PPTP VPN on a Cisco 2811
Hi guys,.
Can someone please advise what I'm doing wrong? I'm currently testing one of our routers to use the pptp VPN Protocol.
Please find below the config:
VPDN enable
!
VPDN-Group 1
! PPTP by default VPDN group
accept-dialin
Pptp Protocol
virtual-model 1
tunnel L2TP non-session timeout 15
interface virtual-Template1
IP nat inside
IP virtual-reassembly
POOL_IP of the peer default ip address pool
No keepalive
PPP encryption mppe auto
PPP authentication ms-chap-v2, ms-chap
!
!
local IP POOL_IP 192.168.42.50 pool 192.168.42.100
debugging running I get this:
NTCSYD2 #sh debugging
PPP:
Debugging PPP authentication is on
PPP protocol errors debug is on
Negotiation of Protocol PPP debug is on
NTCSYD2 #.
* 23:43:21.855 Jan 18: PPP: Alloc context [4670 550]
* 23:43:21.859 Jan 18: ppp8 PPP: Phase is
* 23:43:21.859 Jan 18: ppp8 PPP: via vpn, set the direction of the call
* 23:43:21.859 Jan 18: ppp8 PPP: treatment of connection as a callin
* 23:43:21.859 Jan 18: ppp8 PPP: Session Session handle [8] id [8]
* Jan 18 23:43:21.859: ppp8 TPIF: State of the event [OPEN] [initial check]
* 23:43:21.859 Jan 18: ppp8 PPP LCP: switch to passive mode, State [stopped]
* Jan 18 23:43:22.203: ppp8 TPIF: I CONFREQ [order] id 0 len 21
* Jan 18 23:43:22.207: ppp8 TPIF: MRU 1400 (0 x 01040578)
* Jan 18 23:43:22.207: ppp8 TPIF: MagicNumber 0x48C56584 (0x050648C56584)
* Jan 18 23:43:22.207: ppp8 TPIF: PFC (0 x 0702)
* Jan 18 23:43:22.207: ppp8 TPIF: RAC (0 x 0802)
* Jan 18 23:43:22.207: ppp8 TPIF: reminder 6 (0x0D0306)
* Jan 18 23:43:22.207: ppp8 TPIF: O CONFREQ [order] id 1 len 15
* Jan 18 23:43:22.207: ppp8 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
* Jan 18 23:43:22.207: ppp8 TPIF: MagicNumber 0x3710B12D (0x05063710B12D)
* Jan 18 23:43:22.207: ppp8 TPIF: O [order] CONFREJ id 0 len 7
* Jan 18 23:43:22.207: ppp8 TPIF: reminder 6 (0x0D0306)
* Jan 18 23:43:22.207: ppp8 TPIF: State of the event [receive ConfReq-] [arrested at REQsent
]
* Jan 18 23:43:22.211: ppp8 TPIF: I CONFACK [REQsent] id 1 len 15
* Jan 18 23:43:22.211: ppp8 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
* Jan 18 23:43:22.211: ppp8 TPIF: MagicNumber 0x3710B12D (0x05063710B12D)
* Jan 18 23:43:22.211: ppp8 TPIF: State of the event [receive ConfAck] [REQsent to ACKrcvd]
* Jan 18 23:43:22.211: ppp8 TPIF: I CONFREQ [ACKrcvd] id 1 len 18
* Jan 18 23:43:22.211: ppp8 TPIF: MRU 1400 (0 x 01040578)
* Jan 18 23:43:22.211: ppp8 TPIF: MagicNumber 0x48C56584 (0x050648C56584)
* Jan 18 23:43:22.211: ppp8 TPIF: PFC (0 x 0702)
* Jan 18 23:43:22.211: ppp8 TPIF: RAC (0 x 0802)
* Jan 18 23:43:22.211: ppp8 TPIF: O CONFNAK [ACKrcvd] id 1 len 8
* Jan 18 23:43:22.211: ppp8 TPIF: MRU 1500 (0x010405DC)
* Jan 18 23:43:22.211: ppp8 TPIF: State of the event [receive ConfReq-] [ACKrcvd to ACKrcvd
]
* Jan 18 23:43:22.211: ppp8 TPIF: I CONFREQ [ACKrcvd] id 2 len 18
* Jan 18 23:43:22.211: ppp8 TPIF: MRU 1400 (0 x 01040578)
* Jan 18 23:43:22.211: ppp8 TPIF: MagicNumber 0x48C56584 (0x050648C56584)
* Jan 18 23:43:22.211: ppp8 TPIF: PFC (0 x 0702)
* Jan 18 23:43:22.211: ppp8 TPIF: RAC (0 x 0802)
* Jan 18 23:43:22.215: ppp8 TPIF: O CONFNAK [ACKrcvd] id 2 len 8
* Jan 18 23:43:22.215: ppp8 TPIF: MRU 1500 (0x010405DC)
* Jan 18 23:43:22.215: ppp8 TPIF: State of the event [receive ConfReq-] [ACKrcvd to ACKrcvd
]
