
Cisco 857 PPTP VPN Server


kyleheath (IS-IT--Management, GB; joined Jul 9, 2007)
I would like to set up my Cisco 857 router to accept incoming Windows PPTP VPN connections. Is there a standard setup for this? I cannot find any mention of PPTP VPNs in the SDM; it is all IPSEC.

I have put some commands together from websites and managed to accept PPTP incoming calls, but the username is rejected with a 691 error, so I feel I haven't set up AAA correctly. Does anyone have a config for a PPTP VPN server I can look at?

Cheers

Kyle
 
Thanks Andy. I only have one PC to support at this site, so I need to use local authentication rather than an IAS server. I can get a response to a PPTP VPN now, but the debugging on the router shows

cannot process authentication server Radius UNKNOWN

which suggests to me that I haven't set up AAA to authenticate locally against the users configured on the router. I have authentication and authorization set to local, but I still get a 691 error on connection. I'll admit I have no Cisco training at all, so I'm winging this as best I can!

Cheers

Kyle
 
You need PPP network authentication enabled:
Code:
aaa authentication ppp default local

You might also need network authorisation as well, but this depends on your existing AAA configuration:
Code:
aaa authorization network default if-authenticated

HTH

Andy
 
Thanks Andy, still stuck at the authentication side, but I'm putting this down to a lack of Cisco knowledge, so I guess I either need a config that is set up for this on an 800 series so I can work it out, or it's the books for me and a sharp learning curve!

If anyone has a Cisco 800 series with the config for a PPTP VPN and local authentication it would be greatly appreciated!


Cheers

Kyle
 
Here is my current config:

Building configuration...

Current configuration : 10854 bytes
!
version 12.4
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname leadoncourt
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$X4U2$7grG.1OwQ8mSVbXmBmdFT/
enable password
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
no ip source-route
no ip dhcp use vrf connected
!
ip dhcp pool dhcppool
import all
network 192.168.191.0 255.255.255.0
default-router 192.168.191.1
dns-server 213.130.128.32
update arp
!
ip dhcp pool dhcpool
dns-server 213.130.128.32
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip name-server 213.130.128.32
ip name-server 213.130.128.33
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
vpdn-group test-vpn
accept-dialin
protocol pptp
virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-2306029966
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2306029966
revocation-check none
rsakeypair TP-self-signed-2306029966
!
!
crypto pki certificate chain TP-self-signed-2306029966
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333036 30323939 3636301E 170D3037 30373133 31363130
35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33303630
32393936 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CFA8 C456D807 C8AF5005 251BFBD5 5BD06704 AD1E4A08 C9921231 F8D469E5
445757D9 EC991D0B A57E5890 48440EAE DC184611 0393CC67 4B940F94 784FA75A
62FCD675 5AC4D555 A636B0EC 72244B7A E0E1B865 AF766563 9B44CEDE D3C0113E
D8BD1571 92D2E53C B89EC192 C896E77E 6FCC9E85 FC5A89D1 9FDB789E 76087BC1
53750203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
551D1104 0F300D82 0B6C6561 646F6E63 6F757274 301F0603 551D2304 18301680
1474E4A5 D0616E64 E6DEB0F8 C76857ED FC4AA336 A7301D06 03551D0E 04160414
74E4A5D0 616E64E6 DEB0F8C7 6857EDFC 4AA336A7 300D0609 2A864886 F70D0101
04050003 81810030 8A904443 72DF8FD4 496B09ED AA564042 E70DA5DD 2825405B
64AB230A A6E65FFF 6122ADE8 E89FF6F4 D83BADA4 AD43376B AE5560A9 CFE767F9
0199B298 97E34D29 CB555F9A 5DD3161F 51CFC0E8 CE724BE0 963AC947 6D1CA721
D78E43A0 F1B55CB5 E244CE84 B87ED235 17FBDD81 74C2115E 36FB175B F0EF435B
4498F320 C1384C
quit

username test password 0 test
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address xxxxxxxxxxxxx
crypto isakmp key xxxxxxx address xxxxxxxxxxxxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
!
crypto map RCC 2 ipsec-isakmp
description Tunnel xxxxxxxxxxxxx
set peer xxxxxxxxxxxxx
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA1
match address 106
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel xxxxxxxxxxxxx
set peer xxxxxxxxxxxxx
set transform-set ESP-3DES-SHA2
match address 105
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel xxxxxxxxxxxxx
set peer xxxxxxxxxxxxx
set transform-set ESP-3DES-SHA1
match address 104
!
crypto map SDM_CMAP_3 1 ipsec-isakmp
description Tunnel xxxxxxxxxxxxx
set peer xxxxxxxxxxxxx
set transform-set ESP-3DES-SHA6
match address 107
!
crypto map SDM_CMAP_4 1 ipsec-isakmp
description Tunnel xxxxxxxxxxxxx
set peer xxxxxxxxxxxxx
set transform-set ESP-3DES-SHA7
match address 108
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface Virtual-Template1
ip unnumbered FastEthernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip mroute-cache
peer default ip address pool dhcppool
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.191.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Dialer0
description $FW_OUTSIDE$
ip address 82.163.115.41 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxx password 0 xxxxxxxxxxxxx
crypto map SDM_CMAP_4
!
ip local pool test 192.168.191.50 192.168.191.60
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.191.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip xxxxxxxxxxxxx 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Allow PPTP Inbound
access-list 101 permit tcp any any eq 1723
access-list 101 remark Allow GRE Inbound
access-list 101 permit gre any any
access-list 101 permit udp host xxxxxxxxxxxxx host xxxxxxxxxxxxx eq non500-isakmp
access-list 101 permit udp host xxxxxxxxxxxxx host xxxxxxxxxxxxx eq isakmp
access-list 101 permit esp host xxxxxxxxxxxxx host xxxxxxxxxxxxx
access-list 101 permit ahp host xxxxxxxxxxxxx host xxxxxxxxxxxxx
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.190.0 0.0.0.255 192.168.191.0 0.0.0.255
access-list 101 permit udp host xxxxxxxxxxxxx host xxxxxxxxxxxxx eq non500-isakmp
access-list 101 permit udp host xxxxxxxxxxxxx host xxxxxxxxxxxxx eq isakmp
access-list 101 permit esp host xxxxxxxxxxxxx host xxxxxxxxxxxxx
xxxxxxxxxxxxx
access-list 101 remark Allow HTTP
access-list 101 permit tcp host xxxxxxxxxxxxx host xxxxxxxxxxxxx eq www
access-list 101 remark Telnet Access for CSCM Support
access-list 101 permit tcp host xxxxxxxxxxxxx host xxxxxxxxxxxxx eq telnet
access-list 101 deny ip 192.168.191.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.191.0 0.0.0.255 192.168.190.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.191.0 0.0.0.255 192.168.190.0 0.0.0.255
access-list 103 permit ip 192.168.191.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.191.0 0.0.0.255 192.168.190.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.191.0 0.0.0.255 192.168.190.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.191.0 0.0.0.255 192.168.190.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.191.0 0.0.0.255 192.168.190.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.191.0 0.0.0.255 192.168.190.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
banner login ^xxxxxxxxxxxxx.^C
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxxxxx
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
no process cpu extended
no process cpu autoprofile hog
end

I know it's a bit messy, but I'm learning!

Cheers

Kyle
 
DHCP isn't used for the VPN users; you need to use a local pool. You are also using IP Unnumbered against a Layer-2 interface that doesn't have an IP address. I suggest you make the following changes:
Code:
async-bootp dns-server 213.130.128.32
!
interface Virtual-Template1
 ip unnumbered vlan1
 peer default ip address pool test

Also debug the PPP negotiation and authentication and see what the messages say.

HTH

Andy
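The three things Andy's two replies diagnose (no `aaa authentication ppp ... local` under `aaa new-model`, `ip unnumbered` pointed at an interface with no IP address, and `peer default ip address pool` naming a DHCP pool instead of an `ip local pool`) are easy to check mechanically before opening a debug session. The script below is an added example, not code from the thread or from Cisco: it parses `show running-config` text into top-level lines with their indented children and reports those findings, plus the cleartext `username ... password 0` entry visible in the posted config. The two embedded configs are constructed excerpts modelled on the thread, one as posted and one with Andy's changes applied; the `$1$placeholder` secret in the fixed copy is a placeholder, not a real hash.

```python
"""Lint a Cisco IOS running-config for the PPTP/VPDN pitfalls raised in this thread.

Added example (not the thread's or Cisco's code). Interface and pool names are
compared case-insensitively because IOS accepts `vlan1` and `Vlan1` interchangeably.
"""
import re
from typing import Dict, List, Tuple

Section = Tuple[str, List[str]]  # (top-level line, indented child lines)

# Constructed excerpt modelled on the config as originally posted.
BROKEN_CONFIG = """
aaa new-model
aaa authentication login default local
aaa authorization network default local
ip dhcp pool dhcppool
 network 192.168.191.0 255.255.255.0
 default-router 192.168.191.1
interface FastEthernet0
 no cdp enable
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool dhcppool
 ppp authentication ms-chap ms-chap-v2
interface Vlan1
 ip address 192.168.191.1 255.255.255.0
ip local pool test 192.168.191.50 192.168.191.60
username test password 0 test
"""

# Constructed excerpt with Andy's suggested changes applied (placeholder secret).
FIXED_CONFIG = """
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
interface FastEthernet0
 no cdp enable
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool test
 ppp authentication ms-chap ms-chap-v2
interface Vlan1
 ip address 192.168.191.1 255.255.255.0
ip local pool test 192.168.191.50 192.168.191.60
username test secret 5 $1$placeholder
"""


def parse_sections(config: str) -> List[Section]:
    """Split IOS config text into top-level lines and their indented children.

    Blank lines and `!` separators are skipped. IOS indents children with one
    space; any leading whitespace counts, so re-indented copies still parse.
    """
    sections: List[Section] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def _interfaces(sections: List[Section]) -> Dict[str, List[str]]:
    """Map lowercase interface name -> its child lines."""
    return {hdr.split(None, 1)[1].lower(): kids
            for hdr, kids in sections if hdr.lower().startswith("interface ")}


def lint(config: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing was flagged."""
    sections = parse_sections(config)
    tops = [hdr for hdr, _ in sections]
    findings: List[Tuple[str, str]] = []

    # Under aaa new-model, PPP needs its own authentication list or dial-in
    # users are rejected (the 691 error described in the thread).
    if "aaa new-model" in tops and not any(
            re.match(r"aaa authentication ppp \S+ .*\blocal\b", t) for t in tops):
        findings.append(("aaa-ppp", "aaa new-model set but no 'aaa authentication ppp <list> local'"))

    ifaces = _interfaces(sections)
    local_pools = {t.split()[3].lower() for t in tops if t.startswith("ip local pool ")}
    dhcp_pools = {t.split()[3].lower() for t in tops if t.startswith("ip dhcp pool ")}

    for name, kids in ifaces.items():
        if not name.startswith("virtual-template"):
            continue
        for line in kids:
            m = re.match(r"ip unnumbered (\S+)", line, re.I)
            if m:  # the borrowed interface must itself carry an IP address
                target = m.group(1)
                has_ip = any(re.match(r"ip address \d", k, re.I)
                             for k in ifaces.get(target.lower(), []))
                if not has_ip:
                    findings.append(("unnumbered", f"{name}: ip unnumbered {target}, but {target} has no ip address"))
            m = re.match(r"peer default ip address pool (\S+)", line, re.I)
            if m and m.group(1).lower() not in local_pools:  # must be an ip local pool
                why = ("is a DHCP pool, not an ip local pool" if m.group(1).lower() in dhcp_pools
                       else "is not defined as an ip local pool")
                findings.append(("pool", f"{name}: pool {m.group(1)} {why}"))

    # Type-0 entries store the credential in cleartext in the config.
    for t in tops:
        if re.match(r"username \S+ password 0 ", t):
            findings.append(("type0", f"cleartext credential for user {t.split()[1]}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for code, msg in lint(cfg):
            print(f"  [{code}] {msg}")
```

Run it against a saved `show running-config` by reading the file into `lint()`; the "as posted" excerpt yields four findings and the fixed one none, which matches the order in which Andy's replies resolved the thread.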
 