NETWORKING: PPTP vpn routing issue.
I tried this on many MACs since 10.4 till my actual 10.8.2.
PPTP connection against atipical subnet 192.168.0.0/23.
The RAS server has a 192.168.1.71 wich is the gateway for the destination 192.168.1.0/24 in my routing table.
The Apple client can only connect to 192.168.1.0/24 subnet, while in the remote 192.168.0.0/23 includes 192.168.0.1-192.168.1.254.
If i manually add the route 192.168.0.0/24 192.168.1.71 it works like a charm.
No matter to say it is a Windows PPTP RAS and that no Windows client of any version (XP-8) has this networking issue.
By now, i'm using a little bash script i send to ppl using MAC that need to connect to the vpn, that adds the route.
Thanks in advance, any help will be highly appreciated!
Just hold comments on this one for the moment. I have stripped the config completely (including not having a Management Interface) and it is working now. Need to test further and get the config back to what it should be.
Similar Messages
-
Pptp VPN route : Leopard does not set correct netmask
Hello
Today I switched from a MacOSX 10.4.11 (Tiger) PowerBook to a MacOS 10.5.5 (Leopard) MacBook Pro. I configured my pptp VPN settings with the "Internet Connection Tool" and Network-Settings-panel on Leopard identically as on my Tiger PowerBook (option route all traffic over VPN on both systems disabled).
As far I could connect on the Leopard system to the destination VPN server without any problem, but could only establish a traffic-connection to the VPN server it self. As on my Tiger system the VPN connection worked seamless over several years now I supposed some routing problem.
In fact on the Tiger system the routing table showed me, that the destination network has a 255.255.0.0 network mask and was correctly received and set on the Tiger routing table, but that the Leopard systems assumes a 255.255.255.0 network mask and set this assumption to the its routing table: (destination LAN has address space 10.50.0.0 - 10.50.255.255 / netmask 255.255.0.0)
Tiger 10.4.11 :
10.50/16 ppp0 USc 0 0 ppp0
Leopard 10.5.5 :
10.50/24 ppp0 USc 0 0 ppp0
In the Leopard vpn setting panel, there is also the possibility to set manually the destination ip-address and netmask, but I found it has no effect on the real setting on Leopard. The only way to set the correct route with the correct netmask is under Leopard to do it by the command shell - first deleting the route set by Leopard and setting a new route with a the correct netmask :
route delete -net 10.50. -interface ppp0
route add -net 10.50. -interface ppp0 -netmask 255.255.0.0
I do not understand, why under Tiger (and also on MacOSX 10.3.X) the pptp VPN worked always correct and set the correct netmask, and now Leopard (MacOSX 10.5.X) does some kind of assumption and is not able to set the correct netmask.
Any Ideas ?How did you determine that partial traffic is sent through the VPN?
Basic principles of VPN is to avoid using a common subnet for your client ip pool. Having an uncommon subnet will solve your #2 issue below. Simply change the 3rd octet on your home network from .1 to something else, .11
I have a working pptp server configuration on ubuntu 10 with iphone 3g iOS 4.1 connected, invested hours of research, but only a short time configuring the server and iphone vpn client. passing internet traffic through local gateway/router from work wi-fi and accessing local desktop using windows remote desktop lite app. -
Hi,
I'd like to request an update for an issue raised in another topic re vpn in osx (10.4).
ref: http://discussions.apple.com/thread.jspa?messageID=722699
Specifically, the apple PPTP VPN needs to provide a way to specify which IPv4 subnets should be routed along the vpn tunnel.
For example, my company vpn connects using a 172.16... ip address, however while I need to access some other subnets (administration/fileservers etc) via the vpn tunnel, I don't want to send ALL my internet traffic to the vpn.
I could probably fix this by messing with the system scripts from the unix commandline, but would much rather have an eta for an apple provided/supported fix.
Can anyone help.
Graeme
Powerbook G4 1.25Ghz Mac OS X (10.4.6)I understand wanting a nice Apple solution.
Seems like it would be pretty easy to do, but
writing a small script isn't too hard either.
Here is my /etc/ppp/ip-up which routes traffic to
10.46.0.0/16 over the PPTP VPN.
Cheers,
Steve
#!/bin/sh
NET=`echo $5 | cut -d. -f1,2,3`.0
case $NET in
10.46.129.0) /sbin/route add -net 10.46.0.0 $5 255.255.0.0;;
esac
MacBook Mac OS X (10.4.6) -
Lion 10.7.4 PPTP VPN MPPE Issues
Hey people,
I recently upgraded my server from Snow Leopard Server to Lion Server, and updated to 10.7.4. I know Lion Server didn't offer a GUI for PPTP configuration before 10.7.3, but after the update I figured I'd give it a shot. I kinda wish I hadn't.
I've setup VPN through the Server app, basically leaving all the settings to their default. I'm trying to connect to the server locally, so I know port forwarding isn't the issue. I only want to get PPTP working; since one of the L2TP ports is the same as the Back to my Mac through iCloud port (I think it's 4500 or something), I wanted to go with the PPTP so I could also have Back to my Mac (don't ask why I want both).
Anyway, the issue is in connecting to the server locally, I get an error in the log file about how MPPE is required, but keys are not available. I know what MPPE is, and even followed the support doc from http://support.apple.com/kb/TS4241, but it didn't help. Client-side, I'm getting the error "A connection could not be established to the PPP server. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."
I've copied the log file below. Please let me know if I missed any information; I'm in a bit of a rush and had to type this quickly. Any help is always appreciated. Thanks!
2012-05-13 14:29:57 EDT Incoming call... Address given to client = 192.168.1.229
Sun May 13 14:29:57 2012 : Directory Services Authentication plugin initialized
Sun May 13 14:29:57 2012 : Directory Services Authorization plugin initialized
Sun May 13 14:29:57 2012 : PPTP incoming call in progress from '192.168.1.13'...
Sun May 13 14:29:57 2012 : PPTP connection established.
Sun May 13 14:29:57 2012 : using link 0
Sun May 13 14:29:57 2012 : Using interface ppp0
Sun May 13 14:29:57 2012 : Connect: ppp0 <--> socket[34:17]
Sun May 13 14:29:57 2012 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x76ed810> <pcomp> <accomp>]
Sun May 13 14:29:57 2012 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x12cb3fcd> <pcomp> <accomp>]
Sun May 13 14:29:57 2012 : lcp_reqci: returning CONFACK.
Sun May 13 14:29:57 2012 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x12cb3fcd> <pcomp> <accomp>]
Sun May 13 14:29:57 2012 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x76ed810> <pcomp> <accomp>]
Sun May 13 14:29:57 2012 : sent [LCP EchoReq id=0x0 magic=0x76ed810]
Sun May 13 14:29:57 2012 : sent [CHAP Challenge id=0x11 <401c36015b2e670f22256c5d415e0a60>, name = "mac-mini-server.local"]
Sun May 13 14:29:57 2012 : rcvd [LCP EchoReq id=0x0 magic=0x12cb3fcd]
Sun May 13 14:29:57 2012 : sent [LCP EchoRep id=0x0 magic=0x76ed810]
Sun May 13 14:29:57 2012 : rcvd [LCP EchoRep id=0x0 magic=0x12cb3fcd]
Sun May 13 14:29:57 2012 : rcvd [CHAP Response id=0x11 <30ed187d21d0e87dd09b414cc535a12f0000000000000000622d557cb34e3baba02fdf3979d3e4 eef774f2c5192d667d00> , name = "Matt"]
Sun May 13 14:29:57 2012 : DSAuth plugin: unsupported authen authority: recved ShadowHash;HASHLIST:<SALTED-SHA512,SMB-NT,CRAM-MD5,RECOVERABLE>, want ApplePasswordServer
Sun May 13 14:29:57 2012 : sent [CHAP Success id=0x11 "S=275C80AAE3A93F8EAEBCC5D14D79D9692DC925AD M=Access granted"]
Sun May 13 14:29:57 2012 : CHAP peer authentication succeeded for Matt
Sun May 13 14:29:57 2012 : DSAccessControl plugin: User 'Matt' authorized for access
Sun May 13 14:29:57 2012 : MPPE required, but keys are not available. Possible plugin problem?
Sun May 13 14:29:57 2012 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
Sun May 13 14:29:57 2012 : Connection terminated.
Sun May 13 14:29:57 2012 : Connect time 0.0 minutes.
Sun May 13 14:29:57 2012 : Sent 0 bytes, received 0 bytes.
Sun May 13 14:29:57 2012 : PPTP disconnecting...