* Jan 18 23:43:22.215: ppp8 TPIF: I CONFREQ [ACKrcvd] id 3 len 18
* Jan 18 23:43:22.215: ppp8 TPIF: MRU 1500 (0x010405DC)
* Jan 18 23:43:22.215: ppp8 TPIF: MagicNumber 0x48C56584 (0x050648C56584)
* Jan 18 23:43:22.215: ppp8 TPIF: PFC (0 x 0702)
* Jan 18 23:43:22.215: ppp8 TPIF: RAC (0 x 0802)
* Jan 18 23:43:22.215: ppp8 TPIF: O CONFACK [ACKrcvd] id 3 len 18
* Jan 18 23:43:22.215: ppp8 TPIF: MRU 1500 (0x010405DC)
* Jan 18 23:43:22.215: ppp8 TPIF: MagicNumber 0x48C56584 (0x050648C56584)
* Jan 18 23:43:22.215: ppp8 TPIF: PFC (0 x 0702)
* Jan 18 23:43:22.215: ppp8 TPIF: RAC (0 x 0802)
* Jan 18 23:43:22.219: ppp8 TPIF: State of the event [receive ConfReq +] [ACKrcvd to open]
* Jan 18 23:43:22.219: ppp8 TPIF: I IDENTIFY [open] id 4 len 18 magic 0x48C56584MS
RASV5.20
* Jan 18 23:43:22.219: ppp8 TPIF: I IDENTIFY [open] id 5 len 20 magic 0x48C56584MS
RAS-0-MIS4
* Jan 18 23:43:22.219: ppp8 TPIF: I IDENTIFY [open] id 6 len 24 magic 0x48C56584qY
GSQK'IGC 'xKt6e '.
* 23:43:22.239 Jan 18: ppp8 PPP: Phase is AUTHENTICATING,
* 23:43:22.239 Jan 18: ppp8 MS-CHAP-V2: O CHALLENGE id 1 len 28 of 'NTCSYD2 '.
* Jan 18 23:43:22.239: ppp8 TPIF: State is open
* 23:43:22.243 Jan 18: ppp8 MS-CHAP-V2: I ANSWER id 1 len 67 of "administrateu".
r '.
* 23:43:22.243 Jan 18: ppp8 PPP: Phase TRANSFER, tempting with impatience
* 23:43:22.247 Jan 18: ppp8 PPP: Phase is AUTHENTICATING, unauthenticated user
* 23:43:22.247 Jan 18: ppp8 PPP: request sent MSCHAP_V2 LOGIN
* 23:43:22.251 Jan 18: ppp8 PPP: received LOGIN response FAIL
* 23:43:22.255 Jan 18: ppp8 MS-CHAP-V2: FAILURE O id 1 len 13 msg's 'E = 691 R = 0 '.
* 23:43:22.255 Jan 18: ppp8 PPP DISC: the user has no MSCHAP V2 authentication
* 23:43:22.255 Jan 18: ppp8 PPP: sending Acct event [low] id [2a]
* Jan 18 23:43:22.255: ppp8 TPIF: O TERMREQ [open] id 2 len 4
* Jan 18 23:43:22.255: ppp8 TPIF: event [CLOSE] State [Open for closure]
* 23:43:22.255 Jan 18: ppp8 PPP: Phase ENDS
* Jan 18 23:43:22.259: ppp8 TPIF: I TERMACK [closing] id 2 len 4
* Jan 18 23:43:22.259: ppp8 TPIF: State of the event [TermAck receive] [closing closed]
* Jan 18 23:43:22.259: ppp8 TPIF: event [DOWN] [closed on Initial]
* 23:43:22.259 Jan 18: ppp8 PPP: Phase is BROKEN
Any help would be appreciated extremelly.
See you soon,.
Fabio
It seems that users are unable to authenticate. What do you use to authenticate users? You have a pool of default aaa authentication which checks the ms-chap-v2 user names against RADIUS via AD?
Tags: Cisco Security
Similar Questions
-
Problem Cisco 2811 with L2TP IPsec VPN
Hello. Sorry for my English. Help me please. I have problem with L2TP over IPsec VPN when I connect with Android phones. Even if I connect with laptop computers. I have Cisco 2811 - Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (2) T2, (fc3) SOFTWARE VERSION. I configured on L2TP over IPsec VPN with Radius Authentication
My config:
!
AAA new-model
!
!
AAA authentication login default local
Ray of AAA for authentication ppp default local group
AAA authorization network default authenticated if
start-stop radius group AAA accounting network L2TP_RADIUS!
dhcp L2tp IP pool
network 192.168.100.0 255.255.255.0
default router 192.168.100.1
domain.local domain name
192.168.101.12 DNS server
18c0.a865.c0a8.6401 hexagonal option 121
18c0.a865.c0a8.6401 hexagonal option 249VPDN enable
!
