NETWORKING: PPTP vpn routing issue.

Similar Messages

• Pptp VPN route : Leopard does not set correct netmask

  Hello
  Today I switched from a MacOSX 10.4.11 (Tiger) PowerBook to a MacOS 10.5.5 (Leopard) MacBook Pro. I configured my pptp VPN settings with the "Internet Connection Tool" and Network-Settings-panel on Leopard identically as on my Tiger PowerBook (option route all traffic over VPN on both systems disabled).
  As far I could connect on the Leopard system to the destination VPN server without any problem, but could only establish a traffic-connection to the VPN server it self. As on my Tiger system the VPN connection worked seamless over several years now I supposed some routing problem.
  In fact on the Tiger system the routing table showed me, that the destination network has a 255.255.0.0 network mask and was correctly received and set on the Tiger routing table, but that the Leopard systems assumes a 255.255.255.0 network mask and set this assumption to the its routing table: (destination LAN has address space 10.50.0.0 - 10.50.255.255 / netmask 255.255.0.0)
  Tiger 10.4.11 :
  10.50/16 ppp0 USc 0 0 ppp0
  Leopard 10.5.5 :
  10.50/24 ppp0 USc 0 0 ppp0
  In the Leopard vpn setting panel, there is also the possibility to set manually the destination ip-address and netmask, but I found it has no effect on the real setting on Leopard. The only way to set the correct route with the correct netmask is under Leopard to do it by the command shell - first deleting the route set by Leopard and setting a new route with a the correct netmask :
  route delete -net 10.50. -interface ppp0
  route add -net 10.50. -interface ppp0 -netmask 255.255.0.0
  I do not understand, why under Tiger (and also on MacOSX 10.3.X) the pptp VPN worked always correct and set the correct netmask, and now Leopard (MacOSX 10.5.X) does some kind of assumption and is not able to set the correct netmask.
  Any Ideas ?

  How did you determine that partial traffic is sent through the VPN?
  Basic principles of VPN is to avoid using a common subnet for your client ip pool. Having an uncommon subnet will solve your #2 issue below. Simply change the 3rd octet on your home network from .1 to something else, .11
  I have a working pptp server configuration on ubuntu 10 with iphone 3g iOS 4.1 connected, invested hours of research, but only a short time configuring the server and iphone vpn client. passing internet traffic through local gateway/router from work wi-fi and accessing local desktop using windows remote desktop lite app.

• PPTP VPN Routing

  Hi,
  I'd like to request an update for an issue raised in another topic re vpn in osx (10.4).
  ref: http://discussions.apple.com/thread.jspa?messageID=722699
  Specifically, the apple PPTP VPN needs to provide a way to specify which IPv4 subnets should be routed along the vpn tunnel.
  For example, my company vpn connects using a 172.16... ip address, however while I need to access some other subnets (administration/fileservers etc) via the vpn tunnel, I don't want to send ALL my internet traffic to the vpn.
  I could probably fix this by messing with the system scripts from the unix commandline, but would much rather have an eta for an apple provided/supported fix.
  Can anyone help.
  Graeme
  Powerbook G4 1.25Ghz Mac OS X (10.4.6)

  I understand wanting a nice Apple solution.
  Seems like it would be pretty easy to do, but
  writing a small script isn't too hard either.
  Here is my /etc/ppp/ip-up which routes traffic to
  10.46.0.0/16 over the PPTP VPN.
  Cheers,
  Steve
  #!/bin/sh
  NET=`echo $5 | cut -d. -f1,2,3`.0
  case $NET in
  10.46.129.0) /sbin/route add -net 10.46.0.0 $5 255.255.0.0;;
  esac
  MacBook   Mac OS X (10.4.6)  

• Lion 10.7.4 PPTP VPN MPPE Issues

  Hey people,
  I recently upgraded my server from Snow Leopard Server to Lion Server, and updated to 10.7.4. I know Lion Server didn't offer a GUI for PPTP configuration before 10.7.3, but after the update I figured I'd give it a shot. I kinda wish I hadn't.
  I've setup VPN through the Server app, basically leaving all the settings to their default. I'm trying to connect to the server locally, so I know port forwarding isn't the issue. I only want to get PPTP working; since one of the L2TP ports is the same as the Back to my Mac through iCloud port (I think it's 4500 or something), I wanted to go with the PPTP so I could also have Back to my Mac (don't ask why I want both).
  Anyway, the issue is in connecting to the server locally, I get an error in the log file about how MPPE is required, but keys are not available. I know what MPPE is, and even followed the support doc from http://support.apple.com/kb/TS4241, but it didn't help. Client-side, I'm getting the error "A connection could not be established to the PPP server. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."
  I've copied the log file below. Please let me know if I missed any information; I'm in a bit of a rush and had to type this quickly. Any help is always appreciated. Thanks!
  2012-05-13 14:29:57 EDT Incoming call... Address given to client = 192.168.1.229
  Sun May 13 14:29:57 2012 : Directory Services Authentication plugin initialized
  Sun May 13 14:29:57 2012 : Directory Services Authorization plugin initialized
  Sun May 13 14:29:57 2012 : PPTP incoming call in progress from '192.168.1.13'...
  Sun May 13 14:29:57 2012 : PPTP connection established.
  Sun May 13 14:29:57 2012 : using link 0
  Sun May 13 14:29:57 2012 : Using interface ppp0
  Sun May 13 14:29:57 2012 : Connect: ppp0 <--> socket[34:17]
  Sun May 13 14:29:57 2012 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x76ed810> <pcomp> <accomp>]
  Sun May 13 14:29:57 2012 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x12cb3fcd> <pcomp> <accomp>]
  Sun May 13 14:29:57 2012 : lcp_reqci: returning CONFACK.
  Sun May 13 14:29:57 2012 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x12cb3fcd> <pcomp> <accomp>]
  Sun May 13 14:29:57 2012 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x76ed810> <pcomp> <accomp>]
  Sun May 13 14:29:57 2012 : sent [LCP EchoReq id=0x0 magic=0x76ed810]
  Sun May 13 14:29:57 2012 : sent [CHAP Challenge id=0x11 <401c36015b2e670f22256c5d415e0a60>, name = "mac-mini-server.local"]
  Sun May 13 14:29:57 2012 : rcvd [LCP EchoReq id=0x0 magic=0x12cb3fcd]
  Sun May 13 14:29:57 2012 : sent [LCP EchoRep id=0x0 magic=0x76ed810]
  Sun May 13 14:29:57 2012 : rcvd [LCP EchoRep id=0x0 magic=0x12cb3fcd]
  Sun May 13 14:29:57 2012 : rcvd [CHAP Response id=0x11 <30ed187d21d0e87dd09b414cc535a12f0000000000000000622d557cb34e3baba02fdf3979d3e4 eef774f2c5192d667d00> , name = "Matt"]
  Sun May 13 14:29:57 2012 : DSAuth plugin: unsupported authen authority: recved ShadowHash;HASHLIST:<SALTED-SHA512,SMB-NT,CRAM-MD5,RECOVERABLE>, want ApplePasswordServer
  Sun May 13 14:29:57 2012 : sent [CHAP Success id=0x11 "S=275C80AAE3A93F8EAEBCC5D14D79D9692DC925AD M=Access granted"]
  Sun May 13 14:29:57 2012 : CHAP peer authentication succeeded for Matt
  Sun May 13 14:29:57 2012 : DSAccessControl plugin: User 'Matt' authorized for access
  Sun May 13 14:29:57 2012 : MPPE required, but keys are not available. Possible plugin problem?
  Sun May 13 14:29:57 2012 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
  Sun May 13 14:29:57 2012 : Connection terminated.
  Sun May 13 14:29:57 2012 : Connect time 0.0 minutes.
  Sun May 13 14:29:57 2012 : Sent 0 bytes, received 0 bytes.
  Sun May 13 14:29:57 2012 : PPTP disconnecting...
  Sun May 13 14:29:57 2012 : PPTP disconnected

  Well, it's been a few days and with no response I thought I'd look for another solution. I've been trying this software called iVPN, apparently it's like a front-end to OS X's built-in VPN server. Anyway, I disabled the VPN Server from the Server app, turned on iVPN and was VPN-ing from my iPhone over 3G in notime. It's a great app, though it kinda ***** that the server can't do what it's built to do. Since VPN was the big reason I got Server in the first place, I'll probably uninstall it and stick with OS X's built-in file sharing and iVPN.

• Internet stops with PPTP VPN connections to ASUS RT-N66U VPN Router

  I have a client with a small office network that has a few people working remotely from Windows 7 and 8 PCs. As an inexpensive solution the client opted to use a VPN router (ASUS RT-N66U) that supports PPTP so remote users could access the shared
  files and SQL DB server. 
  The VPN connectivity for one client was working fine and then stopped working altogether so when the VPN connection is established all Internet and VPN access is stopped. This was especially troubling for me since I work remotely and cannot test or debug after
  the VPN session has been connected. I checked the error logs and found nothing. Also there had been no new programs installed. And finally, I ran a full system antivirus scan with no issues found.
  In case you are facing a similar issue, before trying something remotely that may not work, use the shutdown with reboot command in a COMMAND window and set a timer for something like 3 minutes to reboot in case you get stuck. (e.g. shutdown -r -t 180). 
  Problem: The two symptoms of the VPN connection failure are:
  1) All Internet browsing stops working locally 
  2) No data can pass through the VPN tunnel
  I created a virtual machine on my local network and replicated the client's environment. I experimented with nearly every setting in the VPN dialogue until and came to the final solution. 
  Solution: For the VPN adapter on the remote machines I configured DNS settings and used the remote as the default gateway.
  * VPN adapter Networking IPV4 Properties for:
  - DNS server 1: Main Office VPN Router IP Address
  - DNS server 2: A public DNS server (Google is 8.8.8.8)
  - I also checked the box to "register this connection addresses in DNS"
  Note: Perhaps the local router would also have worked and DNS2 but I didn't test it.
  I have documented this because after reading and searching among many Technical articles and the Microsoft support website, I was unable to find the solution that I came up with so I hope to help someone else. 
  Question1: - Can anyone tell me why the connectivity only works when 'use default gateway on remote network' is checked?
  - I have disabled this option with some business class VPN routers and the connectivity still worked to the remote network but it does not work to the Asus router.
  Question2: From the information provided can I determine where the problem lies?
  Is it the:
  1) Remote client PC
  2) Remote client router
  3) Home office VPN router (Asus RT-N66U)
  If the true culprit cannot be determined yet, what steps do you recommend so I can isolate the true cause of the failure.
  I appreciate any help so that I can be sure my solution is valid and pass along the findings to ASUS if it is their issue.

