RDP over Easy VPN Server fails, ping works

Similar Messages

• Easy VPN Server? Hmmm.. Not so Easy...

  I used the Cisco Configuration Professional to add an Easy VPN Server to my 3825. I'm able to connect when remote but I can't ping the default gateway of 192.168.1.1 which is in the same network as the VPN DHCP pool. I can access every single other device on the VLAN segments but not the default gateway which means when i connect I can't look at my router. And there's more,  I cannot ping anything offnet (ie 75.75.75.75). Below is my config. Attached are some images which show some details from the client during the VPN connect and a few from the router (i had to use the lan switch as a jump host). If you can figure this out before I go back to the coffee shop to test this tomorrow I will send you a cake.
  One thing I just thought of, does the virtual-tempalte 1 interface have to have "nat inside" applied?
  Current configuration : 12356 bytes
  ! Last configuration change at 17:21:16 EDT Sat Nov 24 2012 by cluettr
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname router-wan
  boot-start-marker
  boot system flash:c3825-advipservicesk9-mz.151-4.M5.bin
  boot-end-marker
  logging buffered 100000000
  enable password xxxxxxxxxx
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa session-id common
  clock timezone EDT -4 0
  dot11 syslog
  no ip source-route
  ip dhcp excluded-address 192.168.1.1 192.168.1.199
  ip dhcp excluded-address 172.16.2.1 172.16.2.199
  ip dhcp excluded-address 172.16.3.1 172.16.3.199
  ip dhcp excluded-address 172.16.4.1 172.16.4.199
  ip dhcp pool 192.168.1.0
  network 192.168.1.0 255.255.255.0
  dns-server 192.168.1.1
  default-router 192.168.1.1
  lease infinite
  ip dhcp pool 172.16.2.0
  network 172.16.2.0 255.255.255.0
  dns-server 172.168.2.1
  default-router 172.168.2.1
  lease 0 4
  ip dhcp pool 172.16.3.0
  network 172.16.3.0 255.255.255.0
  dns-server 172.16.3.1
  default-router 172.16.3.1
  lease infinite
  ip dhcp pool 172.16.4.0
  network 172.16.4.0 255.255.255.0
  dns-server 172.16.4.1
  default-router 172.16.4.1
  lease 0 4
  ip dhcp pool 172.16.5.0
  network 172.16.5.0 255.255.255.0
  dns-server 172.16.5.1
  default-router 172.16.5.1
  lease infinite
  ip cef
  ip domain name robcluett.net
  no ipv6 cef
  multilink bundle-name authenticated
  voice-card 0
  voice service voip
  allow-connections sip to sip
  sip
    registrar server expires max 600 min 60
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-423317436
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-423317436
  revocation-check none
  rsakeypair TP-self-signed-423317436
  archive
  log config
    hidekeys
  vtp domain robcluett.net
  vtp mode transparent
  vtp version 2
  username xxxxxxx privilege 15 secret 5 $1$q8RN$N/gL80J2Rj9qOILvzXPgS.
  redundancy
  vlan 3-5
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group cisco
  key xxxxxxxxxxxxxxxxxxxx
  dns 75.75.75.75
  domain robcluett.net
  pool SDM_POOL_2
  crypto isakmp profile ciscocp-ike-profile-1
     description "VPN Default Profile for Group Cisco"
     match identity group cisco
     client authentication list ciscocp_vpn_xauth_ml_1
     isakmp authorization list ciscocp_vpn_group_ml_1
     client configuration address respond
     client configuration group cisco
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec profile CiscoCP_Profile1
  set security-association idle-time 86400
  set transform-set ESP-3DES-SHA
  set isakmp-profile ciscocp-ike-profile-1
  interface Loopback0
  description "Circuitless IP Address / Router Source IP"
  ip address 172.16.1.1 255.255.255.254
  interface GigabitEthernet0/0
  description "WAN :: COMCAST via DHCP"
  ip address dhcp client-id GigabitEthernet0/0
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat outside
  ip virtual-reassembly in
  duplex full
  speed 100
  media-type rj45
  interface GigabitEthernet0/1
  no ip address
  duplex auto
  speed auto
  media-type rj45
  no mop enabled
  interface GigabitEthernet1/0
  description "Uplink to switch-core-lan (Catalyst 2948G-GE-TX)"
  switchport mode trunk
  no ip address
  interface Virtual-Template1 type tunnel
  ip unnumbered GigabitEthernet0/0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  description "LAN :: VLAN 1 :: PRIVATE 192.168.1.0"
  ip address 192.168.1.1 255.255.255.0