VPDN-group sec_groupe
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
no authentication of l2tp tunnelsession of crypto consignment
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 55
BA 3des
md5 hash
preshared authentication
Group 2ISAKMP crypto key... address 0.0.0.0 0.0.0.0
invalid-spi-recovery crypto ISAKMP
ISAKMP crypto keepalive 10 periodicals
!
life crypto ipsec security association seconds 28000
!
Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP
transport mode
Crypto ipsec transform-set esp-3des esp-md5-hmac 3DESMD5
need transport mode
!!
!
crypto dynamic-map DYN - map 10
Set nat demux
game of transformation-L2TP
!
!
Crypto map 10 L2TP-VPN ipsec-isakmp dynamic DYN-mapinterface Loopback1
Description * L2TP GateWay *.
IP 192.168.100.1 address 255.255.255.255interface FastEthernet0/0
Description * Internet *.
address IP 95.6... 255.255.255.248
IP access-group allow-in-of-wan in
IP access-group allows-off-of-wan on
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
IP route cache policy
automatic duplex
automatic speed
L2TP-VPN crypto card
!interface virtual-Template1
Description * PPTP *.
IP unnumbered Loopback1
IP access-group L2TP_VPN_IN in
AutoDetect encapsulation ppp
default IP address dhcp-pool L2tp peer
No keepalive
PPP mtu Adaptive
PPP encryption mppe auto
PPP authentication ms-chap-v2 callin
PPP accounting L2TP_RADIUSL2TP_VPN_IN extended IP access list
permit any any icmp echo
IP 192.168.100.0 allow 0.0.0.255 192.168.101.0 0.0.0.255
IP 192.168.100.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
allow udp any any eq bootps
allow udp any any eq bootpc
deny ip any any journal entryRADIUS-server host 192.168.101.15 auth-port 1812 acct-port 1813
RADIUS server retry method reorganize
RADIUS server retransmit 2
Server RADIUS 7 key...Debugging shows me
234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234218: * 3 Feb 18:53:38: ISAKMP: (0): success
234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234257: * 3 Feb 18:53:38: ISAKMP: (0): success
234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 192.168.1.218
Protocol: 17
Port: 500
Length: 12
234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 95.6...
Protocol: 17
Port: 0
Length: 12
234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
routerindc #.
234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID =-893966165, his 480CFF64 =
234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
of 95.6... to 93.73.161.229 for prot 3
234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
routerindc #.
234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
(93.73.161.229 to 95.6 proxy...)
234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
234350: * 3 Feb 18:53:39: life of 28800 seconds
234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
(proxy 95.6... to 93.73.161.229)
234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
234353: * 3 Feb 18:53:39: life of 28800 seconds
234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 95.6..., sa_proto = 50.
sa_spi = 0x31C17753 (834762579).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 93.73.161.229, sa_proto = 50,.
sa_spi = 0x495A4BD (76915901).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
routerindc #.
234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identityAlso when I connect with the phone, I see HIS Active and IPsec tunnel is mounted, but the wire of time tunnel is down and phone connects.
I hope that you will help me. Thank you.
Hi dvecherkin1,
Who IOS you're running, you could hit the next default.
https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr
It may be useful
-Randy-
Evaluate the ticket to help others find the answer quickly.
-
What VPN work as a PPTP vpn firewall CISCO-ASA-5520.
Hi all
Can you please tell me which replace the VPN I can configure PPTP on ASA 5520 firewall. What VPN work as a PPTP vpn firewall CISCO-ASA-5520.
You can use the wizard VPN of RA with ASDM and confiugre L2TP IPSEC VPN that does not need a VPN Client must be installed.
Michael
Please note all useful posts
-
Is supported PPTP vpn cisco ASA 5520 firewall?
Hi all
I'm Md.kamruzzaman. My compnay buy a firewall of cisco asa 5520 and I want to configure PPTP vpn on asa 5520 firewall. Is it possible to configure the PPTP vpn to asa firewall. If possible can you please tell me what is the procedure to configure the PPTP vpn.
Best regards
MD.kamruzzaman
Sorry, but the Cisco ASA firewall does not support PPTP VPN termination.
You may terminate IPSec and SSL VPN but not of type PPTP.
If you are new to the ASA, how best to configure the supported VPN types is via the VPN Wizard integrated into the application of management of ASSISTANT Deputy Ministers.
-
PPTP VPN Cisco IOS router through
Hi all
I was wondering if there is a trick to get PPTP to work through a Cisco router. He was in fact at some point, but I don't remember what has been changed over time... However, it no longer works.
Current configuration includes:
* CBAC applied inbound and outbound on the Internet interface (I needed to add incoming to fix a problem with the mode passive FTP doesn't work is not on a FTP server hosted behind this router)
* CBAC inspects, among other things, PPTP
* ACL applied inbound on interface Internet, GRE and TCP 1723 admitted any intellectual property
* No other ACL on the router
* IOS 15.0 (1)
* Inbound configuration NAT for TCP 1723 (currently using the WAN IP address)
One thing I saw was so Troubleshooting "IKE Dispatcher: IKEv2 version detected 2, Dropping package! - but I think that it is a wrong journal (router as the Cisco VPN configuration example).
