L2TP and VPN client?

Hello.
We have an ASA 5510 that has been up and running for 2 years, with many VPN clients configured.
Now we want to enable L2TP as well.
I've followed this guide:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7540.shtml
At the end of the configuration steps (I've also upgraded to 8.2.5 as required), L2TP VPNs work properly, but the VPN clients don't work anymore.
I've removed the crypto map L2TP entry from the configuration, and now the VPN clients work again.
I've tried to insert the L2TP transform set (3des/sha/transport) into dynamic entry 65535, but L2TP doesn't work anyway.
The configuration of the crypto map is now:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set L2TP-TS ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
If I configure:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set L2TP-TS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
L2TP works, but not the VPN clients.
Has anyone successfully configured both VPNs on the same ASA?
Thanks
Daniele

Thanks for your suggestion, but it doesn't work.
I've enabled debug; the error follows:
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 500
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Oakley proposal is acceptable
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal RFC VID
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal ver 03 VID
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal ver 02 VID
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received Fragmentation VID
Oct 26 2012 10:36:05: %ASA-7-715064: IP = 217.200.185.232, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received DPD VID
Oct 26 2012 10:36:05: %ASA-7-715028: IP = 217.200.185.232, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 228
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
Oct 26 2012 10:36:05: %ASA-7-715048: IP = 217.200.185.232, Send IOS VID
Oct 26 2012 10:36:05: %ASA-7-715038: IP = 217.200.185.232, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Oct 26 2012 10:36:05: %ASA-7-715048: IP = 217.200.185.232, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Connection landed on tunnel_group DefaultRAGroup
Oct 26 2012 10:36:05: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, Generating keys for Responder...
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Oct 26 2012 10:36:05: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received
Oct 26 2012 10:36:05: %ASA-7-715076: Group = DefaultRAGroup, IP = 217.200.185.232, Computing hash for ISAKMP
Oct 26 2012 10:36:05: %ASA-6-713172: Group = DefaultRAGroup, IP = 217.200.185.232, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Connection landed on tunnel_group DefaultRAGroup
Oct 26 2012 10:36:05: %ASA-7-715076: Group = DefaultRAGroup, IP = 217.200.185.232, Computing hash for ISAKMP
Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Oct 26 2012 10:36:05: %ASA-5-713119: Group = DefaultRAGroup, IP = 217.200.185.232, PHASE 1 COMPLETED
Oct 26 2012 10:36:05: %ASA-7-713121: IP = 217.200.185.232, Keep-alive type for this connection: DPD
Oct 26 2012 10:36:05: %ASA-7-715080: Group = DefaultRAGroup, IP = 217.200.185.232, Starting P1 rekey timer: 2700 seconds.
Oct 26 2012 10:36:05: %ASA-7-720041: (VPN-Primary) Sending New Phase 1 SA message (type RA, remote addr 217.200.185.232, my cookie 1EE358C2, his cookie 591DEF02) to standby unit
Oct 26 2012 10:36:06: %ASA-7-714003: IP = 217.200.185.232, IKE Responder starting QM: msg id = d148be4a
Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=d148be4a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NAT-OA (131) + NONE (0) total length : 304
Oct 26 2012 10:36:06: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received
Oct 26 2012 10:36:06: %ASA-7-713025: Group = DefaultRAGroup, IP = 217.200.185.232, Received remote Proxy Host data in ID Payload:  Address 10.170.18.159, Protocol 17, Port 58636
Oct 26 2012 10:36:06: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received
Oct 26 2012 10:36:06: %ASA-7-713024: Group = DefaultRAGroup, IP = 217.200.185.232, Received local Proxy Host data in ID Payload:  Address 89.96.154.130, Protocol 17, Port 1701
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, L2TP/IPSec session detected.
Oct 26 2012 10:36:06: %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rcv Delete message (type RA, remote addr 217.200.185.232, my cookie 1EE358C2, his cookie 591DEF02) to standby unit
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, QM IsRekeyed old sa not found by addr
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 1...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 2...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 3...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 3, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 4...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 4, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 5...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 5, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 6...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 6, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 7...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 7, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 8...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 8, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 9...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 9, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 10...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 11...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 11, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 12...
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 12, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 26 2012 10:36:06: %ASA-7-713066: Group = DefaultRAGroup, IP = 217.200.185.232, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Oct 26 2012 10:36:06: %ASA-5-713904: Group = DefaultRAGroup, IP = 217.200.185.232, All IPSec SA proposals found unacceptable!
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending notify message
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, constructing ipsec notify payload for msg id d148be4a
Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=949acedb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Oct 26 2012 10:36:06: %ASA-3-713902: Group = DefaultRAGroup, IP = 217.200.185.232, QM FSM error (P2 struct &0xd8819da8, mess id 0xd148be4a)!
Oct 26 2012 10:36:06: %ASA-7-715065: Group = DefaultRAGroup, IP = 217.200.185.232, IKE QM Responder FSM error history (struct &0xd8819da8)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending delete/delete with reason message
Oct 26 2012 10:36:06: %ASA-3-713902: Group = DefaultRAGroup, IP = 217.200.185.232, Removing peer from correlator table failed, no match!
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, IKE SA MM:1ee358c2 rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, IKE SA MM:1ee358c2 terminating:  flags 0x01010002, refcnt 0, tuncnt 0
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending delete/delete with reason message
Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=ce2eb537) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Oct 26 2012 10:36:06: %ASA-5-713259: Group = DefaultRAGroup, IP = 217.200.185.232, Session is being torn down. Reason: Phase 2 Mismatch
Oct 26 2012 10:36:06: %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 217.200.185.232, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
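The debug above carries the whole story in a handful of syslog IDs: Phase 1 completes (713119), the peer is detected behind NAT (713172), the Quick Mode proxy IDs are host-to-host UDP/1701 (713024/713025, i.e. L2TP/IPsec in transport mode), the static map entries are skipped (713222), the dynamic map is selected (713066), and then every ESP proposal is rejected (713904) and the session is torn down with "Phase 2 Mismatch" (713259). The script below is an added example, not code from the original post or from Cisco: it folds ASA debug lines of that shape into one state record per peer and prints a verdict, so the failing step can be picked out of a long capture instead of read line by line. The SAMPLE lines are constructed from the post's output with documentation IP ranges substituted.

```python
"""Triage ASA IKEv1 debug output for a Quick Mode (Phase 2) failure.

Added example, not code from the original post or from Cisco. Per peer IP it
records the tunnel-group, NAT-detection result, proxy IDs, whether the session
was classified as L2TP/IPsec (UDP/1701, transport mode), the crypto map that
handled Quick Mode, and the terminal reason. Message IDs are the ones visible
in the post; SAMPLE is constructed (documentation IP ranges).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_RE = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3})")
GROUP_RE = re.compile(r"landed on tunnel_group (\S+)")
NAT_RE = re.compile(r"Remote end\s+(IS|is NOT)\s+behind a NAT device")
PROXY_RE = re.compile(r"Address (\S+), Protocol (\d+), Port (\d+)")
MAP_RE = re.compile(r"configured for crypto map: (\S+)")
REASON_RE = re.compile(r"Reason: (.+?)\s*$")

UDP, L2TP_PORT = 17, 1701


@dataclass
class PeerState:
    ip: str
    group: Optional[str] = None
    phase1_done: bool = False                              # 713119
    nat_remote: Optional[bool] = None                      # 713172: peer behind NAT
    remote_proxy: Optional[Tuple[str, int, int]] = None    # 713025: (addr, proto, port)
    local_proxy: Optional[Tuple[str, int, int]] = None     # 713024
    l2tp_detected: bool = False                            # "L2TP/IPSec session detected"
    crypto_map: Optional[str] = None                       # 713066
    static_map_misses: int = 0                             # 713222, one per static entry
    p2_rejected: bool = False                              # 713904
    teardown_reason: Optional[str] = None                  # 713259

    def is_l2tp(self) -> bool:
        """L2TP/IPsec is IKE protecting UDP/1701 addressed to the gateway itself."""
        if self.l2tp_detected:
            return True
        return bool(self.local_proxy) and self.local_proxy[1:] == (UDP, L2TP_PORT)

    def verdict(self) -> str:
        if not self.phase1_done:
            return "Phase 1 never completed: check the IKE policy and pre-shared key"
        if self.p2_rejected:
            kind = "L2TP/IPsec (transport mode, UDP/1701)" if self.is_l2tp() else "IPsec"
            nat = ("peer behind NAT, so NAT-T encapsulation is required"
                   if self.nat_remote else "no NAT between peers")
            return (f"Phase 2 mismatch: {kind} proposal from {self.ip} rejected by "
                    f"{self.crypto_map}; {nat}. Compare the peer's ESP algorithms and "
                    f"mode with the transform sets in that dynamic-map entry.")
        if self.teardown_reason:
            return f"torn down: {self.teardown_reason}"
        return "no failure recorded"


def _proxy(line: str) -> Optional[Tuple[str, int, int]]:
    m = PROXY_RE.search(line)
    return (m[1], int(m[2]), int(m[3])) if m else None


def triage(lines: List[str]) -> Dict[str, PeerState]:
    """Fold ASA debug lines into one PeerState per peer IP."""
    peers: Dict[str, PeerState] = {}
    for line in lines:
        m = IP_RE.search(line)
        if not m:
            continue                 # e.g. failover sync lines carry no "IP = " field
        st = peers.setdefault(m[1], PeerState(ip=m[1]))
        if "%ASA-5-713119" in line:                       # PHASE 1 COMPLETED
            st.phase1_done = True
        elif "%ASA-6-713172" in line:                     # automatic NAT detection
            n = NAT_RE.search(line)
            if n:
                st.nat_remote = n[1] == "IS"
        elif "%ASA-7-713025" in line:                     # remote proxy ID
            st.remote_proxy = _proxy(line)
        elif "%ASA-7-713024" in line:                     # local proxy ID
            st.local_proxy = _proxy(line)
        elif "L2TP/IPSec session detected" in line:
            st.l2tp_detected = True
        elif "%ASA-7-713222" in line:                     # static map entry did not match
            st.static_map_misses += 1
        elif "%ASA-7-713066" in line:                     # map that will handle QM
            c = MAP_RE.search(line)
            st.crypto_map = c[1] if c else None
        elif "%ASA-5-713904" in line:                     # all ESP proposals rejected
            st.p2_rejected = True
        elif "%ASA-5-713259" in line:                     # session torn down
            r = REASON_RE.search(line)
            st.teardown_reason = r[1] if r else "unknown"
        else:
            g = GROUP_RE.search(line)
            if g:
                st.group = g[1]
    return peers


# Constructed sample: the failing L2TP peer from the post (addresses replaced
# with documentation ranges) plus a second peer that never finished Phase 1.
SAMPLE = """\
%ASA-7-713906: IP = 198.51.100.7, Connection landed on tunnel_group DefaultRAGroup
%ASA-6-713172: Group = DefaultRAGroup, IP = 198.51.100.7, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
%ASA-5-713119: Group = DefaultRAGroup, IP = 198.51.100.7, PHASE 1 COMPLETED
%ASA-7-713025: Group = DefaultRAGroup, IP = 198.51.100.7, Received remote Proxy Host data in ID Payload:  Address 10.0.0.5, Protocol 17, Port 58636
%ASA-7-713024: Group = DefaultRAGroup, IP = 198.51.100.7, Received local Proxy Host data in ID Payload:  Address 203.0.113.1, Protocol 17, Port 1701
%ASA-7-713906: Group = DefaultRAGroup, IP = 198.51.100.7, L2TP/IPSec session detected.
%ASA-7-713222: Group = DefaultRAGroup, IP = 198.51.100.7, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:198.51.100.7 dst:203.0.113.1
%ASA-7-713066: Group = DefaultRAGroup, IP = 198.51.100.7, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
%ASA-5-713904: Group = DefaultRAGroup, IP = 198.51.100.7, All IPSec SA proposals found unacceptable!
%ASA-5-713259: Group = DefaultRAGroup, IP = 198.51.100.7, Session is being torn down. Reason: Phase 2 Mismatch
%ASA-7-713906: IP = 198.51.100.9, Connection landed on tunnel_group DefaultRAGroup
"""

if __name__ == "__main__":
    for ip, st in triage(SAMPLE.splitlines()).items():
        print(f"{ip} ({st.group}): {st.verdict()}")
```

Run it against `debug crypto isakmp 127` output captured to a file (one line per syslog message, as in the post). The verdict only tells you which side of the Quick Mode negotiation to look at; it does not guess the fix, because 713904 only says that nothing the peer offered matched the transform sets the selected map entry carries.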

Similar Messages

  • Can a Cisco 2600 router do PPTP,L2TP, and IPSec?

    General question.

    2600 supports L2TP and PPTP with MPPE with an IP PLUS version, and IPsec with a firewall version.

  • L2tp and pptp...

Hi... in Windows Server, creating an L2TP and PPTP server is really a no-brainer. How do I set up L2TP and PPTP on a Cisco router? Thanks :)

  • L2TP and fixed Framed IP Address for VPN user

    Hi,
I have a running L2TP/IPsec VPN setup with authentication against a RADIUS server (freeradius2 with MySQL). I would like some of my VPN users to get a fixed IP address instead of one dynamically assigned from the IP pool.
    The radius server is returning the correct parameters, I think.
    I hope someone can help me.
It's a Cisco 892 Integrated Services Router.
    Router Config:
    =============================================================
    Current configuration : 8239 bytes
    ! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service internal
    hostname vpngw2
    boot-start-marker
    boot config usbflash0:CVO-BOOT.CFG
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 secret
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication login userauthen local group radius
    aaa authentication ppp default group radius local
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa accounting delay-start
    aaa accounting update newinfo
    aaa accounting exec default
    action-type start-stop
    group radius
    aaa accounting network default
    action-type start-stop
    group radius
    aaa accounting resource default
    action-type start-stop
    group radius
    aaa session-id common
    clock timezone CET 1 0
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip domain name aspect-online.de
    ip name-server 10.28.1.31
    ip inspect WAAS flush-timeout 10
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip cef
    no ipv6 cef
    virtual-profile if-needed
    multilink bundle-name authenticated
    async-bootp dns-server 10.28.1.31
    async-bootp nbns-server 10.28.1.31
    vpdn enable
    vpdn authen-before-forward
    vpdn authorize directed-request
    vpdn-group L2TP
    ! Default L2TP VPDN group
    accept-dialin
      protocol l2tp
      virtual-template 1
    no l2tp tunnel authentication
    license udi pid -K9 sn FCZ
    username root password 7 secret
    ip ssh source-interface FastEthernet8
    ip ssh version 2
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp key mykey address 0.0.0.0         no-xauth
    crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
    mode transport
    crypto dynamic-map config-map-l2tp 10
    set nat demux
    set transform-set configl2tp
    crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    no ip address
    spanning-tree portfast
    <snip>
    interface FastEthernet7
    no ip address
    spanning-tree portfast
    interface FastEthernet8
    ip address 10.28.1.97 255.255.255.0
    ip access-group vpn_to_lan out
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface Virtual-Template1
    ip unnumbered GigabitEthernet0
    ip access-group vpn_to_inet_lan in
    ip nat inside
    ip virtual-reassembly in
    peer default ip address pool l2tpvpnpool
    ppp encrypt mppe 128
    ppp authentication chap
    interface GigabitEthernet0
    description WAN Port
    ip address x.x.x.39 255.255.255.0
    ip access-group from_inet in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map vpnl2tp
    interface Vlan1
    no ip address
    shutdown
    ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
    ip local pool remotepool 192.168.252.240 192.168.252.243
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat log translations syslog
    ip nat inside source route-map natmap interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 x.x.x.33
    ip access-list extended from_inet
    <snip>
    ip access-list extended nat_clients
    permit ip 192.168.252.0 0.0.0.255 any
    ip access-list extended vpn_to_inet_lan
    <snip>
    ip access-list extended vpn_to_lan
    <snip>
    deny   ip any any log-input
    logging trap debugging
    logging facility local2
    logging 10.28.1.42
    no cdp run
    route-map natmap permit 10
    match ip address nat_clients
    radius-server attribute 8 include-in-access-req
    radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
    radius-server key 7 mykey
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    mgcp profile default
    banner login ^C
    Hostname: vpngw2
    Model: Cisco 892 Integrated Service Router
    Description: L2TP/IPsec VPN Gateway with Radius Auth
    ^C
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    =============================================================
User Config in RADIUS (trying multiple attributes):
    =============================================================
    Attribute          | op | Value
    Service-Type       | =  | Framed-User
    Cisco-AVPair       | =  | vpdn:ip-addresses=192.168.252.220
    Framed-IP-Address  | := | 192.168.252.221
    Cisco-AVPair       | =  | ip:addr-pool=remotepool
    =============================================================
    Debug Log from freeradius2:
    =============================================================
    rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
            Framed-Protocol = PPP
            User-Name = "me1"
            CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry DEFAULT at line 172
    ++[files] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    rlm_sql (sql): Reserving sql socket id: 4
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'me1'           ORDER BY id
    [sql] User found in radcheck table
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'me1'           ORDER BY id
    [sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'me1'           ORDER BY priority
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = CHAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group CHAP {...}
    [chap] login attempt by "me1" with CHAP password
    [chap] Using clear text password "test" for user me1 authentication.
    [chap] chap user me1 authenticated succesfully
    ++[chap] returns ok
    Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 7 to 10.28.1.97 port 1645
            Framed-Protocol = PPP
            Framed-Compression = Van-Jacobson-TCP-IP
            Framed-IP-Address := 192.168.252.221
            Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
            Service-Type = Framed-User
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            User-Name = "me1"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Acct-Authentic = RADIUS
            Acct-Status-Type = Start
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:07 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): Released sql socket id: 3
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
    Finished request 1.
    Cleaning up request 1 ID 19 with timestamp +53
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
            User-Name = "me1"
            Acct-Authentic = RADIUS
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=100000000"
            Cisco-AVPair = "nas-rx-speed=100000000"
            Acct-Session-Time = 5
            Acct-Input-Octets = 5980
            Acct-Output-Octets = 120
            Acct-Input-Packets = 47
            Acct-Output-Packets = 11
            Acct-Terminate-Cause = User-Request
            Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
            Acct-Status-Type = Stop
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:12 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Input-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Input-Octets} -> 5980
    [sql]   expand: %{Acct-Output-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Output-Octets} -> 120
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}' ->            UPDATE radacct SET              acctstoptime       = '2012-03-30 11:20:12',              acctsessiontime    = '5',              acctinputoctets    = '0' << 32 |                                   '5980',              acctoutputoctets   = '0' << 32 |
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
    Finished request 2.
    Cleaning up request 2 ID 20 with timestamp +58
    Going to the next request
    Waking up in 0.1 seconds.
    Cleaning up request 0 ID 7 with timestamp +53
    Ready to process requests.
    =============================================================
    Log From Cisco Router:
    =============================================================
    Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
    Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
    Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
    Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
    Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS:  authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
    Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS:  CHAP-Password       [3]   19  *
    Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
    Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS:  authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
    Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
    Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.221
    Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS:  Vendor, Cisco       [26]  41
    Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS:   Cisco AVpair       [1]   35  "vpdn:ip-addresses=192.168.252.220"
    Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
    Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
    Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS:  authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
    Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:07 vpngw2 1258: L2TP                   [3]
    Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS:  authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
    Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
    Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
    Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS:  authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
    Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:12 vpngw2 1292: L2TP                   [3]
    Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  59
    Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   53  "ppp-disconnect-cause=Received LCP TERMREQ from peer"
    Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-tx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-rx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Time   [46]  6   5
    Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Octets   [42]  6   5980
    Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Octets  [43]  6   120
    Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Packets  [47]  6   47
    Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Packets [48]  6   11
    Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
    Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  39
    Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=PPP Receive Term"
    Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
    Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS:  authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
    Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
    Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
    =============================================================

    I found the failure.
    In the Cisco config it must be
    aaa authorization network default group radius local
    not
    aaa authorization network groupauthor local
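    The router log above shows the symptom behind this fix: the Access-Accept for session 00000015 carries Framed-IP-Address 192.168.252.221, but the Accounting-Start for the same session reports Framed-IP-Address 192.168.252.9, so the attributes FreeRADIUS returned were never applied to the PPP session. That is consistent with network authorization living only on a named list that nothing references, which is what the poster corrected. The script below is an added example, not part of the original post: it parses Cisco "debug radius" output, pairs each Access-Accept with the Accounting-Start of the same session, and flags sessions whose granted and used addresses differ. The embedded log excerpt is a constructed, trimmed copy of the lines above.

```python
"""Correlate Cisco IOS 'debug radius' lines: RADIUS-granted vs. NAS-applied address.

Added example. SAMPLE_LOG is a constructed, trimmed copy of the kind of lines
the router log above contains (syslog prefixes removed).
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
RADIUS:  User-Name           [1]   5   "me1"
RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
RADIUS:  Framed-IP-Address   [8]   6   192.168.252.221
RADIUS:   Cisco AVpair       [1]   35  "vpdn:ip-addresses=192.168.252.220"
RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
RADIUS:  User-Name           [1]   5   "me1"
RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
"""

# "RADIUS(<session>): Send <type> to <server> id <port/id>, len N"
SEND_RE = re.compile(r"RADIUS\((?P<sid>[0-9A-Fa-f]+)\): Send "
                     r"(?P<kind>Access-Request|Accounting-Request) to \S+ id (?P<rid>\S+),")
# "RADIUS: Received from id <port/id> <server>, <type>, len N"
RECV_RE = re.compile(r"RADIUS: Received from id (?P<rid>\S+) \S+, "
                     r"(?P<kind>Access-Accept|Access-Reject|Accounting-response),")
# "RADIUS:  <Attribute-Name> [<type>] <len> <value>"  (name may contain a space, e.g. "Cisco AVpair")
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>.+?)\s*\[\d+\]\s+\d+\s+(?P<value>.*)$")


@dataclass
class Session:
    sid: str
    accept: dict = field(default_factory=dict)      # attributes the server returned
    acct_start: dict = field(default_factory=dict)  # what the NAS reported in Acct-Start


def _clean(value: str) -> str:
    """Strip quotes from string attributes; drop the trailing '[n]' of enumerated ones."""
    v = value.strip()
    if v.startswith('"'):
        return v.split('"')[1]
    return v.split()[0] if v else ""


def parse_radius_debug(text: str) -> dict:
    sessions, rid_to_sid, target = {}, {}, None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            sess = sessions.setdefault(m["sid"], Session(m["sid"]))
            rid_to_sid[m["rid"]] = m["sid"]
            # accounting attributes go to a scratch dict until Acct-Status-Type tells us Start/Stop;
            # attributes of the Access-Request itself are not needed for this check
            target = (sess, {}) if m["kind"] == "Accounting-Request" else None
            continue
        m = RECV_RE.search(line)
        if m:
            sess = sessions.get(rid_to_sid.get(m["rid"]))
            target = (sess, sess.accept) if sess and m["kind"] == "Access-Accept" else None
            continue
        m = ATTR_RE.search(line)
        if m and target:
            sess, attrs = target
            attrs[m["name"]] = _clean(m["value"])
            if m["name"] == "Acct-Status-Type" and attrs[m["name"]] == "Start":
                sess.acct_start = attrs
    return sessions


def find_unapplied_authorization(sessions: dict) -> list:
    """Sessions where the address granted in Access-Accept differs from the one the NAS used."""
    findings = []
    for s in sessions.values():
        granted = s.accept.get("Framed-IP-Address")
        used = s.acct_start.get("Framed-IP-Address")
        if granted and used and granted != used:
            findings.append((s.sid, s.acct_start.get("User-Name"), granted, used))
    return findings


if __name__ == "__main__":
    for sid, user, granted, used in find_unapplied_authorization(parse_radius_debug(SAMPLE_LOG)):
        print(f"session {sid} user {user}: RADIUS granted {granted}, NAS used {used} "
              "-> authorization attributes not applied (check 'aaa authorization network default')")
```

    Run it against a full "debug radius" capture by replacing SAMPLE_LOG with the file contents; the syslog prefixes in front of each line are ignored because every pattern is searched, not anchored.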

  • EToken and vpnclient on linux

    Hello! Does Cisco vpnclient for linux support eToken?

    Using versions of the Aladdin Runtime Environment (RTE) on Windows NT and Windows 2000 can cause the following behavior. The login prompt that is posted by the Aladdin eToken when connecting the VPN Client can get hidden in the background. If this happens, the VPN connection can time out and fail with the following event:

  • Client initiated L2TP and control channel passwords

    I am building a CVS application for CPEs that use the client-initiated tunneling feature. The IOS version is 12.4(6)T3. The l2tp-class is
    configured as below:
    l2tp-class l2tpclass1
    password 7 15145D015037812E70
    The password string changes at a regular interval. I have two questions w.r.t. the password changes.
    1) Why does this happen? I have not seen this happening with other passwords that use encryption type 7. I could not find any references to this in the "L2TP Control Channel Authentication Parameters" documentation.
    2) Is there a way to stop this behavior? Currently a diff is generated even though the actual configuration has not changed, because of the change in the password string.
    Regards,
    - Gaurav

    If you configure "username xxxx password yyyyy" on a system, the encrypted form of the password will in fact change each time you do a "write memory". This is part of a "random seed" that's supposed to make the coded password harder to crack. If the box was actually configured by reading an NV config that contains the "password 7 151E080214382420" form, it should stay that way (basically, the internal format used to store the password is always the form it was "entered" in, and the password is encrypted appropriately, if it's not already encrypted, when you do the write).
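    The mechanism behind the changing string, as an added illustration that is not from the original thread: IOS type 7 is a fixed-key XOR scheme. The first two characters of the stored value are the starting offset into a public 53-character key, and IOS chooses that offset afresh when it re-encodes the password, so one plaintext has sixteen different valid encodings and a plain text diff of the configuration sees a change where none exists. The Python below is my code, not Cisco's: it encodes and decodes type 7 strings and compares two stored values by what they encode, which is the comparison a config-diff tool needs. The two vectors "104D000A0618" and "0822455D0A16" are widely published examples that both encode "cisco"; the page's own l2tp-class string is deliberately not decoded here. The caveat that goes with it: type 7 is reversible by anyone who can read the configuration, and an L2TP control-channel password must be recoverable by the router anyway, so the real control is restricting who can read the running and startup config, not the encoding.

```python
"""IOS type 7 ("service password-encryption") encode/decode.

Added example, not Cisco's code. Demonstrates why the stored string changes
while the secret does not, and how to compare two stored values correctly.
"""

# Public, fixed key shared by every type 7 implementation; the two leading
# decimal digits of a stored value are the starting offset into it.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: int) -> str:
    """Return the type 7 form of plaintext using starting offset seed (IOS uses 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("ascii")
    body = "".join(f"{b ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, b in enumerate(data))
    return f"{seed:02d}{body}"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext; raises ValueError on a malformed string."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)                  # offset is two decimal digits
    data = bytes.fromhex(encoded[2:])            # ValueError on non-hex input
    return bytes(b ^ ord(XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data)).decode("ascii")


def same_secret(a: str, b: str) -> bool:
    """Compare two type 7 strings by what they encode, not by their text."""
    return type7_decode(a) == type7_decode(b)


def normalize_type7(encoded: str) -> str:
    """Re-encode with offset 0 so that a config diff sees one stable form per secret."""
    return type7_encode(type7_decode(encoded), 0)


if __name__ == "__main__":
    for s in ("104D000A0618", "0822455D0A16"):
        print(f"{s} -> {type7_decode(s)!r} (normalized {normalize_type7(s)})")
    # The same plaintext, sixteen different stored strings: this is the "diff" the question asks about.
    forms = {type7_encode("L2tpSharedSecret", seed) for seed in range(16)}
    print(len(forms), "distinct encodings; same_secret over any pair:",
          all(same_secret(x, y) for x in forms for y in forms))
```

    Feed normalize_type7 to whatever produces your configuration diffs (apply it to the hex token after "password 7") and the spurious changes disappear without the plaintext ever being written out.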

  • L2TP and TACACS+

    Hello.
    I have a PPTP server on my Cisco 3845 router with authentication against a freeware TACACS+ server (Linux). TACACS sets an ACL and IP address for users.
    Recently my employers decided to migrate to L2TP over IPsec. Moreover, the old PPTP server should keep working.
    Can I use the TACACS server to authenticate L2TP users?
    I have a config like this on TACACS:
    user = user1 {
            chap = cleartext "password"
            member = vpdn
            service = ppp protocol = ip {
                    addr = 172.20.20.200
                    inacl = 2005
            }
    }
    Sorry for my English.

    Please see the document below. It describes how to configure Layer 2 Tunnel Protocol (L2TP) with TACACS+, and includes sample configurations for L2TP Access Concentrator (LAC) TACACS+ servers, L2TP Network Server (LNS) TACACS+ servers, and routers.
    http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080118d5f.shtml

  • WRT300N Firmware Version: v1.51.2 L2TP problem :( Please help! And hurry.

    OK so, I changed to a different internet provider, for online games. "Gamer internet."
    But now they said I have to type those lines into L2TP to connect to their server for better ping in online games.
    I typed the username and password that they gave me,
    and Host Name gch.bezeqint.net.
    But now when I press "connect", after a few refreshes I'm getting this error: "Can not connect to L2TP server"
    They said there's nothing to do and I need a new router. But my router is a good one, new and expensive; I'm not going to give up. Any way to fix this?
    I GOT ONLY 22 HOURS TO FIX THIS!! So please help.
    Sorry for bad English, I really hope you get what I'm trying to say!
    Will upgrading the firmware help?
    Thanks to all!
    NOTE*** RIGHT NOW I'M USING DHCP.
    Message Edited by Igurvitz on 12-22-2008 09:02 AM

    I typed the username, password and hostname in 192.168.1.1 >> L2TP.
    And my provider is Cable not DSL, or maybe both, but I have a cable... I know I can call them and make myself L2TP by default, but I have 3 PCs in my house and I want them to have internet of course, but my router (Linksys WRT300N) does not want to work with L2TP.

  • WRV200 - Problems with VPN Client and Internal network access

    I have a WRV200 router and want to access the internal (Private Network) connected on the inside. I have successfully connected to the router with the Linksys VPN Client, but it does not appear to allow access to the internal network.
    How do I enable NAT Traversal or Passthrough? I have already selected all of the PPTP, L2TP and IPSEC Pass Through options.
    Has anyone gotten this to work?

    I have actually gotten this to work. Issues surrounding this include the ability to get to the VPN if the main DNS is down (it does not fail over to the next DNS in the list).
    If you unselect all of the boxes in the firewall General configuration, you can connect, but if you need to have all of this unchecked, what's the sense of having it?
    Anyway, you can use the DoS Prevention; this is not interfering.
    HTH.

  • How can I configure Lion server to accept inbound VPN (L2TP) connections while connected as client to another vpn service?

    I have what I believe to be a unique need.
    I have a MacPro (1,1) running Lion with the Server app.
    I require that this particular machine be connected as a client to a VPN server, while at the same time acting as a VPN server for my network.
    The PPTP connection configuration is such that "Send all traffic over VPN connection" is checked.
    If the PPTP client is NOT connected, I can connect to Lion as a VPN server. As soon as I make the connection from Lion as a client, I can no longer
    connect to the Lion VPN server.
    I understand this is because I am forcing all traffic out the virtual interface (tun0) and eth0 is no longer listening on the local network.
    1. Is it possible to bind the VPN client (on Lion Server) to a particular interface? If I could tell the PPTP client to only use eth1 as the interface of choice, my assumption would be that eth0 would then be free to accept incoming connections.
    2. Is it possible to bind the VPN service (on Lion Server) to a particular interface? If I could tell the VPN service to only listen on eth1, and in turn tell the PPTP client to NOT communicate on eth1 but only eth0, then perhaps I could separate the communications?
    In my head, it seems as though both of the above options would be required in order to use Lion as both a VPN server and VPN client.
    Any and all help appreciated.

    This is a standard facet of most VPNs: the problem lies in your NAT router, since both clients appear to come from the same IP address as far as the VPN server is concerned, and the router can't separate out the traffic.
    There are a couple of solutions.
    First, the built-in VPN server supports the L2TP and PPTP protocols. You should be able to connect one system under each protocol, so that gets your two machines connected.
    Second, you can replace your NAT router with one that supports multiple VPN clients (often termed 'VPN passthrough').
    Third, set up a site-to-site tunnel so that your entire LAN is connected to the VPN (this saves you from having to run a separate VPN client on each machine, but is typically only worth it when you have more machines).

  • L2TP w/ PSK unable to connect via the phone dataplan, has anyone come across this?

    I have been messing around with this on my Galaxy Nexus with Android 4.0.2 and have confirmed the following settings for VPNs to our corporate firewall.
    PPTP over Dataplan CDMA -- Everything works fine
    PPTP over Dataplan LTE -- Untested due to lack of availability where I live and work, will test at a later date.
    PPTP over WiFi -- Everything works fine
    L2TP over Dataplan CDMA -- Connection timeout
    L2TP over Dataplan LTE -- Untested due to lack of availability where I live and work, will test at a later date.
    L2TP over WiFi -- Everything works fine
    OpenVPN not supported without rooting the phone -- Verizon, please add this functionality to your base ROMs for all of your phones.
    The reason I ask about anyone coming across this or having a fix is that PPTP may work, but it's old/insecure comparatively and may be going away in a future stable tree release of the corporate firewall I work with. Full support of L2TP and/or OpenVPN/SSL-VPN would make life a lot easier for us techs who need to bounce into a server quickly and do what's needed when having a PC at hand is impossible, i.e. at a sit-down restaurant. If you need logs of the connect attempt let me know and I'll get them to you. I did however see this error posted on the Samsung Fascinate forum as well.

    As of yet no, they are on my list of people to call, but I won't be able to get to that call until a little later. Once I do call Verizon Tech Support I will reply to the post here if it hasn't been answered by someone who has come up with a workaround for the issue.

  • WRVS4400N Won't allow L2TP traffic to passthrough

    The latest in a series of issues with the WRVS4400N:
    As any Mac user knows, you cannot connect to this device with QuickVPN, as there is no Mac version of QuickVPN. That leaves us with one of two options:
    1) Obtain IPSecuritas and configure an IPSec tunnel with it. Problematic for many, but it can be done. I've been doing it for two years, but recently learned that with this configuration, you can't route all network traffic over the VPN (email, web browsing, etc.), which is sometimes a security concern when on public wifi. This leaves you with solution 2:
    2) Get some other VPN device and put it behind the Linksys router and set up the Linksys to pass through VPN traffic, and/or forward the necessary ports.
    I am running both a PPTP and L2TP server on Mac OS X Server behind the WRVS4400N. I have the 4400N set up to pass through all VPN traffic (select the enable circle for IPSec, PPTP, and L2TP on the VPN Passthrough tab).
    After forwarding the appropriate port (1723) to the OS X server's IP address, PPTP goes through just fine.
    L2TP is a problem, though. Nothing I try gets through this 4400N. As stated above I have L2TP passthrough enabled. I have also forwarded ports UDP 500, UDP 4500 and even TCP/UDP 1701 to the L2TP server's IP address. No go, no traffic gets through.
    Suspecting it was something wrong with my L2TP server or client settings, I put the L2TP server into a DMZ zone. Voila! L2TP traffic connects as expected. This proves it is the WRVS4400N not doing its thing.
    I have checked the logs on the WRVS4400N and nothing appears at all. I thought maybe that it is reading the L2TP traffic as IPSec traffic destined for its internal IPSec server, even though I don't have any IPSec tunnels or QuickVPN accounts set up on the WRVS4400N, but with the lousy logging and no ip_conntrack tables in this version of the firmware, I don't know what else to check.
    I am using Firmware v1.0.16 because v1.1.03 is not stable on my router. Using that firmware leaves the router in a corrupted state requiring a power cycle to reset it after any IPSec connection is shut down.
    Can anyone suggest what I am missing or doing wrong in getting the WRVS4400N to actually pass through my L2TP traffic to the working L2TP server?
    /rant: I have to say I am beginning to hate the WRVS4400N. This temperamental beast has caused a lot of frustration and long hours over the past two years; in hindsight, considering the hours (in excess of 100, seriously) I have put in to trying to get various forms of VPN working on it, I should have just moved on to a more stable and flexible router.

    gv wrote:
    1. Never ever forward L2TP port 1701. That's a security risk. Port 1701 is not supposed to be accessible from the internet.
    2. Running an IPSec server behind a NAT gateway is a very bad idea and is either very difficult or impossible depending on the server software and kernel version on the server machine. In particular you usually see a lot of problems if the client as well is behind a NAT gateway.
    3. Turn off the L2TP and IPSec passthrough options. Passthrough is difficult because NAT will modify the packets passing. When you disable the passthrough options the VPN client and server should switch to encapsulation through UDP port 4500.
    Thanks for the reply. Comments/follow-up on each of your numbered responses:
    1) Port 1701 is off. Plenty of sites insist it must be open, so I tried it out of desperation. Lots of bad information on the internet, as we all know.
    2a) My IPSec server has always been the NAT gateway itself (the WRVS4400N). That's not the problem. My issue with leaving the setup that way is that Linksys has ZERO support for Mac OS X to connect to the WRVS4400N's IPSec VPN. QuickVPN is only offered for Windows OS, and Cisco VPN Client for OS X will not connect with the WRVS4400N. This leaves me with having to use third-party client solutions which work flawlessly and completely with other hardware but not with the WRVS4400N.
    I'd actually be happy with that solution if I could route all traffic (web and email especially) over the VPN tunnel. This won't work with the only solutions I have for using IPSec on a Mac to connect to the network. I've considered establishing SSH tunnels binding the various ports, but proxies, slower performance and other issues make that less than desirable. Very frustrating.
    I guess since L2TP uses IPSec, your point is relevant, but I don't understand why, if IPSec behind a NAT gateway is such a bad idea, EVERY router on the market offers IPSec passthrough in its specs.
    If it's so problematic, and such a bad idea, why allow it? Especially on devices marketed to SOHO consumers who are bound to have less networking savvy? In fact, the Linksys products ship with these options ENABLED by default.
    3) I've done all that.
    Here are log entries from the WRVS4400N for a few combinations of passthrough and port forwarding:
    Passthrough disabled, ports forwarded
    Dec 7 07:38:40 - Drop by Port Scan UDP
    Dec 7 07:41:25 - UDP Packet - Source:xxx.xxx.xxx.xxx,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
    Dec 7 07:41:30 - [VPN Log]: shutting down
    Dec 7 07:41:30 - IPSEC EVENT: KLIPS device ipsec0 shut down.
    Dec 7 07:41:32 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
    Dec 7 07:41:32 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
    Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
    Dec 7 07:41:32 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
    Dec 7 07:41:32 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
    Dec 7 07:41:32 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Dec 7 07:41:32 - [VPN Log]: starting up 1 cryptographic helpers
    Dec 7 07:41:32 - [VPN Log]: started helper pid=11543 (fd:5)
    Dec 7 07:41:32 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
    Dec 7 07:41:32 - [VPN Log]: Warning: empty directory
    passthrough enabled, ports not forwarded
    Dec 7 07:47:28 - [VPN Log]: shutting down
    Dec 7 07:47:28 - IPSEC EVENT: KLIPS device ipsec0 shut down.
    Dec 7 07:47:31 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
    Dec 7 07:47:31 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
    Dec 7 07:47:31 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
    Dec 7 07:47:31 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
    Dec 7 07:47:31 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
    Dec 7 07:47:31 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Dec 7 07:47:31 - [VPN Log]: starting up 1 cryptographic helpers
    Dec 7 07:47:31 - [VPN Log]: started helper pid=12590 (fd:5)
    Dec 7 07:47:31 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
    Dec 7 07:47:31 - [VPN Log]: Warning: empty directory
    passthrough enabled, ports forwarded
    BLANK LOG!  Not a single entry in the WRVS4400N's log files.
    Remember, there is nothing wrong with my client or server software, as demonstrated by bypassing the WRVS4400N.  L2TP connections work fine until the WRVS4400N is in the mix. 
    So, I'm back to the same original question:
     How do I enable L2TP traffic to an L2TP server behind a WRVS4400N in a manner that actually works...? 
    Message Edited by DistortedLoop on 12-07-2008 08:02 AM

  • Could somebody explain to me how to set up a VPN on my iMac and access it on iPhone and computer?

    I'm mainly using it to bypass an internet block. Could you explain in detail how to set up a vpn that will also work on iPhone? Do you have any recommended applications for me to install? Thank you

    To run a public VPN server behind an NAT gateway, you need to do the following:
    1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
    2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
    3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
    If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
    Allow incoming IPSec authentication
    if it's not already checked, and save the change.
    With a third-party router, there may be a similar setting.
    4. Configure any firewall in use to pass this traffic.
5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/0 with a 24-bit netmask.
    6. "Back to My Mac" on the server is incompatible with the VPN service.
    If the server is directly connected to the Internet, see this blog post.
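The two checks in that list that are easy to get wrong are step 3 (the four port forwards) and step 5 (the VPN pool must not overlap any client's home LAN). The script below is an added example written for this page, not code from the thread or from Apple; it assumes the answer's "random sub-block" means a random /24 inside the RFC 1918 range 10.0.0.0/8, and the function names (`missing_forwards`, `overlaps`, `pick_pool`) are my own. It only needs the standard library and runs offline.

```python
"""Added example: checks for the NAT-gateway VPN checklist above.

Not code from the thread. Assumes the answer's "random sub-block" means a
random /24 taken from the private range 10.0.0.0/8.
"""
import ipaddress
import random

# Step 3: the (protocol, port) pairs the answer says must reach the VPN server.
REQUIRED_FORWARDS = {
    ("udp", 500),   # IKE
    ("udp", 1701),  # L2TP
    ("udp", 4500),  # IKE / ESP NAT-Traversal
    ("tcp", 1723),  # PPTP control channel
}

# Assumption: the pool is drawn from RFC 1918 10.0.0.0/8 (65536 possible /24s).
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")


def missing_forwards(configured):
    """Return the step-3 forwards absent from a router's forward list.

    `configured` is an iterable of (proto, port) pairs as read off the router
    page; protocol names are case-insensitive and ports may be strings.
    """
    present = {(str(proto).lower(), int(port)) for proto, port in configured}
    return REQUIRED_FORWARDS - present


def overlaps(vpn_pool, client_lan):
    """True if the VPN pool and a client's local netblock share any address (step 5).

    strict=False accepts host-style notation such as 10.0.1.0/16 (the answer's
    own conflicting example); it is normalised to 10.0.0.0/16 before comparing.
    """
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    lan = ipaddress.ip_network(client_lan, strict=False)
    return pool.overlaps(lan)


def pick_pool(client_lans, seed=None, attempts=1000):
    """Pick a random /24 inside 10.0.0.0/8 that overlaps none of the known client LANs.

    Re-drawing on a collision keeps the result clear of every LAN you already
    know about; the randomness keeps the odds of clashing with an unknown home
    network low. A fixed `seed` makes the choice reproducible.
    """
    rng = random.Random(seed)
    lans = [ipaddress.ip_network(n, strict=False) for n in client_lans]
    blocks = PRIVATE_10.num_addresses // 256          # number of /24s in 10/8
    for _ in range(attempts):
        base = PRIVATE_10.network_address + rng.randrange(blocks) * 256
        candidate = ipaddress.ip_network((int(base), 24))
        if not any(candidate.overlaps(lan) for lan in lans):
            return candidate
    raise RuntimeError("no free /24 found; the known client LANs cover too much of 10.0.0.0/8")


if __name__ == "__main__":
    # Constructed sample input: what a half-finished router page might show.
    router_forwards = [("UDP", "500"), ("UDP", "4500")]
    print("still missing:", sorted(missing_forwards(router_forwards)))
    print("10.0.0.0/24 vs 10.0.1.0/24 overlap:", overlaps("10.0.0.0/24", "10.0.1.0/24"))
    print("10.0.0.0/24 vs 10.0.1.0/16 overlap:", overlaps("10.0.0.0/24", "10.0.1.0/16"))
    print("suggested pool:", pick_pool(["10.0.1.0/16", "192.168.1.0/24"], seed=7))
```

Run it once with the client networks you already know about (home routers commonly hand out 192.168.0.0/24, 192.168.1.0/24 or 10.0.0.0/24, so those are worth listing) and put the suggested /24 into the VPN service's address range; re-run `missing_forwards` against the router's forward table after saving changes, since some routers silently drop a rule when the same port is entered twice.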

  • Help setting up Leopard Server(Standard) and VPN

    Hello,
    Here is my set up:
    We have a static IP.
    ADSL Netgear Router takes in the internet connection. (Not sure what the version is, but it had a VPN wizard).
    Latest Aiport BS serves just the wireless.
    Leopard Server in Standard Mode.
    For the life of me I can't get the VPN working. I can't even make the server public. Granted I am out of my depth, but I am endeavouring to learn; there just seem to be so many boxes to tick with servers that I never even know where I am up to.
    For the 3 items in my setup above, what should the settings be starting to look like?
    If I type our server's FQDN into Safari I am told that the server does not exist, but I can't work out how to make it available to the public. I am guessing that if I can't see the server via a browser then I am never going to be able to connect via VPN?
    If you know of any other questions that I should be asking too, please let me know. My googling is getting me nowhere. I have even been doing the lynda.com tutorials on Leopard Server. So I promise that I am trying.

    Hi
    Perhaps if I broke it down in these two ways.
    (a) There is nothing stopping you from using the built-in Routing Services in Leopard Server. To make things clearer, these 'Routing' Services would be VPN, Firewall, NAT, DHCP and possibly DNS. Basically and simply, if your server (by that I mean the hardware you are using to be your server) has two ethernet ports and your ISP-supplied broadband service is by DSL Cable Modem, then you don't need a 3rd-Party Router. You can simply connect the ethernet cable from your Cable Modem directly into one ethernet port (this would be the WAN/Public/External connection). The other ethernet port can be connected directly to your network switch/hub (a switch would be better). This would be your LAN/Private/Internal connection. Running Gateway Assistant will help you configure the Server (simply, to begin with) to 'share' the internet connection on your WAN port with any client computer configured to use your LAN port. It is NAT that basically fulfils this function. The Firewall Service will allow any request that comes from your 'trusted' LAN access to the Internet using the WAN port. Any 'untrusted' request trying to gain access to your LAN from the Internet is blocked by your Firewall unless you configure your Firewall to allow it through. The VPN Service, along with the DHCP Service, can be configured to allow trusted remote clients to access your Server as well as the private network, as if that remote client were actually at your Server's location. Remote client access is achieved by simply keying in the fixed external IP Address that is used at your Server's location in Internet Connect, as well as a name and password that is configured on the Server.
    (b) You purchase a 3rd-Party Router to do all this for you and dispense with the built-in tools on the Server. Simply configure the Router to allow VPN passthrough. There are 3 basic VPN connection methods: PPTP, L2TP and IPSec (ISAKMP). Each of them offers an increasingly more secure method. Depending on which method you finally decide on, it may mean using additional 'client' software not available as standard on the client OS.
    Back to (a): If your internet connection is down a phone line then you would need to use an ADSL Modem Router anyway. For me it does not make much sense to connect the LAN side of this Router to your Server and then further configure the Server to do something the Router can already do for you, in most cases better and more simply. Why complicate things trying to do this server side when by your own admission 'I am not getting it/anything'?
    There is some excellent advice on these forums regarding VPN; have you searched for it? If you have and you are still struggling to understand this, then perhaps it may be more beneficial, as well as being cost effective, to get a professional in to do this for you. You would benefit enormously, as not only will you see how it gets done but you will also be able to ask questions that may make the whole concept of VPN and networking in general more understandable.
    Hope this helps, Tony

  • L2TP | Logon Failure with domain name but success with .local

    Hi,
    I am trying to use L2TP and failing. When trying within the work LAN using myserver.local it works a treat. When I try myserver.company.co.uk it asks me to log in, then fails with a very brief message giving nothing away.
    I managed to get PPTP to work fine (once I had opened the AFP port on my firewalled router) but would prefer to use L2TP. I have seen others are having the same problem but can find no solution to sort it for me.
    SETUP:
    10.5.6 fully updated server plugged into switch running usual standalone services plus DNS. Netgear ADSL router plugged into switch and providing firewall, DHCP and NAT. Ports open and passing to myserver: 4500 UDP, 500 UDP, 1701 UDP (and 1723 TCP).
    myserver.company.co.uk is pointing to our static IP, from our ISPs DNS.
    Any help would be appreciated.
    Thanks.

    I'm no expert, but if you are using Kerberos to log in and you are getting generic DNS through your ISP then you'll have to use CHAP to log in. I don't know if this applies to your situation, but those are a couple of things I can think of.
    Best,
    EMACKIII