  Thank you for the suggestion. I have successfully connected through the VPN router when the one client was unable to get VPN throughput working.
  I looked at the routing tables with and without the VPN connection established. The differences are that:
  1) when VPN is NOT active, there is a route from the local NIC IP to the Internet IP address of the local gateway
  destination 68.109.82.xx
  mask 255.255.255.0
  gateway 192.168.0.1
  interface 192.168.0.11
  metric 21
  2) when VPN IS active, the route to the Internet IP address of the local gateway is deleted and a persistent route to the VPN router local network has been added
  Persistent route:
  destination 192.168.21.0
  mask 255.255.255.0
  gateway 192.168.0.1
  interface 192.168.0.11
  metric 1

• How to configure Multiple PPTP VPN Clients on cisco 3g supported Router

  I want the router to be a PPTP VPN client to 2 independent PPTP servers, both are in different cities in Cisco routers. I have tested with one on cisco 1841 aqnd its working fine; but when I add the 2nd, its using vpdn-group 1 and therefore connecting to the wrong PPTP server:
  here is the config for the one that works:
  vpdn-group 1
  request-dialin
  protocol pptp
  rotary-group 0
  initiate-to ip xxx.xxx.xxx.xxx
  interface Dialer0
  mtu 1450
  ip address negotiated
  ip pim dense-mode
  ip nat outside
  ip virtual-reassembly
  zone-member security private
  encapsulation ppp
  ip igmp query-interval 125
  dialer in-band
  dialer idle-timeout 0
  dialer string 123
  dialer vpdn
  dialer-group 1
  no peer neighbor-route
  no cdp enable
  ppp pfc local request
  ppp pfc remote apply
  ppp encrypt mppe auto
  ppp authentication ms-chap-v2 ms-chap eap chap pap callin
  ppp eap refuse
  ppp chap hostname xxx@xxx
  ppp chap password 7 xxxpassword
  But if I create a vpdn-group 2 and a Dialer1 interface, with dialer-group 2, its still attempting to connect to the IP in vpdn-group 1 - how do I get it to use the 2nd vpdn-group, or how do I make this work? and which cisco 3G Router you prefer because these are remote sites and only 3G Internet service is available.

  I want the router to be a PPTP VPN client to 2 independent PPTP servers, both are in different cities in Cisco routers. I have tested with one on cisco 1841 aqnd its working fine; but when I add the 2nd, its using vpdn-group 1 and therefore connecting to the wrong PPTP server:
  here is the config for the one that works:
  vpdn-group 1
  request-dialin
  protocol pptp
  rotary-group 0
  initiate-to ip xxx.xxx.xxx.xxx
  interface Dialer0
  mtu 1450
  ip address negotiated
  ip pim dense-mode
  ip nat outside
  ip virtual-reassembly
  zone-member security private
  encapsulation ppp
  ip igmp query-interval 125
  dialer in-band
  dialer idle-timeout 0
  dialer string 123
  dialer vpdn
  dialer-group 1
  no peer neighbor-route
  no cdp enable
  ppp pfc local request
  ppp pfc remote apply
  ppp encrypt mppe auto
  ppp authentication ms-chap-v2 ms-chap eap chap pap callin
  ppp eap refuse
  ppp chap hostname xxx@xxx
  ppp chap password 7 xxxpassword
  But if I create a vpdn-group 2 and a Dialer1 interface, with dialer-group 2, its still attempting to connect to the IP in vpdn-group 1 - how do I get it to use the 2nd vpdn-group, or how do I make this work? and which cisco 3G Router you prefer because these are remote sites and only 3G Internet service is available.

• SA520 PPTP VPN issue

  Hi.
  We have just setup a SA520 at a customer location. It is running firmware version 1.1.65.
  It seems to be operating fine, except PPTP VPN.
  Looking at the log from the SA520 it forwards port 1723 and 500 to the correct PPTP server in the network. But it seems like this machine it not receiving the PPTP VPN request.
  On the server is also running a FTP service which works fine - so the server is alive.
  Is there something about we also need to use GRE (Protocol 47) when using PPTP? We have looked everywhere in the SA520, but can't find it.
  Any help appreciated, thanks!
  /Ulrik
  Attached: SA520-log, PPTP-server-log, Firewall-rules.

  Hi Federico.
  I also believe GRE must be used to establish the PPTP connection, but it is not listed as a service under firewall rules or anywhere else in the SA520.
  The reason to open port 500 was because we could see a request to the port, when we were trying to connect. It doesn't change anything if the port is open or not.
  I don't think it establish the PPTP tunnel at all. The receiving server is just listening for connections as the screenshot of the log shows. It doesn't indicate an established connection.
  I am pretty sure GRE is the problem, but they big question is how do enable it in the SA520.
  /Ulrik

• Snow Leopard PPTP VPN Client with Microsoft  Networks

  I have Snow Leopard machine working fine in local Microsoft network, in this environment it's easy setup wins server, in this case i can see and access all windows machines, but when I access my office network via PPTP VPN I can only see windows machines over finder, when i try to access any machine the connection fails, if i use a windows xp or vista it works fine. How i can tell to VPN the wins server address?

  I have Snow Leopard machine working fine in local Microsoft network, in this environment it's easy setup wins server, in this case i can see and access all windows machines, but when I access my office network via PPTP VPN I can only see windows machines over finder, when i try to access any machine the connection fails, if i use a windows xp or vista it works fine. How i can tell to VPN the wins server address?

• Help needed to connect to remote PPTP VPN via PIX 515e

  Hello,
  A user in our office needs to connect to a client's remote PPTP VPN but can't connect.  The user is running Windows 7.  We have a Cisco PIX 515e firewall that is running PIX Version 6.3(3) - this is what our user is having to go through to try and make the connection to the client's remote VPN.
  The client's network guys have come back and said the issue is at our side.  They say that they can see some of our traffic but not all of it. The standard error is shown below, and they say it's symptomatic of the client-side firewall not allowing PPTP traffic:
  "A connection between the VPN server and the VPN client XXX.XXX.XXX.XXX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets."
  I have very little firewall experience and absolutely no Cisco experience I'm afraid.  From looking at the PIX config I can see the following line:
  fixup protocol pptp 1723.
  Does this mean that the PPTP protcol is enabled on our firewall?  Is this for both incoming and outgoing traffic?
  I can see no reference to GRE 47 in the PIX config.  Can anyone advise me what I should look for to see if this has been enabled or not?
  I apologise again for my lack of knowledge.  Any help or advice would be very gratefully received.
  Ros