The server is definitely okay - we are able to connect over PPTP VPN from the local network to the server. So I think it's a sort of NAT problem, because I don't see anything dropped by the firewall.
Anyone able to point me in the right direction?
Thank you
Hello
Thanks for fix the "sh run". Could you change the following:
IP nat inside source static tcp 10.77.99.11 1723 1723 road-map repeating sheep ccc.ccc.ccc.ccc
to do this:
IP nat inside source static tcp 10.77.99.11 1723 1723 extensible ccc.ccc.ccc.ccc
It would be prudent to proceed with this change in the removal of the map of the route if no one connects to the server via the PPTP VPN.
Let me know.
Kind regards
ANU
P.S. Please mark this question as answered if it was resolved. Note the useful messages. Thank you!
-
PPTP VPN between clients Windows and Cisco 2921 router
Hi all!
I have a problem with PPTP VPN between Windows clients and router Cisco 2921 with permission of RADIUS (IAS). When I try to connect to Cisco 2921 of Windows 7 by using MS-CHAP v2 I get the message 778: it was not possible to verify the identity of the server. Can I use PAP - power is OK. On Windows XP, the same situation.
Cisco config:
version 15.0
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname gw.izmv
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
AAA new-model
!
AAA authentication ppp default local radius group of
!
AAA - the id of the joint session
!
clock timezone + 002 2
!
No ipv6 cef
IP source-route
IP cef
!
!
Authenticated MultiLink bundle-name Panel
!
Async-bootp Server dns 192.168.192.XX
VPDN enable
!
VPDN-Group 1
! PPTP by default VPDN group
accept-dialin
Pptp Protocol
virtual-model 1
echo tunnel PPTP 10
tunnel L2TP non-session timeout 15
PMTU IP
adjusting IP mtu
!
redundancy
!
interface Loopback0
IP 192.168.207.1 255.255.255.0
!
!
interface GigabitEthernet0/0
Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE $ 0/0
IP 192.168.192.XXX 255.255.255.0
IP 192.168.192.XX 255.255.255.0 secondary
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
!
interface GigabitEthernet0/1
no ip address
Shutdown
automatic duplex
automatic speed
!
!
interface GigabitEthernet0/2
Description - Inet-
no ip address
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
PPPoE enable global group
PPPoE-client dial-pool-number 1
No cdp enable
!
!
interface virtual-Template1
IP unnumbered Loopback0
IP mtu 1492
IP virtual-reassembly
AutoDetect encapsulation ppp
by default PPP peer ip address pool
PPP mppe auto encryption required
PPP authentication ms-chap-v2
!
!
interface Dialer1
the negotiated IP address
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 1
PPP authentication pap callin
PPP pap sent-username DSLUSERNAME password DSLPASSWORD
No cdp enable
!
!
IP local pool PPP 192.168.207.200 192.168.207.250
IP forward-Protocol ND
!
!
overload of IP nat inside source list NAT_ACL interface Dialer1
IP nat inside source static tcp 192.168.192.XX 25 expandable 25 82.XXX.XXX.XXX
IP nat inside source static tcp 192.168.192.XX 1352 82.XXX.XXX.XXX 1352 extensible
IP route 0.0.0.0 0.0.0.0 Dialer1
!
NAT_ACL extended IP access list
deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
permit tcp 192.168.192.0 0.0.0.255 any eq www
permit tcp 192.168.192.0 0.0.0.255 any eq 443
permit tcp 192.168.192.0 0.0.0.255 any eq 1352
permit tcp host 192.168.192.XX no matter what eq smtp
permit tcp 192.168.192.0 0.0.0.255 any eq 22
permit tcp host 192.168.192.XX no matter what eq field
permit tcp host 192.168.192.XX no matter what eq field
permit tcp host 192.168.192.XX no matter what eq field
allowed UDP host 192.168.192.XX matter what eq field
allowed UDP host 192.168.192.XX matter what eq field
allowed UDP host 192.168.192.XX matter what eq field
!
host 192.168.192.XX auth-port 1645 1646 RADIUS server acct-port
Server RADIUS IASKEY key
!
control plan
!
!
!
Line con 0
line to 0
line vty 0 4
line vty 5 15
!
