
Cisco 1811 and Windows Native VPN's

Asked by Rheiniluoma in Virtual Private Networking (VPN), Network Routers, Windows Vista

Tags: Cisco IOS Windows XP Vista x64 1811 VPN Router

Hello,

I have recently purchased several Cisco 1811s. The routers seem pretty solid, however I am having challenges getting the VPN running with Microsoft native VPNs and Apple.

I have gotten them working with PPTP for both Windows and the iPhone, but I'd like to get them working with L2TP as well.

It's so close it's not even funny...

I connected for a few minutes to the L2TP (first try failed) and on the second try, I could even get on the internet through the VPN's gateway, open up some internal websites, get to a shared drive for almost 10 minutes...

I disconnected and reconnected after about 5 minutes... nothing.. nada.. couldn't ping anything, couldn't see local or the internet.... (same as the first try) On the iPhone I can do fine on PPTP, but "A connection could not be established to the ppp server. Try reconnecting..." happens with the L2TP connection. I've read about the two different authentication protocols which have to be used, but I haven't made it so far as to try to tackle that...

It's been consistently inconsistent... the L2TP tunnel is just flaky, whereas the PPTP has been rock solid (I accidentally played WoW for an hour through the tunnel last night!!).

And in case anyone needs it, this is a dual-homed configuration with a fixed IP on Fa0 and ADSL on Fa1 (that part works great, even supports the pptp vpn on failover).

Here's my sanitized complete config so far... I'm hitting a wall with this one, so I'd love to get some input on it!

Goals:
L2TP/IPSEC working for Windows (in a stable config!)
L2TP/IPSEC working for the iPhone (built-in CISCO config OK as it uses l2tp too...)
Good Firewall configuration that doesn't nuke all of this
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authorization exec default group radius local 
aaa authorization network default group radius local 
!
!
aaa session-id common
memory-size iomem 15
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki trustpoint TP-self-signed-1444119379
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1444119379
 revocation-check none
 rsakeypair TP-self-signed-1444119379
!
!
crypto pki certificate chain TP-self-signed-1444119379
 certificate self-signed 01
  <snip>
  	quit
dot11 syslog
!
dot11 ssid HOU-RTR-GUEST
 vlan 2
 authentication open 
 guest-mode
!
dot11 ssid HOU-RTR-WIFI
 vlan 1
 authentication open 
 authentication key-management wpa
 wpa-psk ascii 7 xxxx
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.5.1 10.1.5.10
ip dhcp excluded-address 10.1.5.240 10.1.5.254
!
ip dhcp pool HOU-WIFI-Guests
   network 10.1.5.0 255.255.255.0
   default-router 10.1.5.254 
   dns-server 4.2.2.2 4.2.2.1 208.67.222.222 208.67.220.220 
!
!
ip cef
no ip bootp server
ip domain name cima-energy.com
ip name-server 10.1.1.23
ip name-server 10.1.1.26
ip name-server 4.2.2.2
ip ddns update method sdm_ddns1
 HTTP
  add http://xxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://xxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
no ipv6 cef
!
multilink bundle-name authenticated
!
async-bootp subnet-mask 255.255.255.0
async-bootp gateway 10.1.1.254
async-bootp dns-server 10.1.1.23 10.1.1.26
async-bootp nbns-server 10.1.1.23 10.1.1.26
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
vpdn-group L2TP_Client
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
vpdn-group PPTP_Client
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
username user privilege 15 secret 5 $1$d/xxxx
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MYSECRETKEY address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac 
 mode transport
!
crypto dynamic-map cc 10
 set nat demux
 set transform-set ccsp 
!
!
crypto map cisco 10 ipsec-isakmp dynamic cc 
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description WAN Interface$FW_OUTSIDE$
 backup interface Dialer0
 ip address MYPUBIP 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map cisco
!
interface FastEthernet1
 description ADSL WAN Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
 switchport access vlan 2
!
interface FastEthernet7
 switchport access vlan 2
!
interface FastEthernet8
 switchport access vlan 2
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 !
 encryption vlan 1 mode ciphers aes-ccm 
 !
 encryption vlan 2 mode ciphers aes-ccm 
 !
 ssid XXXX-GUEST
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip flow ingress
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip flow ingress
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 !
 encryption vlan 2 mode ciphers aes-ccm 
 !
 encryption vlan 1 mode ciphers aes-ccm 
 !
 ssid XXXX-GUEST
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 ip flow ingress
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 ip flow ingress
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Virtual-Template1
 description PPTP Dial-Up VPN Endpoint$FW_INSIDE$
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn_pool_1
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap
!
interface Virtual-Template2
 description L2TP Dial-Up VPN Endpoint$FW_INSIDE$
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn_pool_2
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
interface Vlan1
 no ip address
 random-detect 
 bridge-group 1
!
interface Vlan2
 no ip address
 ip access-group 120 in
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface Async1
 description Dial-Up
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 async mode interactive
!
interface Dialer0
 description ADSL WAN Dialer$FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx@xxxx.net
 ppp chap password 7 xxxxx
 ppp pap sent-username xxxx@xxx.net password 7 xxxx
 ppp ipcp route default
 crypto map cisco
!
interface Dialer1
 description Dial-Up AT&T Connection$FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 2
 dialer string DIALUPPHONENUM
 dialer-group 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXX.net
 ppp chap password 7 XXXX
 ppp pap sent-username XXXX.net password 7 XXXX
 ppp ipcp route default
!
interface BVI1
 description VLAN1 Gateway
 ip address 10.1.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface BVI2
 description VLAN2 Gateway
 ip address 10.1.5.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
ip local pool vpn_pool_1 172.16.10.1 172.16.10.127
ip local pool vpn_pool_2 172.16.10.128 172.16.10.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 MY IP NEXT HOP
ip route 0.0.0.0 0.0.0.0 Dialer0 10
ip route 0.0.0.0 0.0.0.0 Dialer1 20
ip route 10.1.2.0 255.255.255.0 10.1.1.253
ip http server
ip http access-class 15
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip nat inside source route-map DSL interface Dialer0 overload
ip nat inside source route-map DIAL interface Dialer1 overload
ip nat inside source route-map FIBER interface FastEthernet0 overload
!
ip radius source-interface Vlan1 
access-list 10 remark Local subnets
access-list 10 permit 10.1.1.0 0.0.0.254
access-list 15 remark All Trusted Nets
access-list 15 permit 10.1.0.0 0.0.255.255
access-list 15 remark VPN Clients
access-list 15 permit 172.16.10.0 0.0.0.255
access-list 120 deny   ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 120 permit ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
 
!
!
!
!
route-map DSL permit 2
 match ip address 15
 match interface Dialer0
 set metric 5
!
route-map FIBER permit 1
 match ip address 15
 match interface FastEthernet0
 set metric 1
!
route-map DIAL permit 3
 match ip address 15
 match interface Dialer1
 set metric 10
!
!
!
radius-server host 10.1.1.22 auth-port 1812 acct-port 1813 key 7 XXXX
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login 
 
 
********************************************
*        Private Property                  *
* Unauthorized access prohibited           *
* Disconnect NOW if you are not authorized *
********************************************
 
 

!
line con 0
 privilege level 15
 logging synchronous
 transport output telnet ssh
line 1
 modem InOut
 transport input all
 autoselect ppp
line aux 0
 transport output ssh
line vty 0 4
 transport input ssh
 transport output telnet ssh
line vty 5 15
 transport input telnet ssh
 transport output telnet ssh
!
scheduler interval 500
ntp access-group serve-only 15
ntp update-calendar
ntp server 128.194.254.9
ntp server 192.43.244.18 prefer
end
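Reading the posted config as a defender, here is an added example (mine, not from the question, Cisco or Experts Exchange): a small Python audit that checks the prerequisites native Windows/iOS L2TP/IPsec clients need (an L2TP accept-dialin group, a transport-mode transform set, set nat demux, and the crypto map bound on every Internet-facing interface) and flags the weak settings present in the same config (wildcard pre-shared key, L2TP tunnel authentication off, cleartext HTTP management, telnet accepted on vty 5-15). It assumes the running-config is available as a string; the embedded excerpt is constructed from the posted config.

```python
import re

# Constructed excerpt modelled on the config posted in the question (names copied
# from it); the checks are mine, not a Cisco or Experts Exchange tool.
SAMPLE = """\
vpdn-group L2TP_Client
 accept-dialin
  protocol l2tp
 no l2tp tunnel authentication
crypto isakmp key MYSECRETKEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map cc 10
 set nat demux
crypto map cisco 10 ipsec-isakmp dynamic cc
interface FastEthernet0
 crypto map cisco
interface Dialer0
 crypto map cisco
ip http server
line vty 5 15
 transport input telnet ssh
"""

def blocks(text):
    """Split an IOS config into blocks: a column-0 line plus its indented children."""
    body = "\n".join(l for l in text.splitlines() if l.strip() and l[0] != "!")
    return re.split(r"\n(?=\S)", body)

def audit(text):
    """Return (prerequisites met, findings) for a native-client L2TP/IPsec setup."""
    cfg = blocks(text)
    has = lambda top, child: any(b.startswith(top) and re.search(r"^\s+" + child, b, re.M) for b in cfg)
    met, findings = [], []
    # Native clients need L2TP accept-dialin, IPsec transport mode and a dynamic crypto map
    # (peer addresses are unknown) bound to every Internet-facing interface.
    if has("vpdn-group", "protocol l2tp"): met.append("l2tp accept-dialin")
    if has("crypto ipsec transform-set", "mode transport"): met.append("ipsec transport mode")
    else: findings.append("transform-set needs 'mode transport' for native L2TP/IPsec clients")
    if has("crypto dynamic-map", "set nat demux"): met.append("nat demux")
    maps = {b.split()[2] for b in cfg if b.startswith("crypto map ")}
    bound = [b.split("\n")[0] for b in cfg if b.startswith("interface")
             and (m := re.search(r"^ crypto map (\S+)", b, re.M)) and m[1] in maps]
    met.append("crypto map bound on: " + ", ".join(bound))
    # Weak settings a reviewer would flag on the same config.
    if any(re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", b) for b in cfg): findings.append("wildcard pre-shared key: one secret shared by every peer")
    if has("vpdn-group", "no l2tp tunnel authentication"): findings.append("L2TP tunnel authentication off: only IPsec protects the tunnel")
    if "ip http server" in cfg: findings.append("cleartext HTTP management enabled")
    findings += [b.split("\n")[0] + ": telnet accepted" for b in cfg
                 if b.startswith("line") and re.search(r"^ transport input (all|.*telnet)", b, re.M)]
    return met, findings
```

Run audit() on the full running-config text to get the same two lists for the real box; the L2TP checks only cover what the router must offer, not the PPP authentication and encryption settings the client negotiates on top.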