  Hi Eugene,
  Thank you for taking the time to reply to me.  Please see our full PIX config below.  I've XX'd out names and IP addresses as I'm never comfortable posting those type of details in a public forum.  I hope that the information below is still sufficient for you.
  Thanks again for your help,
  Ros
  PIX(config)# en
  Not enough arguments.
  Usage:  enable password [] [level ] [encrypted]
          no enable password level
          show enable
  PIX(config)# show config
  : Saved
  : Written by enable_15 at 10:30:31.976 GMT/BDT Mon Apr 4 2011
  PIX Version 6.3(3)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security10
  enable password XXX encrypted
  passwd XXX encrypted
  hostname PIX
  domain-name XXX.com
  clock timezone GMT/BST 0
  clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol pptp 1723
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  name XX.XX.XX.XX Secondary
  access-list outside_access_in permit tcp XX.XX.XX.XX 255.255.255.240 host XX.XX.XX.XX eq smtp
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq https
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 993
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 587
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 82
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 8082
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
  access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
  access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.0.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl deny udp any any eq 135
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_40 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_60 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list USER1 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_10 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_20 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_30 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_50 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list outside_cryptomap_70 permit ip any XX.XX.XX.XX 255.255.0.0
  access-list USER2 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list USER3 permit ip any XX.XX.XX.XX 255.255.255.0
  access-list USER4 permit ip any XX.XX.XX.XX 255.255.0.0
  pager lines 24
  logging on
  logging host inside XX.XX.XX.XX
  icmp permit any outside
  icmp permit any inside
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  ip address outside XX.XX.XX.XX 255.255.255.248
  ip address inside XX.XX.XX.XX 255.255.255.0
  no ip address DMZ
  ip audit info action alarm
  ip audit attack action alarm
  pdm location XX.XX.XX.XX 255.255.255.255 inside
  pdm location XX.XX.XX.XX 255.255.0.0 outside
  pdm location XX.XX.XX.XX 255.255.255.0 outside
  pdm logging debugging 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
  static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
  static (inside,outside) XX.XX.XX.XX. XX.XX.XX.XX netmask 255.255.255.255 0 0
  static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
  route inside XX.XX.XX.XX 255.255.0.0 XX.XX.XX.XX 1
  timeout xlate 3:00:00
  timeout conn 2:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  ntp authenticate
  ntp server XX.XX.XX.XX source outside prefer
  http server enable
  http XX.XX.XX.XX 255.255.0.0 outside
  http XX.XX.XX.XX 255.255.255.0 outside
  http XX.XX.XX.XX 255.255.255.255 inside
  snmp-server host inside XX.XX.XX.XX
  no snmp-server location
  no snmp-server contact
  snmp-server community XXX
  snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map cola 20 set transform-set ESP-3DES-MD5
  crypto dynamic-map dod 10 set transform-set ESP-3DES-MD5
  crypto map outside_map 10 ipsec-isakmp dynamic cola
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20
  crypto map outside_map 20 set peer XX.XX.XX.XX
  crypto map outside_map 20 set transform-set ESP-3DES-MD5
  crypto map outside_map 25 ipsec-isakmp
  crypto map outside_map 25 match address USER1
  crypto map outside_map 25 set peer XX.XX.XX.XX
  crypto map outside_map 25 set transform-set ESP-3DES-MD5
  crypto map outside_map 30 ipsec-isakmp
  crypto map outside_map 30 match address outside_cryptomap_30
  crypto map outside_map 30 set peer XX.XX.XX.XX
  crypto map outside_map 30 set transform-set ESP-3DES-MD5
  crypto map outside_map 40 ipsec-isakmp
  crypto map outside_map 40 match address outside_cryptomap_40
  crypto map outside_map 40 set peer XX.XX.XX.XX
  crypto map outside_map 40 set transform-set ESP-3DES-MD5
  crypto map outside_map 50 ipsec-isakmp
  crypto map outside_map 50 match address outside_cryptomap_50
  crypto map outside_map 50 set peer XX.XX.XX.XX
  crypto map outside_map 50 set transform-set ESP-3DES-MD5
  crypto map outside_map 60 ipsec-isakmp
  crypto map outside_map 60 match address outside_cryptomap_60
  crypto map outside_map 60 set peer XX.XX.XX.XX
  crypto map outside_map 60 set transform-set ESP-3DES-MD5
  crypto map outside_map 70 ipsec-isakmp
  crypto map outside_map 70 match address outside_cryptomap_70
  crypto map outside_map 70 set peer XX.XX.XX.XX
  crypto map outside_map 70 set transform-set ESP-3DES-MD5
  crypto map outside_map 75 ipsec-isakmp
  crypto map outside_map 75 match address USER4
  crypto map outside_map 75 set peer XX.XX.XX.XX
  crypto map outside_map 75 set transform-set ESP-3DES-MD5
  crypto map outside_map 80 ipsec-isakmp
  crypto map outside_map 80 match address USER2
  crypto map outside_map 80 set peer XX.XX.XX.XX
  crypto map outside_map 80 set transform-set ESP-3DES-MD5
  crypto map outside_map 90 ipsec-isakmp
  crypto map outside_map 90 match address USER3
  crypto map outside_map 90 set peer XX.XX.XX.XX
  crypto map outside_map 90 set transform-set ESP-3DES-MD5
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  telnet XX.XX.XX.XX 255.255.0.0 outside
  telnet XX.XX.XX.XX 255.255.255.255 inside
  telnet XX.XX.XX.XX 255.255.255.255 inside
  telnet XX.XX.XX.XX 255.255.255.255 inside
  telnet timeout 30
  ssh XX.XX.XX.XX 255.255.255.248 outside
  ssh XX.XX.XX.XX 255.255.255.248 outside
  ssh timeout 30
  management-access inside
  console timeout 0
  terminal width 80
  Cryptochecksum:XXX
  PIX(config)#

• PPTP VPN on Server 2008R2 dropping users but acting like it is still connected

  Hello,
  I'm having a weird problem and I'm at a loss.  We have a couple of cloud servers that form our remote office system.  Basically, their is 1 DC, 1 Remote Desktop server, and 2 member servers being used as workstations.  The users access these
  server and resources via a PPTP VPN setup on the DC using RRAS.  Everything has worked fairly well for the last year, but recently, my users have complained that they get disconnected at random times over the last couple of weeks.  I was able
  to observe the behavior yesterday and it goes something like this:
  -The user is working fine
  -The user tries to access a share, open a web page, tries to open a remote desktop session or notices that their Outlook client is disconnected and finds that nothing can be reached outside of the local machine.  I tried pinging the DC address,
  www.google.com, and the RDP server without success. From the server, I tried pinging the errant workstation without success. The server shows the connection to be active and the workstation does not disconnect the connection. On
  one occasion, the problem just rectified itself and everything started working again. On all other occasions, the VPN had to be disconnected and reconnected. Note that some workstations are not reporting this problem.
  -The user disconnects the VPN
  -The user reconnects the VPN and usually everything is okay again for awhile, but sometimes they are disconnected within minutes.
  This is new behavior, and no changes have been made by me and the Cloud support people tell me they haven't done anything.  At this point, I'm not even sure how to go about troubleshooting it. The next time it happened, I was going to pull an ARP table
  to see if anything looks amiss, but the only other avenue I have going is a call into the cloud services support to see if they can look for dropped or filtered information between our main office and our cloud server.
  The only part of this setup that is a little bit different for me is the IPv4 settings in the RRAS console under properties of the server. Normally in the IPv4 settings, I select DHCP and allow the users to pull from the existing DHCP server. However, the
  cloud support recommended against having a DHCP server, so instead of DHCP, I selected "use static IP address pool." I put 10.216.8.197 to 10.216.8.22 and the subnet mask is picking up from the server as 255.255.255.224 and the default gateway is
  picking up from the server as 10.216.8.193.
  Does anyone have any advice on how to troubleshoot this problem?  What to try next if the cloud services support doesn't find anything, etc?
  Thanks,
  Jeffery Smith

  Hi Jeffery,
  According to your description, the VPN clients can connect the server at the beginning, but when we reconnected after going wrong, they were disconnected within minutes. Maybe the next time it happened, we could follow steps below to troubleshoot this issue.
  Use ipconfig /all command in the VPN client when we set up VPN connection, to view which IP address the VPN client obtain.
  Pull an ARP table from the VPN client to view the IP Address-Physical Address mappings as you said will help to troubleshoot this issue. The assigned IP address maybe used by other computers.
  If the static IP address pool range from 10.216.8.197 to 10.216.8.22, due to the subnet is 255.255.255.224, there are 8 subnet in the 10.216.8.0/27 network. If the static IP address pool consists of ranges of IP addresses that are for a separate subnet,
  then we need to either enable an IP routing protocol on the remote access server computer or add static IP routes consisting of the {IP Address, Mask} of each range to the routers of the intranet. If the routes are not added, then remote access clients can’t
  receive traffic from resources on the intranet.
  Best Regards,
  Tina

• UM175 - Not able to connect to office network with VPN

  I am having trouble connecting to my office network using this wireless card, UM175, and connecting with a VPN. I have the VPN set up the same as many other computers connecting to our server. Currently when I start VZAccess, I can access the internet and everything works fine. When I start my VPN to connect to my office server, it takes multiple tries with error 691 being returned. After two or three tries it connects. I can ping my computer from the server. I can ping my router and my server from my notebook with the UM175. However, I cannot do anything with the server. I cannot access the internet, access files from the server, or access any software on the server. I contacted IT and our administrators and they tested the system and VPN and state that there is a problem with the modem UM175. Is there some setting that I must set to make this work correctly. This is an urgent matter and must be working, or I will have to purchase another type of modem.

  Where are you located?  I'm in the Bay Area, CA and I was using the UM175 with my PPTP VPN without any problems.  However, I recently upgraded to the new 4G on Wednesday and now the PPTP VPN won't authenticate...errors on verifying user name and password.  I did a packet trace and found GRE packets are being dropped.  This is a Verizon issue and it appears their 4G upgrades have directly caused this problem.
  There is another thread about this issue located here: http://community.vzw.com/t5/Broadband-Netbook-MiFi-Devices/LG-LTE-Modem-VPN-Not-Working/td-p/349846

• IVPN starts, but "the pptp-vpn server did not respond. Try reconnecting."

  Hi. I am new to VPN, and I just got the software iVPN from Macserve, and the server starts successfully, using either PPTP or L2TP:
  But the connections from my network do not connect. Every time I click on "connect" for either network connection, I get the error "the pptp-vpn server did not respond. Try reconnecting."
  I set up both connections in my Network Preferences according to the support page (http://macserve.org.uk/support/ivpn/):
  My Airport Express configurations have never given me any problems with my home network:
  And I think that I forwarded the ports properly (even though my firewall is not activated):
  What am I doing wrong?

  The Apple routers can be a problem on vpn passthrough.
  Ports that are required for vpn are more complicated ..
  See earlier post.. eg How do I set up L2TP VPN?
  Ports for PPTP which you have opened manually.. are not valid for L2TP.. so you need several more ports opened.
  The problematic ones are GRE and ESP which are protocols not ports.
  I think you can pretty well assume the apple router running anything that has BTMM in it won't work.. since it will need the port 500 for itself.
  On the old express try going back to 7.6.1 firmware.. I have to say I don't use the express.. lots of extreme and TC.. so their firmware issues are slightly different so firmware versions for the express are somewhat different.
  Try not to use both port forwards (mapping if you must).. and DMZ.. they can fight each other.. if DMZ doesn't work it is better to turn it right off and forward all the required ports.
  Let me recommend a test.
  Plug your cable modem directly into the computer running the VPN.. so you have no NAT router in front of it.
  Pay attention to the local firewall that apple runs and what ports you will need to open on it to get vpn to work.. this is your best chance to get remote vpn running. If you fail with the public IP on the computer it will certainly fail through NAT.. and generally local firewall will be an issue.
  You should of course test that a client in the local lan can connect by the vpn.. it is always worth testing from the easiest configuration to the most complex.
  So local lan just as you have now..
  Then direct cable connection to the computer.
  Then NAT router.. but you can pretty well assume apple routers are going to be problematic because apple want to dally at BTMM using same ports as IPSEC uses for L2TP.
  My email is live.. roll your mouse over it and talk to me direct..