Scheduler allocate 20000 1000
end
Debugging is followed:
14:47:51.755 on 21 oct: PPP: Alloc context [294C7BC4]
14:47:51.755 on 21 oct: ppp98 PPP: Phase is
14:47:51.755 on 21 oct: ppp98 PPP: using AAA Id Unique = 8 b
14:47:51.755 on 21 oct: ppp98 PPP: permission NOT required
14:47:51.755 on 21 oct: ppp98 PPP: via vpn, set the direction of the call
14:47:51.755 on 21 oct: ppp98 PPP: treatment of connection as a callin
14:47:51.755 on 21 oct: ppp98 PPP: Session Session handle [62] id [98]
14:47:51.755 on 21 oct: ppp98 TPIF: State of the event [OPEN] [initial check]
14:47:51.755 on 21 oct: ppp98 PPP LCP: switch to passive mode, State [stopped]
14:47:53.759 on 21 oct: ppp98 PPP LCP: exit passive mode, State [departure]
14:47:53.759 on 21 oct: LCP ppp98: O CONFREQ [departure] id 1 len 19
14:47:53.759 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)
14:47:53.759 on 21 oct: ppp98 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
14:47:53.759 on 21 oct: ppp98 TPIF: MagicNumber 0xF018D237 (0x0506F018D237)
14:47:53.759 on 21 oct: ppp98 TPIF: event [UP] State [departure at REQsent]
14:47:54.351 on 21 oct: ppp98 TPIF: I CONFREQ [REQsent] id 0 len 18
14:47:54.351 on 21 oct: ppp98 TPIF: MRU 1400 (0 x 01040578)
14:47:54.351 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)
14:47:54.351 on 21 oct: ppp98 TPIF: PFC (0 x 0702)
14:47:54.351 on 21 oct: ppp98 TPIF: RAC (0 x 0802)
14:47:54.351 on 21 oct: LCP ppp98: O CONFNAK [REQsent] id 0 len 8
14:47:54.351 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)
14:47:54.351 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq-] [REQsent to REQsent]
14:47:54.751 on 21 oct: ppp98 TPIF: I CONFACK [REQsent] id 1 len 19
14:47:54.751 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)
14:47:54.751 on 21 oct: ppp98 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
14:47:54.751 on 21 oct: ppp98 TPIF: MagicNumber 0xF018D237 (0x0506F018D237)
14:47:54.751 on 21 oct: ppp98 TPIF: State of the event [receive ConfAck] [REQsent to ACKrcvd]
14:47:54.915 on 21 oct: ppp98 TPIF: I CONFREQ [ACKrcvd] id 1 len 18
14:47:54.915 on 21 oct: ppp98 TPIF: MRU 1400 (0 x 01040578)
14:47:54.915 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)
14:47:54.915 on 21 oct: ppp98 TPIF: PFC (0 x 0702)
14:47:54.915 on 21 oct: ppp98 TPIF: RAC (0 x 0802)
14:47:54.915 on 21 oct: LCP ppp98: O CONFNAK [ACKrcvd] id 1 len 8
14:47:54.915 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)
14:47:54.915 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq-] [ACKrcvd to ACKrcvd]
14:47:55.275 on 21 oct: ppp98 TPIF: I CONFREQ [ACKrcvd] id 2 len 18
14:47:55.275 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)
14:47:55.275 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)
14:47:55.275 on 21 oct: ppp98 TPIF: PFC (0 x 0702)
14:47:55.275 on 21 oct: ppp98 TPIF: RAC (0 x 0802)
14:47:55.275 on 21 oct: LCP ppp98: O CONFACK [ACKrcvd] id 2 len 18
14:47:55.275 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)
14:47:55.275 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)
14:47:55.275 on 21 oct: ppp98 TPIF: PFC (0 x 0702)
14:47:55.275 on 21 oct: ppp98 TPIF: RAC (0 x 0802)
14:47:55.275 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq +] [ACKrcvd to open]
14:47:55.295 on 21 oct: ppp98 PPP: Phase is AUTHENTICATING,
14:47:55.295 on 21 oct: ppp98 MS-CHAP-V2: O CHALLENGE id 1 len 28 of 'gw.izmv '.
14:47:55.295 on 21 oct: ppp98 TPIF: State is open
14:47:55.583 on 21 oct: ppp98 MS-CHAP-V2: I ANSWER id 1 len 71 of "domain\username".
14:47:55.583 on 21 oct: ppp98 PPP: Phase TRANSFER, tempting with impatience
14:47:55.583 on 21 oct: ppp98 PPP: Phase is AUTHENTICATING, unauthenticated user
14:47:55.587 on 21 oct: ppp98 PPP: request sent MSCHAP_V2 LOGIN
14:47:55.591 on 21 oct: ppp98 PPP: received LOGIN response PASS
14:47:55.591 on 21 oct: ppp98 PPP AUTHOR: author data NOT available
14:47:55.591 on 21 oct: ppp98 PPP: Phase TRANSFER, tempting with impatience
14:47:55.595 on 21 oct: Vi3 PPP: Phase is AUTHENTICATING, authenticated user
14:47:55.595 on 21 oct: Vi3: given msg No. MS_CHAP_V2
14:47:55.595 on 21 oct: Vi3 MS-CHAP-V2: SUCCESS O id 1 len 46 msg is "tG @ #QDD @(@B@ (@[email protected]/ ** / @I @:[email protected]/ ** / @@@ EJFDE)).