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  interface Vlan2
  description "LAN :: VLAN 2 :: PUBLIC 172.16.2.0"
  ip address 172.16.2.1 255.255.255.0
  ip access-group 102 in
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  interface Vlan3
  description "WLAN :: VLAN 3 :: PRIVATE SSID=wlan-ap-private (not broadcast)"
  ip address 172.16.3.1 255.255.255.0
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  interface Vlan4
  description "WLAN :: VLAN 4 :: PUBLIC SSID=wlan-ap-public"
  ip address 172.16.4.1 255.255.255.0
  ip access-group 104 in
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  rate-limit input 1024000 192000 384000 conform-action transmit exceed-action drop
  rate-limit output 5120000 960000 1920000 conform-action transmit exceed-action drop
  interface Vlan5
  description "EDMZ :: VLAN 5 :: 10.10.10.0"
  ip address 10.10.10.1 255.255.255.0
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  interface Vlan6
  description "IDMZ :: VLAN 6 :: 10.19.19.0"
  ip address 10.19.19.1 255.255.255.0
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  interface Vlan7
  description "LAN :: VLAN 7 :: Voice 172.16.5.0
  ip address 172.16.5.1 255.255.255.0
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
  ip forward-protocol nd
  ip flow-export source Loopback0
  ip flow-top-talkers
  top 10
  sort-by bytes
  ip dns server
  ip nat inside source list 2 interface GigabitEthernet0/0 overload
  ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80
  ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/0 443
  ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 2
  logging trap debugging
  logging source-interface Loopback0
  access-list 2 remark NAT
  access-list 2 permit 192.168.1.0 0.0.0.255
  access-list 2 permit 172.16.2.0 0.0.0.255
  access-list 2 permit 172.16.3.0 0.0.0.255
  access-list 2 permit 172.16.4.0 0.0.0.255
  access-list 2 permit 172.16.5.0 0.0.0.255
  access-list 2 permit 10.10.10.0 0.0.0.255
  access-list 2 permit 10.19.19.0 0.0.0.255
  access-list 100 remark WAN Firewall Access List
  access-list 100 permit udp any eq bootps any eq bootpc
  access-list 100 permit tcp any any eq www
  access-list 100 permit udp any eq domain any
  access-list 100 permit tcp any any established
  access-list 100 deny   ip any any log-input
  access-list 102 remark VLAN 2 Prevent Public LAN Access to Other Networks
  access-list 102 deny   ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
  access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
  access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255 log
  access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
  access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
  access-list 102 permit ip any any
  access-list 104 remark VLAN 4 Prevent Public Wifi Access to Other Networks
  access-list 104 deny   ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
  access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
  access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255 log
  access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 log
  access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.5.0 0.0.0.255 log
  access-list 104 permit ip any any
  access-list 105 remark VLAN 5 Prevent EDMZ Access to Other Networks
  access-list 105 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
  access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.2.0 0.0.0.255 log
  access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.3.0 0.0.0.255 log
  access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.4.0 0.0.0.255 log
  access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.5.0 0.0.0.255 log
  access-list 105 deny   ip 10.10.10.0 0.0.0.255 10.19.19.0 0.0.0.255 log
  access-list 105 permit ip any any
  snmp-server trap-source Loopback0
  snmp-server location xxxxxxxxxxxxxxxxxxxxx
  snmp-server contact xxxxxxxxxxxxxxxxxxxxxxx
  control-plane
  mgcp profile default
  telephony-service
  max-conferences 12 gain -6
  web admin system name cluettr password 11363894
  dn-webedit
  transfer-system full-consult
  line con 0
  line aux 0
  line vty 0 4
  transport input telnet ssh
  transport output all
  line vty 5 15
  transport input telnet ssh
  transport output all
  scheduler allocate 20000 1000
  ntp logging
  ntp source Loopback0
  end
  router-wan#

