matheweis
asked on
PPTP VPN w/Cisco 2801 & Window 2000 RADIUS
Hello,
I have a Cisco 2801 Router with the SEC/K9 modules loaded.
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
System image file is "flash:c2801-advsecurityk9
I am trying to run a PPTP VPN authenticated through Windows 2000 IAS RADIUS.
The client end is a Windows XP connecting using the standard windows DUN PPTP VPN.
Everything works flawlessely until I attempt to use encryption. Users can authenticate, connect, use network resources, etc. etc.
The working configuration on the Cisco is:
interface virtual-template 1 ppp encrypt mppe auto
The following also work:
interface virtual-template 1 ppp encrypt mppe 40
interface virtual-template 1 ppp encrypt mppe 128
I am using ms-chap / ms-chap-v2:
interface virtual-template 1 ppp authentication ms-chap ms-chap-v2
Everything works, but encryption is not...
When I tell the Windows client to require the use of encrpytion, some very odd things happen... The first time I try to connect, I will get an error 742: "The remote computer does not support the required encryption type." Oddly, if I try to connect within a few seconds of receiving the error, the connection then goes through, and everything again works as expected. Even looking at the "Status" of the connection shows MPPE 128-bit encryption. BUT THE LINK IS NOT ACTUALLY ENCRYPTED!!! Packet captures on the wire show all the data going clear through in non-encrypted GRE packets.
I see the following lines in the debug log of the Cisco that may be relevant:
026544: *Jun 23 04:31:33.973 UTC: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
026548: *Jun 23 04:31:33.977 UTC: RADIUS: MS-MPPE-Enc-Policy [7] 6
026549: *Jun 23 04:31:33.977 UTC: RADIUS: 00 00 00 02 [????]
026551: *Jun 23 04:31:33.977 UTC: RADIUS: MS-MPPE-Enc-Type [8] 6
026552: *Jun 23 04:31:33.977 UTC: RADIUS: 00 00 00 0C [????]
026643: *Jun 23 04:31:34.057 UTC: Vi4 MPPE: RADIUS keying material missing
If I force the router to do the encryption, with:
interface virtual-template 1 ppp encrypt mppe auto required
Then the link will drop just after the connection is made, every time.
I see the following relevant line in the debug logs of the Cisco:
028180: *Jun 23 04:43:33.905 UTC: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
028184: *Jun 23 04:43:33.905 UTC: RADIUS: MS-MPPE-Enc-Policy [7] 6
028185: *Jun 23 04:43:33.905 UTC: RADIUS: 00 00 00 02 [????]
028187: *Jun 23 04:43:33.905 UTC: RADIUS: MS-MPPE-Enc-Type [8] 6
028188: *Jun 23 04:43:33.905 UTC: RADIUS: 00 00 00 0C [????]
028279: *Jun 23 04:43:33.973 UTC: Vi4 MPPE: RADIUS keying material missing
028297: *Jun 23 04:43:34.009 UTC: Vi4 MPPE: Required encryption not negotiated
I am convinced this is not a general RADIUS / connection / authentication, etc. problem, because everything works fine when not using mppe.
I thought perhaps it might be this problem: CSCdv50861—MPPE does not negotiate with Windows 2000.
But that problem was supposedly fixed in IOS release 12.3, which I am running.
I remmember reading somewhere that MPPE 128 bit encryption does not work with hardware VPN boards, but I'm not sure if it was true, and regardless, my setup doesn't even seem to work with 40 bit mppe.
I've spent a good deal of time poring over the following pages, as they claim to have working solutions, but I still have no luck.
http://my.execpc.com/~keithp/pptp.htm
http://www.cisco.com/warp/public/116/pptp_3885.html
I have spent the last 3 days trying to find a solution, and I'm at my wits end...
The 100 points will be awarded to those who tell me it's not possible, either because of an IOS bug, hardware incompatability, etc., or it just plain can't be done.
But I will increase the points to 500, and award them accordingly if anyone can help me to a working solution. Thanks in advance!
I have a Cisco 2801 Router with the SEC/K9 modules loaded.
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
System image file is "flash:c2801-advsecurityk9
I am trying to run a PPTP VPN authenticated through Windows 2000 IAS RADIUS.