• IPad and PPTP VPN - Internet access (e-mail & Safari) not working

  Hi there!
  I've got an iPad2 (WiFi only) and need to configure it to use Witopia PPTP VPN, which is the VPN provider I've been using for a long time on my desktop and netbook.
  Configure the iPad was an easy task, and I was able to successfuly authenticate and establish a PPTP session with any of the Witopia servers.
  The problem is that once established the PPTP session, if the "send all traffic" option is ON, I have no Internet access at all (no e-mail neither browsing with Safari). Then, if I stop VPN, turn OFF the "send all traffic" option in the iPad, and start VPN again, I have Internet communication back and everything starts working fine. I've been fiddling with this in my home network (D-Link Dir-655 router using the IP 192.168.0.1 addressing scheme for my LAN).
  Obviously, I decided to leave the "send all traffic" option OFF, but then I discovered that doing this my Safari traffic is not encrypted and my IP is not masked, i.e. the VPN is up and running, I have normal Internet traffic, but the service to be provided by the VPN for some inknown reason is not happening.
  Does anyone have a clue about what's going on ?
  TIA
  RTadeu

  Have you tried a battery pull?  If not, give that a try and then try again. 
  1. Please thank those who help you by clicking the "Like" button at the bottom of the post that helped you.
  2. If your issue has been solved, please resolve it by marking the post "Solution?" which solved it for you!

• Confused with this ASA - VPN config issue

  Hello. Can anyone help me here? I am new to the ASA config and commands. Everything works well, enough, on this ASA except the VPN. A client can connect but cannot access anything inside or outside. Here is the config. Can someone please take a look and tell me why VPN is not working? I don't want to set up split-tunneling, I would prefer everything to go through the firewall. Also, if you see something else wrong (or have a better implementation) then please let me know.
  ASA Version 8.4(2)
  hostname FIREWALL_NAME
  enable password Some_X's_here encrypted
  passwd Some_X's_here encrypted
  names
  interface Ethernet0/0
  speed 100
  duplex full
  no nameif
  no security-level
  no ip address
  interface Ethernet0/0.22
  description Public Internet space via VLAN 22
  vlan 22
  nameif Public_Internet
  security-level 0
  ip address 1.3.3.7 255.255.255.248
  interface Ethernet0/1
  speed 100
  duplex full
  no nameif
  no security-level
  no ip address
  interface Ethernet0/1.42
  description Private LAN space via VLAN 42
  shutdown
  vlan 42
  nameif Private_CDATA
  security-level 100
  ip address 10.30.136.1 255.255.255.0
  interface Ethernet0/1.69
  description Private LAN space via VLAN 69
  vlan 69
  nameif Private_ODATA
  security-level 100
  ip address 10.30.133.1 255.255.255.0
  interface Ethernet0/1.95
  description Private LAN space via VLAN 95
  shutdown
  vlan 95
  nameif Private_OVOICE
  security-level 100
  ip address 192.168.102.254 255.255.255.0
  interface Ethernet0/1.96
  description Private LAN space via VLAN 96
  shutdown
  vlan 96
  nameif Private_CVOICE
  security-level 100
  ip address 192.168.91.254 255.255.255.0
  interface Ethernet0/1.3610
  description Private LAN subnet via VLAN 3610
  shutdown
  vlan 3610
  nameif Private_CeDATA
  security-level 100
  ip address 10.10.100.18 255.255.255.240
  interface Ethernet0/1.3611
  description Private LAN space via VLAN 3611
  shutdown
  vlan 3611
  nameif Private_CeVOICE
  security-level 100
  ip address 10.10.100.66 255.255.255.252
  interface Ethernet0/2
  shutdown
  no nameif
  security-level 0
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.69.1 255.255.255.0
  management-only
  banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
  extent of the law.
  banner exec
  banner exec                                    ,
  banner exec                                  .';
  banner exec                              .-'` .'
  banner exec                            ,`.-'-.`\
  banner exec                           ; /     '-'
  banner exec                           | \       ,-,
  banner exec                           \  '-.__   )_`'._                      \|/
  banner exec                            '.     ```      ``'--._[]--------------*
  banner exec                           .-' ,                   `'-.           /|\
  banner exec                            '-'`-._           ((   o   )
  banner exec                                   `'--....(`- ,__..--'
  banner exec                                            '-'`
  banner exec
  banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
  banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
  extent of the law.
  banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
  extent of the law.
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network CD_3610-GW
  host 10.10.100.17
  description First hop to 3610
  object network CV_3611-GW
  host 10.10.100.65
  description First hop to 3611
  object network GW_22-EXT
  host 1.3.3.6
  description First hop to 22
  object service MS-RDC
  service tcp source range 1024 65535 destination eq 3389
  description Microsoft Remote Desktop Connection
  object network HDC-LAN
  subnet 192.168.200.0 255.255.255.0
  description DC LAN subnet
  object network HAM-LAN
  subnet 192.168.110.0 255.255.255.0
  description HAM LAN subnet
  object service MSN
  service tcp source range 1 65535 destination eq 1863
  description MSN Messenger
  object network BCCs
  host 2.1.8.1
  description BCCs server access
  object network ODLW-EXT
  host 7.1.1.5
  description OTTDl
  object network SWINDS-INT
  host 10.30.133.67
  description SWINDS server
  object network SWINDS(192.x.x.x)-INT
  host 192.168.100.67
  description SWINDS server
  object service YMSG
  service tcp source range 1 65535 destination eq 5050
  description Yahoo Messenger
  object service c.b.ca1
  service tcp source range 1 65535 destination eq citrix-ica
  description Connections to the bc portal.
  object service c.b.ca2
  service tcp source range 1 65535 destination eq 2598
  description Connections to the bc portal.
  object service HTTP-EXT(7001)
  service tcp source range 1 65535 destination eq 7001
  description HTTP Extended on port 7001.
  object service HTTP-EXT(8000-8001)
  service tcp source range 1 65535 destination range 8000 8001
  description HTTP Extended on ports 8000-8001.
  object service HTTP-EXT(8080-8081)
  service tcp source range 1 65535 destination range 8080 8081
  description HTTP Extended on ports 8080-8081.
  object service HTTP-EXT(8100)
  service tcp source range 1 65535 destination eq 8100
  description HTTP Extended on port 8100.
  object service HTTP-EXT(8200)
  service tcp source range 1 65535 destination eq 8200
  description HTTP Extended on port 8200.
  object service HTTP-EXT(8888)
  service tcp source range 1 65535 destination eq 8888
  description HTTP Extended on port 8888.
  object service HTTP-EXT(9080)
  service tcp source range 1 65535 destination eq 9080
  description HTTP Extended on port 9080.
  object service ntp
  service tcp source range 1 65535 destination eq 123
  description TCP NTP on port 123.
  object network Pl-EXT
  host 7.1.1.2
  description OPl box.
  object service Pl-Admin
  service tcp source range 1 65535 destination eq 8443
  description Pl Admin portal
  object network FW-EXT
  host 1.3.3.7
  description External/Public interface IP address of firewall.
  object network Rs-EXT
  host 7.1.1.8
  description Rs web portal External/Public IP.
  object network DWDM-EXT
  host 2.1.2.1
  description DWDM.
  object network HM_VPN-EXT
  host 6.2.9.7
  description HAM Man.
  object network SIM_MGMT
  host 2.1.1.1
  description SIM Man.
  object network TS_MGMT
  host 2.1.1.4
  description TS Man.
  object network TS_MGMT
  host 2.1.2.2
  description TS Man.
  object service VPN-TCP(1723)
  service tcp source range 1 65535 destination eq pptp
  description For PPTP control path.
  object service VPN-UDP(4500)
  service udp source range 1 65535 destination eq 4500
  description For L2TP(IKEv1) and IKEv2.
  object service VPN-TCP(443)
  service tcp source range 1 65535 destination eq https
  description For SSTP control and data path.
  object service VPN-UDP(500)
  service udp source range 1 65535 destination eq isakmp
  description For L2TP(IKEv1) and IKEv2.
  object network RCM
  host 6.1.8.2
  description RCM
  object network RCM_Y
  host 6.1.8.9
  description RCM Y
  object network r.r.r.c163
  host 2.1.2.63
  description RCV IP.
  object network r.r.r.c227
  host 2.1.2.27
  description RCV IP.
  object network v.t.c-EXT
  host 2.5.1.2
  description RTICR
  object service VPN-TCP(10000)
  service tcp source range 1 65535 destination eq 10000
  description For TCP VPN over port 1000.
  object service BGP-JY
  service tcp source range 1 65535 destination eq 21174
  description BPG
  object network KooL
  host 192.168.100.100
  description KooL
  object network FW_Test
  host 1.3.3.7
  description Testing other External IP
  object network AO_10-30-133-0-LAN
  range 10.30.133.0 10.30.133.229
  description OLS 10.30.133.0/24
  object network AC_10-30-136-0-LAN
  subnet 10.30.136.0 255.255.255.0
  description CLS 10.30.136.0/24
  object network NETWORK_OBJ_192.168.238.0_27
  subnet 192.168.238.0 255.255.255.224
  object-group network All_Private_Interfaces
  description All private interfaces
  network-object 10.30.133.0 255.255.255.0
  network-object 10.30.136.0 255.255.255.0
  network-object 10.10.100.16 255.255.255.240
  network-object 10.10.100.64 255.255.255.252
  network-object 192.168.102.0 255.255.255.0
  network-object 192.168.91.0 255.255.255.0
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service cb.ca
  description All ports required for cb.ca connections.
  service-object object c.b.ca1
  service-object object c.b.ca2
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq https
  service-object udp destination eq snmp
  object-group service FTP
  description All FTP ports (20 + 21)
  service-object tcp destination eq ftp
  service-object tcp destination eq ftp-data
  object-group service HTTP-EXT
  description HTTP Extended port ranges.
  service-object object HTTP-EXT(7001)
  service-object object HTTP-EXT(8000-8001)
  service-object object HTTP-EXT(8080-8081)
  service-object object HTTP-EXT(8100)
  service-object object HTTP-EXT(8200)
  service-object object HTTP-EXT(8888)