14:47:55.595 on 21 oct: Vi3 PPP: Phase is in PLACE
14:47:55.595 on 21 oct: Vi3 CPIW: protocol configured, start state cf. [original]
14:47:55.595 on 21 oct: Vi3 CPIW: State of the event [OPEN] [Initial report on startup]
14:47:55.595 on 21 oct: Vi3 CPIW: O CONFREQ [departure] id 1 len 10
14:47:55.595 on 21 oct: Vi3 CPIW: address of 192.168.207.1 (0x0306C0A8CF01)
14:47:55.595 on 21 oct: Vi3 CPIW: event [UP] State [begins to REQsent]
14:47:55.595 on 21 oct: Vi3 CCP: protocol configured, start state cf. [original]
14:47:55.595 on 21 oct: Vi3 CCP: State of the event [OPEN] [Initial report on startup]
14:47:55.595 on 21 oct: Vi3 CCP: O CONFREQ [departure] id 1 len 10
14:47:55.595 on 21 oct: Vi3 CCP: MS - PPC supported bits 0 x 01000060 (0 x 120601000060)
14:47:55.595 on 21 oct: Vi3 CCP: event [UP] State [begins to REQsent]
14:47:55.599 on 21 oct: % LINK-3-UPDOWN: Interface virtual-access.3, changed State to
14:47:55.603 on 21 oct: % LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-access.3, changed State to
14:47:56.027 on 21 oct: Vi3 LCP: I have TERMREQ [open] id 3 len 16
14:47:56.027 on 21 oct: Vi3 LCP: (0x2F7C5F7E003CCD740000030A)
14:47:56.027 on 21 oct: Vi3 CPIW: event [BOTTOM] State [REQsent on startup]
14:47:56.027 on 21 oct: Vi3 CPIW: State of event [CLOSE] [begins with initial]
14:47:56.027 on 21 oct: Vi3 CCP: event [BOTTOM] State [REQsent on startup]
14:47:56.027 on 21 oct: Vi3 PPP DISC: MPPE required not negotiated
14:47:56.027 on 21 oct: Vi3 PPP: sending Acct event [low] id [8B]
14:47:56.027 on 21 oct: Vi3 CCP: State of event [CLOSE] [start with initial]
14:47:56.027 on 21 oct: Vi3 LCP: O TERMACK [open] id 3 len 4
14:47:56.027 on 21 oct: Vi3 LCP: event [receive TermReq] State [Open to stop]
14:47:56.027 on 21 oct: Vi3 PPP: Phase ENDS
14:47:56.027 on 21 oct: Vi3 LCP: event [CLOSE] [off status of closing]
14:47:56.675 on 21 oct: Vi3 PPP: block vaccess to be released [0x10]
14:47:56.675 on 21 oct: Vi3 LCP: event [CLOSE] State [closing closing]
14:47:56.679 on 21 oct: Vi3 LCP: event [BOTTOM] State [closing on Initial]
14:47:56.679 on 21 oct: Vi3 PPP: compensation AAA Id Unique = 8 b
14:47:56.679 on 21 oct: Vi3 PPP: unlocked by [0x10] always locked by 0 x [0]
14:47:56.679 on 21 oct: Vi3 PPP: free previously blocked vaccess
14:47:56.679 on 21 oct: Vi3 PPP: Phase is BROKEN
14:47:56.679 on 21 oct: % LINK-3-UPDOWN: Interface virtual-access.3, changed State to down
14:47:56.683 on 21 oct: % LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-access.3, state change downstairs
I'll be very grateful for any useful suggestions
We had the same problem using MS-CHAP-V2 and 3945 router using IOS 15.2. When you add the same combination of username/password locally it worked fine but it wasn't no of course of the solution. We have solved this problem by adding the following line in the config file:
AAA authorization network default authenticated if
This is because Windows 2000 clients require the use of a statement of authorization aaa in the router config. Maybe it was default (and therefore not shown) previous iOS releases.
Success!
Wil Schenkeveld
-
What clients VPN Cisco 2811 supports?
Is the solution of VPN Cisco 2811 locked customers cisco or that market with other brands too?
Best regards Tommy Svensson
Hello
With the correct IOS feature set, it will support IPsec VPN clients. This includes not only the Cisco VPN client but almost any standard IPsec client.
In addition, if on the 2811 can accept any browser SSL VPN connections, or even use the AnyConnect SSL client.
It will be useful.
Federico.
-
Files shared via PPTP VPN remote access/desktop
Hello
I just bought the RV180W so I can connect to my desktop wherever you are a VPN client. The two things I need to do while I'm connected like a VPN client must be able to access my files on my desktop and be able to remote desktop as well. I have Win7 on all my computers. Ideally, I would like to do on the PPTP VPN connection, but if this is not possible so I can try out the software Cisco QuickVPN.
