x0802)
Oct 21 14:47:54.351: ppp98 LCP: O CONFNAK [REQsent] id 0 len 8
Oct 21 14:47:54.351: ppp98 LCP:    MRU 1464 (0x010405B8)
Oct 21 14:47:54.351: ppp98 LCP: Event[Receive ConfReq-] State[REQsent to REQsent]
Oct 21 14:47:54.751: ppp98 LCP: I CONFACK [REQsent] id 1 len 19
Oct 21 14:47:54.751: ppp98 LCP:    MRU 1464 (0x010405B8)
Oct 21 14:47:54.751: ppp98 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
Oct 21 14:47:54.751: ppp98 LCP:    MagicNumber 0xF018D237 (0x0506F018D237)
Oct 21 14:47:54.751: ppp98 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
Oct 21 14:47:54.915: ppp98 LCP: I CONFREQ [ACKrcvd] id 1 len 18
Oct 21 14:47:54.915: ppp98 LCP:    MRU 1400 (0x01040578)
Oct 21 14:47:54.915: ppp98 LCP:    MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)
Oct 21 14:47:54.915: ppp98 LCP:    PFC (0x0702)
Oct 21 14:47:54.915: ppp98 LCP:    ACFC (0x0802)
Oct 21 14:47:54.915: ppp98 LCP: O CONFNAK [ACKrcvd] id 1 len 8
Oct 21 14:47:54.915: ppp98 LCP:    MRU 1464 (0x010405B8)
Oct 21 14:47:54.915: ppp98 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
Oct 21 14:47:55.275: ppp98 LCP: I CONFREQ [ACKrcvd] id 2 len 18
Oct 21 14:47:55.275: ppp98 LCP:    MRU 1464 (0x010405B8)
Oct 21 14:47:55.275: ppp98 LCP:    MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)
Oct 21 14:47:55.275: ppp98 LCP:    PFC (0x0702)
Oct 21 14:47:55.275: ppp98 LCP:    ACFC (0x0802)
Oct 21 14:47:55.275: ppp98 LCP: O CONFACK [ACKrcvd] id 2 len 18
Oct 21 14:47:55.275: ppp98 LCP:    MRU 1464 (0x010405B8)
Oct 21 14:47:55.275: ppp98 LCP:    MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)
Oct 21 14:47:55.275: ppp98 LCP:    PFC (0x0702)
Oct 21 14:47:55.275: ppp98 LCP:    ACFC (0x0802)
Oct 21 14:47:55.275: ppp98 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
Oct 21 14:47:55.295: ppp98 PPP: Phase is AUTHENTICATING, by this end
Oct 21 14:47:55.295: ppp98 MS-CHAP-V2: O CHALLENGE id 1 len 28 from "gw.izmv"
Oct 21 14:47:55.295: ppp98 LCP: State is Open
Oct 21 14:47:55.583: ppp98 MS-CHAP-V2: I RESPONSE id 1 len 71 from "domain\username"
Oct 21 14:47:55.583: ppp98 PPP: Phase is FORWARDING, Attempting Forward
Oct 21 14:47:55.583: ppp98 PPP: Phase is AUTHENTICATING, Unauthenticated User
Oct 21 14:47:55.587: ppp98 PPP: Sent MSCHAP_V2 LOGIN Request
Oct 21 14:47:55.591: ppp98 PPP: Received LOGIN Response PASS
Oct 21 14:47:55.591: ppp98 PPP AUTHOR: Author data NOT available
Oct 21 14:47:55.591: ppp98 PPP: Phase is FORWARDING, Attempting Forward
Oct 21 14:47:55.595: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
Oct 21 14:47:55.595: Vi3: No MS_CHAP_V2 msg given
Oct 21 14:47:55.595: Vi3 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "tG @ #QDD @(@[email protected] (@[email protected]/ ** / @I @:[email protected]/ ** / @@@ EJFDE))"
Oct 21 14:47:55.595: Vi3 PPP: Phase is UP
Oct 21 14:47:55.595: Vi3 IPCP: Protocol configured, start CP. state[Initial]
Oct 21 14:47:55.595: Vi3 IPCP: Event[OPEN] State[Initial to Starting]
Oct 21 14:47:55.595: Vi3 IPCP: O CONFREQ [Starting] id 1 len 10
Oct 21 14:47:55.595: Vi3 IPCP:    Address 192.168.207.1 (0x0306C0A8CF01)
Oct 21 14:47:55.595: Vi3 IPCP: Event[UP] State[Starting to REQsent]
Oct 21 14:47:55.595: Vi3 CCP: Protocol configured, start CP. state[Initial]
Oct 21 14:47:55.595: Vi3 CCP: Event[OPEN] State[Initial to Starting]
Oct 21 14:47:55.595: Vi3 CCP: O CONFREQ [Starting] id 1 len 10
Oct 21 14:47:55.595: Vi3 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
Oct 21 14:47:55.595: Vi3 CCP: Event[UP] State[Starting to REQsent]
Oct 21 14:47:55.599: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Oct 21 14:47:55.603: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Oct 21 14:47:56.027: Vi3 LCP: I TERMREQ [Open] id 3 len 16
Oct 21 14:47:56.027: Vi3 LCP:    (0x2F7C5F7E003CCD740000030A)
Oct 21 14:47:56.027: Vi3 IPCP: Event[DOWN] State[REQsent to Starting]
Oct 21 14:47:56.027: Vi3 IPCP: Event[CLOSE] State[Starting to Initial]
Oct 21 14:47:56.027: Vi3 CCP: Event[DOWN] State[REQsent to Starting]
Oct 21 14:47:56.027: Vi3 PPP DISC: MPPE required but not negotiated
Oct 21 14:47:56.027: Vi3 PPP: Sending Acct Event[Down] id[8B]
Oct 21 14:47:56.027: Vi3 CCP: Event[CLOSE] State[Starting to Initial]
Oct 21 14:47:56.027: Vi3 LCP: O TERMACK [Open] id 3 len 4
Oct 21 14:47:56.027: Vi3 LCP: Event[Receive TermReq] State[Open to Stopping]
Oct 21 14:47:56.027: Vi3 PPP: Phase is TERMINATING
Oct 21 14:47:56.027: Vi3 LCP: Event[CLOSE] State[Stopping to Closing]
Oct 21 14:47:56.675: Vi3 PPP: Block vaccess from being freed [0x10]
Oct 21 14:47:56.675: Vi3 LCP: Event[CLOSE] State[Closing to Closing]
Oct 21 14:47:56.679: Vi3 LCP: Event[DOWN] State[Closing to Initial]
Oct 21 14:47:56.679: Vi3 PPP: Clearing AAA Unique ID = 8B
Oct 21 14:47:56.679: Vi3 PPP: Unlocked by [0x10] Still Locked by [0x0]
Oct 21 14:47:56.679: Vi3 PPP: Free previously blocked vaccess
Oct 21 14:47:56.679: Vi3 PPP: Phase is DOWN
Oct 21 14:47:56.679: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Oct 21 14:47:56.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down

I'd be very grateful for any useful suggestions.


We had the same problem using MS-CHAP-V2 and a 3945 router running IOS 15.2. When we added the same username/password combination locally it worked fine, but of course that wasn't the solution. We solved this problem by adding the following line to the config:

aaa authorization network default if-authenticated

This is because Windows 2000 clients require the use of an aaa authorization statement in the router config. Maybe it was the default (and therefore not shown) in previous IOS releases.

Success!

Wil Schenkeveld

Tags: Cisco Security

Similar Questions

  • Setting up a VPN between a WRVS4400N and an ASA device

    I'm a newbie when it comes to Cisco devices and I have a problem setting up a VPN between a local office and a head office some distance away.

    Here at our local office we have a Cisco WRVS4400N Small Business device.

    At headquarters they have a Cisco ASA.

    We need to set up a point-to-point VPN and I have no idea how to proceed with these devices.

    To compound things, the resources at the other end are an unknown entity who also don't seem to have a lot of experience with this.

    Is there any kind of step-by-step guide for such a configuration?

    If not, can someone please help with this?

    Hello William,

    I would call the Support Center at 1866-606-1866 for assistance on the WRVS side of the tunnel; then all the ASA side has to do is match the settings. If the ASA side needs support, we can transfer to TAC.

    Cisco Small Business Support Center

    Randy Manthey

    CCNA, CCNA - security

  • Windows RT and Cisco VPN (AnyConnect) solutions?

    Are Microsoft and Cisco working together to ensure Cisco VPN is soon available for Windows RT? I read a Windows RT thread about Microsoft and Cisco VPN without seeing any comments from Microsoft or Cisco. Please advise.

    Hi Gabriel,

    The Microsoft Answers community focuses on consumer usage. Please reach out to the IT business community in the TechNet forum below:

    http://social.technet.Microsoft.com/forums/en-us/categories

  • 'How to' set up a VPN between a UC540 and an SR520 with a remote IP phone extension

    Hi all

    I need help establishing a link between a head office UC540 and a remote SR520 behind which I want to use a PC and an IP phone. This remote site is the first of many.

    I found several examples of site-to-site IPsec VPN, but none with references to separate voice and data VLANs; should I worry about that, or will the phone just work?

    All tips and suggestions gratefully accepted,

    Jerry

    Here is an example configuration of a LAN-to-LAN VPN between 2 IOS routers:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080194650.shtml

    Assuming your example:

    VLAN 1 - data - 192.168.19.0/24

    VLAN 100 - voice - 10.1.1.0/24

    And on the other side:

    VLAN 1 - data - 192.168.20.0/24

    VLAN 100 - voice - 10.2.2.0/24

    The crypto ACL would be:

    access-list 150 permit ip 192.168.19.0 0.0.0.255 192.168.20.0 0.0.0.255

    access-list 150 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

    The crypto ACL on the other side would be the mirror image:

    access-list 150 permit ip 192.168.20.0 0.0.0.255 192.168.19.0 0.0.0.255

    access-list 150 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

  • Taskbar shows a gap with maximized windows and the language bar changes position when the taskbar is moved

    original title: problem moving taskbar

    Hello

    When I move the taskbar to another position, not only does the language bar move next to the Start button, but there also seems to be a gap between the taskbar and maximized windows (Firefox, etc.)

    Help.

    Thank you.

    Hello

    I would suggest trying the following methods and checking if they help.

    Method 1:
    Run the System File Checker (SFC) scan and check if it helps.
    How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista: http://support.Microsoft.com/kb/929833

    Method 2:
    Try creating a new user account and check if it helps.
    Create a new user account: http://windows.microsoft.com/en-US/windows-vista/Create-a-user-account
    Note: If the new user account works, see the steps on how to copy files to the new user profile in the Microsoft article provided: http://windows.microsoft.com/en-US/windows-vista/fix-a-corrupted-user-profile

    Hope the information is useful.
  • VPN between a PIX and a VPN 3000

    I'm trying to set up a VPN between a PIX and a VPN 3000. All configurations are complete, but the tunnel is not established. On the PIX, with the 'show crypto engine' and 'show isakmp sa' commands I do not see the tunnel. From the 'show ipsec sa' command I can see the "#send errors" counter keeps increasing when I try to connect to the remote network. Here is the copy-paste of the command output:

    Crypto map tag: myvpnmap, local addr. 10.70.24.2

    local ident (addr/mask/prot/port): (10.70.24.128/255.255.255.128/0/0)
    remote ident (addr/mask/prot/port): (10.96.0.0/255.224.0.0/0/0)
    current_peer: 10.70.16.5:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed:
    #send errors 12, #recv errors 0

    local crypto endpt.: 10.70.24.2, remote crypto endpt.: 10.70.16.5
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:

    outbound ah sas:

    outbound pcp sas:

    Obviously the PIX identifies the protected traffic but fails to establish the tunnel. I was wondering what could be the reason for this kind of error? What do the growing '#send errors' mean?

    Thank you very much!

    Send errors simply mean the PIX wants to encrypt this traffic, but there is no tunnel built and so it must drop the packet.

    You will need to look at why the tunnel is not being built, though; "send errors" are just a byproduct of some other configuration issue. On the PIX, it looks like you would have something like:

    access-list crypto permit ip 10.70.24.128 255.255.255.128 10.96.0.0 255.224.0.0

    On the 3000, under the L2L section, for Local and Remote Network you need the exact opposite of that, so it would be:

    Local network / mask = 10.96.0.0/0.31.255.255

    Remote network / mask = 10.70.24.128/0.0.0.127

    If you have anything else the tunnel will fail to come up. Otherwise, we'd need to see the crypto debugs from the PIX and the log from the 3000 when the tunnel is being built.

  • Unknown device on the network map between the laptop and the wireless router

    I am running Windows 7 64-bit on a laptop connected wirelessly to the router and the internet. The router is a Linksys WRT160N connected to the internet. On the network map there is a question-mark "unknown device" between the laptop and the router. However, I still have access to the internet. On the network map, if I hover over the laptop, it does not show an IP address. It only shows the name of the computer and its MAC address. Any help would be appreciated.

    Solved my problem. I checked the IPv6 protocol checkbox in the properties of the network connection on the laptop, and now I can see its IP address and the unknown device has been replaced by a switch and hub which is part of the router. I did not uncheck the IPv4 checkbox. I'm guessing it is a bug in Windows 7 that you need to turn on the IPv6 protocol when you have a Win XP computer on the network if you want to see a proper network map. As I said before, everything worked before, so this seems to be a cosmetic fix only. I do see my shared files on the XP computer appear faster after a reboot.

  • Doubt about implementing a VPN between a VPN3005 and a Cisco 827 router

    Imagine this:

    Establish a VPN tunnel between the central office (VPN3005) and a branch (827). I only need to pass IP data through the tunnel, and the two sites must reach each other's resources, which means I don't want any NAT involved.

    Can someone tell me the best/simplest way to do this?

    Can it be implemented with Cisco Easy VPN? (or not, due to not wanting to do any type of NAT)

    Thanks in advance!

    Hello

    I would prefer a LAN-to-LAN VPN tunnel. I have attached a few URLs that

    explain the implementation of an IPSec LAN-to-LAN tunnel in different scenarios:

    1. with the router having a static routable IP address

    http://www.Cisco.com/warp/public/471/ALTIGAR.shtml

    2. with the router assigned an IP via DHCP.

    http://www.Cisco.com/warp/public/471/vpn3k_iosdhcp.html

    Kind regards

    Arul

  • Cannot communicate with the server error for Jabber 11.5 clients on Windows and Mac

    Hi guys,

    I recently installed CUCM 11.5 (no Cisco IM and Presence) in my lab. It's a simple installation without an LDAP server, using the internal CUCM directory to set up users. I am successfully able to connect to Jabber via my iPhone and iPad on Jabber clients 11.5 or 11.6. I am also able to connect to Jabber on a Windows machine if I use Jabber client version 9.7. However, if I use Jabber 11.5 on the Windows client, it gives me a "cannot communicate with server" error. On a MacBook, I get this error on all the versions I tried, including old version 9.6.

    The only thing that I noticed is that the iPhone Jabber client has an option to put the IP of the CUCM server under the "Phone Services only" option. In the Windows or Mac Jabber client 11.6, there is an option for CCM 9 or later, where I put my CUCM server IP address. Am I missing something?

    Kind regards

    S

    Hello

    Just check what you have configured under System --> Server on CUCM. If it's the host name or the FQDN, I think your Jabber for Windows tries to resolve it but is unable to, because of no connectivity to the DNS server or no entry in the DNS server. Try the below to check.

    Edit the hosts file on the Windows PC at the location below,

    C:\Windows\system32\drivers\etc

    Once you go to that location and add the CUCM entry in the hosts file, reset your Jabber, specify the CUCM IP address manually for the connection and then check.

  • IPSEC VPN between PIX 515E and 1841 router

    Hi all

    BACKGROUND

    We have implemented an IPSEC site-to-site VPN between a PIX 515E running 8.0(4) and an 1841 using static IP addresses at both ends. We used CCP on the router and ASDM on the PIX to build the initial tunnels. Now the site with the router is moving to a dynamic IP address from the ISP, so we have implemented dynamic DNS to track the dynamic IP address.

    PROBLEM

    The problem is that ASDM will not allow us to set a domain name as the peer address; it will only accept an IP address. We believe the solution will be to remove the static crypto map and replace it with a dynamic crypto map on the PIX side. Our questions are simply: is this the best solution? Can we change the original static entry, or is it better to delete it and make a new dynamic crypto map? Is there a shortcut to changing the config from the command line? This is a live network, so we just want to check before we make any changes on the live kit.

    Any help much appreciated.

    You don't have to change anything when the peer address changes. The dynamic crypto map is intended to take dynamic peer connections. The only thing to remember is that only the dynamic peer can initiate the connection. And you reduce your security if you use a pre-shared key, as you now have to use a wildcard PSK.

    As I remember, the PIX/ASA does not support the dynamic use of FQDNs for peer resolution. This feature is supported in IOS.

    For such a feature, it would be preferable to have static IP addresses on both sides.

  • Any ideas why Outlook 2007 "violently" flickers between its windows and the main window? How to fix?

    It is not all the time, but when it gets into that mode, sometimes you can't even close the application. The only thing we can do is shut down the PC. Task Manager will not stop it.

    I can't identify exactly what initiates it. But usually I have other applications open (MS Word or Excel) & Firefox, maybe.

    Here is an example: when you browse Contacts and open a contact window to edit or review it. You leave Outlook to go to the other application and then you see the fast flicker in the taskbar.

    Another example, similar to the above, is when you change a contact window. Right-click to change something, then the display stutters and falls into flashing mode.

    Intuitively, I think it has something to do with the display or the video card. I've done an R&R of the driver for the card. The only reason I think that is that the problem seems to decrease in frequency with a larger display text size. In addition, I don't think that this has happened after the update of the graphics card (see below).

    FYI...
    PC: Dell Dimension E520
    Windows 7 64-bit
    4 GB of RAM
    EVGA GeForce 9500 w/ 1 GB memory
    Display @ 1280 x 1024 resolution (not changed)

    This problem is difficult to recreate as it seems almost random when it occurs. I can go for days, if not a week, then all of a sudden it gets "fussy".

    Any help would be appreciated & thanks!

    Hello

    Interaction with antivirus/antispyware/security programs and even drivers may be among the possible
    causes of this problem. Something that happens sporadically can be difficult to resolve.

    Follow these steps to remove corruption and repair or replace missing/damaged system files.

    Run Disk Cleanup - Start - All Programs - Accessories - System Tools - Disk Cleanup

    Start - type this in the search box -> COMMAND, find it at the top, then RIGHT CLICK - RUN AS ADMIN

    sfc /scannow

    How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program
    generates in Windows Vista cbs.log - same under Windows 7
    http://support.Microsoft.com/kb/928228

    Then run CheckDisk - schedule it to run at next boot, then Apply OK your way out, then restart.

    How to run Check Disk at startup in Vista - Windows 7 is the same
    http://www.Vistax64.com/tutorials/67612-check-disk-Chkdsk.html

    ----------------------------------------------------------------------------

    After the above, I hope that some in these groups have experienced and solved similar problems.

    So please check with the Office and Outlook experts here: (re-ask your question)

    Outlook General Questions discussions
    http://www.Microsoft.com/Office/Community/en-us/default.mspx?DG=Microsoft.public.Outlook.General&lang=en&CR=us

    MS Office discussion groups
    http://www.Microsoft.com/Office/Community/en-us/FlyoutOverview.mspx
    And here:

    Microsoft.public.Outlook discussions
    http://www.Microsoft.com/communities/newsgroups/list/en-us/default.aspx?DG=Microsoft.public.Outlook&cat=en_us_81f401b3-b3fe-4e8d-B291-066f30b63ec8&lang=en&CR=us

    Office newsgroups
    http://www.Microsoft.com/communities/newsgroups/list/en-us/default.aspx?DG=Microsoft.public.Office.Setup&cat=en_us_642d5640-c1ba-43C3-A224-b3ec1473346c&lang=en&CR=us

    I hope this helps.
    Rob - Bicycle - Mark Twain said it right.

  • LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

    Hello

    I have a working LAN-to-LAN tunnel configuration between a VPN 3000 (3.6) and a Cisco 1721 (12.2(11)T).

    When I use Encryption = DES-56 and Authentication = ESP/MD5/HMAC-128 for the IPSec Security Association, everything works fine.

    However, I would like to turn off encryption for some time to get the speed improvement, so I changed

    Encryption = esp-null (on the 1721) and to "null" on the VPN 3000.

    Now the tunnel is set up but I can pass only ICMP traffic. When I pass UDP/TCP traffic the message below appears on the Cisco 1721

    %C1700_EM-1-ERROR: packet-rx error: pad size error, id 75, hen offset 0

    Has anyone seen this behavior?

    Has anyone set up an IPSec tunnel with only ESP authentication and NO encryption between a VPN 3000 and a Cisco 1721?

    Thanx ------ Naman

    Naman,

    Did you disable the VPN accelerator? "no crypto engine accelerator". I'm sure you can't do null with the VPN module.

    Kurtis Durrett

  • AnyConnect and Cisco VPN clients using the same certificate

    Can the same certificate on the ASA be used for the AnyConnect client and the Cisco VPN client (IKEv1/IKEv2)?

    John.

    The certificate is there to identify a user/machine rather than the protocol, so yes, generally 'yes', you can use the same certificate for SSL/IKEv1/IKEv2 connections.

    What you need to take care of is that said certificate fulfils the requirements of the protocol; for example, IKEv2 implementations 'require' particular KU bits to be set and the client-auth/server-auth EKUs to be defined on the certificates.

    M.

  • Traffic between remote sites via Cisco Easy VPN

    We have a Cisco 2921 router at headquarters (Easy VPN server) and deployed Cisco 887VAs (Easy VPN remote, network extension mode) for remote offices using Easy VPN. We allow voice and data traffic over the VPN. Everything had been working great until this problem was discovered today:

    When a remote user behind a Cisco 887VA calls another remote user also behind a Cisco 887VA, the call connects and the Avaya IP phone rings but there is no voice in either direction.

    Calls from headquarters and from external mobile/fixed lines are fine. Only calls between two remote sites are affected.

    There is no need for DATA connectivity between the remote offices; our only concern is the voice.

    By the looks of it, I think "hair-pinning" traffic on the VPN interface is necessary. But I need some advice on the configuration (example configs etc.).

    Thanks in advance.

    Thanks for your quick response.

    I am sorry, I assumed that the clients had been configured in client mode.

    No need to remove SDM_POOL_1, given that the clients already have NEM configured.

    But add:

    crypto isakmp client configuration group CliniEasyVPN

    network extension mode

    Are you able to ping from one spoke to the other?

    Please make this change:

    ip access-list extended 105

     permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

    * Of course, feel free to do the same for the translated traffic on the spokes.

    Let me know if you have any questions.

    Thank you.

    Portu.

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

    I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

    I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

    It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

    On the ASA:

    Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"

    peer address: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

    access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
    local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
    current_peer: 217.xx.yy.zz

    #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz

    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: 39135054
    current inbound spi: B2E9E500

    inbound esp sas:
    spi: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac no compression
    in use settings = {L2L, Tunnel, PFS Group 2}
    slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
    sa timing: remaining key lifetime (kB/sec): (4374000/1598)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    outbound esp sas:
    spi: 0x39135054 (957567060)
    transform: esp-3des esp-sha-hmac no compression
    in use settings = {L2L, Tunnel, PFS Group 2}
    slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
    sa timing: remaining key lifetime (kB/sec): (4373976/1598)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001

    Output of the command: "sh crypto isakmp sa"

    Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 4

    IKE Peer: 217.xx.yy.zz
    Type: L2L Role: initiator
    Rekey: no State: MM_ACTIVE

    On the 1841:

    1841#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst src state conn-id status
    217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

    1841#sh crypto ipsec sa

    interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

    protected vrf: (none)
    local ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
    path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
    current outbound spi: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, DH group: group2

    inbound esp sas:
    spi: 0x39135054 (957567060)
    transform: esp-3des esp-sha-hmac ,
    in use settings = {Tunnel, }
    conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
    sa timing: remaining key lifetime (k/sec): (4505068/1306)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
    spi: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac ,
    in use settings = {Tunnel, }
    conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
    sa timing: remaining key lifetime (k/sec): (4505118/1306)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

    outbound ah sas:

    outbound pcp sas:

    interface: Virtual-Access1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

    protected vrf: (none)
    local ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
    path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
    current outbound spi: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, DH group: group2

    inbound esp sas:
    spi: 0x39135054 (957567060)
    transform: esp-3des esp-sha-hmac ,
    in use settings = {Tunnel, }
    conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
    sa timing: remaining key lifetime (k/sec): (4505068/1306)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
    spi: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac ,
    in use settings = {Tunnel, }
    conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
    sa timing: remaining key lifetime (k/sec): (4505118/1306)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

    outbound ah sas:

    outbound pcp sas:

    It seems that the routing on the 1841 is working properly, as I can tear down the tunnel and bring it up again by pinging a host on the 1841's network, but not vice versa.

    The VPN troubleshooting report on the 1841 shows a message like "The following sources are forwarded through the crypto map interface. (172.20.2.0 1) Go to Configure -> Routing and correct the routing table."

    I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, any hint is highly appreciated!

    Here is the running configuration of the 1841:

    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 1841
    !
    boot-start-marker
    boot system flash c1841-adventerprisek9-mz.151-1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    aaa session-id common
    !
    memory-size iomem 20
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    dot11 syslog
    ip source-route
    !
    no ip dhcp use vrf connected
    !
    ip cef
    no ip bootp server
    ip domain name test
    ip name-server 194.25.2.129
    ip name-server 194.25.2.130
    ip name-server 194.25.2.131
    ip name-server 194.25.2.132
    ip name-server 194.25.2.133
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    object-group network phone
     description VoIP phone
     host 172.20.2.50
     host 172.20.2.51
    !
    redundancy
    !
    !
    controller DSL 0/0/0
     mode atm
     dsl-mode shdsl symmetric annex B
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key * address 62.aa.bb.cc
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to62.aa.bb.cc
     set peer 62.aa.bb.cc
     set transform-set ESP-3DES-SHA
     set pfs group2
     match address 100
    !
    !
    !
    interface FastEthernet0/0
     description DMZ $FW_OUTSIDE$
     ip address 10.10.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $ETH-LAN$$FW_INSIDE$
     ip address 172.20.2.254 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     no ip address
     no atm ilmi-keepalive
    !
    interface ATM0/0/0.1 point-to-point
     pvc 1/32
      pppoe-client dial-pool-number 1
    !
    !
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname xxxxxxx
     ppp chap password 7 xxxxxxx8
     ppp pap sent-username xxxxxxx password 7 xxxxxxx
     crypto map SDM_CMAP_1
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip dns server
    ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.20.2.0 0.0.0.255
    access-list 2 remark CCP_ACL Category=2
    access-list 2 permit 10.10.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 remark IPSec Rule
    access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
     match ip address 102
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     length 0
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 172.20.2.250 prefer
    end

    As I mentioned previously: any hint is much appreciated!

    Best regards

    Joerg

    Joerg,

    The ASA does not receive any VPN packets because the IOS router does not send anything.

    Try sending packets from the 1841's LAN to the ASA's LAN and see whether "sh cry ips sa" on the 1841 increments the encrypted packets (it does not).

    So the problem seems to be on the router side.

    I would think it is a routing problem, but you only have one default gateway (no other routes on the router).

    ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that ACL 101 is also bypassing NAT for the VPN traffic.

    Follow these steps:

    Try sending traffic from the router's inside IP (ping 192.168.37.x source 172.20.2.254) and see if the packets are not being translated and are getting encrypted.

    I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.

    Federico.
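As an added example (not part of the thread, and not Cisco tooling), here is a small Python check for the two points raised in the reply above: a crypto-map `match address` ACL that is also applied with `ip access-group` on an interface, and a NAT route-map ACL that does not deny the VPN-interesting traffic, so the router would translate it instead of encrypting it. The config excerpt is constructed to mirror the 1841 configuration posted above, and the function names are the example's own.

```python
# Constructed excerpt modelled on the thread's 1841 config (not the original post).
CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
interface FastEthernet0/1
 ip access-group 100 in
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""

def parse(config):
    """Collect crypto-map ACLs, interface ACLs, NAT route-map ACLs and ACL entries."""
    crypto, iface_acls, nat_rmaps, rmap_acl, acls = set(), [], [], {}, {}
    ctx = ['']
    for line in filter(str.strip, config.splitlines()):
        toks = line.split()
        if not line.startswith(' '):  # a new top-level stanza
            ctx = toks
        if ctx[0] == 'crypto' and toks[:2] == ['match', 'address']:
            crypto.add(toks[2])
        elif ctx[0] == 'interface' and toks[:2] == ['ip', 'access-group']:
            iface_acls.append((ctx[1], toks[2]))
        elif ctx[0] == 'route-map' and toks[:3] == ['match', 'ip', 'address']:
            rmap_acl[ctx[1]] = toks[3]
        elif toks[:3] == ['ip', 'nat', 'inside'] and 'route-map' in toks:
            nat_rmaps.append(toks[toks.index('route-map') + 1])
        elif toks[0] == 'access-list':
            acls.setdefault(toks[1], []).append(toks[2:])
    return crypto, iface_acls, nat_rmaps, rmap_acl, acls

def crypto_acl_on_interface(config):
    """Crypto ACLs that are also applied with 'ip access-group' (the reply's first point)."""
    crypto, iface_acls, *_ = parse(config)
    return [(acl, ifc) for ifc, acl in iface_acls if acl in crypto]

def nat_acls_missing_vpn_deny(config):
    """NAT route-map ACLs that would translate the VPN-interesting flows (second point)."""
    crypto, _, nat_rmaps, rmap_acl, acls = parse(config)
    flows = [e[1:] for a in crypto for e in acls.get(a, []) if e[0] == 'permit']
    def leaks(entries, flow):  # a permit from the same source net, with no matching deny
        return flow not in [e[1:] for e in entries if e[0] == 'deny'] and any(
            e[0] == 'permit' and e[2:4] == flow[1:3] for e in entries)
    return [rmap_acl.get(r) for r in nat_rmaps
            if any(leaks(acls.get(rmap_acl.get(r), []), f) for f in flows)]
```

On the excerpt above the first check flags ACL 100 on FastEthernet0/1, while the NAT check passes because ACL 101 denies the 172.20.2.0 to 192.168.37.0 flow before its permit; removing that deny line makes the NAT check flag ACL 101.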