Sun May 13 14:29:57 2012 : PPTP disconnectedWell, it's been a few days and with no response I thought I'd look for another solution. I've been trying this software called iVPN, apparently it's like a front-end to OS X's built-in VPN server. Anyway, I disabled the VPN Server from the Server app, turned on iVPN and was VPN-ing from my iPhone over 3G in notime. It's a great app, though it kinda ***** that the server can't do what it's built to do. Since VPN was the big reason I got Server in the first place, I'll probably uninstall it and stick with OS X's built-in file sharing and iVPN.
-
Internet stops with PPTP VPN connections to ASUS RT-N66U VPN Router
I have a client with a small office network that has a few people working remotely from Windows 7 and 8 PCs. As an inexpensive solution the client opted to use a VPN router (ASUS RT-N66U) that supports PPTP so remote users could access the shared
files and SQL DB server.
The VPN connectivity for one client was working fine and then stopped working altogether so when the VPN connection is established all Internet and VPN access is stopped. This was especially troubling for me since I work remotely and cannot test or debug after
the VPN session has been connected. I checked the error logs and found nothing. Also there had been no new programs installed. And finally, I ran a full system antivirus scan with no issues found.
In case you are facing a similar issue, before trying something remotely that may not work, use the shutdown with reboot command in a COMMAND window and set a timer for something like 3 minutes to reboot in case you get stuck. (e.g. shutdown -r -t 180).
Problem: The two symptoms of the VPN connection failure are:
1) All Internet browsing stops working locally
2) No data can pass through the VPN tunnel
I created a virtual machine on my local network and replicated the client's environment. I experimented with nearly every setting in the VPN dialogue until and came to the final solution.
Solution: For the VPN adapter on the remote machines I configured DNS settings and used the remote as the default gateway.
* VPN adapter Networking IPV4 Properties for:
- DNS server 1: Main Office VPN Router IP Address
- DNS server 2: A public DNS server (Google is 8.8.8.8)
- I also checked the box to "register this connection addresses in DNS"
Note: Perhaps the local router would also have worked and DNS2 but I didn't test it.
I have documented this because after reading and searching among many Technical articles and the Microsoft support website, I was unable to find the solution that I came up with so I hope to help someone else.
Question1: - Can anyone tell me why the connectivity only works when 'use default gateway on remote network' is checked?
- I have disabled this option with some business class VPN routers and the connectivity still worked to the remote network but it does not work to the Asus router.
Question2: From the information provided can I determine where the problem lies?
Is it the:
1) Remote client PC
2) Remote client router
3) Home office VPN router (Asus RT-N66U)
If the true culprit cannot be determined yet, what steps do you recommend so I can isolate the true cause of the failure.
I appreciate any help so that I can be sure my solution is valid and pass along the findings to ASUS if it is their issue.Thank you for the suggestion. I have successfully connected through the VPN router when the one client was unable to get VPN throughput working.
I looked at the routing tables with and without the VPN connection established. The differences are that:
1) when VPN is NOT active, there is a route from the local NIC IP to the Internet IP address of the local gateway
destination 68.109.82.xx
mask 255.255.255.0
gateway 192.168.0.1
interface 192.168.0.11
metric 21
2) when VPN IS active, the route to the Internet IP address of the local gateway is deleted and a persistent route to the VPN router local network has been added
Persistent route:
destination 192.168.21.0
mask 255.255.255.0
gateway 192.168.0.1
interface 192.168.0.11
metric 1 -
How to configure Multiple PPTP VPN Clients on cisco 3g supported Router
I want the router to be a PPTP VPN client to 2 independent PPTP servers, both are in different cities in Cisco routers. I have tested with one on cisco 1841 aqnd its working fine; but when I add the 2nd, its using vpdn-group 1 and therefore connecting to the wrong PPTP server:
here is the config for the one that works:
vpdn-group 1
request-dialin
protocol pptp
rotary-group 0
initiate-to ip xxx.xxx.xxx.xxx
interface Dialer0
mtu 1450
ip address negotiated
ip pim dense-mode
ip nat outside
ip virtual-reassembly
zone-member security private
encapsulation ppp
ip igmp query-interval 125
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no peer neighbor-route
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap-v2 ms-chap eap chap pap callin
ppp eap refuse
ppp chap hostname xxx@xxx
ppp chap password 7 xxxpassword
But if I create a vpdn-group 2 and a Dialer1 interface, with dialer-group 2, its still attempting to connect to the IP in vpdn-group 1 - how do I get it to use the 2nd vpdn-group, or how do I make this work? and which cisco 3G Router you prefer because these are remote sites and only 3G Internet service is available.I want the router to be a PPTP VPN client to 2 independent PPTP servers, both are in different cities in Cisco routers. I have tested with one on cisco 1841 aqnd its working fine; but when I add the 2nd, its using vpdn-group 1 and therefore connecting to the wrong PPTP server:
here is the config for the one that works:
vpdn-group 1
request-dialin
protocol pptp
rotary-group 0
initiate-to ip xxx.xxx.xxx.xxx
interface Dialer0
mtu 1450
ip address negotiated
ip pim dense-mode
ip nat outside
ip virtual-reassembly
zone-member security private
encapsulation ppp
ip igmp query-interval 125
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no peer neighbor-route
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap-v2 ms-chap eap chap pap callin
ppp eap refuse
ppp chap hostname xxx@xxx
ppp chap password 7 xxxpassword
But if I create a vpdn-group 2 and a Dialer1 interface, with dialer-group 2, its still attempting to connect to the IP in vpdn-group 1 - how do I get it to use the 2nd vpdn-group, or how do I make this work? and which cisco 3G Router you prefer because these are remote sites and only 3G Internet service is available. -
Hi.
We have just setup a SA520 at a customer location. It is running firmware version 1.1.65.
It seems to be operating fine, except PPTP VPN.
Looking at the log from the SA520 it forwards port 1723 and 500 to the correct PPTP server in the network. But it seems like this machine it not receiving the PPTP VPN request.
On the server is also running a FTP service which works fine - so the server is alive.
Is there something about we also need to use GRE (Protocol 47) when using PPTP? We have looked everywhere in the SA520, but can't find it.
Any help appreciated, thanks!
/Ulrik
Attached: SA520-log, PPTP-server-log, Firewall-rules.Hi Federico.
I also believe GRE must be used to establish the PPTP connection, but it is not listed as a service under firewall rules or anywhere else in the SA520.
The reason to open port 500 was because we could see a request to the port, when we were trying to connect. It doesn't change anything if the port is open or not.
I don't think it establish the PPTP tunnel at all. The receiving server is just listening for connections as the screenshot of the log shows. It doesn't indicate an established connection.
I am pretty sure GRE is the problem, but they big question is how do enable it in the SA520.
/Ulrik -
Snow Leopard PPTP VPN Client with Microsoft Networks
I have Snow Leopard machine working fine in local Microsoft network, in this environment it's easy setup wins server, in this case i can see and access all windows machines, but when I access my office network via PPTP VPN I can only see windows machines over finder, when i try to access any machine the connection fails, if i use a windows xp or vista it works fine. How i can tell to VPN the wins server address?
I have Snow Leopard machine working fine in local Microsoft network, in this environment it's easy setup wins server, in this case i can see and access all windows machines, but when I access my office network via PPTP VPN I can only see windows machines over finder, when i try to access any machine the connection fails, if i use a windows xp or vista it works fine. How i can tell to VPN the wins server address?
-
Help needed to connect to remote PPTP VPN via PIX 515e
Hello,
A user in our office needs to connect to a client's remote PPTP VPN but can't connect. The user is running Windows 7. We have a Cisco PIX 515e firewall that is running PIX Version 6.3(3) - this is what our user is having to go through to try and make the connection to the client's remote VPN.
The client's network guys have come back and said the issue is at our side. They say that they can see some of our traffic but not all of it. The standard error is shown below, and they say it's symptomatic of the client-side firewall not allowing PPTP traffic:
"A connection between the VPN server and the VPN client XXX.XXX.XXX.XXX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets."
I have very little firewall experience and absolutely no Cisco experience I'm afraid. From looking at the PIX config I can see the following line:
fixup protocol pptp 1723.
Does this mean that the PPTP protcol is enabled on our firewall? Is this for both incoming and outgoing traffic?
I can see no reference to GRE 47 in the PIX config. Can anyone advise me what I should look for to see if this has been enabled or not?
I apologise again for my lack of knowledge. Any help or advice would be very gratefully received.
RosHi Eugene,
Thank you for taking the time to reply to me. Please see our full PIX config below. I've XX'd out names and IP addresses as I'm never comfortable posting those type of details in a public forum. I hope that the information below is still sufficient for you.
Thanks again for your help,
Ros
PIX(config)# en
Not enough arguments.