  I was under the impression that using the virtual template and ip unnumbered allows the interface to respond to the DHCP IP provided to Gi0/0 by my ISP. If I were to make, say, VLAN 1 the VPN interface how would I then access it from the WAN given that it has a Nat'd LAN IP? I guess port forwarding would work if that would have to be in addition to using a VLAN?
  > Here's a follow up question which you or someone might be able to answer for me. Sorry for dumping the added question on you. My ultimate goal is to have a WAN accessible VPN and a VPN residing on the local LAN. Reason is so I can secure with encryption any wifi clients I have on the LAN (preventing man-in-the-middle attacks) and be secured at, for exmaple, a coffe shop. I'm not sure if there's a means to have the same configured VPN work when attached locally or remotely? And if roaming in regards to a VPN is something that can be acheived...
  As an aside my reason for going to these lengths for security are valid. I've recently encountered a situation where I was hacked (this is my home network) using a MIMA and what I assume to be SSLstrip or some derivative to obtain my email address and password. Wasn't fun, wasn't pretty.

• VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

  Hello,
  I have problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 have 7.2.3 software and 881G router have 15.1 software.
  881G is configured as hardware client in network exstention mode, and it is placed behind NAT. ASA5505 is working as server. Same VPN Group works correctly from VPN software clients.
  When I send traffic from 881G client side, in show cryto sessin detail I see encrypted packets. But with same command I dont see decrypted packet on ASA5505 side. On both devices Phase 1 and Phase 2 are UP. 
  VPN is working when I replace ASA5505 with ASA5510  correctly with have 8.4.6 software. But problem is that i need to do this VPN between ASA5505 and 881G.
  Can you help me, how can I debug or troubleshoot this problem ?
  I am unable to update software on ASA5505 side.

  Hello,
  Hire is what my config look like:
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set pfs
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 60 set pfs
  crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 80 set pfs
  crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 100 set pfs
  crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 120 set pfs
  crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 140 set pfs
  crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
  crypto dynamic-map outside_dyn_map 160 set pfs
  crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 180 set pfs
  crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 200 set pfs
  crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 2
   authentication pre-share
   encryption 3des
   hash sha
   group 1
   lifetime 86400
  crypto isakmp policy 3
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  tunnel-group HW-CLIENT-GROUPR type ipsec-ra
  tunnel-group HW-CLIENT-GROUP general-attributes
   address-pool HW-CLIENT-GROUP-POOL
   default-group-policy HW-CLIENT-GROUP
  tunnel-group HW-CLIENT-GROUP ipsec-attributes
   pre-shared-key *******
  group-policy HW-CLIENT-GROUP internal
  group-policy HW-CLIENT-GROUP attributes
   password-storage enable
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value cisco_splitTunnelAcl
   nem enable

• Cisco 28xx easy vpn server & MS NPS (RADIUS server)

  Здравстуйте.
  Имеется LAN (192.168.11.0/24) с граничным роутером cisco 2821 (192.168.11.1), на котором настроен Easy VPN Server с локальной авторизацией удаленных пользователей, использующих для подключения Cisco VPN Client v 5.0. Все работает. В той же LAN имеется MS Windows Server 2012 Essensial в качестве DC AD.
  Возникла необходимость перенести авторизацию удаленных пользователей на RADIUS сервер. В качестве RADIUS сервера хочется использовать MS Network Policy Server (NPS) 2012 Essensial (192.168.11.9).
  На сервере поднята соответствующая политика, NPS сервер зарегистрирован в AD, создан RADIUS-клиент (192.168.11.1), настроена Сетевая политика. В AD создана группа VPN-USERS, в которую помимо удаленных пользователей добавлен служебный пользователь EasyVPN с паролем "cisco".
  Ниже выдежка из сонфига cisco 2821:
  aaa new-model
  aaa authentication login rausrs local
  aaa authentication login VPN-XAUTH group radius
  aaa authorization network ragrps local
  aaa authorization network VPN-GROUP local
  aaa session-id common
  crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp client configuration address-pool local RAPOOL
  crypto isakmp client configuration group ra1grp
  key key-for-remote-access
  domain domain.local
  pool RAPOOL
  acl split-acl
  split-dns 192.168.11.9
  crypto isakmp client configuration group EasyVPN
  key qwerty123456
  domain domain.local
  pool RAPOOL
  acl split-acl
  split-dns 192.168.11.9
  crypto isakmp profile RA-profile
     description profile for remote access VPN
     match identity group ra1grp
     client authentication list rausrs
     isakmp authorization list ragrps
     client configuration address respond
  crypto isakmp profile VPN-IKMP-PROFILE
     description profile for remote access VPN via RADIUS
     match identity group EasyVPN
     client authentication list VPN-XAUTH
     isakmp authorization list VPN-GROUP
     client configuration address respond
  crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
  crypto dynamic-map dyn-cmap 100
  set transform-set tset1
  set isakmp-profile RA-profile
  reverse-route
  crypto dynamic-map dyn-cmap 101
  set transform-set tset1
  set isakmp-profile VPN-IKMP-PROFILE
  reverse-route
  crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
  int Gi0/1
  descrition -- to WAN --
  crypto map stat-cmap
  В результате на cisco вылезает следующая ошибка (выделено жирным):
  RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
  RADIUS:  AAA Unsupported Attr: interface         [157] 14
  RADIUS:   31 39 34 2E 38 38 2E 31 33 39 2E 31              [194.88.139.1]
  RADIUS(000089E0): Config NAS IP: 192.168.11.1
  RADIUS/ENCODE(000089E0): acct_session_id: 35296
  RADIUS(000089E0): sending
  RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
  RADIUS:  authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
  RADIUS:  User-Name           [1]   9   "EasyVPN"
  RADIUS:  User-Password       [2]   18  *
  RADIUS:  Calling-Station-Id  [31]  16  "aaa.bbb.ccc.137"
  RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  RADIUS:  NAS-Port            [5]   6   1
  RADIUS:  NAS-Port-Id         [87]  16  "aaa.bbb.ccc.136"
  RADIUS:  Service-Type        [6]   6   Outbound                  [5]
  RADIUS:  NAS-IP-Address      [4]   6   192.168.11.1
  RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
  RADIUS:  authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
  RADIUS(000089E0): Received from id 1645/61
  MS NAS выдает ошибку 6273:
  Сервер сетевых политик отказал пользователю в доступе.
  За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
  Пользователь:
      ИД безопасности:            domain\VladimirK
      Имя учетной записи:            VladimirK
      Домен учетной записи:           domain
      Полное имя учетной записи:   domain.local/Users/VladimirK
  Компьютер клиента:
      ИД безопасности:            NULL SID
      Имя учетной записи:            -
      Полное имя учетной записи:    -
      Версия ОС:            -
      Идентификатор вызываемой станции:        -
      Идентификатор вызывающей станции:       aaa.bbb.ccc.137
  NAS:
      Адрес IPv4 NAS:        192.168.11.1
      Адрес IPv6 NAS:        -
      Идентификатор NAS:            -
      Тип порта NAS:            Виртуальная
      Порт NAS:            0
  RADIUS-клиент:
      Понятное имя клиента:        Cisco2821
      IP-адрес клиента:            192.168.11.1
  Сведения о проверке подлинности:
      Имя политики запроса на подключение:    Использовать проверку подлинности Windows для всех пользователей
      Имя сетевой политики:        Подключения к другим серверам доступа
      Поставщик проверки подлинности:        Windows
      Сервер проверки подлинности:        DC01.domain.local
      Тип проверки подлинности:        PAP
      Тип EAP:            -
      Идентификатор сеанса учетной записи:        -
      Результаты входа в систему:            Сведения об учетных данных были записаны в локальный файл журнала.
      Код причины:            66
      Причина:                Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
  Игры с Cisco AV Pairs и прочими параметрами настройки Сетевой политики на RADIUS выдают аналогичный результат.
  Штудирование "Network Policy Server Technical Reference" и "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" Document ID: 21060 ответа не дали.
  Если кто практиковал подобное, прошу дать направление для поиска решения.