I activated the PPTP on my router and created a user account. I was also able to successfully establish the remote connection. While I was logged as a PPTP VPN client, I was able to access the Internet and my configuration page of the router, which tells me that the connection is good. However, I was not able to discover my desktop label my network PC in Win7 and I was able to remote desktop. I keep my desktop PC on all the time and he will never sleep. I haven't created any strategy of connection, but maybe that's the problem. Please let me know if you know a solution.
Thank you!
Mustafa greetings,
Thanks for writing.
Have you access the router configuration using the public IP address or local IP address when you are connected to the PPTP tunnel? You can test the tunnel connecting and then ping the local IP address of the router or a computer.
You want to make sure that the addresses that you configure for the PPTP users are not incompatible with your DHCP addresses. You need not configure any policy with PPTP.
In addition, in order to access files through the tunnel, you must map the drive by using the IP address. For example, \\192.168.1.101\MyFiles
Once we verify your tunnel, access issues can be troubleshooted. If you have any problems, consider giving us a call at 1-866-606-1866. We will be happy to help you.
Kind regards
-David Aguilar
Cisco Small Business Support Center
1-866-606-1866
-
divide the tunnel pptp vpn router 7200
I have cisco 7200 running Cisco IOS Software, software 7200 (C7200-ADVENTERPRISEK9-M), Version 12.4 (24) T2, VERSION of the SOFTWARE (fc2). I want that connects to the pptp VPN in order to access the internet at the same time. I think that this can be achieved by implementing split VPN tunnel. However I can't understand how to implement this on my 7200. All the documentation I found only tell how to do it on a cisco ASA. I've been watching this article to help me to http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml#con4VPN clients will assign an ip address in the range of 172.16.10.0/24 to access the network remote fo 17.16.0.0/24Looking to the article posted above, I created the list 102 permit ip 172.16.0.0 ACLaccess 0.0.0.255 172.16.10.0 is 0.0.0.255What I can not understand how to apply this to my activation of VPDN PPTP groupvpdn
!
VPDN-Group 1
! PPTP by default VPDN group
accept-dialin
Pptp Protocol
virtual-model 1
! interface virtual-Template1
IP unnumbered GigabitEthernet0/2
peer default ip address pool-pptp pool
PPP encryption mppe auto
PPP ms-chap for authentication ms-chap-v2
! access-list 102 permit ip 172.16.0.0 0.0.0.255 172.16.10.0 0.0.0.255
Local IP pool pptp 172.16.10.1 172.16.10.254Any help is appreciatedThanksSplit PPTP tunnel must be configured on the client. Unlike the IPSec tunnel split which is performed on the head end, split PPTP tunnel is configured on the client itself.
Here is the configuration guide for document Q & A (last question):
http://www.Cisco.com/en/us/Partner/Tech/tk827/tk369/technologies_q_and_a_item09186a00800946ef.shtml
Here is an article from Microsoft that takes in charge who:
http://TechNet.Microsoft.com/en-us/library/cc779919%28WS.10%29.aspx#w2k3tr_vpn_how_dkma
Hope that helps.
-
I'm relatively new to the security stuff. I'm a guy of the voice. I created a Pix 501 for IPSEC VPN and works very well. Then I tried it setting up PPTP VPN. I use Windows XP to connect. It connects fine, but I can't ping to the inside interface on the PIX. I can do this by using IPSEC. Any ideas? Here is my config:
:
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the password * encrypted
passwd * encrypted
host name *.
domain name *.
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list 101 permit icmp any any echo response
access-list 80 allow ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.5.0 255.255.255.0
access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 24
opening of session
emergency logging console
Outside 1500 MTU
Within 1500 MTU
IP address outside of *. *. *. * 255.255.255.0
IP address inside 10.0.0.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool pool1 192.168.5.100 - 192.168.5.200
IP local pool pool2 192.168.6.100 - 192.168.6.200
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 10.0.0.0 255.0.0.0 0 0
Access-group 101 in external interface
Route outside 0.0.0.0 0.0.0.0 *. *. *. * 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
the ssh LOCAL console AAA authentication
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Sysopt connection permit-pptp
Sysopt connection permit-l2tp
Crypto ipsec transform-set high - esp-3des esp-sha-hmac
Crypto ipsec transform-set esp - esp-md5-hmac RIGHT
Crypto dynamic-map cisco 4 strong transform-set - a
Crypto-map dynamic dynmap 10 transform-set RIGHT
Cisco dynamic of the partners-card 20 crypto ipsec isakmp
partner-map interface card crypto outside
card crypto 10 PPTP ipsec-isakmp dynamic dynmap
ISAKMP allows outside
ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
ISAKMP nat-traversal 20
part of pre authentication ISAKMP policy 8
ISAKMP strategy 8 3des encryption
ISAKMP strategy 8 md5 hash
8 2 ISAKMP policy group
ISAKMP life duration strategy 8 the 86400
vpngroup address pool1 pool test
vpngroup default-field lab118 test
vpngroup split tunnel 80 test
vpngroup test 1800 idle time
Telnet timeout 5
SSH 10.0.0.0 255.0.0.0 inside
SSH 192.168.5.0 255.255.255.0 inside
SSH 192.168.6.0 255.255.255.0 inside
SSH timeout 5
management-access inside
Console timeout 0
VPDN PPTP-VPDN-group accept dialin pptp
VPDN group PPTP-VPDN-GROUP ppp authentication chap
VPDN group PPTP-VPDN-GROUP ppp mschap authentication
VPDN group PPTP-VPDN-GROUP ppp encryption mppe auto
VPDN group VPDN GROUP-PPTP client configuration address local pool2
VPDN group VPDN GROUP-PPTP client configuration dns 8.8.8.8
VPDN group VPDN GROUP-PPTP pptp echo 60
VPDN group VPDN GROUP-PPTP client for local authentication
VPDN username bmeade password *.