The client end is a Windows XP connecting using the standard windows DUN PPTP VPN.
Everything works flawlessely until I attempt to use encryption. Users can authenticate, connect, use network resources, etc. etc.
The working configuration on the Cisco is:
interface virtual-template 1 ppp encrypt mppe auto
The following also work:
interface virtual-template 1 ppp encrypt mppe 40
interface virtual-template 1 ppp encrypt mppe 128
I am using ms-chap / ms-chap-v2:
interface virtual-template 1 ppp authentication ms-chap ms-chap-v2
Everything works, but encryption is not...
When I tell the Windows client to require the use of encrpytion, some very odd things happen... The first time I try to connect, I will get an error 742: "The remote computer does not support the required encryption type." Oddly, if I try to connect within a few seconds of receiving the error, the connection then goes through, and everything again works as expected. Even looking at the "Status" of the connection shows MPPE 128-bit encryption. BUT THE LINK IS NOT ACTUALLY ENCRYPTED!!! Packet captures on the wire show all the data going clear through in non-encrypted GRE packets.
I see the following lines in the debug log of the Cisco that may be relevant:
026544: *Jun 23 04:31:33.973 UTC: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
026548: *Jun 23 04:31:33.977 UTC: RADIUS: MS-MPPE-Enc-Policy [7] 6
026549: *Jun 23 04:31:33.977 UTC: RADIUS: 00 00 00 02 [????]
026551: *Jun 23 04:31:33.977 UTC: RADIUS: MS-MPPE-Enc-Type [8] 6
026552: *Jun 23 04:31:33.977 UTC: RADIUS: 00 00 00 0C [????]
026643: *Jun 23 04:31:34.057 UTC: Vi4 MPPE: RADIUS keying material missing
If I force the router to do the encryption, with:
interface virtual-template 1 ppp encrypt mppe auto required
Then the link will drop just after the connection is made, every time.
I see the following relevant line in the debug logs of the Cisco:
028180: *Jun 23 04:43:33.905 UTC: RADIUS: MS-CHAP-MPPE-Keys [12] 34 *
028184: *Jun 23 04:43:33.905 UTC: RADIUS: MS-MPPE-Enc-Policy [7] 6
028185: *Jun 23 04:43:33.905 UTC: RADIUS: 00 00 00 02 [????]
028187: *Jun 23 04:43:33.905 UTC: RADIUS: MS-MPPE-Enc-Type [8] 6
028188: *Jun 23 04:43:33.905 UTC: RADIUS: 00 00 00 0C [????]
028279: *Jun 23 04:43:33.973 UTC: Vi4 MPPE: RADIUS keying material missing
028297: *Jun 23 04:43:34.009 UTC: Vi4 MPPE: Required encryption not negotiated
I am convinced this is not a general RADIUS / connection / authentication, etc. problem, because everything works fine when not using mppe.
I thought perhaps it might be this problem: CSCdv50861—MPPE does not negotiate with Windows 2000.
But that problem was supposedly fixed in IOS release 12.3, which I am running.
I remmember reading somewhere that MPPE 128 bit encryption does not work with hardware VPN boards, but I'm not sure if it was true, and regardless, my setup doesn't even seem to work with 40 bit mppe.
I've spent a good deal of time poring over the following pages, as they claim to have working solutions, but I still have no luck.
http://my.execpc.com/~keithp/pptp.htm
http://www.cisco.com/warp/public/116/pptp_3885.html
I have spent the last 3 days trying to find a solution, and I'm at my wits end...
The 100 points will be awarded to those who tell me it's not possible, either because of an IOS bug, hardware incompatability, etc., or it just plain can't be done.
But I will increase the points to 500, and award them accordingly if anyone can help me to a working solution. Thanks in advance!
Can you post running config and complete log?
ASKER
Here is the exact and final config how I want to see it, and how it is currently running. As noted above, this work absolutely flawlessly and exactly how I want, except that MPPE encryption does not work, and if "required", the link drops as soon as connected.
Changes from actual running config:
All the password / key hashes have been cut to "***SECRET-HASH****"
outside.add.ress.main is primary outside static IP address.
site.add.ress.one, two, and three are the addresses of remote sites connected via IPSec tunnels.
dns.server.one and two are the addresses of the outside dns servers.
default.gateway.out is the default gateway address.