  service-object object HTTP-EXT(9080)
  object-group service ICMP_Any
  description ICMP: Any Type, Any Code
  service-object icmp alternate-address
  service-object icmp conversion-error
  service-object icmp echo
  service-object icmp echo-reply
  service-object icmp information-reply
  service-object icmp information-request
  service-object icmp mask-reply
  service-object icmp mask-request
  service-object icmp mobile-redirect
  service-object icmp parameter-problem
  service-object icmp redirect
  service-object icmp router-advertisement
  service-object icmp router-solicitation
  service-object icmp source-quench
  service-object icmp time-exceeded
  service-object icmp timestamp-reply
  service-object icmp timestamp-request
  service-object icmp traceroute
  service-object icmp unreachable
  service-object icmp6 echo
  service-object icmp6 echo-reply
  service-object icmp6 membership-query
  service-object icmp6 membership-reduction
  service-object icmp6 membership-report
  service-object icmp6 neighbor-advertisement
  service-object icmp6 neighbor-redirect
  service-object icmp6 neighbor-solicitation
  service-object icmp6 packet-too-big
  service-object icmp6 parameter-problem
  service-object icmp6 router-advertisement
  service-object icmp6 router-renumbering
  service-object icmp6 router-solicitation
  service-object icmp6 time-exceeded
  service-object icmp6 unreachable
  service-object icmp
  object-group service NTP
  description TCP and UPD NTP protocol
  service-object object ntp
  service-object udp destination eq ntp
  object-group service DM_INLINE_SERVICE_3
  group-object FTP
  group-object HTTP-EXT
  group-object ICMP_Any
  group-object NTP
  service-object tcp-udp destination eq domain
  service-object tcp-udp destination eq www
  service-object tcp destination eq https
  service-object tcp destination eq ssh
  service-object ip
  object-group service DM_INLINE_SERVICE_4
  group-object NTP
  service-object tcp destination eq daytime
  object-group network SWINDS
  description Both Internal IP addresses (192 + 10)
  network-object object SWINDS-INT
  network-object object SWINDS(192.x.x.x)-INT
  object-group service IM_Types
  description All messenger type applications
  service-object object MSN
  service-object object YMSG
  service-object tcp-udp destination eq talk
  service-object tcp destination eq aol
  service-object tcp destination eq irc
  object-group service SNMP
  description Both poll and trap ports.
  service-object udp destination eq snmp
  service-object udp destination eq snmptrap
  object-group service DM_INLINE_SERVICE_2
  group-object FTP
  service-object object MS-RDC
  service-object object Pl-Admin
  group-object SNMP
  object-group network DM_INLINE_NETWORK_1
  network-object object FW-EXT
  network-object object Rs-EXT
  object-group network AMV
  description connections for legacy AM
  network-object object DWDM-EXT
  network-object object HAM_MGMT
  network-object object SIM_MGMT
  network-object object TS_MGMT
  network-object object TS_MGMT
  object-group service IKEv2_L2TP
  description IKEv2 and L2TP VPN configurations
  service-object esp
  service-object object VPN-UDP(4500)
  service-object object VPN-UDP(500)
  object-group service PPTP
  description PPTP VPN configuration
  service-object gre
  service-object object VPN-TCP(1723)
  object-group service SSTP
  description SSTP VPN configuration
  service-object object VPN-TCP(443)
  object-group network RvIPs
  description Rv IP addresses
  network-object object RCM
  network-object object RCM_Y
  network-object object r.r.r.c163
  network-object object r.r.r.c227
  network-object object v.t.c-EXT
  object-group service Rvs
  description Rv configuration.
  service-object object VPN-TCP(10000)
  service-object object VPN-UDP(500)
  object-group service DM_INLINE_SERVICE_5
  service-object object BGP-JY
  service-object tcp destination eq bgp
  object-group network Local_Private_Subnets
  description OandCl DATA
  network-object 10.30.133.0 255.255.255.0
  network-object 10.30.136.0 255.255.255.0
  access-list Public/Internet_access_out remark Block all IM traffic out.
  access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
  access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
  access-list Public/Internet_access_out remark Allow access to BMC portal
  access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
  access-list Public/Internet_access_out remark Allow basic services out.
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
  access-list Public/Internet_access_out remark Allow WhoIS traffic out.
  access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
  access-list Public/Internet_access_out remark Allow Network Time protocols out.
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
  access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
  access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
  access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
  access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
  access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
  access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
  access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
  access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
  access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
  access-list Public/Internet_access_out remark Allow BPG traffic out.
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
  access-list Public/Internet_access_out remark Allow Kool server out.
  access-list Public/Internet_access_out extended permit ip object KooL any
  pager lines 24
  logging enable
  logging history informational
  logging asdm informational
  logging mail notifications
  logging from-address [email protected]
  logging recipient-address [email protected] level errors
  mtu Public_Internet 1500
  mtu Private_CDATA 1500
  mtu Private_ODATA 1500
  mtu Private_OVOICE 1500
  mtu Private_CVOICE 1500
  mtu Private_CeDATA 1500
  mtu Private_CeVOICE 1500
  mtu management 1500
  ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
  ip verify reverse-path interface Public_Internet
  ip verify reverse-path interface Private_CDATA
  ip verify reverse-path interface Private_ODATA
  ip verify reverse-path interface Private_OVOICE
  ip verify reverse-path interface Private_CVOICE
  ip verify reverse-path interface Private_CeDATA
  ip verify reverse-path interface Private_CeVOICE
  ip verify reverse-path interface management
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any Public_Internet
  no asdm history enable
  arp timeout 14400
  nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
  nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
  nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
  access-group Public/Internet_access_out out interface Public_Internet
  route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
  route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
  route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
  route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
  route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
  route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
  route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
  route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
  route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
  route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
  route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
  route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
  route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
  route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
  route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
  route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
  route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
  route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server AD protocol nt
  aaa-server AD (Private_ODATA) host 10.30.133.21
  timeout 5
  nt-auth-domain-controller Cool_Transformer_Name
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authentication serial console LOCAL
  http server enable
  http 192.168.69.0 255.255.255.0 management
  snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
  snmp-server location OT
  snmp-server contact [email protected]
  snmp-server community Some_*s_here
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change fru-insert fru-remove
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps remote-access session-threshold-exceeded
  snmp-server enable traps connection-limit-reached
  snmp-server enable traps cpu threshold rising
  snmp-server enable traps ikev2 start stop
  snmp-server enable traps nat packet-discard
  sysopt noproxyarp Public_Internet
  sysopt noproxyarp Private_CDATA
  sysopt noproxyarp Private_ODATA
  sysopt noproxyarp Private_OVOICE
  sysopt noproxyarp Private_CVOICE
  sysopt noproxyarp Private_CeDATA
  sysopt noproxyarp Private_CeVOICE
  sysopt noproxyarp management
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map Public_Internet_map interface Public_Internet
  crypto ikev1 enable Public_Internet
  crypto ikev1 policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  client-update enable
  telnet timeout 5
  ssh 10.30.133.0 255.255.255.0 Private_ODATA
  ssh 192.168.69.0 255.255.255.0 management
  ssh timeout 2
  ssh version 2
  console timeout 5
  dhcprelay server 10.30.133.13 Private_ODATA
  dhcprelay enable Private_CDATA
  dhcprelay timeout 60
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 10.30.133.13 prefer
  ntp server 132.246.11.227
  ntp server 10.30.133.21
  webvpn
  group-policy AO-VPN_Tunnel internal
  group-policy AO-VPN_Tunnel attributes
  dns-server value 10.30.133.21 10.30.133.13
  vpn-tunnel-protocol ikev1
  default-domain value ao.local
  username helpme password Some_X's_here encrypted privilege 1
  username helpme attributes
  service-type nas-prompt
  tunnel-group AO-VPN_Tunnel type remote-access
  tunnel-group AO-VPN_Tunnel general-attributes
  address-pool AO-VPN_Pool
  authentication-server-group AD
  default-group-policy AO-VPN_Tunnel
  tunnel-group AO-VPN_Tunnel ipsec-attributes
  ikev1 pre-shared-key Some_*s_here
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  class class-default
    user-statistics accounting
  service-policy global_policy global
  smtp-server 192.168.200.25
  prompt hostname context
  no call-home reporting anonymous
  Thanks,
  Jeff.                  