VPDN allow outside
You will have to connect to an internal system inside and out run the PIX using pptp.
For ssh access the PIX, you will also need additional configuration, see the section on code PIX pre 7.x, section access ssh to the security apparatus .
Concerning
-
PPTP VPN does not work on Iphone Personal Hotspot
Hello
I've just updated to iOS 10 yesterday and now all my devices I use to connect to the personal hotspot on my iphone are not able to establish PPTP VPN connections. I was aware of the PPTP client are disabled in the iOS, but has actually blocked PPTP are not used by devices that connect to the Personal Hotspot?
Please help ASAP, I know there are many more end-users like me having the same problem.
Hello
Apple does not recommend using the PPTP protocol for secure and private communication.
iOS 10 and macOS Sierra intentionally delete a VPN profile PPTP connections when a user upgrades from their device.
Apple recommends using another VPN protocol which is safer:
More information:
Prepare for removal of PPTP VPN before you upgrade to iOS 10 and macOS Sierra - Apple Support
-
I have a windows VPN (PPTP) Server behimd my Nighthawk R7000 router but the router does not allow for VPN passthrough? Any ideas?
I have port 47 GRE TCP/UDP and TCP 1723/UDP sent to my IP address of the VPN server. Am I missing something? It be a checkbox to enable VPN passthrough but I don't see on the R7000 nighthawk? Its not me to VPN in my network. Help, please. Once again it is for Windows VPN not the customer to Open VPN (that I don't want to use)
Yes, I have forwarded manually and yes I have chosen pptp vpn in the drop down menu. I managed to solve the problem though! I just removed the pptp vpn service from the drop down and added service pptp again and now everything works fine.
-
I have windows vista Enterprise edition and trying to connect to a PPTP VPN, I get an error 691 name of user and password are fine, I can connect to the VPN on XP without problem.
original title: VPN Error 691I was able to find a solution by the way that the domain has been configured. I was adding the complete domain name and extension (i.e. domain.local). The .local was me screwing up. I edited the domain field to only reflect the domain name without any extensions. One that I did this it worked like a charm. I have been using a VPN PPTP on a computer Server 2003 domain mixed with 2000 and 2003 domain controllers and Windows 7 Pro laptop computers. Hope this helps someone.
-
LAN-to-LAN tunnel between VPN 3000 and Cisco 1721
Hello
I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).
When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.
However, I would like to Turn off encryption for some time getting the speed improvements, so I changed
Encryption = null esp (in 1721) and to "null" in VPN-3000.
Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721
% C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0
Has anyone seen this behavior?
All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?
Thanx------Naman
Naman,
Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.
Kurtis Durrett
-
PPTP VPN on C2821 - no access on remote hosts
Hello, I'm having a problem with a PPTP VPN on a C2821 router running, I can connect to the server and ping the LAN interface but I get no response from any other host in the network. The network looks like this:
Thank you for the help and I am sorry if I posted in the wrong section.
Idon't see any command "ip route".
Maybe you are looking for
-
Firefox did just have an update?
It's midnight and I usually wake up at this time for some odd reason. So, I get on my laptop, and I see I forgot to close a popup that occurred when I was looking at the lyrics of a song. After I closed out, I saw another window that says something l
-
How can I make my HTML email compatible?
I can't see some incoming emails. This takes place recently. It comes either with the message to use a client HTML compatible e-mail or in a large amount of code. What are the settings need to be changed to correctly display all emails.
-
passage of data container of teststand labwindows/cvi handle error
Hello I'm moving a container of teststand parameter to labwindows/cvi using this UI API messages following this code created by Peter-r. example: https://decibel.NI.com/content/docs/doc-23332 It is a great example to start with, but as I run using wo
-
Hello everyone, I work with a device which provide me time GPS,. as far as I know, it should be time since the beginning of the week... My question is: Is there a built in functions to display the time GPS in DD HH: mmS format or any other format? Th
-
"System.UnauthorizedAccessException" when you run Optika Vision Lite
I installed optika vision lite software on my computer windows 7 and when I clicked on options to change the language from Spanish to English, he brought this error, please help me I need to use the software as soon as possible Thank you See the end