Running Configuration of 2801:
--------------------------
Building configuration...
Current configuration : 11035 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 262144 debugging
enable secret 5 ***SECRET-HASH***
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default group radius local
aaa authorization exec local_author local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
!
!
no ip bootp server
ip domain name loc.company.com
ip name-server dns.server.two
ip name-server dns.server.one
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
session-limit 16
pptp tunnel echo 30
!
!
async-bootp dns-server 10.2.0.33 10.2.0.32
async-bootp nbns-server 10.2.0.33
!
!
crypto pki trustpoint TP-self-signed-1738985607
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-1738985607
!
!
crypto pki certificate chain TP-self-signed-1738985607
certificate self-signed 01
******00000000000000000000
quit
username company privilege 15 secret 5 *****SECRET-HASH ******
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ***SHARED-HASH*** address site.add.ress.one
crypto isakmp key ***SHARED-HASH*** address site.add.ress.two
crypto isakmp key ***SHARED-HASH*** address site.add.ress.three
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tosite.add.ress.one
set peer site.add.ress.one
set transform-set ESP-3DES-MD5
match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel tosite.add.ress.two
set peer site.add.ress.two
set transform-set ESP-3DES-MD5
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel tosite.add.ress.three
set peer site.add.ress.three
set transform-set ESP-3DES-SHA
match address 108
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address outside.add.ress.main 255.0.0.0
ip access-group 104 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip nat enable
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 10.2.0.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Virtual-Template1
ip address 10.2.16.1 255.255.255.0
peer default ip address pool VPN-USERS
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
!
ip local pool VPN-USERS 10.2.16.48 10.2.16.63
ip classless
ip route 0.0.0.0 0.0.0.0 default.gateway.out permanent
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 1 deny any
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 7 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 24.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host dns.server.one eq domain host outside.add.ress.main
access-list 101 permit udp host dns.server.two eq domain host outside.add.ress.main
access-list 101 deny ip 10.2.0.0 0.0.0.255 any
access-list 101 permit icmp any host outside.add.ress.main echo-reply
access-list 101 permit icmp any host outside.add.ress.main time-exceeded
access-list 101 permit icmp any host outside.add.ress.main unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.2.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 24.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.4.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 104 permit udp host site.add.ress.three host outside.add.ress.main eq non500-isakmp
access-list 104 permit udp host site.add.ress.three host outside.add.ress.main eq isakmp
access-list 104 permit esp host site.add.ress.three host outside.add.ress.main
access-list 104 permit ahp host site.add.ress.three host outside.add.ress.main
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 104 permit udp host site.add.ress.two host outside.add.ress.main eq non500-isakmp
access-list 104 permit udp host site.add.ress.two host outside.add.ress.main eq isakmp
access-list 104 permit esp host site.add.ress.two host outside.add.ress.main
access-list 104 permit ahp host site.add.ress.two host outside.add.ress.main
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 104 permit udp host site.add.ress.one host outside.add.ress.main eq non500-isakmp
access-list 104 permit udp host site.add.ress.one host outside.add.ress.main eq isakmp
access-list 104 permit esp host site.add.ress.one host outside.add.ress.main
access-list 104 permit ahp host site.add.ress.one host outside.add.ress.main
access-list 104 permit udp host dns.server.one eq domain host outside.add.ress.main
access-list 104 permit udp host dns.server.two eq domain host outside.add.ress.main
access-list 104 permit tcp any any eq 1723
access-list 104 permit gre any any
access-list 104 deny ip 10.2.0.0 0.0.0.255 any
access-list 104 permit icmp any host outside.add.ress.main echo-reply
access-list 104 permit icmp any host outside.add.ress.main time-exceeded
access-list 104 permit icmp any host outside.add.ress.main unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.2.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 106 permit ip 10.2.0.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.2.0.0 0.0.0.255 10.4.0.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 106
!