  I tried those commands but this started getting messy and so I looked at the current config and it was not the same as what I originally posted.  Looks like some changes were implemented but not saved so the config that I posted what slightly different.  Thank you for all your suggestions.  Here is the new config, confirmed as the current running and saved config.  Same situation as before though.  I can connect using the Cisco VPN client but can only ping myself and can't get out to the Internet or access anything internal.  If someone can take a look it would be greatly appreciated.  The main difference is the VPN pool has been set as a subset of the 10.30.133.0 network instead of using a separate subnet (VPN pool is 10.30.133.200 - 10.30.133.230).
  ASA Version 8.4(2)
  hostname FIREWALL_NAME
  enable password Some_X's_here encrypted
  passwd Some_X's_here encrypted
  names
  interface Ethernet0/0
  speed 100
  duplex full
  no nameif
  no security-level
  no ip address
  interface Ethernet0/0.22
  description Public Internet space via VLAN 22
  vlan 22
  nameif Public_Internet
  security-level 0
  ip address 1.3.3.7 255.255.255.248
  interface Ethernet0/1
  speed 100
  duplex full
  no nameif
  no security-level
  no ip address
  interface Ethernet0/1.42
  description Private LAN space via VLAN 42
  shutdown
  vlan 42
  nameif Private_CDATA
  security-level 100
  ip address 10.30.136.1 255.255.255.0
  interface Ethernet0/1.69
  description Private LAN space via VLAN 69
  vlan 69
  nameif Private_ODATA
  security-level 100
  ip address 10.30.133.1 255.255.255.0
  interface Ethernet0/1.95
  description Private LAN space via VLAN 95
  shutdown
  vlan 95
  nameif Private_OVOICE
  security-level 100
  ip address 192.168.102.254 255.255.255.0
  interface Ethernet0/1.96
  description Private LAN space via VLAN 96
  shutdown
  vlan 96
  nameif Private_CVOICE
  security-level 100
  ip address 192.168.91.254 255.255.255.0
  interface Ethernet0/1.3610
  description Private LAN subnet via VLAN 3610
  shutdown
  vlan 3610
  nameif Private_CeDATA
  security-level 100
  ip address 10.10.100.18 255.255.255.240
  interface Ethernet0/1.3611
  description Private LAN space via VLAN 3611
  shutdown
  vlan 3611
  nameif Private_CeVOICE
  security-level 100
  ip address 10.10.100.66 255.255.255.252
  interface Ethernet0/2
  shutdown
  no nameif
  security-level 0
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.69.1 255.255.255.0
  management-only
  banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
  banner exec
  banner exec                                    ,
  banner exec                                  .';
  banner exec                              .-'` .'
  banner exec                            ,`.-'-.`\
  banner exec                           ; /     '-'
  banner exec                           | \       ,-,
  banner exec                           \  '-.__   )_`'._                      \|/
  banner exec                            '.     ```      ``'--._[]--------------*
  banner exec                           .-' ,                   `'-.           /|\
  banner exec                            '-'`-._           ((   o   )
  banner exec                                   `'--....(`- ,__..--'
  banner exec                                            '-'`
  banner exec
  banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
  banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
  banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network CD_3610-GW
  host 10.10.100.17
  description First hop to 3610
  object network CV_3611-GW
  host 10.10.100.65
  description First hop to 3611
  object network GW_22-EXT
  host 1.3.3.6
  description First hop to 22
  object network Ts-LAN
  host 192.168.100.4
  description TS
  object service MS-RDC
  service tcp source range 1024 65535 destination eq 3389
  description Microsoft Remote Desktop Connection
  object network HDC-LAN
  subnet 192.168.200.0 255.255.255.0
  description DC LAN subnet
  object network HAM-LAN
  subnet 192.168.110.0 255.255.255.0
  description HAM LAN subnet
  object service MSN
  service tcp source range 1 65535 destination eq 1863
  description MSN Messenger
  object network BCCs
  host 2.1.8.1
  description BCCs server access
  object network ODLW-EXT
  host 7.1.1.5
  description OTTDl
  object network SWINDS-INT
  host 10.30.133.67
  description SWINDS server
  object network SWINDS(192.x.x.x)-INT
  host 192.168.100.67
  description SWINDS server
  object service YMSG
  service tcp source range 1 65535 destination eq 5050
  description Yahoo Messenger
  object service c.b.ca1
  service tcp source range 1 65535 destination eq citrix-ica
  description Connections to the bc portal.
  object service c.b.ca2
  service tcp source range 1 65535 destination eq 2598
  description Connections to the bc portal.
  object service HTTP-EXT(7001)
  service tcp source range 1 65535 destination eq 7001
  description HTTP Extended on port 7001.
  object service HTTP-EXT(8000-8001)
  service tcp source range 1 65535 destination range 8000 8001
  description HTTP Extended on ports 8000-8001.
  object service HTTP-EXT(8080-8081)
  service tcp source range 1 65535 destination range 8080 8081
  description HTTP Extended on ports 8080-8081.
  object service HTTP-EXT(8100)
  service tcp source range 1 65535 destination eq 8100
  description HTTP Extended on port 8100.
  object service HTTP-EXT(8200)
  service tcp source range 1 65535 destination eq 8200
  description HTTP Extended on port 8200.
  object service HTTP-EXT(8888)
  service tcp source range 1 65535 destination eq 8888
  description HTTP Extended on port 8888.
  object service HTTP-EXT(9080)
  service tcp source range 1 65535 destination eq 9080
  description HTTP Extended on port 9080.
  object service ntp
  service tcp source range 1 65535 destination eq 123
  description TCP NTP on port 123.
  object network Pl-EXT
  host 7.1.1.2
  description OPl box.
  object service Pl-Admin
  service tcp source range 1 65535 destination eq 8443
  description Pl Admin portal
  object network FW-EXT
  host 1.3.3.7
  description External/Public interface IP address of firewall.
  object network Rs-EXT
  host 7.1.1.8
  description Rs web portal External/Public IP.
  object network DWDM-EXT
  host 2.1.2.1
  description DWDM.
  object network HM_VPN-EXT
  host 6.2.9.7
  description HAM Man.
  object network SIM_MGMT
  host 2.1.1.1
  description SIM Man.
  object network TS_MGMT
  host 2.1.1.4
  description TS Man.
  object network TS_MGMT
  host 2.1.2.2
  description TS Man.
  object service VPN-TCP(1723)
  service tcp source range 1 65535 destination eq pptp
  description For PPTP control path.
  object service VPN-UDP(4500)
  service udp source range 1 65535 destination eq 4500
  description For L2TP(IKEv1) and IKEv2.
  object service VPN-TCP(443)
  service tcp source range 1 65535 destination eq https
  description For SSTP control and data path.
  object service VPN-UDP(500)
  service udp source range 1 65535 destination eq isakmp
  description For L2TP(IKEv1) and IKEv2.
  object network RCM
  host 6.1.8.2
  description RCM
  object network RCM_Y
  host 6.1.8.9
  description RCM Y
  object network r.r.r.c163
  host 2.1.2.63
  description RCV IP.
  object network r.r.r.c227
  host 2.1.2.27
  description RCV IP.
  object network v.t.c-EXT
  host 2.5.1.2
  description RTICR
  object service VPN-TCP(10000)
  service tcp source range 1 65535 destination eq 10000
  description For TCP VPN over port 1000.
  object service BGP-JY
  service tcp source range 1 65535 destination eq 21174
  description BPG
  object network KooL
  host 192.168.100.100
  description KooL
  object network FW_Test
  host 1.3.3.7
  description Testing other External IP
  object network AO_10-30-133-0-LAN
  subnet 10.30.133.0 255.255.255.0
  description OLS 10.30.133.0/24
  object network AC_10-30-136-0-LAN
  subnet 10.30.136.0 255.255.255.0
  description CLS 10.30.136.0/24
  object-group network All_Private_Interfaces
  description All private interfaces
  network-object 10.30.133.0 255.255.255.0
  network-object 10.30.136.0 255.255.255.0
  network-object 10.10.100.16 255.255.255.240
  network-object 10.10.100.64 255.255.255.252
  network-object 192.168.102.0 255.255.255.0
  network-object 192.168.91.0 255.255.255.0
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service cb.ca
  description All ports required for cb.ca connections.
  service-object object c.b.ca1
  service-object object c.b.ca2
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq https
  service-object udp destination eq snmp
  object-group service FTP
  description All FTP ports (20 + 21)
  service-object tcp destination eq ftp
  service-object tcp destination eq ftp-data
  object-group service HTTP-EXT
  description HTTP Extended port ranges.
  service-object object HTTP-EXT(7001)
  service-object object HTTP-EXT(8000-8001)
  service-object object HTTP-EXT(8080-8081)
  service-object object HTTP-EXT(8100)
  service-object object HTTP-EXT(8200)
  service-object object HTTP-EXT(8888)
  service-object object HTTP-EXT(9080)
  object-group service ICMP_Any
  description ICMP: Any Type, Any Code
  service-object icmp alternate-address
  service-object icmp conversion-error
  service-object icmp echo
  service-object icmp echo-reply
  service-object icmp information-reply
  service-object icmp information-request
  service-object icmp mask-reply
  service-object icmp mask-request
  service-object icmp mobile-redirect
  service-object icmp parameter-problem
  service-object icmp redirect
  service-object icmp router-advertisement
  service-object icmp router-solicitation
  service-object icmp source-quench
  service-object icmp time-exceeded
  service-object icmp timestamp-reply
  service-object icmp timestamp-request
  service-object icmp traceroute
  service-object icmp unreachable
  service-object icmp6 echo
  service-object icmp6 echo-reply