Usage: enable password [] [level ] [encrypted]
no enable password level
show enable
PIX(config)# show config
: Saved
: Written by enable_15 at 10:30:31.976 GMT/BDT Mon Apr 4 2011
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password XXX encrypted
passwd XXX encrypted
hostname PIX
domain-name XXX.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name XX.XX.XX.XX Secondary
access-list outside_access_in permit tcp XX.XX.XX.XX 255.255.255.240 host XX.XX.XX.XX eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq https
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 993
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 587
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 82
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 8082
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl deny udp any any eq 135
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_40 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_60 permit ip any XX.XX.XX.XX 255.255.255.0
access-list USER1 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_10 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_20 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_30 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_50 permit ip any XX.XX.XX.XX 255.255.255.0
access-list outside_cryptomap_70 permit ip any XX.XX.XX.XX 255.255.0.0
access-list USER2 permit ip any XX.XX.XX.XX 255.255.255.0
access-list USER3 permit ip any XX.XX.XX.XX 255.255.255.0
access-list USER4 permit ip any XX.XX.XX.XX 255.255.0.0
pager lines 24
logging on
logging host inside XX.XX.XX.XX
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside XX.XX.XX.XX 255.255.255.248
ip address inside XX.XX.XX.XX 255.255.255.0
no ip address DMZ
ip audit info action alarm
ip audit attack action alarm
pdm location XX.XX.XX.XX 255.255.255.255 inside
pdm location XX.XX.XX.XX 255.255.0.0 outside
pdm location XX.XX.XX.XX 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route inside XX.XX.XX.XX 255.255.0.0 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authenticate
ntp server XX.XX.XX.XX source outside prefer
http server enable
http XX.XX.XX.XX 255.255.0.0 outside
http XX.XX.XX.XX 255.255.255.0 outside
http XX.XX.XX.XX 255.255.255.255 inside
snmp-server host inside XX.XX.XX.XX
no snmp-server location
no snmp-server contact
snmp-server community XXX
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cola 20 set transform-set ESP-3DES-MD5
crypto dynamic-map dod 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp dynamic cola
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XX.XX.XX.XX
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 25 ipsec-isakmp
crypto map outside_map 25 match address USER1
crypto map outside_map 25 set peer XX.XX.XX.XX
crypto map outside_map 25 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer XX.XX.XX.XX
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer XX.XX.XX.XX
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set peer XX.XX.XX.XX
crypto map outside_map 50 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer XX.XX.XX.XX
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 70 ipsec-isakmp
crypto map outside_map 70 match address outside_cryptomap_70
crypto map outside_map 70 set peer XX.XX.XX.XX
crypto map outside_map 70 set transform-set ESP-3DES-MD5
crypto map outside_map 75 ipsec-isakmp
crypto map outside_map 75 match address USER4
crypto map outside_map 75 set peer XX.XX.XX.XX
crypto map outside_map 75 set transform-set ESP-3DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address USER2
crypto map outside_map 80 set peer XX.XX.XX.XX
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 90 ipsec-isakmp
crypto map outside_map 90 match address USER3
crypto map outside_map 90 set peer XX.XX.XX.XX
crypto map outside_map 90 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet XX.XX.XX.XX 255.255.0.0 outside
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet timeout 30
ssh XX.XX.XX.XX 255.255.255.248 outside
ssh XX.XX.XX.XX 255.255.255.248 outside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:XXX
PIX(config)# -
PPTP VPN on Server 2008R2 dropping users but acting like it is still connected
Hello,
I'm having a weird problem and I'm at a loss. We have a couple of cloud servers that form our remote office system. Basically, their is 1 DC, 1 Remote Desktop server, and 2 member servers being used as workstations. The users access these
server and resources via a PPTP VPN setup on the DC using RRAS. Everything has worked fairly well for the last year, but recently, my users have complained that they get disconnected at random times over the last couple of weeks. I was able
to observe the behavior yesterday and it goes something like this:
-The user is working fine
-The user tries to access a share, open a web page, tries to open a remote desktop session or notices that their Outlook client is disconnected and finds that nothing can be reached outside of the local machine. I tried pinging the DC address,
www.google.com, and the RDP server without success. From the server, I tried pinging the errant workstation without success. The server shows the connection to be active and the workstation does not disconnect the connection. On
one occasion, the problem just rectified itself and everything started working again. On all other occasions, the VPN had to be disconnected and reconnected. Note that some workstations are not reporting this problem.
-The user disconnects the VPN
-The user reconnects the VPN and usually everything is okay again for awhile, but sometimes they are disconnected within minutes.
This is new behavior, and no changes have been made by me and the Cloud support people tell me they haven't done anything. At this point, I'm not even sure how to go about troubleshooting it. The next time it happened, I was going to pull an ARP table
to see if anything looks amiss, but the only other avenue I have going is a call into the cloud services support to see if they can look for dropped or filtered information between our main office and our cloud server.
The only part of this setup that is a little bit different for me is the IPv4 settings in the RRAS console under properties of the server. Normally in the IPv4 settings, I select DHCP and allow the users to pull from the existing DHCP server. However, the
cloud support recommended against having a DHCP server, so instead of DHCP, I selected "use static IP address pool." I put 10.216.8.197 to 10.216.8.22 and the subnet mask is picking up from the server as 255.255.255.224 and the default gateway is
picking up from the server as 10.216.8.193.
Does anyone have any advice on how to troubleshoot this problem? What to try next if the cloud services support doesn't find anything, etc?
Thanks,
Jeffery SmithHi Jeffery,
According to your description, the VPN clients can connect the server at the beginning, but when we reconnected after going wrong, they were disconnected within minutes. Maybe the next time it happened, we could follow steps below to troubleshoot this issue.
Use ipconfig /all command in the VPN client when we set up VPN connection, to view which IP address the VPN client obtain.
Pull an ARP table from the VPN client to view the IP Address-Physical Address mappings as you said will help to troubleshoot this issue. The assigned IP address maybe used by other computers.
If the static IP address pool range from 10.216.8.197 to 10.216.8.22, due to the subnet is 255.255.255.224, there are 8 subnet in the 10.216.8.0/27 network. If the static IP address pool consists of ranges of IP addresses that are for a separate subnet,
then we need to either enable an IP routing protocol on the remote access server computer or add static IP routes consisting of the {IP Address, Mask} of each range to the routers of the intranet. If the routes are not added, then remote access clients can’t
receive traffic from resources on the intranet.
Best Regards,
Tina -
UM175 - Not able to connect to office network with VPN
I am having trouble connecting to my office network using this wireless card, UM175, and connecting with a VPN. I have the VPN set up the same as many other computers connecting to our server. Currently when I start VZAccess, I can access the internet and everything works fine. When I start my VPN to connect to my office server, it takes multiple tries with error 691 being returned. After two or three tries it connects. I can ping my computer from the server. I can ping my router and my server from my notebook with the UM175. However, I cannot do anything with the server. I cannot access the internet, access files from the server, or access any software on the server. I contacted IT and our administrators and they tested the system and VPN and state that there is a problem with the modem UM175. Is there some setting that I must set to make this work correctly. This is an urgent matter and must be working, or I will have to purchase another type of modem.
Where are you located? I'm in the Bay Area, CA and I was using the UM175 with my PPTP VPN without any problems. However, I recently upgraded to the new 4G on Wednesday and now the PPTP VPN won't authenticate...errors on verifying user name and password. I did a packet trace and found GRE packets are being dropped. This is a Verizon issue and it appears their 4G upgrades have directly caused this problem.
There is another thread about this issue located here: http://community.vzw.com/t5/Broadband-Netbook-MiFi-Devices/LG-LTE-Modem-VPN-Not-Working/td-p/349846 -
IVPN starts, but "the pptp-vpn server did not respond. Try reconnecting."
Hi. I am new to VPN, and I just got the software iVPN from Macserve, and the server starts successfully, using either PPTP or L2TP:
But the connections from my network do not connect. Every time I click on "connect" for either network connection, I get the error "the pptp-vpn server did not respond. Try reconnecting."
I set up both connections in my Network Preferences according to the support page (http://macserve.org.uk/support/ivpn/):
My Airport Express configurations have never given me any problems with my home network:
And I think that I forwarded the ports properly (even though my firewall is not activated):
What am I doing wrong?The Apple routers can be a problem on vpn passthrough.
Ports that are required for vpn are more complicated ..
See earlier post.. eg How do I set up L2TP VPN?
Ports for PPTP which you have opened manually.. are not valid for L2TP.. so you need several more ports opened.
The problematic ones are GRE and ESP which are protocols not ports.
I think you can pretty well assume the apple router running anything that has BTMM in it won't work.. since it will need the port 500 for itself.