  Going through your post, I could see that radius is sending access-reject because radius access-request is sending a vpn group name in the user name field. I was in a discussion of same problem few days before and that got resolved by making 2 changes.
  replace the authorization from radius to local
  and
  changing the encryption type in transform set
  However, in your configuration, your configuration already have those changes.
  Here you can check the same : https://supportforums.cisco.com/thread/2226065
  Could you please tell me what exactly radius server complaining? Can you please paste the error you're getting on the radius server.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Can't connect to Easy VPN Server using Windows 7 inbuilt VPN client

  Hi Everyone,
  I would like your help to resolve a vpn issue I am having with my Windows 7 inbuilt vpn client. I am trying to connect to an Easy vpn server on a Cisco 2951 ISR G2. Well, I can connect using Cisco vpn client v5.07 but I can't connect using Windows 7 inbuilt vpn client. Is there any configuration that I am missing so that I can connect using Windows 7 inbuilt vpn client to connect to the vpn server?
  Thank you.

  Hi MindaugasKa,
  Base on your description, your case must is the NPS client can’t pass the NPS policy.
  The NPS client can’t connect the network may have many reason, such as the Network Access Protection Agent service not started successful, the certificate not issued properly,
  please offer us information when your Windows 7 client denied, such as event id, original error information, screenshot.
  More information:
  Extensible Authentication Protocol (EAP) Settings for Network Access
  http://technet.microsoft.com/en-us/library/hh945104.aspx
  Network Access Protection in NPS
  http://msdn.microsoft.com/en-us/library/cc754378.aspx
  Appendix A: NAP Requirements
  http://technet.microsoft.com/en-us/library/dd125301(v=ws.10).aspx
  802.1X Authenticated Wireless Access Overview
  http://technet.microsoft.com/en-us/library/hh994700.aspx
  Connecting to Wireless Networks with Windows 7
  http://technet.microsoft.com/library/ff802404.aspx
  The related thread:
  NPS 2012 rejects windows 7 clients after upgrade from 2008 R2. Requested EAP methods not available
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/44af171f-6155-4f2e-b6c7-f89a2d755908/nps-2012-rejects-windows-7-clients-after-upgrade-from-2008-r2-requested-eap-methods-not-available?forum=winserverNAP
  I’m glad to be of help to you!
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• The negotiation with the VPN server failed. Verify the server address and try reconnecting

  Hi folks,
  I am unable to connect VPN, While connecting error occurred. Can anyone advice how to solve this issue.
  "The negotiation with the VPN server failed. Verify the server address and try reconnecting"
  Thanks
  Vinoth

  This might help, at least from Harald's post onwards.

