Notification about password expiry on VPN Client

Hello everyone.
Our VPN users are connected to VPN with VPN Client. We're using VPN3000 to terminate VPN and ACS 5.1 to authenticate users from its internal identity store. VPN3000 gets info from ACS via RADIUS.
Now I want users to be notified about password expiration at their VPN client and be able to change their password.
I've configured:
- "RADIUS with expiry" at VPN3000
- "Disable user account after X days if password was not changed" and "Display reminder after Y days" at ACS
Now the user is blocked when his password expires after X days and he can't connect. But the reminder is not displayed after Y days, so users have no chance to change their own password.
If I check "Change password on next login" user can change his password in VPN Client.
Should this feature (password expiry notification) work with ACS5.1 internal identity store and RADIUS?
I found in ACS5.1 release notes the following:
- Internal identity store enhancements include support for Password expiry
but:
- Expiry of any user (admin or internal) after certain number of days is not supported.
I'm confused with these two phrases.
And one more question. Which RADIUS attributes indicate password expiration and the password notification, so that I can check them with radlogin?
Thanks in advance for any help.
  Pavel

For what it's worth, I've followed that procedure to successfully reset the administrator password on a VPN 3000 concentrator without any loss of the active configuration.

Similar Messages

  • Email notification on password Expiry ion AD

    Hey All
     I wrote a script (probably dirty scripting since I'm new to PowerShell :(  ) to email users when their password is about to expire.
    Get-ADUser -filter * -properties PasswordLastSet,EmailAddress,GivenName -SearchBase "OU=Users,DC=domain,DC=test" | foreach {
        $PasswordSetDate = $_.PasswordLastSet
        $maxPasswordAgeTimeSpan = $null
        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        $today = Get-Date
        $ExpiryDate = $PasswordSetDate + $maxPasswordAgeTimeSpan
        $daysleft = $ExpiryDate - $today
        $display = $daysleft.Days
        $UserName = $_.GivenName
        # mail body as a here-string; the closing "@ must be at the start of its own line
        $MyVariable = @"
    Dear $UserName
    Your password will expire in $display days. If you are not going to change it you will not be able to connect to Irdeto corporate network.
    If you are in Irdeto West HQ building follow the steps below to change your password:
    - Press CTRL+ALT+DEL
    - On the screen that came choose "Change password"
    - Type in your old password and then type the new one (be advised you cannot use one of the previously used passwords)
    - After the change is complete you will be prompted with information that password has been changed
    If you are using VPN:
    - Connect your laptop to internet
    - On the logon screen to windows connect to CISCO VPN prior to login
    - When you will receive successful connection information login
    - At this moment you will be prompted to change your password
    With kind Regards
    IT Department
    *** This is automatically generated email - please do not reply ***
    "@
        Send-MailMessage -To $_.EmailAddress -From [email protected] -Subject "IT Information: Your password will expire in $display days" -Body $MyVariable -SmtpServer msg001
    }
    So basically what it does: it queries the domain for users and their selected attributes and then performs an action to check when exactly the password will expire.
    The thing which I do not know how to put in here is how to send the email only to users whose password will expire in 7 days or less (greater than 0 of course, because less would mean already expired).
    If I used an IF, would that be sufficient?
    MCSA / MCTS

    An If should work fine, e.g.:
    Get-ADUser -filter * -properties PasswordLastSet,EmailAddress,GivenName -SearchBase "OU=Users,DC=domain,DC=test" | foreach {
        $PasswordSetDate = $_.PasswordLastSet
        $maxPasswordAgeTimeSpan = $null
        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        $today = Get-Date
        $ExpiryDate = $PasswordSetDate + $maxPasswordAgeTimeSpan
        $daysleft = $ExpiryDate - $today
        $display = $daysleft.Days
        $UserName = $_.GivenName
        # only mail users whose password expires within the window
        if ($display -lt 7 -and $display -gt 0) {
            # mail body as a here-string; the closing "@ must be at the start of its own line
            $MyVariable = @"
    Dear $UserName
    Your password will expire in $display days. If you are not going to change it you will not be able to connect to Irdeto corporate network.
    If you are in Irdeto West HQ building follow the steps below to change your password:
    - Press CTRL+ALT+DEL
    - On the screen that came choose "Change password"
    - Type in your old password and then type the new one (be advised you cannot use one of the previously used passwords)
    - After the change is complete you will be prompted with information that password has been changed
    If you are using VPN:
    - Connect your laptop to internet
    - On the logon screen to windows connect to CISCO VPN prior to login
    - When you will receive successful connection information login
    - At this moment you will be prompted to change your password
    With kind Regards
    IT Department
    *** This is automatically generated email - please do not reply ***
    "@
            Send-MailMessage -To $_.EmailAddress -From [email protected] -Subject "IT Information: Your password will expire in $display days" -Body $MyVariable -SmtpServer msg001
        }
    }
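    An added example for the same task (not the thread's own script): it reads the expiry time from the constructed msDS-UserPasswordExpiryTimeComputed attribute, which also honours fine-grained password policies and so goes beyond the thread's default-domain-policy case, skips accounts that never expire or must change their password at next logon, and mails only when 0 < days left <= 7. The search base and SMTP server are taken from the thread; the sender address is a placeholder.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module is installed and run from a domain-joined host with read access to
# user attributes. Sender address is a placeholder to adjust.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=domain,DC=test'   # from the thread
$SmtpServer = 'msg001'                       # from the thread
$From       = 'it-noreply@example.test'      # placeholder
$WarnDays   = 7                              # "7 days or less"

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute (FILETIME)
# that already reflects the policy in effect for the user, including
# fine-grained password policies, so MaxPasswordAge is not added by hand.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -SearchBase $SearchBase `
    -Properties GivenName, EmailAddress, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

$now = Get-Date
foreach ($u in $users) {
    # A null PasswordLastSet means "user must change password at next logon":
    # the password is already expired, so a reminder makes no sense.
    if (-not $u.PasswordLastSet) { continue }

    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means the password never expires (e.g. MaxPasswordAge 0).
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [Math]::Ceiling(($expires - $now).TotalDays)

    # Only the window 1..$WarnDays; already-expired users are skipped.
    if ($daysLeft -le 0 -or $daysLeft -gt $WarnDays) { continue }

    if (-not $u.EmailAddress) {
        Write-Warning "$($u.SamAccountName): password expires in $daysLeft day(s) but no mail address is set"
        continue
    }

    $body = @"
Dear $($u.GivenName),

Your password will expire in $daysLeft day(s), on $($expires.ToString('yyyy-MM-dd HH:mm')).
Please change it before then; otherwise you will not be able to connect to the corporate network.

On the office LAN: press CTRL+ALT+DEL and choose "Change password".
Over VPN: connect the VPN client before logging on and change the password when prompted.

*** This is an automatically generated email - please do not reply ***
"@

    Send-MailMessage -To $u.EmailAddress -From $From -SmtpServer $SmtpServer `
        -Subject "IT Information: Your password will expire in $daysLeft day(s)" `
        -Body $body
}
```

    Run it once by hand with -WhatIf removed from nothing but a test OU first; the Write-Warning lines make users without a mail address visible in the transcript instead of being silently skipped.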

  • SSL VPN Client Error

    I set up a Cisco ASA 5510 SSL VPN with the following:
    IOS 7.2
    SSL VPN Client sslclient-win-1.1.1.164.pkg
    Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
    IBM Thinkpad T40
    Windows XP SP 2
    Internet Explorer 7
    All patches up-to-date
    All drivers up-to-date
    SSL VPN Client connection process;
    - User login with valid account and password
    - The SSL VPN Client package will automatically download and installed.
    - User will then be connected to SSL VPN
    The ERRORS;
    1. GUI (Cisco SSL VPN Client installation process)
    "The SSL VPN Client driver has Encountered an Error"
    2. Event Viewer
    The only error in this user event viewer that differs from other users who successfully connected are;
    a)
    Function: EnableVA
    Return code: 0
    File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
    Line: 310
    Description: unknown
    b)
    Function: EnableVA
    Return code: 0xFE080007
    File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
    Line: 1145
    Description: VAMGR_ERROR_ENABLE_VA_FAILED
    Anyone know what this error means?
    BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
    Thanks

    The Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm

  • AnyConnect VPN Clients IP Address access rules

    I setup ASA5540 for SSL-VPN (clientless) works fine.
    But when I try to use the client (AnyConnect) to access internal resources, it fails. It still initiates sessions from the remote client IP.
    I need to initiate session from client IP assigned by ASA5540 box (same with Cisco VPN client connect to Cat65 SVC module).
    How I setup it?

    I use Cisco VPN client (remote access VPN)to connect ASA.
    There is a configuration setup for group authentication with password on the Cisco VPN client. I do not know how to set this up on the ASA to match it?
    Second, when the remote client connects to the ASA, I should get the client IP address which I set up on the ASA.
    It should use this IP to connect to the ASA internal net, but I failed (both Cisco VPN and AnyConnect).
    How do I set this up (SSL VPN on this ASA works)?

  • IPhone VPN client issues

    1. Even if you key in a password for the VPN client, putting the phone to sleep will cause the password to be cleared, requiring you to retype it the next time you start the client.
    2. The only place to type alphanumerics in for the password is on the VPN setup screen; if you just slide the VPN switch to On, you are presented with a numbers-only dial pad.
    3. The PPTP VPN client only recognizes maximum security, setting to either automatic or none will just hop back to maximum on save.
    4. The network stack doesn't allow you to easily set up special DNS servers for the VPN connection (the equivalent under OS X is to go into System Preferences, Network, select the VPN (PPTP) adapter and enter the DNS information there).
    Since we use VPN to secure our wireless network, that means our iPhone users are unable to use WiFi at the office.

    Scott,
    You're correct (mostly). I've experienced the same issues and have tried to work around them as follows:
    1) Use a numeric password for the VPN user account. Of course, you'll have to enter it each time (did they even test this?) but at least it works.
    4) Depending on your VPN device you should be able to set the DNS addresses via that. I'm using a Cisco ASA and set the DNS via the Group Policy for the DefaultRAGroup.
    The bottom line? iPhone and VPN are not friends. Moreover, the iPhone has no EAP support for wireless authentication. I'm a huge Apple fan but that is just stupid.

  • Vpn client radius ad password change

    Hi
    I've read a few posts about this on the forum and it seems like very few people are able to resolve the issues they are having.
    I have a working remote access vpn and I'm trying to add the password-expiry functionality.  I've set a test user in AD to "change password at next logon" and when I logon using this user in the vpn client (5.0.07.0410) I am prompted for a box to type my new password twice.  This is never written back to the server and the original authentication box pops up again.  The password change box has the codes E=648, R=0, V=3 as in the attached image.
    Does anyone have this working with radius and AD?  A windows password change would normally request the old password to reauthenticate and then the new password twice.
    Thanks
    Cammy

    Cammy,
    Are you using RADIUS to authenticate the VPN session or are you using LDAP which is pointing to AD for authentication? This will work with RADIUS since you can use MS-CHAP v2; however I want to be sure how you have your ASA set up first.
    Thanks,
    Tarik Admani

  • Send Email Notification on Password about to Expire

    Hello all!!
    I am trying to send an email notification to users whose password is about to expire. I have configured the "Default Lighthouse Account Policy" so that 7 days before account expiration an email should be sent warning about password expiration; unfortunately I have not been able to make it work!
    Has anyone implemented this? Could anyone please guide me on how to do it?
    Many thanks in advance,
    Luis

    1) Use "<invoke name='getPasswordExpiry'>" to get the password expiration date of the user
    2) Compare the date with password expiry date(tomorrow's date or two days from today etc)
    3) Send notification to the user if both dates are equal.

  • 3015 VPN & Password expiry

    Hi, I am currently using a 3015 (ver3.5.5), ACS (3.1) & the VPN client (3.5.1).
    I would like to implement password expiry however I do not use the windows domain for authentication - I use the ACS internal database. I don't seem to be able to find anyone else doing this or config examples. Does anyone know if this is possible?
    Thanks, John.

    John,
    ACS (3.1) supports Password expiry configuration.
    Cisco Secure ACS supports MS CHAP-based password aging feature which works with the Cisco VPN client (version 3.0 or greater). This feature prompts a user to change his or her password after a login where the user password has expired.
    You will need to configure ms-chapv2 password expiration in ACS, and choose "RADIUS with Expiry" on the VPN concentrator.
    Oscar

  • Server 2003 VPN clients can't verify username and password

    Hi,
    Hoping someone can help or point me in the right direction. I have a Windows Server 2003 R2 Standard SP2 running RRAS. It has dual NICs and is configured for PPTP VPN. I am using a BT Business Hub 5 for internet access and using the BT Static IP service.
    The BT Hub assigns the static IP address chosen to the Server using DHCP. The firewall is configured to port forward PPTP traffic to the 2003 server. This all works correctly.
    The 2003 server is on a domain where the DC is a 2008 R2 server. The DC also acts as the DNS and DHCP for the network.
    The default gateway for the domain is pointed towards our WinGate proxy server which also acts as a DNS server.
    The 2003 server LAN NIC is configured manually; usually I would not configure a default gateway on the LAN NIC, as the WAN NIC needs the default gateway for the BT Hub.
    The problem I am having is that if a default gateway is configured on the LAN NIC, I can connect to the VPN and it will log on to the network. Once connected everything works OK. If the connection drops, when trying to reconnect the client can no longer verify the user name and password against the domain and the connection is refused.
    If I do not have a default gateway configured on the LAN NIC the VPN clients cannot verify the username and password for the domain at all and I get RPC failure errors in the event viewer with the source dnsapi.
    Once this error occurs the only way I can get the clients to reconnect is to disable the WAN NIC, restart the RRAS service and enable the WAN NIC again.
    Any insight will be much appreciated.

    Hello,
    for Networking configuration questions better ask in
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home#forum=winserverNIS&filter=alltypes&sort=lastpostdesc&content=Search
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • I want to know how to setup password expiry notification for outlook 2013 and 2010 in office 365

    On a cloud mailbox (non-federated), how do I set up password expiry notification for all users that were created in the cloud for the accepted domain, with only Outlook configured on the mailbox?
    Is there any other option in the Exchange admin center for the same?
    I want to know how to set up Outlook 2013 and 2010 to receive PASSWORD EXPIRY NOTIFICATION without logging in to the domain.

    Hi
    As per the information and details provided by you, to set up password expiry notification, please follow these steps:
    I suggest you run the Office 365 desktop apps setup, referring to the steps below:
    Step 1: Log in to the Office 365 portal.
    Step 2: In the right pane, click Downloads under Resources.
    Step 3: Click Set up under "Set up and configure your Office desktop apps".
    Moreover, please confirm the password policy with the PowerShell cmdlet:
    Step 1: Install the Microsoft Online Services Module and connect to Office 365.
    Step 2: Run the Connect-MsolService command.
    Step 3: Get the password policy with the following PowerShell cmdlet:
                    Get-MsolPasswordPolicy -DomainName yourdomain.com
    I hope this information will be helpful for you.
    Thanks and regards
    Shweta@G 

  • VPN Client Accounts: "Username and passwords must consist of numbers or letters"

    I am configuring a username in the VPN Client Accounts within a Cisco WRVS4400N.
    The username I must enter is in the form: [email protected]
    Unfortunately, when I input that username, the system informs me that I cannot have anything other than numbers and letters.
    The instructions from my University require us to use that FULL email format.
    http://net-services.ufl.edu/provided_services/vpn/anyconnect/legacy-install.html
    Is there a way to fix this?

    Any solution for this?  How can I pass in a blank domain parameter so I am automatically logged in instead of receiving the log-in dialog asking for the domain? 

  • Subnet mask 255.255.255.255 assigned to VPN client - can't ping LAN

    Hi,
    I configured PIX 501 with PPTP VPN to connect to the small office (PIX FW, Win 2000 Server, several Win clients, LAN IP 10.0.0.X/24):
    ip local pool mypool 10.0.0.101-10.0.0.105
    vpdn group mygroup accept dialin pptp
    vpdn group mygroup ppp authentication mschap
    vpdn group mygroup ppp encryption mppe 128 required
    vpdn group mygroup client configuration address local mypool
    vpdn group mygroup client configuration dns 10.0.0.15
    vpdn group mygroup pptp echo 60
    vpdn group mygroup client authentication local
    vpdn username xxxx password *********
    vpdn enable outside
    I can connect to the office using Win VPN client, but I can't ping any hosts in the office network. I suspect that the reason for that is subnet mask assigned to the VPN client: 255.255.255.255. ipconfig of the VPN client:
    PPP adapter Office:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 10.0.0.101
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    The default GW is missing too, but I think this is not the main problem.
    Anyway, what is wrong with my config? How do I fix the subnet mask assigned to clients? Or maybe my assumption is wrong and this mask is OK? What is wrong then?
    Any input will be greatly appreciated!
    George

    Thanks for the prompt reply.
    Here it is:
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    hostname OSTBERG-PIX
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
    access-list inbound permit icmp any any
    access-list inbound permit tcp any any eq pptp
    access-list inbound permit gre any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.189.xxx.xxx 255.255.252.0
    ip address inside 10.0.0.23 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool mypool 10.0.0.101-10.0.0.105
    pdm location 10.0.0.0 255.255.255.0 inside
    pdm location 10.0.0.15 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 66.189.yyy.yyy 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    telnet 10.0.0.23 255.255.255.255 inside
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group mygroup accept dialin pptp
    vpdn group mygroup ppp authentication mschap
    vpdn group mygroup ppp encryption mppe 128 required
    vpdn group mygroup client configuration address local mypool
    vpdn group mygroup client configuration dns 10.0.0.15
    vpdn group mygroup pptp echo 60
    vpdn group mygroup client authentication local
    vpdn username ********* password *********
    vpdn enable outside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:xxx
    : end
    There are remnants of old config, I just recently took over this network, some lines look odd to me, but I did not touch what works. VPN config is all mine.
    PIX internal 10.0.0.23 - is a gateway for the network. DNS server in LAN - 10.0.0.15.
    I've been reading about the problem and came across several posts that this subnet mask is normal, but it puzzles me - how can this host communicate with anyone else if there is no room for other hosts in this network (according to the mask)?!
    Thanks again!
    George

  • Strange issue with 3.6.3 VPN Client and IOS firewall

    I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
    Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
    Router is running 12.2(13)T.
    Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
    You Cisco gurus have any thoughts?
    Thanks,
    Jamey
    Config below:
    jamey#wr t
    Building configuration...
    Current configuration : 3947 bytes
    ! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
    ! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname "jamey"
    no logging buffered
    no logging console
    username XXXX password 7 XXXXX
    clock timezone GMT 0
    aaa new-model
    aaa authentication login tac local
    aaa session-id common
    ip subnet-zero
    no ip domain lookup
    ip inspect name myfw ftp
    ip inspect name myfw realaudio
    ip inspect name myfw smtp
    ip inspect name myfw streamworks
    ip inspect name myfw vdolive
    ip inspect name myfw tftp
    ip inspect name myfw rcmd
    ip inspect name myfw tcp
    ip inspect name myfw udp
    ip inspect name firewall http java-list 3
    ip audit notify log
    ip audit po max-events 100
    crypto isakmp policy 3
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group XXXX
    key XXXXXXX
    dns x.x.x.x
    domain xxx.com
    pool ipsec-pool
    acl 191
    crypto ipsec security-association lifetime kilobytes 536870911
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set foxset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set foxset
    crypto map clientmap client authentication list tac
    crypto map clientmap isakmp authorization list XXXXX
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback10
    description just for test purposes
    ip address 172.16.45.1 255.255.255.0
    interface Ethernet0/0
    description "Internet"
    ip address x.x.x.x 255.255.255.224
    ip access-group 103 in
    ip inspect myfw out
    no ip route-cache
    no ip mroute-cache
    half-duplex
    crypto map clientmap
    interface Ethernet0/1
    description "LAN"
    ip address 192.168.45.89 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    half-duplex
    ip local pool ipsec-pool 192.168.100.1 192.168.100.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    no logging trap
    access-list 3 permit any
    access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
    access-list 103 permit icmp any any log
    access-list 103 permit udp any eq isakmp any log
    access-list 103 permit esp any any log
    access-list 103 permit ahp any any log
    access-list 103 permit udp any any eq non500-isakmp log
    access-list 103 permit tcp any any eq 1723 log
    access-list 103 permit udp any any eq 1723 log
    access-list 103 deny tcp any any log
    access-list 103 deny udp any any log
    access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    radius-server authorization permit missing Service-Type
    call rsvp-sync
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    password XXXXXX
    line vty 5 15
    end
    Some debugging info:
    At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
    .Jan 22 01:27:38.284: ICMP type=8, code=0
    .Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:38.288: ICMP type=0, code=0
    .Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len 40, access denied
    .Jan 22 01:27:38.637: UDP src=2301, dst=2301
    .Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len 40, rcvd 2
    .Jan 22 01:27:38.641: UDP src=2301, dst=2301
    .Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
    .Jan 22 01:27:38.765: ICMP type=8, code=0
    .Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
    .Jan 22 01:27:38.765: ICMP type=0, code=0
    .Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:39.286: ICMP type=8, code=0
    .Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:39.290: ICMP type=0, code=0
    .Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
    .Jan 22 01:27:39.767: ICMP type=8, code=0
    .Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
    .Jan 22 01:27:39.767: ICMP type=0, code=0
    .Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:40.287: ICMP type=8, code=0
    .Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:40.291: ICMP type=0, code=0
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193.52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193.52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
    here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet") from a host on the internal side (LAN) (192.168.45.1)
    .Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0), g=2.2.2.2, len 44, forward
    .Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128 SYN
    .Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    here is where my VPN connection breaks
    .Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    .Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    .Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    .Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    Ok..I found the bug ID for this:
    CSCdz46552
    the workaround says to configure an ACL on the dynamic ACL.
    I don't understand what that means.
    I found this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
    and they talk about it, but I'm having a hard time decoding what this means:
    "To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."

  • VPN Client 5.0.00.0340 on Vista says connected when not

    Hi all,
    I'm using VPN Client 5.0.00.0340 on Windows Vista to connect to one of our customers.
    When I go to connect and type in my password, it always seems to authenticate correctly and connect to the VPN successfully.
    However, about 75% of the time, even though it says it is connected, I do not actually have a connection to the customer network. I can't even ping the servers.
    If I disconnect and reconnect repeatedly, on about the third or fourth attempt, I will actually get a connection that works, allowing me to access the remote network.
    Does anyone know why this might be? Could it be an issue with my network settings, a setting in the VPN Client software, or even something at the customer end that is set up incorrectly?
    Any help would be greatly appreciated.
    Chris

    Hi,
    There are quite a few bugs related to version 5 and Vista. You might want to check the bug toolkit to see if there's anything relevant (including CSCsq34291, which may or may not be related).
    Does it work on XP and have you tried rolling back the VPN client version to 4.x to see if it improves things (I've had to do this before).
    Please rate useful posts.

  • Problems w/ VPN Server & Cisco VPN Client on same machine

    I really wish that I read about how the developer of the program iVPN no longer supports his work BEFORE I paid for it. It's a great, simple, GUI frontend to the existing Leopard VPN server built in to regular (non-server) OSX...
    Anyway, on my Mac that stays @ home:
    (1) - I have the iVPN server set up & running to allow me to connect (from my iphone or another computer on the road) to my Mac @ home using L2TP.
    (2) - When I'm @ home and need to connect to my company's network, I need to use the Cisco VPN Client (which uses IPSec etc).
    So, I found out that when I need to use my Mac to connect to work, I first have to open up the iVPN server to click "Stop Server" (which has me enter my password twice sometimes). Now I close iVPN until I'm done, then open up Activity Monitor for the purpose of finding the still-running process "racoon". I realized this not because it's published info, but because if I don't do this, and try to connect to work using the Cisco VPN Client, it simply will not connect. So, I quit the process "racoon" (which also has me enter my password because it's running as root yada yada). NOW, I can load Cisco VPN Client and successfully connect to my company's network. When I'm finished here, I disconnect the C.V.C., then reopen iVPN Server and restart my server (enter password again).
    Is there any way I can make the process "racoon" quit automatically when I turn off the iVPN server? I'd email the developer but I guess that's a lost cause now. It's a shame because he did a fabulous job making iVPN & gave the less computer-networking-literate-user the ability to create their own VPN server without using Terminal.
    I thought about the possibility of using iVPN to create a PPTP connection instead of L2TP - thinking that would allow me to keep my iVPN PPTP server running at all times, even when I wanted to use the CVC to connect OUT to work - but:
    (1) - I would like the increased security of L2TP.
    (2) - When I tried running a PPTP server, and connecting to it from iPhone or other computer, I was NOT able to access the other devices on my network, or the internet. I couldn't even open up a webpage to check whatismyip.com (while sending all traffic over VPN). And yes, the IP Address Range that I have iVPN handing out is within my normal home network's range.
    My end goal for all of this when using my Mac is to be able to leave my iVPN server running at all times, while still being able to run the Cisco VPN CLIENT to connect to my company's network.
    Or, at least not having to open up Activity Monitor to quit the process racoon... let alone having to enter my password 3 times after opening up iVPN, again to stop the server, again to quit the process racoon. Then a fourth when I'm all done and need to start the iVPN server again.
    Am I going about this the wrong way? Is there an easier way to accomplish these secure connections? There is a slight possibility of me upgrading and running a dedicated Mac Mini server of some sort perhaps with the real OSX Server. But not right now. I think I'm over complicating this. I mean, my needs are pretty simple:
    (1) - Need to connect TO my Mac from iPhone / someone else's Mac or PC for: VNC over SSH, SSH/SFTP file level access, in the future shared network volumes (time capsule). I'd use Back To My Mac for all of this but I don't always connect FROM a Mac.
    (2) - Need to connect FROM my Mac to work VPN for: VNC to my work PC to access our company's Windows-only program (dual booting into boot camp or using a virtual machine is out of the question), using Mocha for AS400 access, thinking about using file sharing on work PC but not needed so far.
    So it's really just VNC and sometimes SFTP. The "S" being important to me. That's why I don't like the idea of doing away with my iVPN server and just forwarding the outside ports. I use the Vine VNC Server which when checked, only allows access over SSH. The only other remote-logins are used from my iphone using an app called BriefCase (SSH to browse files on remote machine), or using an SFTP client on a computer.
    Thank you for reading all of this, and in advance for any insight you can offer.

    If the two servers need the same ports, then hosting two different VPN packages on the same box usually won't work.
    A firewall-based VPN service can be an option; that external box can deal with NAT and routing and other such and can field incoming or LAN-to-LAN VPNs, and your internal Mac boxes located "behind" that box can be free to initiate outbound VPNs.