On the old express try going back to 7.6.1 firmware.. I have to say I don't use the express.. lots of extreme and TC.. so their firmware issues are slightly different so firmware versions for the express are somewhat different.
Try not to use both port forwards (mapping if you must).. and DMZ.. they can fight each other.. if DMZ doesn't work it is better to turn it right off and forward all the required ports.
Let me recommend a test.
Plug your cable modem directly into the computer running the VPN.. so you have no NAT router in front of it.
Pay attention to the local firewall that apple runs and what ports you will need to open on it to get vpn to work.. this is your best chance to get remote vpn running. If you fail with the public IP on the computer it will certainly fail through NAT.. and generally local firewall will be an issue.
You should of course test that a client in the local lan can connect by the vpn.. it is always worth testing from the easiest configuration to the most complex.
So local lan just as you have now..
Then direct cable connection to the computer.
Then NAT router.. but you can pretty well assume apple routers are going to be problematic because apple want to dally at BTMM using same ports as IPSEC uses for L2TP.
My email is live.. roll your mouse over it and talk to me direct.. -
IPad and PPTP VPN - Internet access (e-mail & Safari) not working
Hi there!
I've got an iPad2 (WiFi only) and need to configure it to use Witopia PPTP VPN, which is the VPN provider I've been using for a long time on my desktop and netbook.
Configure the iPad was an easy task, and I was able to successfuly authenticate and establish a PPTP session with any of the Witopia servers.
The problem is that once established the PPTP session, if the "send all traffic" option is ON, I have no Internet access at all (no e-mail neither browsing with Safari). Then, if I stop VPN, turn OFF the "send all traffic" option in the iPad, and start VPN again, I have Internet communication back and everything starts working fine. I've been fiddling with this in my home network (D-Link Dir-655 router using the IP 192.168.0.1 addressing scheme for my LAN).
Obviously, I decided to leave the "send all traffic" option OFF, but then I discovered that doing this my Safari traffic is not encrypted and my IP is not masked, i.e. the VPN is up and running, I have normal Internet traffic, but the service to be provided by the VPN for some inknown reason is not happening.
Does anyone have a clue about what's going on ?
TIA
RTadeuHave you tried a battery pull? If not, give that a try and then try again.
1. Please thank those who help you by clicking the "Like" button at the bottom of the post that helped you.
2. If your issue has been solved, please resolve it by marking the post "Solution?" which solved it for you! -
Confused with this ASA - VPN config issue
Hello. Can anyone help me here? I am new to the ASA config and commands. Everything works well, enough, on this ASA except the VPN. A client can connect but cannot access anything inside or outside. Here is the config. Can someone please take a look and tell me why VPN is not working? I don't want to set up split-tunneling, I would prefer everything to go through the firewall. Also, if you see something else wrong (or have a better implementation) then please let me know.
ASA Version 8.4(2)
hostname FIREWALL_NAME
enable password Some_X's_here encrypted
passwd Some_X's_here encrypted
names
interface Ethernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/0.22
description Public Internet space via VLAN 22
vlan 22
nameif Public_Internet
security-level 0
ip address 1.3.3.7 255.255.255.248
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/1.42
description Private LAN space via VLAN 42
shutdown
vlan 42
nameif Private_CDATA
security-level 100
ip address 10.30.136.1 255.255.255.0
interface Ethernet0/1.69
description Private LAN space via VLAN 69
vlan 69
nameif Private_ODATA
security-level 100
ip address 10.30.133.1 255.255.255.0
interface Ethernet0/1.95
description Private LAN space via VLAN 95
shutdown
vlan 95
nameif Private_OVOICE
security-level 100
ip address 192.168.102.254 255.255.255.0
interface Ethernet0/1.96
description Private LAN space via VLAN 96
shutdown
vlan 96
nameif Private_CVOICE
security-level 100
ip address 192.168.91.254 255.255.255.0
interface Ethernet0/1.3610
description Private LAN subnet via VLAN 3610
shutdown
vlan 3610
nameif Private_CeDATA
security-level 100
ip address 10.10.100.18 255.255.255.240
interface Ethernet0/1.3611
description Private LAN space via VLAN 3611
shutdown
vlan 3611
nameif Private_CeVOICE
security-level 100
ip address 10.10.100.66 255.255.255.252
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.69.1 255.255.255.0
management-only
banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
extent of the law.
banner exec
banner exec ,
banner exec .';
banner exec .-'` .'
banner exec ,`.-'-.`\
banner exec ; / '-'
banner exec | \ ,-,
banner exec \ '-.__ )_`'._ \|/
banner exec '. ``` ``'--._[]--------------*
banner exec .-' , `'-. /|\
banner exec '-'`-._ (( o )
banner exec `'--....(`- ,__..--'
banner exec '-'`
banner exec
banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
extent of the law.
banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CD_3610-GW
host 10.10.100.17
description First hop to 3610
object network CV_3611-GW
host 10.10.100.65
description First hop to 3611
object network GW_22-EXT
host 1.3.3.6
description First hop to 22
object service MS-RDC
service tcp source range 1024 65535 destination eq 3389
description Microsoft Remote Desktop Connection
object network HDC-LAN
subnet 192.168.200.0 255.255.255.0
description DC LAN subnet
object network HAM-LAN
subnet 192.168.110.0 255.255.255.0
description HAM LAN subnet
object service MSN
service tcp source range 1 65535 destination eq 1863
description MSN Messenger
object network BCCs
host 2.1.8.1
description BCCs server access
object network ODLW-EXT
host 7.1.1.5
description OTTDl
object network SWINDS-INT
host 10.30.133.67
description SWINDS server
object network SWINDS(192.x.x.x)-INT
host 192.168.100.67
description SWINDS server
object service YMSG
service tcp source range 1 65535 destination eq 5050
description Yahoo Messenger
object service c.b.ca1
service tcp source range 1 65535 destination eq citrix-ica
description Connections to the bc portal.
object service c.b.ca2
service tcp source range 1 65535 destination eq 2598
description Connections to the bc portal.
object service HTTP-EXT(7001)
service tcp source range 1 65535 destination eq 7001
description HTTP Extended on port 7001.
object service HTTP-EXT(8000-8001)
service tcp source range 1 65535 destination range 8000 8001
description HTTP Extended on ports 8000-8001.
object service HTTP-EXT(8080-8081)
service tcp source range 1 65535 destination range 8080 8081
description HTTP Extended on ports 8080-8081.
object service HTTP-EXT(8100)
service tcp source range 1 65535 destination eq 8100
description HTTP Extended on port 8100.
object service HTTP-EXT(8200)
service tcp source range 1 65535 destination eq 8200
description HTTP Extended on port 8200.
object service HTTP-EXT(8888)
service tcp source range 1 65535 destination eq 8888
description HTTP Extended on port 8888.
object service HTTP-EXT(9080)
service tcp source range 1 65535 destination eq 9080
description HTTP Extended on port 9080.
object service ntp
service tcp source range 1 65535 destination eq 123
description TCP NTP on port 123.
object network Pl-EXT
host 7.1.1.2
description OPl box.
object service Pl-Admin
service tcp source range 1 65535 destination eq 8443
description Pl Admin portal
object network FW-EXT
host 1.3.3.7
description External/Public interface IP address of firewall.
object network Rs-EXT
host 7.1.1.8
description Rs web portal External/Public IP.
object network DWDM-EXT
host 2.1.2.1
description DWDM.
object network HM_VPN-EXT
host 6.2.9.7
description HAM Man.
object network SIM_MGMT
host 2.1.1.1
description SIM Man.
object network TS_MGMT
host 2.1.1.4
description TS Man.
object network TS_MGMT
host 2.1.2.2
description TS Man.
object service VPN-TCP(1723)
service tcp source range 1 65535 destination eq pptp
description For PPTP control path.
object service VPN-UDP(4500)
service udp source range 1 65535 destination eq 4500
description For L2TP(IKEv1) and IKEv2.
object service VPN-TCP(443)
service tcp source range 1 65535 destination eq https
description For SSTP control and data path.
object service VPN-UDP(500)
service udp source range 1 65535 destination eq isakmp
description For L2TP(IKEv1) and IKEv2.
object network RCM
host 6.1.8.2
description RCM
object network RCM_Y
host 6.1.8.9
description RCM Y
object network r.r.r.c163
host 2.1.2.63
description RCV IP.
object network r.r.r.c227
host 2.1.2.27
description RCV IP.
object network v.t.c-EXT
host 2.5.1.2
description RTICR
object service VPN-TCP(10000)
service tcp source range 1 65535 destination eq 10000
description For TCP VPN over port 1000.