• 10.6 VPN client - 10.5.8 VPN server - Cant ping past server on l2tp or pptp

  Since installing 10.6 on my macbook and my mini, i can authenticate to MacPro 10.5.8 server over either l2tp or pptp. I cannot access any clients or ping any ip past the server on the local net.
  I can connect and ping from win machine at work and ping and connect to all machines on local net.
  Server vpn log shows authentification and connected with 10.6 machines. 10.5.8 machines work fine. Win machines work fine. Only 10.6 machines have issues.
  Any help would be appreciated

  After a complete rebuild of the sever, I have determined that the problem is related to setting client information. I rebuilt the server, added the vpn, and it worked with L2TP from 10.6 machines. I went back and added the client information exactly the way it worked with 10.5 machines and the vpn would fail. I have removed the information from the client information screen on the server, and it is workin fine with both 10.5 and 10.6 machines.

• Setting up VPN Server fails in Windows 8.1

  Hello Folks
  I'm trying to set up VPN server in my Windows 8.1 box to receive incoming connections. It fails at the last step (http://www.diaryofaninja.com/blog/2012/09/11/setting-up-a-vpn-server-on-windows-7-or-windows-8-ndash-secure-your-internet-use-while-away)
  of the process (Allow Access) with the following error. I binged a lot but none of the trouble shooting mechanisms worked for me. I made sure that concerned service (Routing and Remote Access) can be started and stopped manually. Also, the same step works
  in Windows 7.
  Please see attached for error details.
  Highly appreciate any help for fixing the issue.
  Cheers
  Manohar

  Hi  Manooh,
  Besides disabling IP v6, try reset the TCP/IP in the way below:
  Open the command line windows as an administrator and type the command “nets hint ip reset” hit enter, or you can try the fix it below:
  http://support.microsoft.com/kb/299357
  We usually modify the default RDP port 3389 to another value, if you followed this too, you should add an port exception through a firewall in the way below:
  1.Open Windows Firewall
  2.In the left pane, click Advanced settings. 
  3.In the Windows Firewall with Advanced Security dialog box, in the left pane, click Inbound Rules, and then, in the right pane, click New Rule.
  4. Choose “port” and input the port number as allowed to connect.
  Regards
  Wade Liu
  TechNet Community Support

