Solved

PPTP VPN w/Cisco 2801 & Window 2000 RADIUS

Posted on 2006-06-22
Last Modified: 2008-01-09
Hello,

I have a Cisco 2801 Router with the SEC/K9 modules loaded.

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
System image file is "flash:c2801-advsecurityk9-mz.124-3c.bin"

I am trying to run a PPTP VPN authenticated through Windows 2000 IAS RADIUS.

The client end is a Windows XP connecting using the standard windows DUN PPTP VPN.

Everything works flawlessly until I attempt to use encryption. Users can authenticate, connect, use network resources, etc. etc.

The working configuration on the Cisco is:
interface virtual-template 1 ppp encrypt mppe auto

The following also work:
interface virtual-template 1 ppp encrypt mppe 40
interface virtual-template 1 ppp encrypt mppe 128

I am using ms-chap / ms-chap-v2:
interface virtual-template 1 ppp authentication ms-chap ms-chap-v2

Everything works, but encryption is not...

When I tell the Windows client to require the use of encryption, some very odd things happen... The first time I try to connect, I will get an error 742: "The remote computer does not support the required encryption type." Oddly, if I try to connect within a few seconds of receiving the error, the connection then goes through, and everything again works as expected. Even looking at the "Status" of the connection shows MPPE 128-bit encryption. BUT THE LINK IS NOT ACTUALLY ENCRYPTED!!! Packet captures on the wire show all the data going clear through in non-encrypted GRE packets.

I see the following lines in the debug log of the Cisco that may be relevant:
026544: *Jun 23 04:31:33.973 UTC: RADIUS:   MS-CHAP-MPPE-Keys  [12]  34  *
026548: *Jun 23 04:31:33.977 UTC: RADIUS:   MS-MPPE-Enc-Policy [7]   6
026549: *Jun 23 04:31:33.977 UTC: RADIUS:   00 00 00 02    [????]
026551: *Jun 23 04:31:33.977 UTC: RADIUS:   MS-MPPE-Enc-Type   [8]   6
026552: *Jun 23 04:31:33.977 UTC: RADIUS:   00 00 00 0C    [????]
026643: *Jun 23 04:31:34.057 UTC: Vi4 MPPE: RADIUS keying material missing


If I force the router to do the encryption, with:
interface virtual-template 1 ppp encrypt mppe auto required

Then the link will drop just after the connection is made, every time.

I see the following relevant line in the debug logs of the Cisco:
028180: *Jun 23 04:43:33.905 UTC: RADIUS:   MS-CHAP-MPPE-Keys  [12]  34  *
028184: *Jun 23 04:43:33.905 UTC: RADIUS:   MS-MPPE-Enc-Policy [7]   6  
028185: *Jun 23 04:43:33.905 UTC: RADIUS:   00 00 00 02                                      [????]
028187: *Jun 23 04:43:33.905 UTC: RADIUS:   MS-MPPE-Enc-Type   [8]   6  
028188: *Jun 23 04:43:33.905 UTC: RADIUS:   00 00 00 0C                                      [????]
028279: *Jun 23 04:43:33.973 UTC: Vi4 MPPE: RADIUS keying material missing
028297: *Jun 23 04:43:34.009 UTC: Vi4 MPPE: Required encryption not negotiated

I am convinced this is not a general RADIUS / connection / authentication, etc. problem, because everything works fine when not using mppe.

I thought perhaps it might be this problem: CSCdv50861—MPPE does not negotiate with Windows 2000.

But that problem was supposedly fixed in IOS release 12.3, which I am running.

I remember reading somewhere that MPPE 128 bit encryption does not work with hardware VPN boards, but I'm not sure if it was true, and regardless, my setup doesn't even seem to work with 40 bit mppe.

I've spent a good deal of time poring over the following pages, as they claim to have working solutions, but I still have no luck.
http://my.execpc.com/~keithp/pptp.htm
http://www.cisco.com/warp/public/116/pptp_3885.html

I have spent the last 3 days trying to find a solution, and I'm at my wits' end...

The 100 points will be awarded to those who tell me it's not possible, either because of an IOS bug, hardware incompatibility, etc., or it just plain can't be done.

But I will increase the points to 500, and award them accordingly if anyone can help me to a working solution. Thanks in advance!
Question by: matheweis
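The three Microsoft vendor-specific attributes in the debug lines above (MS-CHAP-MPPE-Keys [12] with vendor-length 34, MS-MPPE-Enc-Policy [7] = 00 00 00 02, MS-MPPE-Enc-Type [8] = 00 00 00 0C) are what a RADIUS Access-Accept carries to tell the NAS about MPPE. The Python script below is an added example, not part of the original question and not Cisco or Microsoft code: it builds a constructed attribute list with the same three VSAs, decodes the policy and type words by their RFC 2548 value names, reports whether the MS-CHAP (v1) key attribute or the MS-CHAPv2 Send/Recv key pair is present, and implements the RFC 2548 section 2.4.1 hiding of the 32-octet Keys field with the RADIUS shared secret. The shared secret, Request Authenticator and key bytes are constructed values; the reading of bit 0x08 of Encryption-Types as RC4-56bit is an assumption, marked as such in the code.

```python
"""Decode the Microsoft RADIUS vendor-specific attributes (VSAs) that carry
MPPE policy and keys in an Access-Accept, as shown in the IOS debug lines.
Added example on constructed data; not the router's or IAS's real packet."""
import hashlib
import struct

ATTR_VSA = 26
VENDOR_MICROSOFT = 311

# Microsoft vendor types (RFC 2548)
MS_MPPE_ENC_POLICY = 7     # MS-MPPE-Encryption-Policy
MS_MPPE_ENC_TYPES = 8      # MS-MPPE-Encryption-Types
MS_CHAP_MPPE_KEYS = 12     # MS-CHAP (v1) LM/NT session keys, 32 octets, hidden
MS_MPPE_SEND_KEY = 16      # MS-CHAPv2 keys arrive as this pair instead
MS_MPPE_RECV_KEY = 17

POLICY_NAMES = {1: "Encryption-Allowed", 2: "Encryption-Required"}
# Bit field. 0x02 and 0x04 are the RFC 2548 names; 0x08 = RC4-56bit is an
# assumption taken from Microsoft's use of the attribute.
TYPE_BITS = {0x02: "RC4-40bit-Allowed", 0x04: "RC4-128bit-Allowed", 0x08: "RC4-56bit-Allowed"}


def hide_keys(plain32, secret, request_authenticator):
    """RFC 2548 2.4.1 hiding of the 32-octet Keys field: MD5(secret + previous
    block) XORed chunk by chunk, as for User-Password (RFC 2865 5.2).
    There is no integrity check, so a wrong secret just yields wrong keys."""
    if len(plain32) != 32 or len(request_authenticator) != 16:
        raise ValueError("Keys field is 32 octets, Request Authenticator 16")
    out, prev = b"", request_authenticator
    for i in range(0, 32, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain32[i:i + 16], pad))
        out += prev
    return out


def unhide_keys(hidden32, secret, request_authenticator):
    """Inverse of hide_keys, as the NAS does on receipt."""
    out, prev = b"", request_authenticator
    for i in range(0, 32, 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = hidden32[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, pad))
        prev = chunk
    return out


def vsa(vendor, vtype, value):
    """Encode one RADIUS Vendor-Specific attribute (type 26) holding one vendor attribute."""
    inner = bytes([vtype, 2 + len(value)]) + value
    body = struct.pack("!I", vendor) + inner
    return bytes([ATTR_VSA, 2 + len(body)]) + body


def parse_vsas(blob):
    """Walk a RADIUS attribute list; yield (vendor, vendor_type, value) for each VSA."""
    i = 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        if atype == ATTR_VSA:
            value = blob[i + 2:i + alen]
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed vendor attribute")
                yield vendor, vtype, value[j + 2:j + vlen]
                j += vlen
        i += alen


def decode_mppe(blob):
    """Summarise the MPPE-related Microsoft VSAs in an Access-Accept."""
    ms = {vt: val for vendor, vt, val in parse_vsas(blob) if vendor == VENDOR_MICROSOFT}
    policy = struct.unpack("!I", ms[MS_MPPE_ENC_POLICY])[0] if MS_MPPE_ENC_POLICY in ms else None
    types = struct.unpack("!I", ms[MS_MPPE_ENC_TYPES])[0] if MS_MPPE_ENC_TYPES in ms else 0
    return {
        "policy": POLICY_NAMES.get(policy, "absent" if policy is None else "unknown(%d)" % policy),
        "types": [name for bit, name in TYPE_BITS.items() if types & bit],
        "mschap_v1_keys": MS_CHAP_MPPE_KEYS in ms and len(ms[MS_CHAP_MPPE_KEYS]) == 32,
        "mschap_v2_keys": MS_MPPE_SEND_KEY in ms and MS_MPPE_RECV_KEY in ms,
    }


# Constructed sample mirroring the debug lines: [12] length 34, [7] = 2, [8] = 0x0C.
SECRET = b"example-shared-secret"                        # constructed, not the router's key
REQUEST_AUTHENTICATOR = bytes(range(16))                 # constructed
PLAIN_KEYS = b"\x11" * 8 + b"\x22" * 16 + b"\x00" * 8    # LM-Key, NT-Key, padding (constructed)
SAMPLE_ACCEPT = (
    vsa(VENDOR_MICROSOFT, MS_CHAP_MPPE_KEYS, hide_keys(PLAIN_KEYS, SECRET, REQUEST_AUTHENTICATOR))
    + vsa(VENDOR_MICROSOFT, MS_MPPE_ENC_POLICY, b"\x00\x00\x00\x02")
    + vsa(VENDOR_MICROSOFT, MS_MPPE_ENC_TYPES, b"\x00\x00\x00\x0c")
)

if __name__ == "__main__":
    print(decode_mppe(SAMPLE_ACCEPT))
    # Bytes 8..40 of the sample are the hidden Keys field of the first VSA.
    print(unhide_keys(SAMPLE_ACCEPT[8:40], SECRET, REQUEST_AUTHENTICATOR) == PLAIN_KEYS)
```

Two things the decode makes visible: the Keys field hiding carries no integrity check, so a shared-secret mismatch between NAS and RADIUS server produces wrong key material rather than an error at the RADIUS layer, and 0x0C sets the 128-bit and (as read here) 56-bit bits but not the 40-bit bit. Neither observation is a diagnosis of the router in the question; they are only what the bytes mean.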
17 Comments
 
Expert Comment by naveedb (LVL 10):
Can you post running config and complete log?

Author Comment by matheweis (LVL 3):
Here is the exact and final config, how I want to see it, and how it is currently running. As noted above, this works absolutely flawlessly and exactly how I want, except that MPPE encryption does not work, and if "required", the link drops as soon as connected.

Changes from actual running config:
All the password / key hashes have been cut to "***SECRET-HASH****"

outside.add.ress.main is primary outside static IP address.
site.add.ress.one, two, and three are the addresses of remote sites connected via IPSec tunnels.
dns.server.one and two are the addresses of the outside dns servers.
default.gateway.out is the default gateway address.

Running Configuration of 2801:
----------------------------
Building configuration...

Current configuration : 11035 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 262144 debugging
enable secret 5 ***SECRET-HASH***
!
aaa new-model
!        
!
aaa authentication login local_authen local
aaa authentication ppp default group radius local
aaa authorization exec local_author local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
!
!
no ip bootp server
ip domain name loc.company.com
ip name-server dns.server.two
ip name-server dns.server.one
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 session-limit 16
 pptp tunnel echo 30
!
!
async-bootp dns-server 10.2.0.33 10.2.0.32
async-bootp nbns-server 10.2.0.33
!
!
crypto pki trustpoint TP-self-signed-1738985607
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1738985607
 revocation-check none
 rsakeypair TP-self-signed-1738985607
!
!
crypto pki certificate chain TP-self-signed-1738985607
 certificate self-signed 01
  ******0000000000000000000000000000000000000000*********
  quit
username company privilege 15 secret 5 *****SECRET-HASH ******
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ***SHARED-HASH*** address site.add.ress.one
crypto isakmp key ***SHARED-HASH*** address site.add.ress.two
crypto isakmp key ***SHARED-HASH*** address site.add.ress.three
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel tosite.add.ress.one
 set peer site.add.ress.one
 set transform-set ESP-3DES-MD5
 match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel tosite.add.ress.two
 set peer site.add.ress.two
 set transform-set ESP-3DES-MD5
 match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel tosite.add.ress.three
 set peer site.add.ress.three
 set transform-set ESP-3DES-SHA
 match address 108
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_OUTSIDE$$ETH-LAN$
 ip address outside.add.ress.main 255.0.0.0
 ip access-group 104 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.2.0.1 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1
 ip address 10.2.16.1 255.255.255.0
 peer default ip address pool VPN-USERS
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
!
ip local pool VPN-USERS 10.2.16.48 10.2.16.63
ip classless
ip route 0.0.0.0 0.0.0.0 default.gateway.out permanent
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 1 deny   any
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 7 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 24.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host dns.server.one eq domain host outside.add.ress.main
access-list 101 permit udp host dns.server.two eq domain host outside.add.ress.main
access-list 101 deny   ip 10.2.0.0 0.0.0.255 any
access-list 101 permit icmp any host outside.add.ress.main echo-reply
access-list 101 permit icmp any host outside.add.ress.main time-exceeded
access-list 101 permit icmp any host outside.add.ress.main unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.2.0.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 24.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.4.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 104 permit udp host site.add.ress.three host outside.add.ress.main eq non500-isakmp
access-list 104 permit udp host site.add.ress.three host outside.add.ress.main eq isakmp
access-list 104 permit esp host site.add.ress.three host outside.add.ress.main
access-list 104 permit ahp host site.add.ress.three host outside.add.ress.main
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 104 permit udp host site.add.ress.two host outside.add.ress.main eq non500-isakmp
access-list 104 permit udp host site.add.ress.two host outside.add.ress.main eq isakmp
access-list 104 permit esp host site.add.ress.two host outside.add.ress.main
access-list 104 permit ahp host site.add.ress.two host outside.add.ress.main
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 104 permit udp host site.add.ress.one host outside.add.ress.main eq non500-isakmp
access-list 104 permit udp host site.add.ress.one host outside.add.ress.main eq isakmp
access-list 104 permit esp host site.add.ress.one host outside.add.ress.main
access-list 104 permit ahp host site.add.ress.one host outside.add.ress.main
access-list 104 permit udp host dns.server.one eq domain host outside.add.ress.main
access-list 104 permit udp host dns.server.two eq domain host outside.add.ress.main
access-list 104 permit tcp any any eq 1723
access-list 104 permit gre any any
access-list 104 deny   ip 10.2.0.0 0.0.0.255 any
access-list 104 permit icmp any host outside.add.ress.main echo-reply
access-list 104 permit icmp any host outside.add.ress.main time-exceeded
access-list 104 permit icmp any host outside.add.ress.main unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.2.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 106 permit ip 10.2.0.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.2.0.0 0.0.0.255 10.4.0.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 106
!
!
radius-server host 10.2.0.33 auth-port 1645 acct-port 1646 key 7 ***SECRET-HASH****
radius-server key 7 ****SECRET-HASH****
!
control-plane
!
banner login ^CWelcome to gateway.loc.company.com
My Company, Inc. (West US)


^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

gateway#
-------------------------------

Author Comment by matheweis (LVL 3):
More information that may be of use:

Debug Configuration:
--------------------
gateway#show debug
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
VPN:
  L2X control packets debugging is on
  VPDN events debugging is on
  VPDN errors debugging is on
PPP:
  PPP authentication debugging is on
  MPPE Events debugging is on
  PPP protocol negotiation debugging is on

Radius protocol debugging is on
Radius packet protocol debugging is on
gateway#
-------------------------------

Full Version Information:
-------------------
gateway#show version
Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(3c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 07-Jan-06 07:07 by alnguyen

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

gateway uptime is 1 day, 19 hours, 37 minutes
System returned to ROM by bus error at PC 0x6152535C, address 0xB0D0B11 at 00:51:20 UTC Thu Jun 22 2006
System image file is "flash:c2801-advsecurityk9-mz.124-3c.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2801 (revision 6.0) with 234496K/27648K bytes of memory.
Processor board ID FTX1012W1TN
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

gateway#
------------------------------------

Author Comment by matheweis (LVL 3):
I'm having trouble posting the logfiles; they may be over some limit ee has. Not sure. At any rate, I've posted them; here are links:

Here is a debug log transcript from a good session, or one from a session where the client forces encryption. (They are identical)
http://www.eisbox.net/ee/logfile-good-or-clientenc.txt

Here is a debug log transcript from a session with encryption forced on the router end
http://www.eisbox.net/ee/logfile-force-router-enc.txt

(Note to EE people; if you would like these listed as part of this Q, can you help me get them in? I get an error 0 - question not found when I try to post them)

Expert Comment by naveedb (LVL 10):
Can you turn off radius and try it with local username / password, this will allow us to verify the configuration.

Author Comment by matheweis (LVL 3):
naveedb:

I will try that Monday when I return to the office.

lrmoore:

The Cisco doc I referenced in my initial post mentioned something similar, saying it was the error you would see when the client was not configured for encryption. I wish it were as simple as flipping a switch on the client to enable it....

As I understand it, the following settings in Windows XP DUN, when using PPTP, refer to forcing 40 and 128 bit MPPE encryption respectively:
"Require encryption (disconnect if server declines)"
"Maximum Strength encryption (disconnect if server declines)"

I have tried all possible combinations of forcing the XP client to the above, and forcing the router to either 40 or 128 bit required.

As noted in my first submission, if I force the server to require encryption, it will always disconnect as mentioned, regardless of the client settings. If I force the client to use encryption, it may or may not disconnect as noted in the first post. Again, it really puzzles me how the client can be tricked into thinking the link is encrypted when it is in fact not.

Incidentally, I don't see this as a client issue; my Mac OS X machine is also able to connect fine without encryption, but fails with encryption required. It is perhaps noteworthy that the OS X client will never connect, unlike the XP client that will occasionally connect a link that pretends to be encrypted.

As you can see by my router configuration, I am not averse to using IPSec in the right situation... That said, I am interested in using PPTP for three reasons.

1) The users have been trained to use PPTP. Switching a VPN client is not something I would prefer to do, at least until I am certain I won't have to do it anytime in the near future. I will have to re-train the 50+ users, and many of them do not take change well. Not saying I am not entirely unwilling, I'd just prefer not to.

2) Roaming. This is really the primary issue. Many of these users connect from locations I have no control over the network configuration (Home, Hotspots, etc.) - 95% of the time, they will be behind a NAT. As I understand it (I may be wrong on this) a PPTP VPN stands a much better chance of passing through a firewall than IPSEC. The last thing I need is to have half the users already unhappy with me for making an interface change, only to discover the "upgrade" limited their abilities to remotely log in. As you know, unhappy users == unhappy boss.

3) Reliability. This is probably a non-issue. Our existing PPTP VPN setup has been quite reliable. No random configuration issues. No odd connection problems. Seamless integration with our network. You get the idea. I'd like to think that if I used the Cisco VPN client, it will work at least as reliably as our PPTP vpn client does as present.

All that said, if you think it would fit my needs, I'd be willing to consider deploying the Linksys IPSec over PPTP.

(Though, purely on a point of curiosity, I'd still like to know why this PPTP setup isn't working. Seems to me that for all intensive purposes, there's no reason why it shouldn't)
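The author settled whether the link was really encrypted the right way: by looking at the GRE packets on the wire rather than at the client's status window. The script below is an added example (not from the original thread) of that check done programmatically. It parses the RFC 2637 enhanced-GRE header that PPTP uses and reads the PPP protocol field of each payload, where 0x00FD marks an MPPE-encrypted (CCP "compressed") datagram and 0x0021 an IPv4 packet in the clear. The packets are constructed inline for the example; with a real capture you would feed it the bytes following the IP header of each GRE (IP protocol 47) packet.

```python
"""Tell MPPE-encrypted PPTP payloads from cleartext ones by reading the PPP
protocol field inside each GRE packet. Added example on constructed packets;
not code from the original thread."""
import struct

GRE_PROTO_PPP = 0x880B   # RFC 2637 enhanced GRE always carries PPP
PPP_IPV4 = 0x0021        # IPv4 datagram, unencrypted
PPP_MPPE = 0x00FD        # "compressed datagram": MPPE-encrypted payload (RFC 3078)
PPP_NAMES = {PPP_IPV4: "IPv4 (clear)", PPP_MPPE: "MPPE-encrypted", 0xC021: "LCP",
             0xC223: "CHAP", 0x8021: "IPCP", 0x80FD: "CCP"}


def parse_pptp_gre(pkt):
    """Parse what follows the IP header: the RFC 2637 GRE header and the PPP
    protocol field of its payload. Raises ValueError for non-PPTP GRE."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags0, flags1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (flags1 & 0x07) != 1 or not flags0 & 0x20:
        raise ValueError("not a PPTP packet (enhanced GRE v1 with key present)")
    off, seq, ack = 8, None, None
    if flags0 & 0x10:                       # S bit: sequence number present
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags1 & 0x80:                       # A bit: acknowledgment number present
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    ppp = pkt[off:off + payload_len]
    if len(ppp) != payload_len:
        raise ValueError("payload length mismatch")
    result = {"call_id": call_id, "seq": seq, "ack": ack, "ppp_protocol": None, "body": b""}
    if payload_len == 0:                    # pure acknowledgment, no PPP frame
        return result
    if ppp[:2] == b"\xff\x03":              # HDLC address/control, absent once ACFC is negotiated
        ppp = ppp[2:]
    # RFC 1661: the low octet of the protocol field is odd; with PFC the 0x00
    # high octet is dropped, so an odd first octet means a one-octet protocol.
    if ppp[0] & 1:
        result["ppp_protocol"], result["body"] = ppp[0], ppp[1:]
    else:
        result["ppp_protocol"], result["body"] = (ppp[0] << 8) | ppp[1], ppp[2:]
    return result


def audit_capture(packets):
    """Count packets per PPP protocol. data_in_clear is True if any IPv4
    datagram crossed the wire outside MPPE, whatever the client status says."""
    counts = {}
    for pkt in packets:
        parsed = parse_pptp_gre(pkt)
        if parsed["ppp_protocol"] is None:
            continue
        name = PPP_NAMES.get(parsed["ppp_protocol"], "0x%04x" % parsed["ppp_protocol"])
        counts[name] = counts.get(name, 0) + 1
    counts["data_in_clear"] = counts.get("IPv4 (clear)", 0) > 0
    return counts


def make_pptp_gre(call_id, seq, ppp_protocol, body, pfc=True, acfc=True):
    """Build a constructed PPTP GRE packet (IP header omitted) for testing."""
    frame = b"" if acfc else b"\xff\x03"
    if pfc and ppp_protocol < 0x100:
        frame += bytes([ppp_protocol])
    else:
        frame += struct.pack("!H", ppp_protocol)
    frame += body
    # flags0 = 0x30: K and S bits set; flags1 = 0x01: version 1, no ack
    header = struct.pack("!BBHHH", 0x30, 0x01, GRE_PROTO_PPP, len(frame), call_id)
    return header + struct.pack("!I", seq) + frame


# Constructed capture: one LCP frame, one IPv4 datagram in the clear, one MPPE frame.
CAPTURE = [
    make_pptp_gre(0x1234, 1, 0xC021, b"\x01\x01\x00\x04"),
    make_pptp_gre(0x1234, 2, PPP_IPV4, b"\x45\x00\x00\x1c" + b"\x00" * 24),
    make_pptp_gre(0x1234, 3, PPP_MPPE, b"\x90\x01" + b"\xa5" * 20),  # MPPE header, then ciphertext
]

if __name__ == "__main__":
    for pkt in CAPTURE:
        print(parse_pptp_gre(pkt))
    print(audit_capture(CAPTURE))
```

A session whose data packets all show up as MPPE-encrypted is what "Require encryption" is supposed to buy; any IPv4 (clear) entry after authentication means the status window is not telling the truth about the wire, which is exactly the condition the captures in this thread revealed.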
 
Accepted Solution by lrmoore (LVL 79), earned 100 total points:
I can't explain the anomalies that you are seeing. By all accounts it "should" work.
Have you tried with various combinations on the client setup of [x] Enable Software compression checked/unchecked?
On the dialer client | Networking | Type of VPN    [ Settings ]

I asked so.....

1) I understand user issues. The client is easy to deploy with zero end-user configuration required. It's just as easy as double-clicking a different icon..

2) Actually, IPSEC has a better chance than PPTP/GRE through other locations. I travel all over the country and never have a problem.

3) Non-issue. You may have to update the Cisco VPN client once in a while, but not as often as Microsoft updates

>I'd be willing to consider deploying the Linksys IPSec over PPTP.
Huh? You mean the Cisco VPN over IPSEC?

Some notes of my own:
1) If you're serious about user control, you have Zero control over user behavior or route changes with the Microsoft client. Don't want to enable split-tunneling? It doesn't matter what you want if the client has control over the check box [x] use default gateway on remote network.  If you use the Cisco client, you have 100% control over the client and the user can't do diddly squat to change its behavior or work around it.
2) If you're serious about security and encryption IPSEC 3DES/AES is much more secure and reliable than PPTP
3) You can even integrate username logins with your AD over RADIUS if you want and assign per-user access-lists
4) There is no ambiguity between "enable encryption" or not, 40 or 128 bit? There are no doubts with the Cisco client
5) >No random configuration issues. - what do you consider this issue? Seems rather random to me..

Author Comment by matheweis (LVL 3):
> I can't explain the anomalies that you are seeing. By all accounts it "should" work.
Me either - I'm thinking it's a Cisco issue in communicating with the radius server at this point. Nothing else makes sense. This just occurred to me; I have a Windows 2003 server testbed that I could try it with, just for fun.

> Have you tried with various combinations on the client setup of [x] Enable Software compression checked/unchecked?
No I haven't - will try in the office on Monday...

> Huh? You mean the Cisco VPN over IPSEC?
Allow me to rephrase that; I would be willing to consider using the Cisco IPSec VPN client instead of the Microsoft PPTP DUN Client. (And yes, I did have the Linksys EasyVPN client confused with the Cisco VPN client - perhaps one reason I had in my mind that I didn't like the Cisco client.)

> If you're serious about security and encryption IPSEC 3DES/AES is much more secure and reliable...
I don't work for the government or a bank, so my job doesn't depend on keeping every byte of data from prying eyes, but at the same time, I like to keep the network running using good security practice.  Transferring data over an unencrypted VPN, especially at hotspots, etc., especially when you begin talking centralized user management, is just plain unintelligent. If I can make the network more secure without spending tens of thousands of dollars and hiring a security auditing firm, yes, I want to do it.

> What do you consider this issue? Seems rather random to me..
I was referring to our -existing- setup, which is not AD / RADIUS integrated. This would be considered a "new" setup; I am trying to lighten the administration load of maintaining multiple user databases (One in AD, one in the firewall), but keep the upgrade 100% transparent from the users' perspective.

Well, now to get a copy of the Cisco client... (They have yet to associate my SmartNET contracts with my CCO login - I don't have access to download it)
Do you have any pointers on deployment?

Expert Comment by lrmoore (LVL 79):
Here's the admin guide for the Cisco VPN client.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/admin/index.htm

If you have trouble getting the client software, let me know.

I'm anxious to see the outcome of the software compression option test . . .

Author Comment by matheweis (LVL 3):
I have obtained a copy of the VPN client from Cisco, and am currently testing. Will get back with you with results by the end of the holidays.

Also will get back with results of tests using local users on the Cisco at that point.

Disabling/enabling software compression and LCP has no effect on the functionality of the Windows DUN PPTP client.

Out of curiosity, does anyone reading this thread have PPTP w/RADIUS & Windows DUN working using any Router/IOS setup? It seems there are various individuals on the 'net who have it working; I'd like to know what they use exactly.

Author Comment by matheweis (LVL 3):
Okay, back from vacation...

I get similar results using local users rather than RADIUS.

Changed config as follows:
'aaa authentication ppp default group radius local' -> 'aaa authentication ppp default group local'
Added new line 'username localuser password 0 test'

I'm beginning to think this is an IOS issue with MPPE.

More poking about the 'net came up with this: (and a few other similar stories)
http://lists.cistron.nl/pipermail/freeradius-users/2006-February/051010.html

(Yes, I know I'm not using FreeRADIUS, but symptoms seem awfully similar)

I'm going to try upgrading the IOS from 12.4(3c) to 12.4(8a) and see if it makes any difference....

Another rather curious (side?) effect is that the router seems to be very easily DOS'ed by attempting several (failed) PPTP connections. Say, 15 attempts or so within a minute's time is sufficient to shut down every active VPN tunnel for at least 10 minutes or more. I don't want people to be able to take out my network just by attempting to connect to the VPN server. This point is probably worthy of a new thread, but any thoughts on why this may be?

Cisco VPN client works, but I am not happy with it - it seems to want to reinstall itself after every system configuration change.

Author Comment by matheweis (LVL 3):
....seems to want to reinstall itself after every system configuration change.

(That is, any Windows system configuration change)

Author Comment by matheweis (LVL 3):
Just a side note to mention that the (PPTP) config (less RADIUS) works perfectly in a Cisco 1841 running 12.4(3d)

Will be testing using the 2801 and 12.4(8a), and the 1841 with RADIUS shortly...

Expert Comment by lrmoore (LVL 79):
>....seems to want to reinstall itself after every system configuration change.

First time I've heard of that and I've been using the Cisco client for years on hundreds of systems..
What version client? 4.8 is the latest stable version...

Author Comment by matheweis (LVL 3):
lrmoore:

The client was version 4.8.00.0440 - It seems the random reinstalling issue was caused by something else. I've since tested it on a different workstation, and it works fine.

To all involved and those reading the solution:

The ultimate resolution to my original issue is that there is an IOS compatibility issue with the functionality I am trying to use, and the Cisco 2801. According to Cisco, the configuration I originally posted more or less SHOULD work (it is supported), yet it does not. Similar configurations DO work on other routers (Such as the 1841).

The points go to lrmoore for guiding me to an alternative solution, namely, using the Cisco VPN client as opposed to the built-in Windows PPTP DUN.