object service BGP-JY
service tcp source range 1 65535 destination eq 21174
description BPG
object network KooL
host 192.168.100.100
description KooL
object network FW_Test
host 1.3.3.7
description Testing other External IP
object network AO_10-30-133-0-LAN
range 10.30.133.0 10.30.133.229
description OLS 10.30.133.0/24
object network AC_10-30-136-0-LAN
subnet 10.30.136.0 255.255.255.0
description CLS 10.30.136.0/24
object network NETWORK_OBJ_192.168.238.0_27
subnet 192.168.238.0 255.255.255.224
object-group network All_Private_Interfaces
description All private interfaces
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
network-object 10.10.100.16 255.255.255.240
network-object 10.10.100.64 255.255.255.252
network-object 192.168.102.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service cb.ca
description All ports required for cb.ca connections.
service-object object c.b.ca1
service-object object c.b.ca2
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq snmp
object-group service FTP
description All FTP ports (20 + 21)
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group service HTTP-EXT
description HTTP Extended port ranges.
service-object object HTTP-EXT(7001)
service-object object HTTP-EXT(8000-8001)
service-object object HTTP-EXT(8080-8081)
service-object object HTTP-EXT(8100)
service-object object HTTP-EXT(8200)
service-object object HTTP-EXT(8888)
service-object object HTTP-EXT(9080)
object-group service ICMP_Any
description ICMP: Any Type, Any Code
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object icmp
object-group service NTP
description TCP and UPD NTP protocol
service-object object ntp
service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_3
group-object FTP
group-object HTTP-EXT
group-object ICMP_Any
group-object NTP
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object ip
object-group service DM_INLINE_SERVICE_4
group-object NTP
service-object tcp destination eq daytime
object-group network SWINDS
description Both Internal IP addresses (192 + 10)
network-object object SWINDS-INT
network-object object SWINDS(192.x.x.x)-INT
object-group service IM_Types
description All messenger type applications
service-object object MSN
service-object object YMSG
service-object tcp-udp destination eq talk
service-object tcp destination eq aol
service-object tcp destination eq irc
object-group service SNMP
description Both poll and trap ports.
service-object udp destination eq snmp
service-object udp destination eq snmptrap
object-group service DM_INLINE_SERVICE_2
group-object FTP
service-object object MS-RDC
service-object object Pl-Admin
group-object SNMP
object-group network DM_INLINE_NETWORK_1
network-object object FW-EXT
network-object object Rs-EXT
object-group network AMV
description connections for legacy AM
network-object object DWDM-EXT
network-object object HAM_MGMT
network-object object SIM_MGMT
network-object object TS_MGMT
network-object object TS_MGMT
object-group service IKEv2_L2TP
description IKEv2 and L2TP VPN configurations
service-object esp
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
object-group service PPTP
description PPTP VPN configuration
service-object gre
service-object object VPN-TCP(1723)
object-group service SSTP
description SSTP VPN configuration
service-object object VPN-TCP(443)
object-group network RvIPs
description Rv IP addresses
network-object object RCM
network-object object RCM_Y
network-object object r.r.r.c163
network-object object r.r.r.c227
network-object object v.t.c-EXT
object-group service Rvs
description Rv configuration.
service-object object VPN-TCP(10000)
service-object object VPN-UDP(500)
object-group service DM_INLINE_SERVICE_5
service-object object BGP-JY
service-object tcp destination eq bgp
object-group network Local_Private_Subnets
description OandCl DATA
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
access-list Public/Internet_access_out remark Block all IM traffic out.
access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
access-list Public/Internet_access_out remark Allow access to BMC portal
access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
access-list Public/Internet_access_out remark Allow basic services out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow WhoIS traffic out.
access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
access-list Public/Internet_access_out remark Allow Network Time protocols out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
access-list Public/Internet_access_out remark Allow BPG traffic out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow Kool server out.
access-list Public/Internet_access_out extended permit ip object KooL any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging mail notifications
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu Public_Internet 1500
mtu Private_CDATA 1500
mtu Private_ODATA 1500
mtu Private_OVOICE 1500
mtu Private_CVOICE 1500
mtu Private_CeDATA 1500
mtu Private_CeVOICE 1500
mtu management 1500
ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
ip verify reverse-path interface Public_Internet
ip verify reverse-path interface Private_CDATA
ip verify reverse-path interface Private_ODATA
ip verify reverse-path interface Private_OVOICE
ip verify reverse-path interface Private_CVOICE
ip verify reverse-path interface Private_CeDATA
ip verify reverse-path interface Private_CeVOICE
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Public_Internet
no asdm history enable
arp timeout 14400
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
access-group Public/Internet_access_out out interface Public_Internet
route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (Private_ODATA) host 10.30.133.21
timeout 5
nt-auth-domain-controller Cool_Transformer_Name
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.69.0 255.255.255.0 management
snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
snmp-server location OT
snmp-server contact [email protected]
snmp-server community Some_*s_here
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
sysopt noproxyarp Public_Internet
sysopt noproxyarp Private_CDATA
sysopt noproxyarp Private_ODATA
sysopt noproxyarp Private_OVOICE
sysopt noproxyarp Private_CVOICE
sysopt noproxyarp Private_CeDATA
sysopt noproxyarp Private_CeVOICE
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Public_Internet_map interface Public_Internet
crypto ikev1 enable Public_Internet
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 10.30.133.0 255.255.255.0 Private_ODATA
ssh 192.168.69.0 255.255.255.0 management
ssh timeout 2
ssh version 2
console timeout 5
dhcprelay server 10.30.133.13 Private_ODATA
dhcprelay enable Private_CDATA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.30.133.13 prefer
ntp server 132.246.11.227
ntp server 10.30.133.21
webvpn
group-policy AO-VPN_Tunnel internal
group-policy AO-VPN_Tunnel attributes
dns-server value 10.30.133.21 10.30.133.13
vpn-tunnel-protocol ikev1
default-domain value ao.local
username helpme password Some_X's_here encrypted privilege 1
username helpme attributes
service-type nas-prompt
tunnel-group AO-VPN_Tunnel type remote-access
tunnel-group AO-VPN_Tunnel general-attributes
address-pool AO-VPN_Pool
authentication-server-group AD
default-group-policy AO-VPN_Tunnel
tunnel-group AO-VPN_Tunnel ipsec-attributes
ikev1 pre-shared-key Some_*s_here
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
smtp-server 192.168.200.25
prompt hostname context
no call-home reporting anonymous
Thanks,
Jeff.I tried those commands but this started getting messy and so I looked at the current config and it was not the same as what I originally posted. Looks like some changes were implemented but not saved so the config that I posted what slightly different. Thank you for all your suggestions. Here is the new config, confirmed as the current running and saved config. Same situation as before though. I can connect using the Cisco VPN client but can only ping myself and can't get out to the Internet or access anything internal. If someone can take a look it would be greatly appreciated. The main difference is the VPN pool has been set as a subset of the 10.30.133.0 network instead of using a separate subnet (VPN pool is 10.30.133.200 - 10.30.133.230).
ASA Version 8.4(2)
hostname FIREWALL_NAME
enable password Some_X's_here encrypted
passwd Some_X's_here encrypted
names
interface Ethernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/0.22
description Public Internet space via VLAN 22
vlan 22
nameif Public_Internet
security-level 0
ip address 1.3.3.7 255.255.255.248
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/1.42
description Private LAN space via VLAN 42
shutdown
vlan 42
nameif Private_CDATA
security-level 100
ip address 10.30.136.1 255.255.255.0
interface Ethernet0/1.69
description Private LAN space via VLAN 69
vlan 69
nameif Private_ODATA
security-level 100
ip address 10.30.133.1 255.255.255.0
interface Ethernet0/1.95
description Private LAN space via VLAN 95
shutdown
vlan 95
nameif Private_OVOICE
security-level 100
ip address 192.168.102.254 255.255.255.0
interface Ethernet0/1.96
description Private LAN space via VLAN 96
shutdown
vlan 96
nameif Private_CVOICE
security-level 100
ip address 192.168.91.254 255.255.255.0
interface Ethernet0/1.3610
description Private LAN subnet via VLAN 3610
shutdown
vlan 3610
nameif Private_CeDATA
security-level 100
ip address 10.10.100.18 255.255.255.240
interface Ethernet0/1.3611
description Private LAN space via VLAN 3611
shutdown
vlan 3611
nameif Private_CeVOICE
security-level 100
ip address 10.10.100.66 255.255.255.252
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.69.1 255.255.255.0
management-only
banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner exec
banner exec ,
banner exec .';
banner exec .-'` .'