• VPN server does not work when a second network adapter is enabled

  I have an Xserve providing DNS, filesharing, and VPN services on an office LAN. The server sits behind a gateway router and is set as a DMZ host.
  VPN has been working absoluely flawlessly on the server for some time. However, I've recently discovered that this all changes when the Xserve's second ethernet adapter is enabled.
  To illustrate:
  en0: static IP 192.168.2.250
  en1: disabled
  VPN works perfectly
  en0: static IP 192.168.2.250
  en1: static IP 192.168.2.251
  DNS settings unchanged, DMZ host unchanged
  VPN doesn't work
  The above is even true when attempting to connect internally.
  VPN is configured for L2TP, and when the second NIC is connected the VPN server logs the following (below). There are a number of other users of Lion Server users that seem to be experiencing the same log pattern, but there doesn't seem to be a definitive solution.
  I was wondering if anyone has any advice on how I could solve this problem? Is it possible to bind the VPN server to a specified network adapter?
  Thanks in advance for any help or ideas.
  (And to preempt the question of "why do you need to use both NICs", the two interfaces are to be used for load balancing. See https://discussions.apple.com/message/17655599?ac_cid=142432)
  Wed Feb 22 15:53:53 2012 : Directory Services Authentication plugin initialized
  Wed Feb 22 15:53:53 2012 : Directory Services Authorization plugin initialized
  Wed Feb 22 15:53:53 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
  Wed Feb 22 15:53:53 2012 : L2TP received SCCRQ
  Wed Feb 22 15:53:53 2012 : L2TP sent SCCRP
  2012-02-22 15:53:54 GMT          Incoming call... Address given to client = 192.168.2.229
  Wed Feb 22 15:53:54 2012 : Directory Services Authentication plugin initialized
  Wed Feb 22 15:53:54 2012 : Directory Services Authorization plugin initialized
  Wed Feb 22 15:53:54 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
  Wed Feb 22 15:53:54 2012 : L2TP received SCCRQ
  Wed Feb 22 15:53:54 2012 : L2TP sent SCCRP
  2012-02-22 15:53:56 GMT          Incoming call... Address given to client = 192.168.2.220
  Wed Feb 22 15:53:56 2012 : Directory Services Authentication plugin initialized
  Wed Feb 22 15:53:56 2012 : Directory Services Authorization plugin initialized
  Wed Feb 22 15:53:56 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
  Wed Feb 22 15:53:56 2012 : L2TP received SCCRQ
  Wed Feb 22 15:53:56 2012 : L2TP sent SCCRP
  2012-02-22 15:54:00 GMT          Incoming call... Address given to client = 192.168.2.221
  Wed Feb 22 15:54:00 2012 : Directory Services Authentication plugin initialized
  Wed Feb 22 15:54:00 2012 : Directory Services Authorization plugin initialized
  Wed Feb 22 15:54:00 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
  Wed Feb 22 15:54:00 2012 : L2TP received SCCRQ
  Wed Feb 22 15:54:00 2012 : L2TP sent SCCRP
  2012-02-22 15:54:04 GMT          Incoming call... Address given to client = 192.168.2.222
  Wed Feb 22 15:54:04 2012 : Directory Services Authentication plugin initialized
  Wed Feb 22 15:54:04 2012 : Directory Services Authorization plugin initialized
  Wed Feb 22 15:54:04 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
  Wed Feb 22 15:54:04 2012 : L2TP received SCCRQ
  Wed Feb 22 15:54:04 2012 : L2TP sent SCCRP
  2012-02-22 15:54:08 GMT          Incoming call... Address given to client = 192.168.2.226
  Wed Feb 22 15:54:08 2012 : Directory Services Authentication plugin initialized
  Wed Feb 22 15:54:08 2012 : Directory Services Authorization plugin initialized
  Wed Feb 22 15:54:08 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
  Wed Feb 22 15:54:08 2012 : L2TP received SCCRQ
  Wed Feb 22 15:54:08 2012 : L2TP sent SCCRP
  2012-02-22 15:54:12 GMT          Incoming call... Address given to client = 192.168.2.223
  Wed Feb 22 15:54:12 2012 : Directory Services Authentication plugin initialized
  Wed Feb 22 15:54:12 2012 : Directory Services Authorization plugin initialized
  Wed Feb 22 15:54:12 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
  Wed Feb 22 15:54:12 2012 : L2TP received SCCRQ
  Wed Feb 22 15:54:12 2012 : L2TP sent SCCRP
  2012-02-22 15:54:13 GMT             --> Client with address = 192.168.2.228 has hungup
  2012-02-22 15:54:14 GMT             --> Client with address = 192.168.2.229 has hungup
  2012-02-22 15:54:16 GMT             --> Client with address = 192.168.2.220 has hungup
  2012-02-22 15:54:20 GMT             --> Client with address = 192.168.2.221 has hungup
  2012-02-22 15:54:24 GMT             --> Client with address = 192.168.2.222 has hungup
  2012-02-22 15:54:28 GMT             --> Client with address = 192.168.2.226 has hungup
  2012-02-22 15:54:32 GMT             --> Client with address = 192.168.2.223 has hungup

  Try switching the order of the services in System Preferences > Network.
  Put the second one at the top.
  HTH,
  b.

• Trying to get my yahoo mail on new iPod. Keep getting message that server failed. Works fine on my iPad.

  Trying to setup my yahoo mail on my new iPod touch.  I keep getting the message "failed to connect with server". It works fine on my iPad though.

  See if this previous discussion helps:
                                                                                                     Re: Yahoo server unavailable. I am not able to get into yahoo account. iPhone 4S                                            

• 871 Easy VPN server

  Can establish VPN connection and can ping the 871 internal IP address but cannot ping all others devices in same subnet.

  These are the troubleshooting methodologies :
  Be aware of any changes to an active Cisco Easy VPN Remote configuration or IP address changes to the involved interfaces.
  Enable debugging of the Cisco Easy VPN Remote feature using the debug crypto ipsec client ezvpn command.
  Enable debugging of IKE events using the debug crypto ipsec and debug crypto isakmp commands.
  Display the active IPsec VPN connections using the show crypto engine connections active command.
  To reset the VPN connection, use the clear crypto ipsec client ezvpn command.
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml
  http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1192045

• EASY VPN hardware client not working.