!
radius-server host 10.2.0.33 auth-port 1645 acct-port 1646 key 7 ***SECRET-HASH****
radius-server key 7 ****SECRET-HASH****
!
control-plane
!
banner login ^CWelcome to gateway.loc.company.com
My Company, Inc. (West US)
^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
end
gateway#
--------------------------
Changes from actual running config:
All the password / key hashes have been cut to "***SECRET-HASH****"
outside.add.ress.main is primary outside static IP address.
site.add.ress.one, two, and three are the addresses of remote sites connected via IPSec tunnels.
dns.server.one and two are the addresses of the outside dns servers.
default.gateway.out is the default gateway address.
Running Configuration of 2801:
--------------------------
Building configuration...
Current configuration : 11035 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 262144 debugging
enable secret 5 ***SECRET-HASH***
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default group radius local
aaa authorization exec local_author local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
!
!
no ip bootp server
ip domain name loc.company.com
ip name-server dns.server.two
ip name-server dns.server.one
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
session-limit 16
pptp tunnel echo 30
!
!
async-bootp dns-server 10.2.0.33 10.2.0.32
async-bootp nbns-server 10.2.0.33
!
!
crypto pki trustpoint TP-self-signed-1738985607
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-1738985607
!
!
crypto pki certificate chain TP-self-signed-1738985607
certificate self-signed 01
******00000000000000000000
quit
username company privilege 15 secret 5 *****SECRET-HASH ******
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ***SHARED-HASH*** address site.add.ress.one
crypto isakmp key ***SHARED-HASH*** address site.add.ress.two
crypto isakmp key ***SHARED-HASH*** address site.add.ress.three
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tosite.add.ress.one
set peer site.add.ress.one
set transform-set ESP-3DES-MD5
match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel tosite.add.ress.two
set peer site.add.ress.two
set transform-set ESP-3DES-MD5
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel tosite.add.ress.three
set peer site.add.ress.three
set transform-set ESP-3DES-SHA
match address 108
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address outside.add.ress.main 255.0.0.0
ip access-group 104 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip nat enable
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 10.2.0.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Virtual-Template1
ip address 10.2.16.1 255.255.255.0
peer default ip address pool VPN-USERS
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
!
ip local pool VPN-USERS 10.2.16.48 10.2.16.63
ip classless
ip route 0.0.0.0 0.0.0.0 default.gateway.out permanent
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 1 deny any
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 7 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 24.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host dns.server.one eq domain host outside.add.ress.main
access-list 101 permit udp host dns.server.two eq domain host outside.add.ress.main
access-list 101 deny ip 10.2.0.0 0.0.0.255 any
access-list 101 permit icmp any host outside.add.ress.main echo-reply
access-list 101 permit icmp any host outside.add.ress.main time-exceeded
access-list 101 permit icmp any host outside.add.ress.main unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.2.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 24.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.4.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 104 permit udp host site.add.ress.three host outside.add.ress.main eq non500-isakmp
access-list 104 permit udp host site.add.ress.three host outside.add.ress.main eq isakmp
access-list 104 permit esp host site.add.ress.three host outside.add.ress.main
access-list 104 permit ahp host site.add.ress.three host outside.add.ress.main
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 104 permit udp host site.add.ress.two host outside.add.ress.main eq non500-isakmp
access-list 104 permit udp host site.add.ress.two host outside.add.ress.main eq isakmp
access-list 104 permit esp host site.add.ress.two host outside.add.ress.main
access-list 104 permit ahp host site.add.ress.two host outside.add.ress.main
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 104 permit udp host site.add.ress.one host outside.add.ress.main eq non500-isakmp
access-list 104 permit udp host site.add.ress.one host outside.add.ress.main eq isakmp
access-list 104 permit esp host site.add.ress.one host outside.add.ress.main
access-list 104 permit ahp host site.add.ress.one host outside.add.ress.main
access-list 104 permit udp host dns.server.one eq domain host outside.add.ress.main
access-list 104 permit udp host dns.server.two eq domain host outside.add.ress.main
access-list 104 permit tcp any any eq 1723
access-list 104 permit gre any any
access-list 104 deny ip 10.2.0.0 0.0.0.255 any
access-list 104 permit icmp any host outside.add.ress.main echo-reply
access-list 104 permit icmp any host outside.add.ress.main time-exceeded
access-list 104 permit icmp any host outside.add.ress.main unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.2.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 106 permit ip 10.2.0.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.2.0.0 0.0.0.255 10.4.0.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 106
!