banner exec ,`.-'-.`\
banner exec ; / '-'
banner exec | \ ,-,
banner exec \ '-.__ )_`'._ \|/
banner exec '. ``` ``'--._[]--------------*
banner exec .-' , `'-. /|\
banner exec '-'`-._ (( o )
banner exec `'--....(`- ,__..--'
banner exec '-'`
banner exec
banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CD_3610-GW
host 10.10.100.17
description First hop to 3610
object network CV_3611-GW
host 10.10.100.65
description First hop to 3611
object network GW_22-EXT
host 1.3.3.6
description First hop to 22
object network Ts-LAN
host 192.168.100.4
description TS
object service MS-RDC
service tcp source range 1024 65535 destination eq 3389
description Microsoft Remote Desktop Connection
object network HDC-LAN
subnet 192.168.200.0 255.255.255.0
description DC LAN subnet
object network HAM-LAN
subnet 192.168.110.0 255.255.255.0
description HAM LAN subnet
object service MSN
service tcp source range 1 65535 destination eq 1863
description MSN Messenger
object network BCCs
host 2.1.8.1
description BCCs server access
object network ODLW-EXT
host 7.1.1.5
description OTTDl
object network SWINDS-INT
host 10.30.133.67
description SWINDS server
object network SWINDS(192.x.x.x)-INT
host 192.168.100.67
description SWINDS server
object service YMSG
service tcp source range 1 65535 destination eq 5050
description Yahoo Messenger
object service c.b.ca1
service tcp source range 1 65535 destination eq citrix-ica
description Connections to the bc portal.
object service c.b.ca2
service tcp source range 1 65535 destination eq 2598
description Connections to the bc portal.
object service HTTP-EXT(7001)
service tcp source range 1 65535 destination eq 7001
description HTTP Extended on port 7001.
object service HTTP-EXT(8000-8001)
service tcp source range 1 65535 destination range 8000 8001
description HTTP Extended on ports 8000-8001.
object service HTTP-EXT(8080-8081)
service tcp source range 1 65535 destination range 8080 8081
description HTTP Extended on ports 8080-8081.
object service HTTP-EXT(8100)
service tcp source range 1 65535 destination eq 8100
description HTTP Extended on port 8100.
object service HTTP-EXT(8200)
service tcp source range 1 65535 destination eq 8200
description HTTP Extended on port 8200.
object service HTTP-EXT(8888)
service tcp source range 1 65535 destination eq 8888
description HTTP Extended on port 8888.
object service HTTP-EXT(9080)
service tcp source range 1 65535 destination eq 9080
description HTTP Extended on port 9080.
object service ntp
service tcp source range 1 65535 destination eq 123
description TCP NTP on port 123.
object network Pl-EXT
host 7.1.1.2
description OPl box.
object service Pl-Admin
service tcp source range 1 65535 destination eq 8443
description Pl Admin portal
object network FW-EXT
host 1.3.3.7
description External/Public interface IP address of firewall.
object network Rs-EXT
host 7.1.1.8
description Rs web portal External/Public IP.
object network DWDM-EXT
host 2.1.2.1
description DWDM.
object network HM_VPN-EXT
host 6.2.9.7
description HAM Man.
object network SIM_MGMT
host 2.1.1.1
description SIM Man.
object network TS_MGMT
host 2.1.1.4
description TS Man.
object network TS_MGMT
host 2.1.2.2
description TS Man.
object service VPN-TCP(1723)
service tcp source range 1 65535 destination eq pptp
description For PPTP control path.
object service VPN-UDP(4500)
service udp source range 1 65535 destination eq 4500
description For L2TP(IKEv1) and IKEv2.
object service VPN-TCP(443)
service tcp source range 1 65535 destination eq https
description For SSTP control and data path.
object service VPN-UDP(500)
service udp source range 1 65535 destination eq isakmp
description For L2TP(IKEv1) and IKEv2.
object network RCM
host 6.1.8.2
description RCM
object network RCM_Y
host 6.1.8.9
description RCM Y
object network r.r.r.c163
host 2.1.2.63
description RCV IP.
object network r.r.r.c227
host 2.1.2.27
description RCV IP.
object network v.t.c-EXT
host 2.5.1.2
description RTICR
object service VPN-TCP(10000)
service tcp source range 1 65535 destination eq 10000
description For TCP VPN over port 1000.
object service BGP-JY
service tcp source range 1 65535 destination eq 21174
description BPG
object network KooL
host 192.168.100.100
description KooL
object network FW_Test
host 1.3.3.7
description Testing other External IP
object network AO_10-30-133-0-LAN
subnet 10.30.133.0 255.255.255.0
description OLS 10.30.133.0/24
object network AC_10-30-136-0-LAN
subnet 10.30.136.0 255.255.255.0
description CLS 10.30.136.0/24
object-group network All_Private_Interfaces
description All private interfaces
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
network-object 10.10.100.16 255.255.255.240
network-object 10.10.100.64 255.255.255.252
network-object 192.168.102.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service cb.ca
description All ports required for cb.ca connections.
service-object object c.b.ca1
service-object object c.b.ca2
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq snmp
object-group service FTP
description All FTP ports (20 + 21)
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group service HTTP-EXT
description HTTP Extended port ranges.
service-object object HTTP-EXT(7001)
service-object object HTTP-EXT(8000-8001)
service-object object HTTP-EXT(8080-8081)
service-object object HTTP-EXT(8100)
service-object object HTTP-EXT(8200)
service-object object HTTP-EXT(8888)
service-object object HTTP-EXT(9080)
object-group service ICMP_Any
description ICMP: Any Type, Any Code
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object icmp
object-group service NTP
description TCP and UPD NTP protocol
service-object object ntp
service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_3
group-object FTP
group-object HTTP-EXT
group-object ICMP_Any
group-object NTP
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object ip
object-group service DM_INLINE_SERVICE_4
group-object NTP
service-object tcp destination eq daytime
object-group network SWINDS
description Both Internal IP addresses (192 + 10)
network-object object SWINDS-INT
network-object object SWINDS(192.x.x.x)-INT
object-group service IM_Types
description All messenger type applications
service-object object MSN
service-object object YMSG
service-object tcp-udp destination eq talk
service-object tcp destination eq aol
service-object tcp destination eq irc
object-group service SNMP
description Both poll and trap ports.
service-object udp destination eq snmp
service-object udp destination eq snmptrap
object-group service DM_INLINE_SERVICE_2
group-object FTP
service-object object MS-RDC
service-object object Pl-Admin
group-object SNMP
object-group network DM_INLINE_NETWORK_1
network-object object FW-EXT
network-object object Rs-EXT
object-group network AMV
description connections for legacy AM
network-object object DWDM-EXT
network-object object HAM_MGMT
network-object object SIM_MGMT
network-object object TS_MGMT
network-object object TS_MGMT
object-group service IKEv2_L2TP
description IKEv2 and L2TP VPN configurations
service-object esp
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
object-group service PPTP
description PPTP VPN configuration
service-object gre
service-object object VPN-TCP(1723)
object-group service SSTP
description SSTP VPN configuration
service-object object VPN-TCP(443)
object-group network RvIPs
description Rv IP addresses
network-object object RCM
network-object object RCM_Y
network-object object r.r.r.c163
network-object object r.r.r.c227
network-object object v.t.c-EXT
object-group service Rvs
description Rv configuration.
service-object object VPN-TCP(10000)
service-object object VPN-UDP(500)
object-group service DM_INLINE_SERVICE_5
service-object object BGP-JY
service-object tcp destination eq bgp
object-group network Local_Private_Subnets
description OandCl DATA
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
object-group service IPSec
description IPSec traffic
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
access-list Public/Internet_access_out remark Block all IM traffic out.
access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
access-list Public/Internet_access_out remark Allow access to BMC portal
access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
access-list Public/Internet_access_out remark Allow basic services out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow WhoIS traffic out.
access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
access-list Public/Internet_access_out remark Allow Network Time protocols out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
access-list Public/Internet_access_out remark Allow BPG traffic out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow Kool server out.
