How to configure Cisco 800 to accept PPTP VPN connections
We have a Cisco 877 router which has been happily accepting incoming Cisco VPN client connections for some time. However, we have a remote user with 64-bit Vista who cannot use the Cisco VPN Client software, as it's 32-bit only. So, we want to set up the 877 to accept incoming VPN connections (terminating at the router, not passed through to a server).
Have set up the router as in the sanitised config below, but when connecting from the client PC, the connection fails with the following error in the application log:
The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 800.
or
The error code returned on failure is 808.
What configuration needs to be changed to allow the connection to work? It looks as if the connection isn't even making it past the firewall.
Thanks in advance for any assistance.
Have set up the router as in the sanitised config below, but when connecting from the client PC, the connection fails with the following error in the application log:
The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 800.
or
The error code returned on failure is 808.
What configuration needs to be changed to allow the connection to work? It looks as if the connection isn't even making it past the firewall.
Thanks in advance for any assistance.
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname [sanitised]
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 [sanitised]
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.9.200.1 192.9.200.200
ip dhcp excluded-address 192.9.200.240 192.9.200.254
!
ip dhcp pool sdm-pool1
import all
network 192.9.200.0 255.255.255.0
dns-server 213.120.62.97 213.120.62.98
default-router 192.9.200.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 213.120.62.97
ip name-server 213.120.62.98
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group 1
description PPTP VPN Remote Access Group
request-dialin
protocol pptp
source vpdn-template Virtual-Template1
!
!
!
crypto pki trustpoint TP-self-signed-1632451653
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1632451653
revocation-check none
rsakeypair TP-self-signed-1632451653
!
!
crypto pki certificate chain TP-self-signed-1632451653
certificate self-signed 01
[sanitised]
quit
username [sanitised] privilege 15 secret 5 [sanitised]
username User1 secret 5 [sanitised]
username User2 secret 5 [sanitised]
username User3 secret 5 [sanitised]
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group [sanitised]
key [sanitised]
pool SDM_POOL_1
acl 103
max-users 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Dialer0
peer default ip address pool SDM_POOL_1
no keepalive
ppp encrypt mppe auto
ppp authentication chap callin
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.9.200.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address [WAN IP] 255.255.255.240
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [sanitised]
ppp chap password 7 [sanitised]
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 10.10.10.101 10.10.10.110
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.9.200.204 3389 interface Dialer0 3389
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.9.200.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip [SUBNET IP] 0.0.0.15 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp host [sanitised] host [sanitised] eq 3389
access-list 101 permit ip host 10.10.10.101 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.102 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.103 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.104 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.105 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.106 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.107 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.108 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.109 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.110 192.9.200.0 0.0.0.255
access-list 101 permit ip host 10.10.10.101 any
access-list 101 permit ip host 10.10.10.102 any
access-list 101 permit ip host 10.10.10.103 any
access-list 101 permit ip host 10.10.10.104 any
access-list 101 permit ip host 10.10.10.105 any
access-list 101 permit ip host 10.10.10.106 any
access-list 101 permit ip host 10.10.10.107 any
access-list 101 permit ip host 10.10.10.108 any
access-list 101 permit ip host 10.10.10.109 any
access-list 101 permit ip host 10.10.10.110 any
access-list 101 permit udp any host [WAN IP] eq non500-isakmp
access-list 101 permit udp any host [WAN IP] eq isakmp
access-list 101 permit esp any host [WAN IP]
access-list 101 permit ahp any host 2[WAN IP]
access-list 101 permit udp host 213.120.62.98 eq domain host [WAN IP]
access-list 101 permit udp host 213.120.62.97 eq domain host [WAN IP]
access-list 101 deny ip 192.9.200.0 0.0.0.255 any
access-list 101 permit icmp any host [WAN IP] echo-reply
access-list 101 permit icmp any host [WAN IP] time-exceeded
access-list 101 permit icmp any host [WAN IP] unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.101
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.102
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.103
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.104
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.105
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.106
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.107
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.108
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.109
access-list 102 deny ip 192.9.200.0 0.0.0.255 host 10.10.10.110
access-list 102 deny ip any host 10.10.10.101
access-list 102 deny ip any host 10.10.10.102
access-list 102 deny ip any host 10.10.10.103
access-list 102 deny ip any host 10.10.10.104
access-list 102 deny ip any host 10.10.10.105
access-list 102 deny ip any host 10.10.10.106
access-list 102 deny ip any host 10.10.10.107
access-list 102 deny ip any host 10.10.10.108
access-list 102 deny ip any host 10.10.10.109
access-list 102 deny ip any host 10.10.10.110
access-list 102 permit ip 192.9.200.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.9.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Istvan Kalmar
The 64bit Vista or xp is not supported!