!
radius-server host 10.2.0.33 auth-port 1645 acct-port 1646 key 7 ***SECRET-HASH****
radius-server key 7 ****SECRET-HASH****
!
control-plane
!
banner login ^CWelcome to gateway.loc.company.com
My Company, Inc. (West US)
^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
end
gateway#
--------------------------
ASKER
More information that may be of use:
Debug Configuration:
--------------------
gateway#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
VPN:
L2X control packets debugging is on
VPDN events debugging is on
VPDN errors debugging is on
PPP:
PPP authentication debugging is on
MPPE Events debugging is on
PPP protocol negotiation debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is on
gateway#
--------------------------
Full Version Information:
-------------------
gateway#show version
Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(3c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 07-Jan-06 07:07 by alnguyen
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
gateway uptime is 1 day, 19 hours, 37 minutes
System returned to ROM by bus error at PC 0x6152535C, address 0xB0D0B11 at 00:51:20 UTC Thu Jun 22 2006
System image file is "flash:c2801-advsecurityk9
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2801 (revision 6.0) with 234496K/27648K bytes of memory.
Processor board ID FTX1012W1TN
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
gateway#
--------------------------
Debug Configuration:
--------------------
gateway#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
VPN:
L2X control packets debugging is on
VPDN events debugging is on
VPDN errors debugging is on
PPP:
PPP authentication debugging is on
MPPE Events debugging is on
PPP protocol negotiation debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is on
gateway#
--------------------------
Full Version Information:
-------------------
gateway#show version
Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(3c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 07-Jan-06 07:07 by alnguyen
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
gateway uptime is 1 day, 19 hours, 37 minutes
System returned to ROM by bus error at PC 0x6152535C, address 0xB0D0B11 at 00:51:20 UTC Thu Jun 22 2006
System image file is "flash:c2801-advsecurityk9
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2801 (revision 6.0) with 234496K/27648K bytes of memory.
Processor board ID FTX1012W1TN
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
gateway#
--------------------------
ASKER
I'm having trouble posting the logfiles; they may be over some limit ee has. Not sure. At any rate, I've posted them; here are links:
Here is a debug log transcript from a good session, or one from a session where the client forces encryption. (They are identical)
http://www.eisbox.net/ee/logfile-good-or-clientenc.txt
Here is a debug log transcript from a session with encryption forced on the router end
http://www.eisbox.net/ee/logfile-force-router-enc.txt
(Note to EE people; if you would like these listed as part of this Q, can you help me get them in? I get an error 0 - question not found when I try to post them)
Here is a debug log transcript from a good session, or one from a session where the client forces encryption. (They are identical)
http://www.eisbox.net/ee/logfile-good-or-clientenc.txt
Here is a debug log transcript from a session with encryption forced on the router end
http://www.eisbox.net/ee/logfile-force-router-enc.txt
(Note to EE people; if you would like these listed as part of this Q, can you help me get them in? I get an error 0 - question not found when I try to post them)
Can you turn off radius and try it with local username / password, this will allow us to verify the configuration.
ASKER
naveedb:
I will try that Monday when I return to the office.
lrmoore:
The Cisco doc I referenced in my initial post mentioned something similar, saying it was the error you would see when the client was not configured for encryption. I wish it were as simple as flipping a switch on the client to enable it....
As I understand it, the following settings in Windows XP DUN, when using PPTP, refer to forcing 40 and 128 bit MPPE encryption respectively:
"Require encryption (disconnect if server declines)"
"Maximum Strength encryption (disconnect if server declines)"
I have tried all possible combinations of forcing the XP client to the above, and forcing the router to either 40 or 128 bit required.
As noted in my first submission, if I force the server to require encryption, it will always disconnect as mentioned, regardless of the client settings. If I force the client to use encryption, it may or may not disconnect as noted in the first post. Again, it really puzzles me how the client can be tricked into thinking the link is encrypted when it is in fact not.
Incidentally, I don't see this as a client issue; my Mac OS X machine is also able to connect fine without encryption, but fails with encryption required. It is perhaps noteworthy that the OS X client will never connect, unlike the XP client that will occasionally connect a link that pretends to be encrypted.