access-list Public/Internet_access_out extended permit ip object KooL any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging mail notifications
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu Public_Internet 1500
mtu Private_CDATA 1500
mtu Private_ODATA 1500
mtu Private_OVOICE 1500
mtu Private_CVOICE 1500
mtu Private_CeDATA 1500
mtu Private_CeVOICE 1500
mtu management 1500
ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
ip verify reverse-path interface Public_Internet
ip verify reverse-path interface Private_CDATA
ip verify reverse-path interface Private_ODATA
ip verify reverse-path interface Private_OVOICE
ip verify reverse-path interface Private_CVOICE
ip verify reverse-path interface Private_CeDATA
ip verify reverse-path interface Private_CeVOICE
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Public_Internet
no asdm history enable
arp timeout 14400
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
access-group Public/Internet_access_out out interface Public_Internet
route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.29 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (Private_ODATA) host 10.30.133.21
timeout 5
nt-auth-domain-controller Cool_Transformer_Name
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.69.0 255.255.255.0 management
snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
snmp-server location OT
snmp-server contact [email protected]
snmp-server community Some_*s_here
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
sysopt noproxyarp Public_Internet
sysopt noproxyarp Private_CDATA
sysopt noproxyarp Private_ODATA
sysopt noproxyarp Private_OVOICE
sysopt noproxyarp Private_CVOICE
sysopt noproxyarp Private_CeDATA
sysopt noproxyarp Private_CeVOICE
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Public_Internet_map interface Public_Internet
crypto ikev1 enable Public_Internet
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 10.30.133.0 255.255.255.0 Private_ODATA
ssh 192.168.69.0 255.255.255.0 management
ssh timeout 2
ssh version 2
console timeout 5
dhcprelay server 10.30.133.13 Private_ODATA
dhcprelay enable Private_CDATA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.30.133.13 prefer
ntp server 132.246.11.227
ntp server 10.30.133.21
webvpn
group-policy AO-VPN_Tunnel internal
group-policy AO-VPN_Tunnel attributes
dns-server value 10.30.133.21 10.30.133.13
vpn-tunnel-protocol ikev1
default-domain value ao.local
username helpme password Some_X's_here encrypted privilege 1
username helpme attributes
service-type nas-prompt
tunnel-group AO-VPN_Tunnel type remote-access
tunnel-group AO-VPN_Tunnel general-attributes
address-pool AO-VPN_Pool
authentication-server-group AD
default-group-policy AO-VPN_Tunnel
tunnel-group AO-VPN_Tunnel ipsec-attributes
ikev1 pre-shared-key Some_*s_here
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
smtp-server 192.168.200.25
prompt hostname context
no call-home reporting anonymous
Thanks in advance,
Jeff. -
[Solved] NetworkManager-pptp VPN not working after update to 0.9.10
Hello,
I have a PPTP VPN set up and it's been working for a long time. However, after I updated last night to networkmanager-0.9.10, it is no longer able to connect to the remote network. I can activate the VPN connection, enter my password, but after a short period of time, the connection reports: "Error: Connection activation failed: the VPN service returned invalid configuration." As I mentioned before, this VPN was working right before the update and I didn't change the configuration on either my computer or the destination network so I'm pretty sure that this is something to do with the update. I'm wondering if anybody else has run into this problem and if they've been able to find a solution. I've been searching all over these forums and the internet for some hours now and I haven't found anything yet. I'm hoping that somebody might be able to point me in the right direction or maybe know of something that might have changed with the new update.
Here is my VPN configuration (using NetworkManager-PPTP. I've also obscured the public IP address):
[connection]
id=MyVPN
uuid=fe6e6265-1a79-4a69-b6d1-8b47e9d4c948
type=vpn
permissions=user:greyseal96:;
autoconnect=false
timestamp=1408950986
[vpn]
service-type=org.freedesktop.NetworkManager.pptp
gateway=192.168.146.114
require-mppe=yes
user=greyseal96
password-flags=3
[ipv6]
method=auto
[ipv4]
method=auto
route1=10.17.0.0/16,10.17.1.1,1
never-default=true
Here are my logs during the time that I tried to connect:
Aug 24 23:44:15 MyArchBox NetworkManager[578]: <info> Starting VPN service 'pptp'...
Aug 24 23:44:15 MyArchBox NetworkManager[578]: <info> VPN service 'pptp' started (org.freedesktop.NetworkManager.pptp), PID 1938
Aug 24 23:44:15 MyArchBox NetworkManager[578]: <info> VPN service 'pptp' appeared; activating connections
Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> VPN connection 'MyVPN' (ConnectInteractive) reply received.
Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> VPN plugin state changed: starting (3)
Aug 24 23:44:21 MyArchBox NetworkManager[578]: ** Message: pppd started with pid 1945
Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> VPN connection 'MyVPN' (Connect) reply received.
Aug 24 23:44:21 MyArchBox pppd[1945]: Plugin /usr/lib/pppd/2.4.6/nm-pptp-pppd-plugin.so loaded.
Aug 24 23:44:21 MyArchBox NetworkManager[578]: Plugin /usr/lib/pppd/2.4.6/nm-pptp-pppd-plugin.so loaded.
Aug 24 23:44:21 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (plugin_init): initializing
Aug 24 23:44:21 MyArchBox pppd[1945]: pppd 2.4.6 started by root, uid 0
Aug 24 23:44:21 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
Aug 24 23:44:21 MyArchBox pppd[1945]: Using interface ppp0
Aug 24 23:44:21 MyArchBox pppd[1945]: Connect: ppp0 <--> /dev/pts/2
Aug 24 23:44:21 MyArchBox NetworkManager[578]: Using interface ppp0
Aug 24 23:44:21 MyArchBox NetworkManager[578]: Connect: ppp0 <--> /dev/pts/2
Aug 24 23:44:21 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> (ppp0): new Generic device (driver: 'unknown' ifindex: 10)
Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> (ppp0): exported as /org/freedesktop/NetworkManager/Devices/9
Aug 24 23:44:21 MyArchBox pptp[1947]: nm-pptp-service-1938 log[main:pptp.c:333]: The synchronous pptp option is NOT activated
Aug 24 23:44:21 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 1 'Start-Control-Connection-Request'
Aug 24 23:44:21 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_disp:pptp_ctrl.c:758]: Received Start Control Connection Reply
Aug 24 23:44:21 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_disp:pptp_ctrl.c:792]: Client connection established.
Aug 24 23:44:22 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 7 'Outgoing-Call-Request'
Aug 24 23:44:22 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_disp:pptp_ctrl.c:877]: Received Outgoing Call Reply.
Aug 24 23:44:22 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_disp:pptp_ctrl.c:916]: Outgoing call established (call ID 0, peer's call ID 50048).
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 6 / phase 'authenticate'
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (get_credentials): passwd-hook, requesting credentials...
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (get_credentials): got credentials from NetworkManager-pptp
Aug 24 23:44:25 MyArchBox pppd[1945]: CHAP authentication succeeded
Aug 24 23:44:25 MyArchBox NetworkManager[578]: CHAP authentication succeeded
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 8 / phase 'network'
Aug 24 23:44:25 MyArchBox pppd[1945]: MPPE 128-bit stateless compression enabled
Aug 24 23:44:25 MyArchBox NetworkManager[578]: MPPE 128-bit stateless compression enabled
Aug 24 23:44:25 MyArchBox pppd[1945]: Cannot determine ethernet address for proxy ARP
Aug 24 23:44:25 MyArchBox pppd[1945]: local IP address 10.17.10.3
Aug 24 23:44:25 MyArchBox pppd[1945]: remote IP address 10.17.10.1
Aug 24 23:44:25 MyArchBox pppd[1945]: primary DNS address 10.17.2.22
Aug 24 23:44:25 MyArchBox pppd[1945]: secondary DNS address 10.17.2.23
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> VPN connection 'MyVPN' (IP4 Config Get) reply received from old-style plugin.
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> VPN Gateway: 192.168.146.114
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Tunnel Device: ppp0
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> IPv4 configuration:
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Internal Address: 10.17.10.3
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Internal Prefix: 32
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Internal Point-to-Point Address: 10.17.10.1
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Maximum Segment Size (MSS): 0
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Static Route: 10.17.0.0/16 Next Hop: 10.17.1.1
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Forbid Default Route: yes
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Internal DNS: 10.17.2.22
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Internal DNS: 10.17.2.23
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> DNS Domain: '(none)'
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> No IPv6 configuration
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <error> [1408949065.481618] [platform/nm-linux-platform.c:1716] add_object(): Netlink error adding 10.17.0.0/16 via 10.17.1.1 dev ppp0 metric 1 mss 0 src user: Unspecific failure
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <warn> VPN connection 'MyVPN' did not receive valid IP config information.
Aug 24 23:44:25 MyArchBox NetworkManager[578]: Cannot determine ethernet address for proxy ARP
Aug 24 23:44:25 MyArchBox NetworkManager[578]: local IP address 10.17.10.3
Aug 24 23:44:25 MyArchBox NetworkManager[578]: remote IP address 10.17.10.1
Aug 24 23:44:25 MyArchBox NetworkManager[578]: primary DNS address 10.17.2.22
Aug 24 23:44:25 MyArchBox NetworkManager[578]: secondary DNS address 10.17.2.23
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 9 / phase 'running'
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_ip_up): ip-up event
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_ip_up): sending Ip4Config to NetworkManager-pptp...