  Hello,
  I'm experiencing an issue. I have the following topology:
  192.168.12.0 /24 --- inside192.168.12.1(ASA5502)192.168.1.71 dhcp ---192.168.1.254 ISP GATEWAY ===201.144.194.226 PEER --Inside 192.168.0.0
  I have VPNCLIENT configured correctly but can't seem to pass traffic or get the tunnel up. I'm attaching debug crypto isakmp 10, debug crypto ipsec 10, logging debug messages. Also find the config attached.
  I'm trying to reach from 192.168.12.10 to a server 192.168.1.200 on remote.
  Running version 8.2(5)
  Any idea of what i have configured wrong?
  Thanks
  Tony

  Couple of quick comments:
  1. I do not see 192.168.0.0 part of that inside_outbound_nat0_acl ACL.
  2. I see a crypto map instance 40 with "incomplete" crypto map, which is actually missing a match address.
  crypto map outside_map 40 ipsec-isakmp
  crypto map outside_map 40 set peer 216.27.161.109
  crypto map outside_map 40 set transform-set ESP-DES-MD5
  ! Incomplete
  Not sure if this is the current configuration from the pix. If there is a crypto map instance with a incomplete match address, all traffic will be encrypted.
  Regards,
  Arul

• Mail, iCal Server and iChat server will not work over VPN

  I have an Airport Extreme Base Station at the office running the network. Behind it sits a Mac Mini Snow Leopard server running 10.6.3. The ports necessary for Mail, iCal Server and iChat work fine through that external connection. I can also connect with VPN from my 10.6.3 clients.
  HOWEVER, when I connect with the VPN clients, I am suddenly unable to access the Mail, iCal Server, Wiki server and iChat server. All connections time out. I can ping the server and I can do other things that do NOT work on the public Airport like ssh or VNC. ssh and VNC are closed at the airport extreme.
  So it's pretty odd. When I'm connected via the VPN, all ports that are forwarded to the Snow Leopard server time out over the VPN.
  I've tried various and sundry configurations with the VPN client. This includes trying to send all traffic over the VPN, moving it up in the service order, etc. etc. Nothing fixes it. DNS resolution is working fine, however when I do a wireshark capture of ppp0 traffic, I notice that SSL and TLSv1 handshakes appear to occur on the public IP address instead of the private network IP address... and they're all resets.
  Has anyone gotten this to work successfully? Like I said, all ports that are NOT forwarded through the Airport work fine over the VPN, but will not work when connected to the VPN. It's really bizarre.

  New data: any ports that are normally forwarded on the Airport Extreme to the Mac Mini server will not work when connected to the VPN.
  For instance, if I have imaps/993 forwarded from the Airport Extreme to the Mac Mini, it works fine over the Internet. If I connect to the VPN, I can connect to all OTHER services on the Mac Mini, but Mail, for instance, will not work.