As you can see by my router configuration, I am not averse to using IPSec in the right situation... That said, I am interested in using PPTP for three reasons.
1) The users have been trained to use PPTP. Switching a VPN client is not something I would prefer to do, at least until I am certain I won't have to do it anytime in the near future. I will have to re-train the 50+ users, and many of them do not take change well. Not saying I am not entirely unwilling, I'd just prefer not to.
2) Roaming. This is really the primary issue. Many of these users connect from locations I have no control over the network configuration (Home, Hotspots, etc.) - 95% of the time, they will be behind a NAT. As I understand it (I may be wrong on this) a PPTP VPN stands a much better chance of passing through a firewall than IPSEC. The last thing I need is to have half the users already unhappy with me for making an interface change, only to discover the "upgrade" limited their abilities to remotely log in. As you know, unhappy users == unhappy boss.
3) Reliability. This is probably a non-issue. Our existing PPTP VPN setup has been quite reliable. No random configuration issues. No odd connection problems. Seamless integration with our network. You get the idea. I'd like to think that if I used the Cisco VPN client, it will work at least as reliably as our PPTP vpn client does as present.
All that said, if you think it would fit my needs, I'd be willing to consider deploying the Linksys IPSec over PPTP.
(Though, purely on a point of curiosity, I'd still like to know why this PPTP setup isn't working. Seems to me that for all intensive purposes, there's no reason why it shouldn't)
I will try that Monday when I return to the office.
lrmoore:
The Cisco doc I referenced in my initial post mentioned something similar, saying it was the error you would see when the client was not configured for encryption. I wish it were as simple as flipping a switch on the client to enable it....
As I understand it, the following settings in Windows XP DUN, when using PPTP, refer to forcing 40 and 128 bit MPPE encryption respectively:
"Require encryption (disconnect if server declines)"
"Maximum Strength encryption (disconnect if server declines)"
I have tried all possible combinations of forcing the XP client to the above, and forcing the router to either 40 or 128 bit required.
As noted in my first submission, if I force the server to require encryption, it will always disconnect as mentioned, regardless of the client settings. If I force the client to use encryption, it may or may not disconnect as noted in the first post. Again, it really puzzles me how the client can be tricked into thinking the link is encrypted when it is in fact not.
Incidentally, I don't see this as a client issue; my Mac OS X machine is also able to connect fine without encryption, but fails with encryption required. It is perhaps noteworthy that the OS X client will never connect, unlike the XP client that will occasionally connect a link that pretends to be encrypted.
As you can see by my router configuration, I am not averse to using IPSec in the right situation... That said, I am interested in using PPTP for three reasons.
1) The users have been trained to use PPTP. Switching a VPN client is not something I would prefer to do, at least until I am certain I won't have to do it anytime in the near future. I will have to re-train the 50+ users, and many of them do not take change well. Not saying I am not entirely unwilling, I'd just prefer not to.
2) Roaming. This is really the primary issue. Many of these users connect from locations I have no control over the network configuration (Home, Hotspots, etc.) - 95% of the time, they will be behind a NAT. As I understand it (I may be wrong on this) a PPTP VPN stands a much better chance of passing through a firewall than IPSEC. The last thing I need is to have half the users already unhappy with me for making an interface change, only to discover the "upgrade" limited their abilities to remotely log in. As you know, unhappy users == unhappy boss.
3) Reliability. This is probably a non-issue. Our existing PPTP VPN setup has been quite reliable. No random configuration issues. No odd connection problems. Seamless integration with our network. You get the idea. I'd like to think that if I used the Cisco VPN client, it will work at least as reliably as our PPTP vpn client does as present.
All that said, if you think it would fit my needs, I'd be willing to consider deploying the Linksys IPSec over PPTP.
(Though, purely on a point of curiosity, I'd still like to know why this PPTP setup isn't working. Seems to me that for all intensive purposes, there's no reason why it shouldn't)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
> I can't explain the anomalies that you are seeing. By all accounts it "should" work.
Me either - I'm thinking it's a Cisco issue in communicating with the radius server at this point. Nothing else makes sense. This just occured to me; I have a Windows 2003 server testbed that I could try it with, just for fun.