  service-object icmp6 membership-query
  service-object icmp6 membership-reduction
  service-object icmp6 membership-report
  service-object icmp6 neighbor-advertisement
  service-object icmp6 neighbor-redirect
  service-object icmp6 neighbor-solicitation
  service-object icmp6 packet-too-big
  service-object icmp6 parameter-problem
  service-object icmp6 router-advertisement
  service-object icmp6 router-renumbering
  service-object icmp6 router-solicitation
  service-object icmp6 time-exceeded
  service-object icmp6 unreachable
  service-object icmp
  object-group service NTP
  description TCP and UPD NTP protocol
  service-object object ntp
  service-object udp destination eq ntp
  object-group service DM_INLINE_SERVICE_3
  group-object FTP
  group-object HTTP-EXT
  group-object ICMP_Any
  group-object NTP
  service-object tcp-udp destination eq domain
  service-object tcp-udp destination eq www
  service-object tcp destination eq https
  service-object tcp destination eq ssh
  service-object ip
  object-group service DM_INLINE_SERVICE_4
  group-object NTP
  service-object tcp destination eq daytime
  object-group network SWINDS
  description Both Internal IP addresses (192 + 10)
  network-object object SWINDS-INT
  network-object object SWINDS(192.x.x.x)-INT
  object-group service IM_Types
  description All messenger type applications
  service-object object MSN
  service-object object YMSG
  service-object tcp-udp destination eq talk
  service-object tcp destination eq aol
  service-object tcp destination eq irc
  object-group service SNMP
  description Both poll and trap ports.
  service-object udp destination eq snmp
  service-object udp destination eq snmptrap
  object-group service DM_INLINE_SERVICE_2
  group-object FTP
  service-object object MS-RDC
  service-object object Pl-Admin
  group-object SNMP
  object-group network DM_INLINE_NETWORK_1
  network-object object FW-EXT
  network-object object Rs-EXT
  object-group network AMV
  description connections for legacy AM
  network-object object DWDM-EXT
  network-object object HAM_MGMT
  network-object object SIM_MGMT
  network-object object TS_MGMT
  network-object object TS_MGMT
  object-group service IKEv2_L2TP
  description IKEv2 and L2TP VPN configurations
  service-object esp
  service-object object VPN-UDP(4500)
  service-object object VPN-UDP(500)
  object-group service PPTP
  description PPTP VPN configuration
  service-object gre
  service-object object VPN-TCP(1723)
  object-group service SSTP
  description SSTP VPN configuration
  service-object object VPN-TCP(443)
  object-group network RvIPs
  description Rv IP addresses
  network-object object RCM
  network-object object RCM_Y
  network-object object r.r.r.c163
  network-object object r.r.r.c227
  network-object object v.t.c-EXT
  object-group service Rvs
  description Rv configuration.
  service-object object VPN-TCP(10000)
  service-object object VPN-UDP(500)
  object-group service DM_INLINE_SERVICE_5
  service-object object BGP-JY
  service-object tcp destination eq bgp
  object-group network Local_Private_Subnets
  description OandCl DATA
  network-object 10.30.133.0 255.255.255.0
  network-object 10.30.136.0 255.255.255.0
  object-group service IPSec
  description IPSec traffic
  service-object object VPN-UDP(4500)
  service-object object VPN-UDP(500)
  access-list Public/Internet_access_out remark Block all IM traffic out.
  access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
  access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
  access-list Public/Internet_access_out remark Allow access to BMC portal
  access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
  access-list Public/Internet_access_out remark Allow basic services out.
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
  access-list Public/Internet_access_out remark Allow WhoIS traffic out.
  access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
  access-list Public/Internet_access_out remark Allow Network Time protocols out.
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
  access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
  access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
  access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
  access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
  access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
  access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
  access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
  access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
  access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
  access-list Public/Internet_access_out remark Allow BPG traffic out.
  access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
  access-list Public/Internet_access_out remark Allow Kool server out.
  access-list Public/Internet_access_out extended permit ip object KooL any
  pager lines 24
  logging enable
  logging history informational
  logging asdm informational
  logging mail notifications
  logging from-address [email protected]
  logging recipient-address [email protected] level errors
  mtu Public_Internet 1500
  mtu Private_CDATA 1500
  mtu Private_ODATA 1500
  mtu Private_OVOICE 1500
  mtu Private_CVOICE 1500
  mtu Private_CeDATA 1500
  mtu Private_CeVOICE 1500
  mtu management 1500
  ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
  ip verify reverse-path interface Public_Internet
  ip verify reverse-path interface Private_CDATA
  ip verify reverse-path interface Private_ODATA
  ip verify reverse-path interface Private_OVOICE
  ip verify reverse-path interface Private_CVOICE
  ip verify reverse-path interface Private_CeDATA
  ip verify reverse-path interface Private_CeVOICE
  ip verify reverse-path interface management
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any Public_Internet
  no asdm history enable
  arp timeout 14400
  nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
  nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
  nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
  access-group Public/Internet_access_out out interface Public_Internet
  route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
  route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
  route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
  route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
  route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
  route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
  route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.11.29 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
  route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
  route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
  route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
  route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
  route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
  route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
  route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
  route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
  route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
  route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
  route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
  route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
  route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server AD protocol nt
  aaa-server AD (Private_ODATA) host 10.30.133.21
  timeout 5
  nt-auth-domain-controller Cool_Transformer_Name
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authentication serial console LOCAL
  http server enable
  http 192.168.69.0 255.255.255.0 management
  snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
  snmp-server location OT
  snmp-server contact [email protected]
  snmp-server community Some_*s_here
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change fru-insert fru-remove
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps remote-access session-threshold-exceeded
  snmp-server enable traps connection-limit-reached
  snmp-server enable traps cpu threshold rising
  snmp-server enable traps ikev2 start stop
  snmp-server enable traps nat packet-discard
  sysopt noproxyarp Public_Internet
  sysopt noproxyarp Private_CDATA
  sysopt noproxyarp Private_ODATA
  sysopt noproxyarp Private_OVOICE
  sysopt noproxyarp Private_CVOICE
  sysopt noproxyarp Private_CeDATA
  sysopt noproxyarp Private_CeVOICE
  sysopt noproxyarp management
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map Public_Internet_map interface Public_Internet
  crypto ikev1 enable Public_Internet
  crypto ikev1 policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  client-update enable
  telnet timeout 5
  ssh 10.30.133.0 255.255.255.0 Private_ODATA
  ssh 192.168.69.0 255.255.255.0 management
  ssh timeout 2
  ssh version 2
  console timeout 5
  dhcprelay server 10.30.133.13 Private_ODATA
  dhcprelay enable Private_CDATA
  dhcprelay timeout 60
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 10.30.133.13 prefer
  ntp server 132.246.11.227
  ntp server 10.30.133.21
  webvpn
  group-policy AO-VPN_Tunnel internal
  group-policy AO-VPN_Tunnel attributes
  dns-server value 10.30.133.21 10.30.133.13
  vpn-tunnel-protocol ikev1
  default-domain value ao.local
  username helpme password Some_X's_here encrypted privilege 1
  username helpme attributes
  service-type nas-prompt
  tunnel-group AO-VPN_Tunnel type remote-access
  tunnel-group AO-VPN_Tunnel general-attributes
  address-pool AO-VPN_Pool
  authentication-server-group AD
  default-group-policy AO-VPN_Tunnel
  tunnel-group AO-VPN_Tunnel ipsec-attributes
  ikev1 pre-shared-key Some_*s_here
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  class class-default
  user-statistics accounting
  service-policy global_policy global
  smtp-server 192.168.200.25
  prompt hostname context
  no call-home reporting anonymous
  Thanks in advance,
  Jeff.