Installing the VPN Client on a 64-bit Vista Machine Results in a 1721 Error
Cisco IPSec Client does not support 64-bit. If the user requires 64-bit support, the upgrade path is to use the Cisco AnyConnect VPN Client instead, which does support 64-bit. However, the AnyConnect Client supports only SSL VPN connections (CSCsi26069).
For Windows Vista, there is no firewall support in the VPN Client. To resolve the Bluescreen issue on Windows XP related to the VPN client built-in firewall, upgrade to VPN Client version 5.0.5.x or higher.
here is on cco:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/release/notes/51client.html#wp1542293
Cisco IPSec Client does not support 64-bit. If the user requires 64-bit support, the upgrade path is to use the Cisco AnyConnect VPN Client instead, which does support 64-bit. However, the AnyConnect Client supports only SSL VPN connections (CSCsi26069).
For Windows Vista, there is no firewall support in the VPN Client. To resolve the Bluescreen issue on Windows XP related to the VPN client built-in firewall, upgrade to VPN Client version 5.0.5.x or higher.
here is on cco:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/release/notes/51client.html#wp1542293
hi
you can do this using Windows new connection wizard..
- creat a new connection as a virtual private network ..
and change its setting .. after you finish the wizard ..go to it properties then security and click advanced (custom settings) and press on settings.. and make the following:
optional encryption
and
choose only Unencrypted password (PAP) under allow these protocols
and uncheck others..
try and reply
BR
you can do this using Windows new connection wizard..
- creat a new connection as a virtual private network ..
and change its setting .. after you finish the wizard ..go to it properties then security and click advanced (custom settings) and press on settings.. and make the following:
optional encryption
and
choose only Unencrypted password (PAP) under allow these protocols
and uncheck others..
try and reply
BR
ASKER
ikalmar: yes, I'm aware of the incompatibility (in fact I mention it in the question), that's why I need to find an alternative!
memo_tnt:
It's help on configuring the Cisco Router I'm after, not setting up the VPN on the client.
Sorry I wasn't more clear!
memo_tnt:
It's help on configuring the Cisco Router I'm after, not setting up the VPN on the client.
Sorry I wasn't more clear!
ASKER
Is anyone able to offer advice on the code required to enable PPTP VPN on the Cisco 800, please?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Actually, I'm just looking at that now!
ASKER
Got it working based on the article at http://www.parkansky.com/tutorials/pptp.htm recommended by ikalmar.
I've attached the code that I actually used just to make it clear for anyone else.
Thanks!
I've attached the code that I actually used just to make it clear for anyone else.
Thanks!
aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
vpdn enable
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
interface virtual-template 1
ip unnumbered Vlan1
ip mroute-cache
peer default ip address pool DIAL-IN
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
ip local pool DIAL-IN 172.16.1.1 172.16.1.10
username jbloggs password tiddles
access-list [number] permit gre any any
access-list [number] permit tcp any any eq 1723
ASKER
Needed to work out some of the code myself from the link given by the expert - it wasn't just copying and pasting!