> Have you tried with various combinations on the client setup of [x] Enable Software compression checked/unchecked?
No I haven't - will try in the office on Monday...
> Huh? You mean the Cisco VPN over IPSEC?
Allow me to rephrase that; I would be willing to consider using the Cisco IPSec VPN client instead of the Microsoft PPTP DUN Client. (And yes, I did have the Linksys EasyVPN client confused with the Cisco VPN client - perhaps one reason I had in my mind that I didn't like the Cisco client.)
> If you're serious about security and encryption IPSEC 3DES/AES is much more secure and reliable...
I don't work for the government or a bank, so my job doesn't depend on keeping every byte of data from prying eyes, but at the same time, I like to keep the network running using good security practice. Transferring data over an unencrypted VPN, especially at hotspots, etc., especially when you begin talking centralized user management, is just plain unintelligent. If I can make the network more secure without spending tens of thousands of dollars and hiring a security auditing firm, yes, I want to do it.
> What do you consider this issue? Seems rather random to me..
I was referring to our -existing- setup, which is not AD / RADIUS integrated. This would be considered a "new" setup; I am trying to lighten the administration load of maintining multiple user databases (One in AD, one in the firewall), but keep the upgrade 100% transparent from the users perspective.
Well, now to get a copy of the Cisco client... (They have yet to associate my SmartNET contracts with my CCO login - I don't have access to download it)
Do you have any pointers on deployment?
Me either - I'm thinking it's a Cisco issue in communicating with the radius server at this point. Nothing else makes sense. This just occured to me; I have a Windows 2003 server testbed that I could try it with, just for fun.
> Have you tried with various combinations on the client setup of [x] Enable Software compression checked/unchecked?
No I haven't - will try in the office on Monday...
> Huh? You mean the Cisco VPN over IPSEC?
Allow me to rephrase that; I would be willing to consider using the Cisco IPSec VPN client instead of the Microsoft PPTP DUN Client. (And yes, I did have the Linksys EasyVPN client confused with the Cisco VPN client - perhaps one reason I had in my mind that I didn't like the Cisco client.)
> If you're serious about security and encryption IPSEC 3DES/AES is much more secure and reliable...
I don't work for the government or a bank, so my job doesn't depend on keeping every byte of data from prying eyes, but at the same time, I like to keep the network running using good security practice. Transferring data over an unencrypted VPN, especially at hotspots, etc., especially when you begin talking centralized user management, is just plain unintelligent. If I can make the network more secure without spending tens of thousands of dollars and hiring a security auditing firm, yes, I want to do it.
> What do you consider this issue? Seems rather random to me..
I was referring to our -existing- setup, which is not AD / RADIUS integrated. This would be considered a "new" setup; I am trying to lighten the administration load of maintining multiple user databases (One in AD, one in the firewall), but keep the upgrade 100% transparent from the users perspective.
Well, now to get a copy of the Cisco client... (They have yet to associate my SmartNET contracts with my CCO login - I don't have access to download it)
Do you have any pointers on deployment?
Here's the admin guide for the Cisco VPN client.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/admin/index.htm
If you have trouble getting the client software, let me know.
I'm anxious to see the outcome of the software compression option test . . .
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/admin/index.htm
If you have trouble getting the client software, let me know.
I'm anxious to see the outcome of the software compression option test . . .
ASKER
I have obtained a copy of the VPN client from Cisco, and am currently testing. Will get back with you with results by the end of the holidays.
Also will get back with results of tests using local users on the Cisco at that point.
Disabling/enabling software compression and LCP has no effect on the functionality of the Windows DUN PPTP client.
Out of curiosity, does anyone reading this thread have PPTP w/RADIUS & Windows DUN working using any Router/IOS setup? It seems there are various individuals on the 'net who have it working; I'd like to know what they use exactly.
Also will get back with results of tests using local users on the Cisco at that point.
Disabling/enabling software compression and LCP has no effect on the functionality of the Windows DUN PPTP client.
Out of curiosity, does anyone reading this thread have PPTP w/RADIUS & Windows DUN working using any Router/IOS setup? It seems there are various individuals on the 'net who have it working; I'd like to know what they use exactly.