• Communication problem from the vpn-anyconnect to easy-vpn-remote

  Hi Team,
  I have a communication problem from the vpn-anyconnect to easy-vpn-remote, I´ll explain better bellow and see the attached
  topology:
  1) VPN Tunnel between HQ to Branch Office - That´s OK
  2) VPN Tunnel between Client AnyConnect to HQ - That´s OK
  The idea is that the Client Anyconnect is to reach the LAN at Branch Office, but did not reach.
  The communication is stablished just when I start a session (icmp and/or rdp) from Branch Office to the Client AnyConnect,
  in this way, the communication is OK, but just during a few minutes.
  Could you help me?
  Bellow the IOS version and configurations
  ASA5505 Version 8.4(7)23 (headquarters)
  ASA5505 Version 8.4(7)23 (Branch)
  **************** Configuration Easy VPN Server (HQ) **************** 
  crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set ESP-AES-256-SHA
  crypto map outside-link-2_map 1 ipsec-isakmp dynamic DYNAMIC-MAP
  crypto map outside-link-2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside-link-2_map interface outside-link-2
  access-list ACL_EZVPN standard permit 10.0.0.0 255.255.255.0 
  access-list ACL_EZVPN standard permit 192.168.1.0 255.255.255.0 
  access-list ACL_EZVPN standard permit 192.168.50.0 255.255.255.0 
  access-list ACL_EZVPN standard permit 10.10.0.0 255.255.255.0 
  group-policy EZVPN_GP internal
  group-policy EZVPN_GP attributes
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value ACL_EZVPN
   nem enable 
  tunnel-group EZVPN_TG type remote-access
  tunnel-group EZVPN_TG general-attributes
   default-group-policy EZVPN_GP
  tunnel-group EZVPN_TG ipsec-attributes
   ikev1 pre-shared-key *****
  object-group network Obj_VPN_anyconnect-local
   network-object 192.168.1.0 255.255.255.0
   network-object 192.168.15.0 255.255.255.0
  object-group network Obj-VPN-anyconnect-remote
   network-object 192.168.50.0 255.255.255.0
  object-group network NAT_EZVPN_Source
   network-object 192.168.1.0 255.255.255.0
   network-object 10.10.0.0 255.255.255.0
  object-group network NAT_EZVPN_Destination
   network-object 10.0.0.0 255.255.255.0
  nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-
  anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
  nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination 
  NAT_EZVPN_Destination no-proxy-arp route-lookup
  nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static 
  NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
  **************** Configuration VPN AnyConnect (HQ) **************** 
  webvpn
   enable outside-link-2
   default-idle-timeout 60
   anyconnect-essentials
   anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
   anyconnect profiles Remote_Connection_for_TS_Users disk0:/remote_connection_for_ts_users.xml
   anyconnect enable
   tunnel-group-list enable
  access-list split-tunnel standard permit 192.168.1.0 255.255.255.0 
  access-list split-tunnel standard permit 192.168.15.0 255.255.255.0 
  access-list split-tunnel standard permit 10.0.0.0 255.255.255.0 
  group-policy clientgroup internal
  group-policy clientgroup attributes
   wins-server none
   dns-server value 192.168.1.41
   vpn-tunnel-protocol ssl-client 
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value split-tunnel
   default-domain value ipconnection.com.br
   webvpn       
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect profiles value Remote_Connection_for_TS_Users type user
    anyconnect ask none default anyconnect
  tunnel-group sslgroup type remote-access
  tunnel-group sslgroup general-attributes
   address-pool vpnpool
   authentication-server-group DC03
   default-group-policy clientgroup
  tunnel-group sslgroup webvpn-attributes
   group-alias IPConnection-vpn-anyconnect enable
  object-group network Obj_VPN_anyconnect-local
   network-object 192.168.1.0 255.255.255.0
   network-object 192.168.15.0 255.255.255.0
  object-group network Obj-VPN-anyconnect-remote
   network-object 192.168.50.0 255.255.255.0
  object-group network NAT_EZVPN_Source
   network-object 192.168.1.0 255.255.255.0
   network-object 10.10.0.0 255.255.255.0
  object-group network NAT_EZVPN_Destination
   network-object 10.0.0.0 255.255.255.0
  nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-
  anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
  nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination 
  NAT_EZVPN_Destination no-proxy-arp route-lookup
  nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static 
  NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup

  Hi,
  the communication works when you send traffic from easyvpn branch side because it froms the IPSEC SA for local subnet and anyconnect HQ pool. The SA will only form when branch initiates the connection as this is dynamic peer connection to HQ ASA.
  when there no SA between branch and HQ for this traffic, HQ ASA has no clue about where to send the traffic from anyconnect to branch network.
  I hope it explains the cause.
  Regards,
  Abaji.

• Setting up Easy VPN in Cisco Configuration Professional, external access problems!

  Hi
  I have a Cisco 857 router which is flashed with Cisco Configuration Express 2.6.
  Cisco Configuration Professional 2.6 is installed on my PC and I'm trying to configure Easy VPN for access away from the office.
  The steps I have taken are as follows:
  1) I launched the Easy VPN Server Wizard
  2) IP address of Virtual Tunnel Interface is unnumbered to Vlan1 from the drop down menu - Authentication, Pre Shared Key
  3) IKE Proposals set to the default option thats already there
  4) Transform set is the default which is already there
  5) Method list for group policy Lookup is LOCAL
  6) User authentication is LOCAL ONLY, the admin account shows up in ADD USER CREDENTIALS which is the account i'm going to test the connection with
  7) I have set up a GROUP POLICY which i've named, created a PRE SHARED KEY, created an IP address pool & subnet mask to the same range as the routers addresses and left all other options to default
  8) I left cTCP unticked and disabled
  9) I delivered the commands succesfully
  10) I click TEST VPN SERVER and get 3 ticks successful for Server configuration, dependant components & Firewall
  11) I open the cisco client and access the VPN internally using the routers LAN address, it prompts for my user name and password, I type it in and connect successfully
  12) When I go home I configure my client to the same settings except I change the LAN address for the external WAN ip address, but I get an error message which says "Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding"
  VPN Client settings are as follows
  Group Authentication
  Enable Transparent Tunneling- IPSec over UDP (NAT / PAT)
  Currently I have a dynamic external IP address, I intend to get a static one once I know I can get this to work.
  I would be extremely greatful if someone could help me solve this issue and work out why I can't connect externally.
  I have no knowledge of CLI but will use it if given some instructions.
  Thanks.
  P.S. I have turned off all antivirus and firewall programs on the client computer when trying to connect.

  Your nat exemption acl is backwards...
  access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
  should be...
  access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0