Solved

Cisco ISR: Setting up pptp VPN + Router Interface Q's

Posted on 2010-11-27
Last Modified: 2012-06-27
I recently purchased a Cisco router to replace my WatchGuard X700 Firebox, which acted as my firewall, router and NAT device. Now, it has taken me some time, but I have set the router up and have even got it functioning as a firewall. Here is my next problem: VPN. Prior to the Cisco router we used the WatchGuard Firebox and SBS2003's built-in IAS to do RADIUS authentication, with the firewall terminating the VPN connection. Basically the firewall would provide the VPN connection but would use the SBS2003 server as a RADIUS authentication server.

Now I have been trying to set this up on my Cisco router but am having trouble. In an effort to troubleshoot this issue I have tried to instead use local user authentication and am still having trouble. I think the problem lies with the use of the Virtual-Template interface. In all the tutorials I have found on the subject there comes a point where you create a Virtual-Template for the VPDN connection, like so:

interface Virtual-Template1
  ip unnumbered GigabitEthernet0/0
  peer default ip address pool vpnpool
  no keepalive
  ppp encrypt mppe auto required
  ppp authentication ms-chap ms-chap-v2

This should be just fine except for the issue with my GigabitEthernet0/0, which is configured like so:

interface GigabitEthernet0/0
  description External Interface - Public IP's
  ip address x.x.x.23 255.255.255.224 secondary
  ip address x.x.x.3 255.255.255.224 secondary
  ip address x.x.x.4 255.255.255.224 secondary
  ip address x.x.x.5 255.255.255.224 secondary
  ip address x.x.x.30 255.255.255.224 secondary
  ip address x.x.x.22 255.255.255.224
...

So as you can see, my external interface has multiple public IP addresses. Which address do I use to connect to with my Windows VPN client? I want it to be the x.x.x.22 address, but that one is also set up with static NAT to our server, as the server also functions as our OWA, Exchange and IIS server. Is this too much to ask, and am I misconfiguring the router by attaching multiple public IPs to one interface? I know I can't use sub-interfaces, as those are meant for VLANs and different subnets, I believe. Someone suggested in another forum that I use loopback interfaces, but I don't know how you would do that and I am not sure if I confused that with something else.

Anyhow, some insight as to where to go and how to do this would be greatly appreciated.

Question by:Prolumina

Accepted Solution

by:
deepdraw earned 500 total points
ID: 34221862
Here is my working config from a 1760 with only one external IP:

interface Virtual-Template1
 ip unnumbered FastEthernet0/0  <-- this is my internet interface
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp header-compression
 peer default ip address pool DIAL-IN
 no keepalive
 compress stac
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2


ip local pool DIAL-IN 192.168.10.220 192.168.10.230  << IPs in the range of the local interface.

I guess the VPN will work on any interface.

Greg

Author Comment

by:Prolumina
ID: 34222957
I was able to get VPN working, but only partially. Here is what I have set up. I have PPTP VPN set up on the router using RADIUS to authenticate against my Windows SBS2003 server running IAS. It works beautifully in that it authenticates and lets me in, and even gives me an IP address from the VPN pool. However, that is all I get. I am unable to ping the address it gives me from the router or from the internal network. Also, on the computer I use to connect to the VPN I can't ping anything at all using the local addresses, i.e. I can ping the router using its public IP but not the private IP of the router.

Any ideas? Do I have to provide special permissions or something like that?

My VPN pool of addresses is: 10.0.0.200 - 10.0.0.225
The network address range is: 10.0.0.1 - 10.0.0.255

Let me know if you need more info.

Expert Comment

by:deepdraw
ID: 34223257
I have to set the computer making the VPN connection to use the following settings:
Remove the tick from "Enable software compression" (Properties > Networking > Settings).
Remove the tick from "Use default gateway on remote network" (TCP/IP settings > Properties > Advanced).
After those changes my VPN works and I can also access the internet while on the VPN.

Greg

Author Comment

by:Prolumina
ID: 34223558
All of those options are already applied. It is very strange; I mean, I am connecting, the router can even see it, but for some damn reason I can't ping anything, so even though I have been given an IP address it's like I'm not online.

Is there some type of ACL I need to create for the traffic? I created one and applied it to the Virtual-Template1 interface that contains "permit ip any any" in both directions, but it has not helped. Any more ideas?

Assisted Solution

by:deepdraw
deepdraw earned 500 total points
ID: 34224396
What do you see when you type "show ip route" once the connection is established?
Just to check, you need the things below.
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1

async-bootp gateway 192.168.10.1
async-bootp dns-server 192.168.10.1

ip access-list extended inboundDSL
 permit tcp any any established
 permit gre any any log
 permit tcp any any eq 1723 log

Can you paste a "show run" if the above does not help?

Greg

Author Comment

by:Prolumina
ID: 34225971
Thanks for the help; I am headed into the office today so that I can work directly with the router. I will post the "show" output in about an hour.

Thanks

Author Comment

by:Prolumina
ID: 34226562
Thank you all for your help. As it turned out, last night I was having lots of trouble with the router, so I decided to come in this morning and do a cold start. I reset to factory defaults and rebuilt all options on the router. I got VPN working beautifully using Windows IAS for authentication and was very happy. However, halfway through I encountered the same error. I finally narrowed it down to ONE LINE in the config file.

When setting up the virtual-template I entered the following:
interface Virtual-Template1
 description ==[PPTP Radius VPN]==
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool vpnpool
 ppp encrypt mppe 40
 ppp authentication ms-chap
 
HOWEVER, if I entered:

ppp encrypt mppe auto (which uses both 40-bit and 128-bit)

I received the dreaded error.

Thank you all for the help with this.  

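Added example, not code from the thread or from Cisco: a small Python linter that reads an IOS running-config fragment and checks the pieces this thread converged on, namely the vpdn-group / Virtual-Template / inbound-ACL items from deepdraw's "just to check" list, the accepted solution's point that the pool should sit in the LAN interface's range (which only works while proxy-ARP is on there), and the "ppp encrypt mppe" line the author narrowed the failure down to. The two sample configs, the interface names, the pool and the addresses in it are constructed for the example. It treats "mppe 40", "mppe auto" and MS-CHAP v1 as downgrade points and expects "ppp encrypt mppe 128 required" with "ms-chap-v2" only, which is what the working 1760 config above uses; even so, PPTP rests on the MS-CHAPv2 handshake, which can be cracked offline, so read the output as hygiene for a legacy setup rather than a sign-off.

```python
"""Added example (not code from the thread): lint the PPTP pieces of a Cisco
IOS running-config: vpdn-group -> Virtual-Template binding, MPPE/MS-CHAP
strength, tcp/1723 + GRE in the inbound ACL, and where the client pool sits.
SAMPLE_CONFIG is constructed; its names and addresses are invented."""
import ipaddress
import re
SAMPLE_CONFIG = """\
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
interface GigabitEthernet0/0
 ip address 203.0.113.22 255.255.255.224
 ip access-group inboundDSL in
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool vpnpool
 ppp encrypt mppe 40
 ppp authentication ms-chap
ip local pool vpnpool 10.0.0.200 10.0.0.225
ip access-list extended inboundDSL
 permit tcp any any established
 permit tcp any any eq 1723
"""
# Same config with the weak settings corrected and GRE admitted.
HARDENED_CONFIG = (SAMPLE_CONFIG
    .replace('ppp encrypt mppe 40', 'ppp encrypt mppe 128 required')
    .replace('ppp authentication ms-chap', 'ppp authentication ms-chap-v2')
    .replace(' permit tcp any any eq 1723',
             ' permit tcp any any eq 1723\n permit gre any any'))

def parse_blocks(config):
    """IOS config text -> list of (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in (r for r in config.splitlines() if r.strip() and r[0] != '!'):
        if raw[0] != ' ':
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def acl_permits(body, proto, port=None):
    """True if an extended ACL body permits proto (and port, when given)."""
    return any(t[0] == 'permit' and (t[1] == 'ip' or (t[1] == proto and
               (port is None or port in t))) for t in map(str.split, body) if len(t) > 1)

def lint(config):
    """Return a list of findings; an empty list means nothing to report."""
    blocks = parse_blocks(config)
    heads = dict(blocks)
    f = []
    if 'vpdn enable' not in heads:
        f.append('missing "vpdn enable"')
    grp = next((b for h, b in blocks if h.startswith('vpdn-group')), [])
    if 'accept-dialin' not in grp or 'protocol pptp' not in grp:
        f.append('no vpdn-group with accept-dialin / protocol pptp')
    vt_num = next((l.split()[1] for l in grp if l.startswith('virtual-template ')), None)
    vt = heads.get(f'interface Virtual-Template{vt_num}')
    if vt is None:
        return f + ['vpdn-group does not bind a defined Virtual-Template']
    # MPPE keys derive from the MS-CHAP exchange: 40-bit/auto/optional MPPE and
    # MS-CHAP v1 are downgrade points (PPTP stays weak even at its best).
    enc = next((l for l in vt if l.startswith('ppp encrypt mppe')), 'no ppp encrypt mppe')
    if '128' not in enc or 'required' not in enc:
        f.append(f'"{enc}": use "ppp encrypt mppe 128 required"')
    auth = next((l.split()[2:] for l in vt if l.startswith('ppp authentication')), [])
    if auth != ['ms-chap-v2']:
        f.append('ppp authentication should be ms-chap-v2 only')
    # The outside interface's inbound ACL must pass control (tcp/1723) and data (GRE).
    outside = next((l.split()[2] for l in vt if l.startswith('ip unnumbered ')), None)
    acl_in = next((l.split()[2] for l in heads.get(f'interface {outside}', [])
                   if l.startswith('ip access-group ') and l.endswith(' in')), None)
    if acl_in:
        acl = heads.get(f'ip access-list extended {acl_in}', [])
        if not acl_permits(acl, 'tcp', '1723'):
            f.append(f'ACL {acl_in} on {outside} blocks tcp/1723 (PPTP control)')
        if not acl_permits(acl, 'gre'):
            f.append(f'ACL {acl_in} on {outside} blocks GRE (PPTP data channel)')
    # Pool inside a LAN subnet relies on proxy-ARP there; outside every subnet,
    # LAN hosts must route via this router to reach the dial-in clients.
    pool_name = next((l.split()[-1] for l in vt
                      if l.startswith('peer default ip address pool ')), None)
    pat = rf'ip local pool {re.escape(str(pool_name))} (\S+) (\S+)$'
    pool = next((m for h in heads if (m := re.match(pat, h))), None)
    if pool is None:
        return f + [f'no "ip local pool" defined for peer pool {pool_name}']
    lo, hi = ipaddress.ip_address(pool[1]), ipaddress.ip_address(pool[2])
    homes = [h.split(None, 1)[1] for h, b in blocks if h.startswith('interface ')
             for m in (re.match(r'ip address (\S+) (\S+)', l) for l in b)
             if m and lo in (net := ipaddress.ip_interface(f'{m[1]}/{m[2]}').network)
             and hi in net]
    for name in homes:
        if 'no ip proxy-arp' in heads[f'interface {name}']:
            f.append(f'pool is inside the {name} subnet but proxy-arp is off there')
    if not homes:
        f.append(f'pool {lo}-{hi} is outside every interface subnet')
    return f
```

Run lint(SAMPLE_CONFIG) to get three findings (the 40-bit MPPE line, MS-CHAP v1, and the missing GRE permit that leaves clients authenticated but unable to pass traffic); lint(HARDENED_CONFIG) returns an empty list. Paste your own "show run" into the string to check a real box; the parser only understands one level of indentation, which is all these checks need.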
Author Closing Comment

by:Prolumina
ID: 34226567
Thank you all for your help.