ASKER
Okay, back from vacation...
I get similar results using local users rather than RADIUS.
Changed config as follows:
'aaa authentication ppp default group radius local' -> 'aaa authentication ppp default group local'
Added new line 'username localuser password 0 test'
I'm beginning to think this is an IOS issue with MPPE.
More poking about the 'net came of with this: (and a few other similar stories)
http://lists.cistron.nl/pipermail/freeradius-users/2006-February/051010.html
(Yes, I know I'm not using FreeRADIUS, but symptoms seem awfully similar)
I'm going to try upgrading the IOS from 12.4(3c) to 12.4(8a) and see if it makes any difference....
Another rather curious (side?) effect is that the router seems to be very easily DOS'ed by attempting several (failed) PPTP connections. Say, 15 attempts or so within a minute's time is sufficient to shut down every active VPN tunnel for at least 10 minutes or more. I don't want people to be able to take out my network just by attempting to connect to the VPN server. This point is probably worthy of a new thread, but any thoughts on why this may be?
Cisco VPN client works, but I am not happy with it - it seems to want to reinstall itself after every system configuration change.
I get similar results using local users rather than RADIUS.
Changed config as follows:
'aaa authentication ppp default group radius local' -> 'aaa authentication ppp default group local'
Added new line 'username localuser password 0 test'
I'm beginning to think this is an IOS issue with MPPE.
More poking about the 'net came of with this: (and a few other similar stories)
http://lists.cistron.nl/pipermail/freeradius-users/2006-February/051010.html
(Yes, I know I'm not using FreeRADIUS, but symptoms seem awfully similar)
I'm going to try upgrading the IOS from 12.4(3c) to 12.4(8a) and see if it makes any difference....
Another rather curious (side?) effect is that the router seems to be very easily DOS'ed by attempting several (failed) PPTP connections. Say, 15 attempts or so within a minute's time is sufficient to shut down every active VPN tunnel for at least 10 minutes or more. I don't want people to be able to take out my network just by attempting to connect to the VPN server. This point is probably worthy of a new thread, but any thoughts on why this may be?
Cisco VPN client works, but I am not happy with it - it seems to want to reinstall itself after every system configuration change.
ASKER
....seems to want to reinstall itself after every system configuration change.
(That is, any Windows system configuration change)
(That is, any Windows system configuration change)
ASKER
Just a side note to mention that the (PPTP) config (less RADIUS) works perfectly in a Cisco 1841 running 12.4(3d)
Will be testing using the 2801 and 12.4(8a), and the 1841 with RADIUS shortly...
Will be testing using the 2801 and 12.4(8a), and the 1841 with RADIUS shortly...
>....seems to want to reinstall itself after every system configuration change.
First time I've heard of that and I've been using the Cisco client for years on hundreds of systems..
What version client? 4.8 is the latest stable version...
First time I've heard of that and I've been using the Cisco client for years on hundreds of systems..
What version client? 4.8 is the latest stable version...
ASKER
lrmoore:
The client was version 4.8.00.0440 - It seems the random reinstalling issue was caused by something else. I've since tested it on a different workstation, and it works fine.
To all involved and those reading the solution:
The ultimate resolution to my original issue is that there is an IOS compatibilty issue with the functionality I am trying to use, and the Cisco 2801. According to Cisco, the configuration I originally posted more or less SHOULD work (it is supported), yet it does not. Similar configurations DO work on other routers (Such as the 1841).
The points go to lrmoore for guiding me to an alternative solution, namely, using the Cisco VPN client as opposed to the built-in Windows PPTP DUN.
The client was version 4.8.00.0440 - It seems the random reinstalling issue was caused by something else. I've since tested it on a different workstation, and it works fine.
To all involved and those reading the solution:
The ultimate resolution to my original issue is that there is an IOS compatibilty issue with the functionality I am trying to use, and the Cisco 2801. According to Cisco, the configuration I originally posted more or less SHOULD work (it is supported), yet it does not. Similar configurations DO work on other routers (Such as the 1841).
The points go to lrmoore for guiding me to an alternative solution, namely, using the Cisco VPN client as opposed to the built-in Windows PPTP DUN.