Microsoft VPN behind BM 3.8 SP4

Hello,
We have a big problem in our network. We need a VPN tunnel to an organisation
which demands Microsoft VPN. Before, we ran VPN at Bordermanager; this worked
fine.
Now we installed VPN directly at the involved Win2K server and created a
filter exception for port 1723 (src. port <All>, dest. port 1723) at the BM.
First there was not any connection from 'the outside world', but after
creation of this filter exception we get as far as 'verifying username and
password'. But this times out and auto redial starts.
Who can help us out? Has this to do with the fact that BM NAT does not
support GRE? And if yes, is there a workaround to bypass this?
Thanks in advance,
Ivar Woudsma
Netherlands

In article <95OMh.1577$[email protected]>,
Support-forums.novell.com wrote:
> Who can help us out? Has this to do with the fact that BM NAT does not
> support GRE? And if yes, is there a workaround to bypass this?
>
GRE breaks going through NetWare NAT. There is no workaround if passing
the traffic through NetWare.
You have two choices - don't do NAT on NetWare (not likely to be an
option for several reasons, unless you just use proxy), and bypass the
server.
You could:
a) put a pc on the outside of BMgr, remote control to it from inside the
LAN, and launch the VPN from there, or
b) put in a router/firewall that has GRE support over NAT in parallel
with BMgr, then static route the traffic through that link from the BMgr
server, for the VPN endpoint address.
Both the above require an available public IP address.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
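
Why the dial-in above reaches 'verifying username and password' and then times out: PPTP sets the call up over TCP 1723, but the PPP frames that carry authentication travel in GRE (IP protocol 47), which has no port numbers for a port-based exception to match. The following is an added example, not code from the thread or from Novell; the rule format, function names and packets are constructed for illustration and are not BorderManager filter syntax.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_CONTROL_PORT = 1723
GRE_PROTO_PPP = 0x880B          # enhanced GRE (RFC 2637) payload type for PPP
GRE_KEY, GRE_SEQ, GRE_ACK = 0x2000, 0x1000, 0x0080


def parse_ipv4(packet: bytes) -> dict:
    """Return protocol, addresses and payload of a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    return {"proto": packet[9],
            "src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "payload": packet[ihl:]}


def classify(packet: bytes) -> dict:
    """Label a packet as PPTP control, PPTP data (GRE) or other."""
    ip = parse_ipv4(packet)
    l4 = ip["payload"]
    info = {"kind": "other", "proto": ip["proto"], "ports": None}
    if ip["proto"] == IPPROTO_TCP and len(l4) >= 4:
        info["ports"] = struct.unpack("!HH", l4[:4])
        if PPTP_CONTROL_PORT in info["ports"]:
            info["kind"] = "pptp-control"
    elif ip["proto"] == IPPROTO_GRE and len(l4) >= 8:
        flags, ptype, _plen, call_id = struct.unpack("!HHHH", l4[:8])
        # PPTP uses GRE version 1 with the Key bit set; the low 16 bits of
        # the key are the Call ID. There are no port numbers in this header.
        if (flags & 0x0007) == 1 and (flags & GRE_KEY) and ptype == GRE_PROTO_PPP:
            info.update(kind="pptp-data", call_id=call_id,
                        has_seq=bool(flags & GRE_SEQ),
                        has_ack=bool(flags & GRE_ACK))
    return info


def permitted(packet: bytes, exceptions: list) -> bool:
    """Hypothetical filter: exceptions are {"proto": n, "dport": port or None}."""
    ip = parse_ipv4(packet)
    for rule in exceptions:
        if rule["proto"] != ip["proto"]:
            continue
        if rule.get("dport") is None:
            return True                          # protocol-wide exception
        if ip["proto"] in (6, 17) and len(ip["payload"]) >= 4:
            _sport, dport = struct.unpack("!HH", ip["payload"][:4])
            if dport == rule["dport"]:
                return True
    return False


def _ipv4(proto, payload, src="198.51.100.7", dst="192.0.2.10"):
    # Constructed header using documentation addresses; checksum left at 0.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def constructed_inbound_session() -> list:
    """Three constructed inbound packets: PPTP control, PPTP data, unrelated TCP."""
    tcp_syn = struct.pack("!HHIIHHHH", 49152, 1723, 1, 0, 0x5002, 8192, 0, 0)
    ppp_lcp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"    # PPP LCP Configure-Request
    gre = struct.pack("!HHHHI", GRE_KEY | GRE_SEQ | 1, GRE_PROTO_PPP,
                      len(ppp_lcp), 7, 0) + ppp_lcp
    tcp_web = struct.pack("!HHIIHHHH", 49153, 443, 1, 0, 0x5002, 8192, 0, 0)
    return [_ipv4(IPPROTO_TCP, tcp_syn), _ipv4(IPPROTO_GRE, gre),
            _ipv4(IPPROTO_TCP, tcp_web)]


def evaluate(exceptions: list) -> list:
    """Return (kind, permitted) for each constructed packet under the filter."""
    return [(classify(p)["kind"], permitted(p, exceptions))
            for p in constructed_inbound_session()]


# The exception described in the post: destination port 1723 only.
PORT_ONLY = [{"proto": IPPROTO_TCP, "dport": 1723}]
# The same exception plus a protocol-wide one for GRE.
WITH_GRE = PORT_ONLY + [{"proto": IPPROTO_GRE, "dport": None}]

if __name__ == "__main__":
    for name, rules in (("port 1723 only", PORT_ONLY), ("plus GRE", WITH_GRE)):
        print(name, evaluate(rules))
```

The second rule set models a device that forwards GRE; per the reply above, NetWare NAT does not, so the data channel still fails there even with such an exception.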

Similar Messages

  • Support configuring PlayBook on a Microsoft VPN with default settings

    We have a Microsoft VPN running at work. I can connect to it from any Windows 7 PC with the default VPN settings. How can I configure the PlayBook to connect to the VPN. I have had no success after trying various settings.

    Can anyone shed some insight into the correct settings - I too am attempting to get a VPN operational against a standard Microsoft Server VPN.
    Is there something that I need to be able to ask IT ? where should I look ?
    When I configure a new win 7 laptop all I need is the URL of the VPN server...

  • How can i bypass IPs shared secret or certificate when connecting to an older microsoft vpn network

    I have a macbook pro running Lion.  When I attempt to connect via VPN I am asked for either a shared secret or a certificate, but the Microsoft server does not use or recognize either.  How can I bypass this requirement so I can access files I desperately need for work?

    I am most certainly Not wrong, I just spent an hour sitting with the system administrator and he was befuddled!  The network does not require machine authentication.  Lion seems to think all networks do.
    My connection is set up for PPP (no PPTP option exists, but certainly is NOT under L2TP)
    The machine authentication is required by Lion no matter how we set it up. 
    Any other ideas?

  • RV082 - SRP527W - VPN behind NAT not working

    Hello,
    I have really strange behaviors with my routers. We managed to get things running but once a week, the VPN link is down.
    The connection does not restart; both routers show "connected" but are not, and we had to click on "disconnect" to get the link back.
    That was before an update in our infrastructure. Now, both routers are behind routers, so both NAT.
    Now, the connection works for some time, but once a week the link disconnects and I'm unable to get it back! NOTHING works.
    Last time, I spent 2 hours configuring the link again, setting the same parameters almost 10 times, and suddenly, as if by magic, the 11th time it worked again. I read many people have troubles with RVXXX firmware so I don't know what to think.
    Anyway, my BIG concern now is that the link is down again, and it has been 6 hours that we can't get it back. I restarted the routers many times, I've made some changes in the configuration, but if it worked, why should I modify it ?????? Why is it not working anymore ?
    The log for the RV082 is almost empty about the link. Here's a snippet :
    Feb 10 19:01:52 2014
    VPN Log
    (g2gips0) #8: initiating Main Mode
    Feb 10 19:01:52 2014
    VPN Log
    (g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Feb 10 19:01:52 2014
    VPN Log
    (g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Feb 10 19:01:52 2014
    System Log
    gateway_to_gateway.htm is changed.
    Feb 10 19:09:08 2014
    VPN Log
    (g2gips0): deleting connection
    Feb 10 19:09:08 2014
    VPN Log
    (g2gips0) #8: deleting state (STATE_MAIN_I1)
    Feb 10 19:09:08 2014
    VPN Log
    added connection description (g2gips0)
    Feb 10 19:09:08 2014
    VPN Log
    listening for IKE messages
    Feb 10 19:09:08 2014
    VPN Log
    forgetting secrets
    Feb 10 19:09:08 2014
    VPN Log
    loading secrets from '/etc/ipsec.d/ipsec.secrets'
    Feb 10 19:09:09 2014
    System Log
    gateway_to_gateway.htm is changed.
    The log for the SRP527W is full of this :
    Dump pluto log message in syslog  : cat /var/log/messages |grep pluto
    Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2
    Jan  1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: max number of retransmissions (2) reached STATE_MAIN_R1
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: responding to Main Mode
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: STATE_MAIN_R1: sent MR1, expecting MI2
    Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: pending Quick Mode with 37.1.XXX.XXX "G2" took too long -- replacing phase 1
    Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: "G2" #189: initiating Main Mode to replace #185
    Jan  1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: "G2" #190: responding to Main Mode
    Please help me to get things sorted. I just don't understand why nothing is written in the log about the SRP trying to make a connection. I also don't understand why suddenly the link is broken, and without changing anything, it can't get it back normally !!
    Best Regards
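
The SRP527W log in the post above repeats one pattern: the responder sends MR1, waits for MI2, and gives up after its retransmissions. The following added example (not from the thread or from Cisco; function names are hypothetical) splits fused pluto syslog text back into records and lists every IKE state that exhausted its retransmissions, with the message it was still expecting as learned from the log itself. The sample is an excerpt of the log lines quoted in the post.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# A syslog record starts at "Mon dD HH:MM:SS "; used to undo fused lines.
RECORD_START = re.compile(rf"(?=(?:{MONTHS}) [ \d]\d \d\d:\d\d:\d\d )")
RECORD = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d [\d:]{8}) \S+ \S+ pluto\[\d+\]: (?P<body>.*)$")
SA_MSG = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
EXPECTING = re.compile(r"^(STATE_\w+): sent (\w+), expecting (\w+)")
GAVE_UP = re.compile(r"^max number of retransmissions \((\d+)\) reached (STATE_\w+)")
VENDOR_ID = re.compile(
    r"^packet from ([^:]+):(\d+): received Vendor ID payload \[([^\]]+)\]")

# Excerpt of the SRP527W log from the post, fused as it appears there.
SAMPLE_FUSED = (
    'Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: '
    'transition from state STATE_MAIN_R0 to state STATE_MAIN_R1'
    'Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: '
    'STATE_MAIN_R1: sent MR1, expecting MI2'
    'Jan  1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: '
    'max number of retransmissions (2) reached STATE_MAIN_R1'
    'Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from '
    '37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 '
    'Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from '
    '37.1.XXX.XXX:500: received Vendor ID payload '
    '[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109'
    'Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: '
    'responding to Main Mode'
    'Jan  1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: '
    'max number of retransmissions (2) reached STATE_MAIN_R1'
)


def split_records(text: str) -> list:
    """Split fused or wrapped syslog text into one string per record."""
    text = text.replace("\n", " ")
    return [r.strip() for r in RECORD_START.split(text) if r.strip()]


def analyse(text: str) -> dict:
    """Summarise stalled IKE states, offered NAT-T vendor IDs and responses."""
    expecting, stalled, vendor_ids, responded = {}, [], {}, 0
    for rec in split_records(text):
        m = RECORD.match(rec)
        if not m:
            continue                              # not a pluto record
        body = m["body"]
        v = VENDOR_ID.match(body)
        if v:
            offered = vendor_ids.setdefault(v[1], [])
            if v[3] not in offered:
                offered.append(v[3])
            continue
        s = SA_MSG.match(body)
        if not s:
            continue
        msg = s["msg"]
        if msg == "responding to Main Mode":
            responded += 1
        e = EXPECTING.match(msg)
        if e:
            expecting[e[1]] = e[3]                # state -> awaited message
        g = GAVE_UP.match(msg)
        if g:
            stalled.append({"time": m["ts"], "conn": s["conn"],
                            "sa": int(s["sa"]), "state": g[2],
                            "retransmissions": int(g[1])})
    for item in stalled:
        item["expecting"] = expecting.get(item["state"], "unknown")
    return {"stalled": stalled, "vendor_ids": vendor_ids, "responded": responded}


if __name__ == "__main__":
    result = analyse(SAMPLE_FUSED)
    for item in result["stalled"]:
        print("{time} {conn} #{sa}: gave up in {state} after {retransmissions} "
              "retransmissions, still expecting {expecting}".format(**item))
    print("NAT-T vendor IDs offered:", result["vendor_ids"])
```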

    Hi again,
    Samir, I rebooted all the routers dozens of times when that happened, and it didn't change anything. Anyway, I called the Cisco Hotline. They could connect by VPN to RV082, but not the SRP, they didn't know why. Hardware or software failure.
    Anyway, i bought another router.
    Now i would like to use the SRP527W as a WIFI hotspot only. It doesn't work.
    My settings are :
    - Router defined as BRIDGE only (using Port lan 4 as Ethernet WAN)
    - WAN Interface is assigned 192.168.0.246 / 24
    - Gateway for the WAN interface is 192.168.0.254
    - Ethernet cable is plugged from LAN4/WAN to my new Modem/Router on LAN3.
    - Port LAN2 of SRP527W is defined with VLAN IP Address 192.168.15.254.
    When connected to the SRP527W on LAN2, from my computer (192.168.15.200), I can't ping 192.168.0.246 nor 0.254 (gateway is set to 15.254)
    Still, when connected to the SRP527W and with the Ping Diagnosis interface, pinging "192.168.0.254" shows "timed out".
    I tried almost every configuration, none worked.
    Please note that when connected from my computer directly to my new modem/router on port LAN3, with IP Address 192.168.0.200, i can access internet and ping everything. When set as DHCP too, i can grab an IP Address from my DHCP Windows Server.
    So, why is the SRP527W unable to work in this configuration ? it seems nothing pass through WAN port.
    If i'm right, there is only the WAN port that should be plugged to my modem router. With this settings, SSID should go directly to Internet, and for the other SSID, my LAN (through the modem/router). However, it doesn't work.
    Could you help me please ? Thank you

  • Modern UI apps do not connect to internet when using microsoft VPN (forced tunneling) (win 8.1)

    Hi, I am running Windows 8.1 on a Surface Pro 3. When I connect to VPN (Microsoft) all apps on the desktop work as expected;
    when in modern UI, apps do not detect an internet connection.
    I believe this is fixed in Windows 8 using this hotfix:
    https://support.microsoft.com/kb/2797356?wa=wsignin1.0
    & Here:
    http://support.microsoft.com/kb/2876419
    These hotfixes are for Windows 8 & not 8.1...
    Are there hotfixes for Windows 8.1 available? (Disabling forced tunneling is not an acceptable solution, unfortunately.)
    Thanks

    Hi,
    Actually this is a known issue and there is no effective method until now. You can find related threads in TechNet but none of them got a useful solution. However, I'm still researching and testing, aiming to find a workaround for this problem.
    If there is any progress in the future, I'll post the solution here.
    Thanks for your understanding.
    Roger Lu
    TechNet Community Support

  • Cisco VPN and Microsoft VPN

    i am currently using cisco vpn client, after connecting i want to reconnect another vpn to microsoft, while connecting it displays error 800, after getting these detail it shows that your cisco router firmware is old ( older than 2000) i am using cisco 1811 ios 12.3.9.
    other detail of vpn 800 error "tcp window size is 0"
    any help regarding this, thanks in advance

    Hi,
    We require more info in order to understand clearly whats going on. Could you please paste the screen shot of the err message.
    Regards,
    wilson samuel

  • PIX L2L VPN behind NAT device

    I need to know if it is possible to establish a L-2-L VPN if the termination device (PIX 7.x) is behind a router with NAT... All the traffic to the public IP is forwarded by the router to the PIX.
    the schema is like this:
    LAN -> FW -> Internet -> Router (NAT) -> FW (PIX) -> LAN
    (see the attached file)
    regards
    mariano

    Chris
    We are talking pix/asa here, aren't we? And we are talking about NATting your source IP addresses, right?
    If so, yes absolutely you can do this as I have done it many times in production environments.
    No you won't need statics. You do generally need a static to go from lower to higher but remember that is for the destination IP.
    You're not concerned with the destination IP addresses, you are only concerned with NATting the source IP addresses.
    Edit - just make sure on your NAT statement that it ends with "outside" as in the above example. This is how the pix knows to NAT in that direction in effect.
    Jon

  • Set up VPN behind modem

    Hello. My server is behind a modem and I am wondering how I would set up VPN. There is no router, there isn't even a network, so what would be the starting and ending IP addresses? Would I need to configure the DHCP service? Thanks for your help.

    What sort of modem, and what's on the other end of the modem, and how is your Mac connected to the modem?
    What task(s) do you want to do with the VPN?  Connect from the Mac to another network, or connect from another network to your Mac?
    (I'm grey-haired enough to have used 110 and 300 baud modems, and that stuff is rare these days.  And it's not really something that's easily feasible with a modem, short of some real hackery and a pile of PPP or SLIP, and that's not "fun" to get working.  And it's not at all fast.)

  • RV220w site-to-site VPN behind other routers?

    Hello,
    I'm trying to set up a site-to-site VPN tunnel between our branch office and our main office, both using RV220w routers, but the one at the branch office is behind a second router. This means that the main office router has a public IP (x.y.z.200, directly to the Internet - we can call this "router A"), while the branch office router has a local IP (192.168.1.32, via a different router - let's call the branch office RV220w "router B").
    What do I need to set up on both ends for this setup to work?
    We want all traffic at our branch office to be routed through the main office network, to ensure the branch office has access to the main office resources without each branch office client computer having to VPN in separately.
    Router A is running on firmware 1.0.3.5, while router B has firmware 1.0.4.17 (since it's a brand new setup, and didn't have any existing access rules to mess up), and I figured the IPsec Basic VPN Setup would be the key on both ends. I just can't figure out exactly what to put in. Based on the logs on router B, it would seem that it attempts a two-way connection (ie. router A might attempt to connect to router B's LAN IP address), which wouldn't work (router A's IP address has been replaced by "x.y.z.200" in this log listing, for the sake of security):
    2013-08-30 10:16:49: [rv220w][IKE] INFO:  Adding IPSec configuration with identifier "Main-office"
    2013-08-30 10:16:49: [rv220w][IKE] INFO:  Adding IKE configuration with identifier "Main-office"
    2013-08-30 10:17:07: [rv220w][IKE] INFO:  accept a request to establish IKE-SA: x.y.z.200
    2013-08-30 10:17:07: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:17:07: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
    2013-08-30 10:17:07: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2013-08-30 10:17:07: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2013-08-30 10:17:07: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2013-08-30 10:17:07: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2013-08-30 10:17:07: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2013-08-30 10:17:38: [rv220w][IKE] ERROR:  Invalid SA protocol type: 0
    2013-08-30 10:17:38: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
    2013-08-30 10:17:44: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:17:44: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:18:07: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 3c3f5b067600073f:0000000000000000
    2013-08-30 10:18:15: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:21:11: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:21:11: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:21:11: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
    2013-08-30 10:21:11: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2013-08-30 10:21:11: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2013-08-30 10:21:11: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2013-08-30 10:21:11: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2013-08-30 10:21:11: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2013-08-30 10:21:42: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:22:11: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. e09788d81dd19af9:0000000000000000
    2013-08-30 10:22:14: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:22:14: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:22:14: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
    2013-08-30 10:22:14: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2013-08-30 10:22:14: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2013-08-30 10:22:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2013-08-30 10:22:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2013-08-30 10:22:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2013-08-30 10:22:45: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:23:14: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. f1623847b0a3009f:0000000000000000
    2013-08-30 10:26:27: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:26:27: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:26:27: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
    2013-08-30 10:26:27: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2013-08-30 10:26:27: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2013-08-30 10:26:27: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2013-08-30 10:26:27: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2013-08-30 10:26:27: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2013-08-30 10:26:58: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:27:14: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:27:14: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:27:27: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 1139fbb8ce5b48ac:0000000000000000
    2013-08-30 10:27:45: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:29:53: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:29:53: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:29:53: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
    2013-08-30 10:29:53: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2013-08-30 10:29:53: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2013-08-30 10:29:53: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2013-08-30 10:29:53: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2013-08-30 10:29:53: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2013-08-30 10:30:24: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:30:43: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:30:43: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:30:53: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 48bd23b0ee8b5ae0:0000000000000000
    2013-08-30 10:31:14: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:36:29: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:36:29: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:36:29: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
    2013-08-30 10:36:29: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2013-08-30 10:36:29: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2013-08-30 10:36:29: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2013-08-30 10:36:29: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2013-08-30 10:36:29: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2013-08-30 10:37:00: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:37:14: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:37:14: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:37:29: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 06ac9649e4d2ba8e:0000000000000000
    2013-08-30 10:37:45: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:39:15: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:39:15: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:39:15: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
    2013-08-30 10:39:15: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2013-08-30 10:39:15: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2013-08-30 10:39:15: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2013-08-30 10:39:15: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2013-08-30 10:39:15: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2013-08-30 10:39:46: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:40:15: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. f60b1e9d4604e39e:0000000000000000
    2013-08-30 10:45:44: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:45:44: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:45:44: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
    2013-08-30 10:45:44: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2013-08-30 10:45:44: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2013-08-30 10:45:44: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2013-08-30 10:45:44: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2013-08-30 10:45:44: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2013-08-30 10:46:15: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:46:32: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:46:32: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:46:44: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 190c8d7c6f4a706b:0000000000000000
    2013-08-30 10:47:03: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:47:14: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24
    2013-08-30 10:47:14: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.
    2013-08-30 10:47:14: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
    2013-08-30 10:47:14: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
    2013-08-30 10:47:14: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
    2013-08-30 10:47:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4
    2013-08-30 10:47:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8
    2013-08-30 10:47:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9
    2013-08-30 10:47:45: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32
    2013-08-30 10:48:14: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 79546b1e76be8dbb:0000000000000000
    Any ideas to what would be the correct way to make this work?

    Dear Kim Andre,
    Thank you for reaching the Small Business Support Community.
    You must use either public IP addresses or fully qualified domain name (FQDN when the public IP is provided dynamically by the ISP) on both ends VPN configurations, and in your case the "router B" has a private IP, not routable over the internet, so I am afraid it is not going to work the way you desire.
    So if for example the gateway router on the branch office is a xDSL or cable modem terminal and this is why you need it, what you can do is set it as a bridge (no public IP manually configured) and have the RV220 do the PPPoE negotiation and public IP assigned so that you can use it on the VPN setup.
    Below is a document I like about VPN setup on RV220 routers;
    http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=4710
    In case your ISP provided router is DSL one and they instruct you how to set it up in bridge mode and provide you the PPPoE settings, please refer to page 34, chapter 2 on the admin guide for configuration details;
    http://www.cisco.com/en/US/docs/routers/csbr/rv220w/administration/guide/rv220w_admin_v1.0.1.0.pdf
    The main issue here is that you need both public IP addresses on the VPN setup, otherwise it is not going to work.  Please do not hesitate to reach me back if there is any further assistance I may help you with.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so others will know when an answer has been found.

  • Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2

    I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well.  Port forward configurations performed on the Actiontec are working well. 
    I installed an L2TP/IPSec VPN server, tested internally and it connected successfully.  So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
    I logged into the Verizon Actiontec MI424WR router, setup port forwarding for UDP ports 500, 1701 & 4500.
    Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
    With the port forwarding in place, I tested VPN externally but it didn't connect.
    I've done the following so far to no avail:
    Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
    There are no other pre-existing L2TP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
    There was an L2TP port triggering rule enabled, that I toggled on and off with no change
    Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
    Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced it's an issue with the Verizon Actiontec router.  But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this.  For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
    My router details:
    Verizon Actiontec
    MI424WR-GEN2
    Revision E
    Firmware 20.21.0.2
    Verizon Actiontec built-in L2TP/IPSec rule templates.  They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.

    normally a vpn on that router, will have a GRE tunneling protocol as well.
    two ways to build the PF rules,
    Manually
    Preconfigured
    I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.

  • IPsec VPN behind a NAT devices

    Thanks but just resolved the problem. Thus i deleted my posting.

    Thank you for your replies. There are 2 options: either easy vpn client, but it requires cisco at the other end ... or this one:
    crypto keyring spokes
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp profile L2L
    description LAN-to-LAN for spoke router(s) connection
    keyring spokes
    match identity address 0.0.0.0
    here is the cisco url link where u can find further information about it:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
    I m gonna test those 2 options
    I still don t know how to push acl with easy vpn client and remote mode.
    thank you for your advices
    regards,
    alex

  • [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient

    Hi,
    Have just started with Archlinux and trying to set up a VPN tunnel using pptp.
    I have been following the guide at:
    https://wiki.archlinux.org/index.php/Mi … pptpclient
    I want to connect to a service from www.ipredator.se
    Info from them when connection to Windows XP are:
    Enter company name "Ipredator". Click Next.
    Enter "vpn.ipredator.se" as "Host name or IP address".
    I have been given a <USERNAME> and <PASSWORD> from them.
    I got the VPN tunnel up and running in Ubuntu with the settings.
    Only enabled MSCHAPv2
    use MPPE 128 bit
    and allow data compression, BSD, Deflate and TCP header.
    My configuration files:
    options.pptp
    # $Id: options.pptp,v 1.3 2006/03/26 23:11:05 quozl Exp $
    # Sample PPTP PPP options file /etc/ppp/options.pptp
    # Options used by PPP when a connection is made by a PPTP client.
    # This file can be referred to by an /etc/ppp/peers file for the tunnel.
    # Changes are effective on the next connection. See "man pppd".
    # You are expected to change this file to suit your system. As
    # packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
    # and the kernel MPPE module available from the CVS repository also on
    # http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
    # Lock the port
    lock
    # Authentication
    # We don't need the tunnel server to authenticate itself
    noauth
    # We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
    # (you may need to remove these refusals if the server is not using MPPE)
    refuse-pap
    refuse-eap
    refuse-chap
    refuse-mschap
    # Compression
    # Turn off compression protocols we know won't be used
    nobsdcomp
    nodeflate
    # Encryption
    # (There have been multiple versions of PPP with encryption support,
    # choose with of the following sections you will use. Note that MPPE
    # requires the use of MSCHAP-V2 during authentication)
    # http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
    # ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
    # Require MPPE 128-bit encryption
    # require-mppe-128
    # http://polbox.com/h/hs001/ fork from PPP project by Jan Dubiec
    # ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
    # Require MPPE 128-bit encryption
    # mppe required,stateless
    chap-secrets
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    <USERNAME> pptpd <PASSWORD> *
    I named my tunnel "ipredator"
    /etc/ppp/peers/ipredator
    pty "pptp vpn.ipredator.se --nolaunchpppd"
    name <USERNAME>
    remotename Ipredator
    require-mppe-128
    file /etc/ppp/options.pptp
    ipparam ipredator
    When I try to connect I get following:
    [root@archlinux ppp]# pon $TUNNEL ipredator dump logfd 2 nodetach
    pppd options in effect:
    nodetach # (from command line)
    logfd 2 # (from command line)
    dump # (from command line)
    noauth # (from /etc/ppp/options.pptp)
    refuse-pap # (from /etc/ppp/options.pptp)
    refuse-chap # (from /etc/ppp/options.pptp)
    refuse-mschap # (from /etc/ppp/options.pptp)
    refuse-eap # (from /etc/ppp/options.pptp)
    name <USERNAME> # (from /etc/ppp/peers/ipredator)
    remotename Ipredator # (from /etc/ppp/peers/ipredator)
    # (from /etc/ppp/options.pptp)
    pty pptp vpn.ipredator.se --nolaunchpppd # (from /etc/ppp/peers/ipredator)
    crtscts # (from /etc/ppp/options)
    # (from /etc/ppp/options)
    asyncmap 0 # (from /etc/ppp/options)
    lcp-echo-failure 4 # (from /etc/ppp/options)
    lcp-echo-interval 30 # (from /etc/ppp/options)
    hide-password # (from /etc/ppp/options)
    ipparam ipredator # (from /etc/ppp/peers/ipredator)
    proxyarp # (from /etc/ppp/options)
    nobsdcomp # (from /etc/ppp/options.pptp)
    nodeflate # (from /etc/ppp/options.pptp)
    require-mppe-128 # (from /etc/ppp/peers/ipredator)
    noipx # (from /etc/ppp/options)
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    MPPE required, but MS-CHAP[v2] auth not performed.
    Connection terminated.
    [root@archlinux ppp]#
    I have not managed to understand why MS-CHAP[v2] auth is not performed.
    Any ideas on what I have missed during my configuration would be most appreciated!
    use code tags instead of quote since they provide scrollers and keep the thread from becoming a mile long -- Inxsible
    Thank you!
    Regards,
    /Christer
    Last edited by agkbill (2011-06-14 15:23:15)

    The problem was that <PASSWORD> was never found.
    What is written after "remotename" in the peers file ("PPTP" in the guide) is used to find the password in chap-secrets.
    But in the guide chap-secrets looks like "<USERNAME> pptpd <PASSWORD> *".
    Consequently <PASSWORD> will never be found. It should have been "<USERNAME> PPTP <PASSWORD> *", then it would have worked OK.
    The solution was to understand how the password was found.
    require-mppe-128 works fine as well.
    Now it looks like this.
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    <USERNAME> PPTP <PASSWORD> *
    pty "pptp vpn.ipredator.se --nolaunchpppd"
    lock
    noauth
    nobsdcomp
    nodeflate
    name <USERNAME>
    remotename PPTP
    require-mppe-128
    #file /etc/ppp/options.pptp
    ipparam ipredator
    Output:
    [root@archlinux ppp]# pon ipredator debug logfd 2 nodetach
    using channel 14
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
    sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
    sent [LCP EchoReq id=0x0 magic=0x7540313b]
    rcvd [LCP EchoReq id=0x0 magic=0xc615076a]
    sent [LCP EchoRep id=0x0 magic=0x7540313b]
    rcvd [CHAP Challenge id=0x46 <be769cd654150cc3dc0fd20bc73c03>, name = "pptpd"]
    sent [CHAP Response id=0x46 <6ce74a85ab09e4ae223bc85f679395f0000000000000000dbb8dc66e8950ab46831b62f5815e015b1e72de1e01a4d00>, name = "<USERNAME>"]
    rcvd [LCP EchoRep id=0x0 magic=0xc616076a]
    rcvd [CHAP Success id=0x46 "S=2694D1D727F2B8C8E402125EA401750011F24F20"]
    CHAP authentication succeeded
    sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
    sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
    MPPE 128-bit stateless compression enabled
    sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
    rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
    sent [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
    rcvd [IPCP ConfNak id=0x1 <addr 93.182.150.56>]
    sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
    rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
    Cannot determine ethernet address for proxy ARP
    local IP address
    remote IP address x.x.x.x
    Script /etc/ppp/ip-up started (pid 1778)
    Script /etc/ppp/ip-up finished (pid 1778), status = 0x0
    All the best!
    /Christer
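The lookup described in the follow-up above, as an added example (not from the post or the guide it cites): pppd selects the chap-secrets line whose client field equals `name` and whose server field equals `remotename` (or, when `remotename` is unset, the name sent in the CHAP challenge), with `*` matching any name. The function names are hypothetical, the option parser is simplified to one option per line, and the sample files are constructed from the post with placeholder credentials.

```python
import shlex

# Constructed samples modelled on the post; credentials are placeholders.
PEER_BROKEN = """\
pty "pptp vpn.ipredator.se --nolaunchpppd"
name <USERNAME>
remotename Ipredator
require-mppe-128
file /etc/ppp/options.pptp
"""
PEER_FIXED = PEER_BROKEN.replace("remotename Ipredator", "remotename PPTP")
PEER_NO_REMOTE = PEER_BROKEN.replace("remotename Ipredator\n", "")
INCLUDES = {"/etc/ppp/options.pptp": "lock\nnoauth\nrefuse-pap\nrefuse-chap\n"}
SECRETS_GUIDE = "# client server secret IP addresses\n<USERNAME> pptpd <PASSWORD> *\n"
SECRETS_FIXED = "# client server secret IP addresses\n<USERNAME> PPTP <PASSWORD> *\n"


def read_options(text, files=None, depth=0):
    """Map option -> argument for a peers/options file (assumes one option per line).

    'file <path>' is followed when <path> is a key of `files` (path -> contents).
    """
    files = files or {}
    opts = {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # strips '#' comments, honours quotes
        if not words:
            continue
        key = words[0]
        value = words[1] if len(words) > 1 else None
        if key == "file" and value in files and depth < 5:
            opts.update(read_options(files[value], files, depth + 1))
        else:
            opts[key] = value
    return opts


def find_secret(secrets_text, client, server):
    """Return the (client, server) fields of the best matching line, or None.

    Names are compared case-sensitively; an exact name beats the '*' wildcard.
    The secret itself is never returned.
    """
    best, best_score = None, -1
    for line in secrets_text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) < 3:
            continue
        client_ok = fields[0] in (client, "*")
        server_ok = server is None or fields[1] in (server, "*")
        if client_ok and server_ok:
            score = (fields[0] != "*") + (fields[1] != "*")
            if score > best_score:
                best, best_score = (fields[0], fields[1]), score
    return best


def check_peer(peer_text, secrets_text, files=None, challenge_name=None):
    """Report which names pppd would look up and whether chap-secrets has a match."""
    opts = read_options(peer_text, files)
    client = opts.get("name")
    # An explicit remotename overrides the name the server sends in its challenge.
    server = opts.get("remotename") or challenge_name
    entry = find_secret(secrets_text, client, server)
    return {"client": client, "server": server, "entry": entry, "ok": entry is not None}


if __name__ == "__main__":
    cases = [
        ("original peers file + guide's secrets", PEER_BROKEN, SECRETS_GUIDE, None),
        ("remotename PPTP + guide's secrets", PEER_FIXED, SECRETS_GUIDE, None),
        ("remotename PPTP + server field PPTP", PEER_FIXED, SECRETS_FIXED, None),
        ("no remotename, challenge name pptpd", PEER_NO_REMOTE, SECRETS_GUIDE, "pptpd"),
    ]
    for label, peer, secrets, challenge in cases:
        print(label, "->", check_peer(peer, secrets, INCLUDES, challenge))
```

Running the check before `pon` shows a name mismatch directly, instead of leaving it to be inferred from "MPPE required, but MS-CHAP[v2] auth not performed."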

  • Setting up a VPN on OSX Lion behind an OpenBSD firewall

    Hello All,
    I've been trying to get a VPN up and running on OSX Lion (10.7.4) behind an openbsd firewall.
    I'm currently using L2TP only.
    From what I've read I think I have the correct ports being forwarded:
    udp 500,1701,4500
    tcp 1723
    From an IPhone I am able to connect and authenticate but traffic does not get routed through the VPN.
    Is there anything obvious I'm missing?
    Thanks in advance.

    more information:
    I was attempting to get an iphone set up to use this VPN. It was able to authenticate but it seems it would not route any traffic through the VPN.
    I was just able to get my Linux laptop configured to use the OSX VPN via openswan, which I think was slightly more difficult due to NAT on both ends.
    Any tips for getting iOS working with this OSX VPN behind the firewall? Thanks.

  • Vpn tunnel

    How do I go about connecting 2 AirPorts in two different locations (NY/GA) so both locations act like one all the time, without having to VPN in when I want access?

    No I'm not using the Linksys software.
    I have a Microsoft Server set up as a VPN server behind a Linksys v1.1 router. Therefore I cannot ping the WAN IP address as the router is set up to not reply to pings. On the client side, I was just using the Microsoft PPTP VPN connection that comes with XP. When the client tried to connect to the server through a Linksys router at the client end, I get the dialog box that says "Verifying user name and password". But it does not connect and eventually times out. If I bypass the Linksys router on the client end, and plug my computer directly into the cable modem, I get connected to the VPN server with no problems.
    It seems so far that it is just when I am trying to get the VPN connection when the client is connected to a Linksys v5 router. I have not been able to test this out with another version of the Linksys router. When the client is connected to some other brands of routers, I can get a VPN tunnel to work. Is there some problem with Linksys to Linksys Microsoft VPN tunnel connectivity?

  • ASA 5505 VPN from internet native VPN client, TCP discarded 1723

    Hello to all,
    I'm configuring this ASA to connect home users to my network using the native Microsoft VPN clients with Windows XP over the internet.
    This ASA has one public internet IP on the outside interface, and the inside interface is configured with the network 192.168.0.x; I want to access this network from internet users using native VPN clients.
    I tested with one PC connected directly to the outside interface and it works well, but when I connect this interface to the internet and try to connect a user to the VPN, I see this in the logs, and the connection fails with error 800.
    TCP request discarded from "public_ip_client/61648" to outside:publicip_outside_interface/1723"
    Can you help me, please? Many thanks in advance!
    (running configuration)
    : Saved
    ASA Version 8.4(3)
    hostname ciscoasa
    enable password *** encrypted
    passwd *** encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address publicinternetaddress 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network gatewayono
    host gatewayofinternetprovideraccess
    description salida gateway ono
    object service remotointerno
    service tcp destination eq 3389
    description remoto
    object network pb_clienteing_2
    host 192.168.0.15
    description Pebble cliente ingesta 2
    object service remotoexternopebble
    service tcp destination eq 5353
    description remotoexterno
    object network actusmon
    host 192.168.0.174
    description Actus monitor web
    object service Web
    service tcp destination eq www
    description 80
    object network irdeto
    host 192.168.0.31
    description Irdeto
    object network nmx_mc_p
    host 192.168.0.60
    description NMX Multicanal Principal
    object network nmx_mc_r
    host 192.168.0.61
    description NMX multicanal reserva
    object network tarsys
    host 192.168.0.10
    description Tarsys
    object network nmx_teuve
    host 192.168.0.30
    description nmx cabecera teuve
    object network tektronix
    host 192.168.0.20
    description tektronix vnc
    object service vnc
    service tcp destination eq 5900
    description Acceso vnc
    object service exvncnmxmcr
    service tcp destination eq 5757
    description Acceso vnc externo nmx mc ppal
    object service exvncirdeto
    service tcp destination eq 6531
    description Acceso vnc externo irdeto
    object service exvncnmxmcp
    service tcp destination eq 5656
    object service exvnctektronix
    service tcp destination eq 6565
    object service exvncnmxteuve
    service tcp destination eq 6530
    object service ssh
    service tcp destination eq ssh
    object service sshtedialexterno
    service tcp destination eq 5454
    object-group service puertosabiertos tcp
    description remotedesktop
    port-object eq 3389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_1
    network-object object irdeto
    network-object object nmx_mc_p
    network-object object nmx_mc_r
    network-object object nmx_teuve
    network-object object tektronix
    object-group service vpn udp
    port-object eq 1723
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq https
    port-object eq pptp
    object-group network DM_INLINE_NETWORK_2
    network-object object actusmon
    network-object object tarsys
    access-list inside_access_in extended permit object remotointerno any any
    access-list inside_access_in extended permit object ssh any any
    access-list inside_access_in extended permit object-group TCPUDP any any eq www
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit object vnc any any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit object remotointerno any object pb_clienteing_2
    access-list outside_access_in extended permit object-group TCPUDP any object actusmon eq www
    access-list outside_access_in remark Acceso tedial ssh
    access-list outside_access_in extended permit tcp any object tarsys eq ssh
    access-list outside_access_in extended permit object vnc any object-group DM_INLINE_NETWORK_1
    access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access_in extended deny icmp any any
    access-list corporativa standard permit 192.168.0.0 255.255.255.0
    access-list Split-Tunnel-ACL standard permit 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging monitor debugging
    logging asdm debugging
    logging debug-trace
    mtu inside 1500
    mtu outside 1500
    ip local pool clientesvpn 192.168.0.100-192.168.0.110 mask 255.255.255.0
    ip local pool clientesvpn2 192.168.1.120-192.168.1.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat (outside,inside) source static any interface destination static interface actusmon service Web Web unidirectional
    nat (outside,inside) source static any interface destination static interface tarsys service sshtedialexterno ssh unidirectional
    nat (outside,inside) source static any interface destination static interface pb_clienteing_2 service remotoexternopebble remotointerno unidirectional
    nat (outside,inside) source static any interface destination static interface irdeto service exvncirdeto vnc unidirectional
    nat (outside,inside) source static any interface destination static interface nmx_mc_p service exvncnmxmcp vnc unidirectional
    nat (outside,inside) source static any interface destination static interface nmx_mc_r service exvncnmxmcr vnc unidirectional
    nat (outside,inside) source static any interface destination static interface nmx_teuve service exvncnmxteuve vnc unidirectional
    nat (outside,inside) source static any interface destination static interface tektronix service exvnctektronix vnc unidirectional
    nat (any,outside) source dynamic DM_INLINE_NETWORK_2 interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside per-user-override
    route outside 0.0.0.0 0.0.0.0 gatewayinternetprovideracces 1
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    eou allow none
    aaa local authentication attempts max-fail 10
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    no sysopt connection permit-vpn
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set clientewindowsxp esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set clientewindowsxp mode transport
    crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set clientewindowsxp
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
    crypto map L2TP-VPN-MAP interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint Ingenieria
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 8.8.8.8
    dhcpd auto_config outside
    dhcpd address 192.168.0.5-192.168.0.36 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point Ingenieria outside
    webvpn
    tunnel-group-list enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    wins-server none
    dns-server value 192.168.0.1
    vpn-tunnel-protocol l2tp-ipsec
    default-domain none
    group-policy DfltGrpPolicy attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    group-policy ingenieria internal
    group-policy ingenieria attributes
    vpn-tunnel-protocol l2tp-ipsec
    default-domain none
    group-policy L2TP-Policy internal
    group-policy L2TP-Policy attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split-Tunnel-ACL
    intercept-dhcp enable
    username ingenieria password 4fD/5xY/6BwlkjGqMZbnKw== nt-encrypted privilege 0
    username ingenieria attributes
    vpn-group-policy ingenieria
    username rjuve password SjBNOLNgSkUi5KWk/TUsTQ== nt-encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool clientesvpn
    address-pool clientesvpn2
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    default-group-policy L2TP-Policy
    authorization-required
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    class-map inspection_default
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:59b54f1d10fe829aeb47bafee57ba95e
    : end
    no asdm history enable

    Yes, this command creates this:
    policy-map global_policy
        class inspection_default
         inspect pptp
    But it doesn't work. I also tried to add pptp and gre in the outside access rules, but nothing...
    I don't understand why it works well if I connect directly to the outside interface from the same outside network.
    E.g.: the PC has the IP 89.120.145.14 and the outside ASA has 89.120.145.140; if I create a VPN on this PC to the outside IP 89.120.145.140 with the correct parameters, the ASA doesn't discard 1723 and it connects OK, but if the IP is not in this range it discards 1723...

Maybe you are looking for