• [Solved] NetworkManager-pptp VPN not working after update to 0.9.10

  Hello,
  I have a PPTP VPN set up and it's been working for a long time.  However, after I updated last night to networkmanager-0.9.10, it is no longer able to connect to the remote network.  I can activate the VPN connection, enter my password, but after a short period of time, the connection reports:  "Error: Connection activation failed: the VPN service returned invalid configuration."  As I mentioned before, this VPN was working right before the update and I didn't change the configuration on either my computer or the destination network so I'm pretty sure that this is something to do with the update.  I'm wondering if anybody else has run into this problem and if they've been able to find a solution.  I've been searching all over these forums and the internet for some hours now and I haven't found anything yet.  I'm hoping that somebody might be able to point me in the right direction or maybe know of something that might have changed with the new update.
  Here is my VPN configuration (using NetworkManager-PPTP.  I've also obscured the public IP address):
  [connection]
  id=MyVPN
  uuid=fe6e6265-1a79-4a69-b6d1-8b47e9d4c948
  type=vpn
  permissions=user:greyseal96:;
  autoconnect=false
  timestamp=1408950986
  [vpn]
  service-type=org.freedesktop.NetworkManager.pptp
  gateway=192.168.146.114
  require-mppe=yes
  user=greyseal96
  password-flags=3
  [ipv6]
  method=auto
  [ipv4]
  method=auto
  route1=10.17.0.0/16,10.17.1.1,1
  never-default=true
  Here are my logs during the time that I tried to connect:
  Aug 24 23:44:15 MyArchBox NetworkManager[578]: <info> Starting VPN service 'pptp'...
  Aug 24 23:44:15 MyArchBox NetworkManager[578]: <info> VPN service 'pptp' started (org.freedesktop.NetworkManager.pptp), PID 1938
  Aug 24 23:44:15 MyArchBox NetworkManager[578]: <info> VPN service 'pptp' appeared; activating connections
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> VPN connection 'MyVPN' (ConnectInteractive) reply received.
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> VPN plugin state changed: starting (3)
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: ** Message: pppd started with pid 1945
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> VPN connection 'MyVPN' (Connect) reply received.
  Aug 24 23:44:21 MyArchBox pppd[1945]: Plugin /usr/lib/pppd/2.4.6/nm-pptp-pppd-plugin.so loaded.
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: Plugin /usr/lib/pppd/2.4.6/nm-pptp-pppd-plugin.so loaded.
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (plugin_init): initializing
  Aug 24 23:44:21 MyArchBox pppd[1945]: pppd 2.4.6 started by root, uid 0
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
  Aug 24 23:44:21 MyArchBox pppd[1945]: Using interface ppp0
  Aug 24 23:44:21 MyArchBox pppd[1945]: Connect: ppp0 <--> /dev/pts/2
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: Using interface ppp0
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: Connect: ppp0 <--> /dev/pts/2
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> (ppp0): new Generic device (driver: 'unknown' ifindex: 10)
  Aug 24 23:44:21 MyArchBox NetworkManager[578]: <info> (ppp0): exported as /org/freedesktop/NetworkManager/Devices/9
  Aug 24 23:44:21 MyArchBox pptp[1947]: nm-pptp-service-1938 log[main:pptp.c:333]: The synchronous pptp option is NOT activated
  Aug 24 23:44:21 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 1 'Start-Control-Connection-Request'
  Aug 24 23:44:21 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_disp:pptp_ctrl.c:758]: Received Start Control Connection Reply
  Aug 24 23:44:21 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_disp:pptp_ctrl.c:792]: Client connection established.
  Aug 24 23:44:22 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 7 'Outgoing-Call-Request'
  Aug 24 23:44:22 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_disp:pptp_ctrl.c:877]: Received Outgoing Call Reply.
  Aug 24 23:44:22 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_disp:pptp_ctrl.c:916]: Outgoing call established (call ID 0, peer's call ID 50048).
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 6 / phase 'authenticate'
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (get_credentials): passwd-hook, requesting credentials...
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (get_credentials): got credentials from NetworkManager-pptp
  Aug 24 23:44:25 MyArchBox pppd[1945]: CHAP authentication succeeded
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: CHAP authentication succeeded
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 8 / phase 'network'
  Aug 24 23:44:25 MyArchBox pppd[1945]: MPPE 128-bit stateless compression enabled
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: MPPE 128-bit stateless compression enabled
  Aug 24 23:44:25 MyArchBox pppd[1945]: Cannot determine ethernet address for proxy ARP
  Aug 24 23:44:25 MyArchBox pppd[1945]: local  IP address 10.17.10.3
  Aug 24 23:44:25 MyArchBox pppd[1945]: remote IP address 10.17.10.1
  Aug 24 23:44:25 MyArchBox pppd[1945]: primary   DNS address 10.17.2.22
  Aug 24 23:44:25 MyArchBox pppd[1945]: secondary DNS address 10.17.2.23
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> VPN connection 'MyVPN' (IP4 Config Get) reply received from old-style plugin.
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> VPN Gateway: 192.168.146.114
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> Tunnel Device: ppp0
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> IPv4 configuration:
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info>   Internal Address: 10.17.10.3
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info>   Internal Prefix: 32
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info>   Internal Point-to-Point Address: 10.17.10.1
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info>   Maximum Segment Size (MSS): 0
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info>   Static Route: 10.17.0.0/16   Next Hop: 10.17.1.1
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info>   Forbid Default Route: yes
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info>   Internal DNS: 10.17.2.22
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info>   Internal DNS: 10.17.2.23
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info>   DNS Domain: '(none)'
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <info> No IPv6 configuration
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <error> [1408949065.481618] [platform/nm-linux-platform.c:1716] add_object(): Netlink error adding 10.17.0.0/16 via 10.17.1.1 dev ppp0 metric 1 mss 0 src user: Unspecific failure
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <warn> VPN connection 'MyVPN' did not receive valid IP config information.
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: Cannot determine ethernet address for proxy ARP
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: local  IP address 10.17.10.3
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: remote IP address 10.17.10.1
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: primary   DNS address 10.17.2.22
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: secondary DNS address 10.17.2.23
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 9 / phase 'running'
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_ip_up): ip-up event
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_ip_up): sending Ip4Config to NetworkManager-pptp...
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: PPTP service (IP Config Get) reply received.
  Aug 24 23:44:25 MyArchBox pppd[1945]: Terminating on signal 15
  Aug 24 23:44:25 MyArchBox pppd[1945]: Modem hangup
  Aug 24 23:44:25 MyArchBox pptp[1954]: nm-pptp-service-1938 log[callmgr_main:pptp_callmgr.c:245]: Closing connection (unhandled)
  Aug 24 23:44:25 MyArchBox pptp[1954]: nm-pptp-service-1938 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 12 'Call-Clear-Request'
  Aug 24 23:44:25 MyArchBox pptp[1954]: nm-pptp-service-1938 log[call_callback:pptp_callmgr.c:84]: Closing connection (call state)
  Aug 24 23:44:25 MyArchBox pppd[1945]: Connect time 0.0 minutes.
  Aug 24 23:44:25 MyArchBox pppd[1945]: Sent 0 bytes, received 0 bytes.
  Aug 24 23:44:25 MyArchBox pppd[1945]: MPPE disabled
  Aug 24 23:44:25 MyArchBox pppd[1945]: Connection terminated.
  Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
  Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
  Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
  Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
  Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: inet 10.17.0.0/16 table main
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: priority 0x1 protocol static
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: nexthop via 10.17.1.1 dev 10
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <error> [1408949065.487073] [platform/nm-linux-platform.c:2252] link_change(): Netlink error changing link 10:  <DOWN> mtu 0 (1) driver 'unknown' udi '/sys/devices/virtual/net/ppp0': No such device
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: <error> [1408949065.487153] [platform/nm-linux-platform.c:1777] delete_object(): Netlink error deleting 10.17.10.3/32 lft forever pref forever lifetime 1862-0[4294967295,4294967295] dev ppp0 src kernel: No such device (-31)
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: Terminated ppp daemon with PID 1945.
  Aug 24 23:44:25 MyArchBox kernel: Loading kernel module for a network device with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev- instead.
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: Terminating on signal 15
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: Modem hangup
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 8 / phase 'network'
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: Connect time 0.0 minutes.
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: Sent 0 bytes, received 0 bytes.
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: MPPE disabled
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 10 / phase 'terminate'
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: Connection terminated.
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead'
  Aug 24 23:44:25 MyArchBox dbus[579]: [system] Rejected send message, 10 matched rules; type="error", sender=":1.51" (uid=0 pid=1938 comm="/usr/lib/networkmanager/nm-pptp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.52" (uid=0 pid=1945 comm="/sbin/pppd pty /sbin/pptp 192.168.146.114 --nolaunc")
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** Message: nm-pptp-ppp-plugin: (nm_exit_notify): cleaning up
  Aug 24 23:44:25 MyArchBox pppd[1945]: Exit.
  Aug 24 23:44:25 MyArchBox NetworkManager[578]: ** (nm-pptp-service:1938): WARNING **: pppd exited with error code 16
  Aug 24 23:44:45 MyArchBox NetworkManager[578]: <info> VPN service 'pptp' disappeared
  If you've gotten this far, thank you for taking the time to read through all this!  Any help that you can give would be much appreciated.
  Last edited by greyseal96 (2014-08-27 15:20:02)

  Hmm, not sure about the 3.16 series kernel, but I found that when I upgraded to kernel 3.18 the PPTP VPN also stopped working.  This time, though, it was because, for some reason, there was a change in kernel 3.18 where the firewall kernel modules necessary for the VPN don't get loaded so the firewall won't allow some of the PPTP traffic from the remote side back in.  Since the firewall is stateful, these modules need to be loaded so that the firewall can know that the incoming PPTP traffic from the remote side is part of an existing connection.  Here's what my network manager logs looked like:
  NetworkManager[619]: <info> Starting VPN service 'pptp'...
  NetworkManager[619]: <info> VPN service 'pptp' started (org.freedesktop.NetworkManager.pptp), PID 31139
  NetworkManager[619]: <info> VPN service 'pptp' appeared; activating connections
  NetworkManager[619]: <info> VPN connection 'MyVPN' (ConnectInteractive) reply received.
  NetworkManager[619]: <info> VPN plugin state changed: starting (3)
  NetworkManager[619]: ** Message: pppd started with pid 31148
  NetworkManager[619]: <info> VPN connection 'MyVPN' (Connect) reply received.
  pppd[31148]: Plugin /usr/lib/pppd/2.4.7/nm-pptp-pppd-plugin.so loaded.
  NetworkManager[619]: Plugin /usr/lib/pppd/2.4.7/nm-pptp-pppd-plugin.so loaded.
  NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (plugin_init): initializing
  pppd[31148]: pppd 2.4.7 started by root, uid 0
  NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
  pppd[31148]: Using interface ppp0
  pppd[31148]: Connect: ppp0 <--> /dev/pts/5
  NetworkManager[619]: Using interface ppp0
  NetworkManager[619]: Connect: ppp0 <--> /dev/pts/5
  NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
  NetworkManager[619]: <info> (ppp0): new Generic device (driver: 'unknown' ifindex: 7)
  NetworkManager[619]: <info> (ppp0): exported as /org/freedesktop/NetworkManager/Devices/6
  pptp[31150]: nm-pptp-service-31139 log[main:pptp.c:333]: The synchronous pptp option is NOT activated
  pptp[31157]: nm-pptp-service-31139 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 1 'Start-Control-Connection-Request'
  pptp[31157]: nm-pptp-service-31139 log[ctrlp_disp:pptp_ctrl.c:758]: Received Start Control Connection Reply
  pptp[31157]: nm-pptp-service-31139 log[ctrlp_disp:pptp_ctrl.c:792]: Client connection established.
  pptp[31157]: nm-pptp-service-31139 log[ctrlp_rep:pptp_ctrl.c:258]: Sent control packet type is 7 'Outgoing-Call-Request'
  pptp[31157]: nm-pptp-service-31139 log[ctrlp_disp:pptp_ctrl.c:877]: Received Outgoing Call Reply.
  pptp[31157]: nm-pptp-service-31139 log[ctrlp_disp:pptp_ctrl.c:916]: Outgoing call established (call ID 0, peer's call ID 25344).
  pppd[31148]: LCP: timeout sending Config-Requests <===HERE IS WHERE THE CONNECTION FAILS BECAUSE THE MODULES AREN'T LOADED.
  pppd[31148]: Connection terminated.
  NetworkManager[619]: LCP: timeout sending Config-Requests
  NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
  NetworkManager[619]: Connection terminated.
  NetworkManager[619]: <warn> VPN plugin failed: connect-failed (1)
  NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead'
  pppd[31148]: Modem hangup
  pppd[31148]: Exit.
  NetworkManager[619]: <warn> VPN plugin failed: connect-failed (1)
  NetworkManager[619]: Modem hangup
  NetworkManager[619]: ** Message: nm-pptp-ppp-plugin: (nm_exit_notify): cleaning up
  NetworkManager[619]: <warn> VPN plugin failed: connect-failed (1)
  NetworkManager[619]: <info> VPN plugin state changed: stopped (6)
  NetworkManager[619]: <info> VPN plugin state change reason: unknown (0)
  NetworkManager[619]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
  NetworkManager[619]: ** (nm-pptp-service:31139): WARNING **: pppd exited with error code 16
  NetworkManager[619]: <info> VPN service 'pptp' disappeared
  To fix this, I had to add a file to the /etc/modules-load.d directory to have the modules loaded into the kernel at boot.  I just created a file called netfilter.conf and put the following in it:
  nf_nat_pptp
  nf_conntrack_pptp
  nf_conntrack_proto_gre
  Not sure if this addresses your problem or not, but maybe it's worth a look.