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: PPTP service (IP Config Get) reply received.
Aug 24 23:44:25 MyArchBox pppd[1945]: Terminating on signal 15
Aug 24 23:44:25 MyArchBox pppd[1945]: Modem hangup
Aug 24 23:44:25 MyArchBox pptp[1954]: nm-pptp-service-1938 log[callmgr_main:pptp_callmgr.c:245]: Closing connection (unhandled)
Aug 24 23:44:25 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 12 'Call-Clear-Request'
Aug 24 23:44:25 MyArchBox pptp[1954]: nm-pptp-service-1938 log[call_callback:pptp_callmgr.c:84]: Closing connection (call state)
Aug 24 23:44:25 MyArchBox pppd[1945]: Connect time 0.0 minutes.
Aug 24 23:44:25 MyArchBox pppd[1945]: Sent 0 bytes, received 0 bytes.
Aug 24 23:44:25 MyArchBox pppd[1945]: MPPE disabled
Aug 24 23:44:25 MyArchBox pppd[1945]: Connection terminated.
Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
Aug 24 23:44:25 MyArchBox NetworkManager[578]: inet 10.17.0.0/16 table main
Aug 24 23:44:25 MyArchBox NetworkManager[578]: priority 0x1 protocol static
Aug 24 23:44:25 MyArchBox NetworkManager[578]: nexthop via 10.17.1.1 dev 10
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <error> [1408949065.487073] [platform/nm-linux-platform.c:2252] link_change(): Netlink error changing link 10: <DOWN> mtu 0 (1) driver 'unknown' udi '/sys/devices/virtual/net/ppp0': No such device
Aug 24 23:44:25 MyArchBox NetworkManager[578]: <error> [1408949065.487153] [platform/nm-linux-platform.c:1777] delete_object(): Netlink error deleting 10.17.10.3/32 lft forever pref forever lifetime 1862-0[4294967295,4294967295] dev ppp0 src kernel: No such device (-31)
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: Terminated ppp daemon with PID 1945.
Aug 24 23:44:25 MyArchBox kernel: Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev- instead.
Aug 24 23:44:25 MyArchBox NetworkManager[578]: Terminating on signal 15
Aug 24 23:44:25 MyArchBox NetworkManager[578]: Modem hangup
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 8 / phase 'network'
Aug 24 23:44:25 MyArchBox NetworkManager[578]: Connect time 0.0 minutes.
Aug 24 23:44:25 MyArchBox NetworkManager[578]: Sent 0 bytes, received 0 bytes.
Aug 24 23:44:25 MyArchBox NetworkManager[578]: MPPE disabled
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 10 / phase 'terminate'
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
Aug 24 23:44:25 MyArchBox NetworkManager[578]: Connection terminated.
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead'
Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_exit_notify): cleaning up
Aug 24 23:44:25 MyArchBox pppd[1945]: Exit.
Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** (nm-pptp-service:1938): WARNING **: pppd exited with error code 16
Aug 24 23:44:45 MyArchBox NetworkManager[578]: <info> VPN service 'pptp' disappeared
If you've gotten this far, thank you for taking the time to read through all this! Any help that you can give would be much appreciated.
Last edited by greyseal96 (2014-08-27 15:20:02)Hmm, not sure about the 3.16 series kernel, but I found that when I upgraded to kernel 3.18 the PPTP VPN also stopped working. This time, though, it was because, for some reason, there was a change in kernel 3.18 where the firewall kernel modules necessary for the VPN don't get loaded so the firewall won't allow some of the PPTP traffic from the remote side back in. Since the firewall is stateful, these modules need to be loaded so that the firewall can know that the incoming PPTP traffic from the remote side is part of an existing connection. Here's what my network manager logs looked like:
NetworkManager[619]: <info> Starting VPN service 'pptp'...
NetworkManager[619]: <info> VPN service 'pptp' started (org.freedesktop.NetworkManager.pptp), PID 31139
NetworkManager[619]: <info> VPN service 'pptp' appeared; activating connections
NetworkManager[619]: <info> VPN connection 'MyVPN' (ConnectInteractive) reply received.
NetworkManager[619]: <info> VPN plugin state changed: starting (3)
NetworkManager[619]: ** Message: pppd started with pid 31148
NetworkManager[619]: <info> VPN connection 'MyVPN' (Connect) reply received.
pppd[31148]: Plugin /usr/lib/pppd/2.4.7/nm-pptp-pppd-plugin.so loaded.
NetworkManager[619]: Plugin /usr/lib/pppd/2.4.7/nm-pptp-pppd-plugin.so loaded.
NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (plugin_init): initializing
pppd[31148]: pppd 2.4.7 started by root, uid 0
NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
pppd[31148]: Using interface ppp0
pppd[31148]: Connect: ppp0 <--> /dev/pts/5
NetworkManager[619]: Using interface ppp0
NetworkManager[619]: Connect: ppp0 <--> /dev/pts/5
NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
NetworkManager[619]: <info> (ppp0): new Generic device (driver: 'unknown' ifindex: 7)
NetworkManager[619]: <info> (ppp0): exported as /org/freedesktop/NetworkManager/Devices/6
pptp[31150]: nm-pptp-service-31139 log[main:pptp.c:333]: The synchronous pptp option is NOT activated
pptp[31157]: nm-pptp-service-31139 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 1 'Start-Control-Connection-Request'
pptp[31157]: nm-pptp-service-31139 log[ctrlp_disp:pptp_ctrl.c:758]: Received Start Control Connection Reply
pptp[31157]: nm-pptp-service-31139 log[ctrlp_disp:pptp_ctrl.c:792]: Client connection established.
pptp[31157]: nm-pptp-service-31139 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 7 'Outgoing-Call-Request'
pptp[31157]: nm-pptp-service-31139 log[ctrlp_disp:pptp_ctrl.c:877]: Received Outgoing Call Reply.
pptp[31157]: nm-pptp-service-31139 log[ctrlp_disp:pptp_ctrl.c:916]: Outgoing call established (call ID 0, peer's call ID 25344).
pppd[31148]: LCP: timeout sending Config-Requests <===HERE IS WHERE THE CONNECTION FAILS BECAUSE THE MODULES AREN'T LOADED.
pppd[31148]: Connection terminated.
NetworkManager[619]: LCP: timeout sending Config-Requests
NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
NetworkManager[619]: Connection terminated.
NetworkManager[619]: <warn> VPN plugin failed: connect-failed (1)
NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead'
pppd[31148]: Modem hangup
pppd[31148]: Exit.
NetworkManager[619]: <warn> VPN plugin failed: connect-failed (1)
NetworkManager[619]: Modem hangup
NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_exit_notify): cleaning up
NetworkManager[619]: <warn> VPN plugin failed: connect-failed (1)
NetworkManager[619]: <info> VPN plugin state changed: stopped (6)
NetworkManager[619]: <info> VPN plugin state change reason: unknown (0)
NetworkManager[619]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
NetworkManager[619]: ** (nm-pptp-service:31139): WARNING **: pppd exited with error code 16
NetworkManager[619]: <info> VPN service 'pptp' disappeared
To fix this, I had to add a file to the /etc/modules-load.d directory to have the modules loaded into the kernel at boot. I just created a file called netfilter.conf and put the following in it:
nf_nat_pptp
nf_conntrack_pptp
nf_conntrack_proto_gre
Not sure if this addresses your problem or not, but maybe it's worth a look.
Maybe you are looking for
-
Java 7 Web start fails to download Java 1.6 version
Sorry for the almost exact duplication of a previous thread, but that was closed (Java 7 Web start fails to download Java 1.6 version When launching an application requiring Java 1.6 with a Java 1.7 web start it fails when it tries to download 1.6 wi
-
Delivery schedule line number in make to order
Hi all, i am doing make to order scenario with 20 strategy group. In sales order we r defining the different delivery schedule lines.when i run the MRP and getting the plan orders for all the FG material and semifinished material, the sale order numb
-
Error message from database stored procedures
I would like to have some error message show at client side from stored procedures. I use MS SQL Server and use RAISEERROR, but ColdFusion does not bring the error message just ignore the error continue to run the other part of code. I just want to k
-
Automatic creation of project from Sales Order?
hi.. can someone guide me how to automatically generate PS Projects from SO USING TCODE HBS0? i have been able to generate projects automatically when i use tcode VA41 but my need is to do this for RE using sales browser and creation of Sales Order i
-
hi, i am assuming the problem is with sax parser but i cant be sure. I am parsing a xml file (about 1.4MB) with some data in it. the parser i have created reads the xml file correctly for the most part but when at some point the "public void characte