Untrusted VPN Server Blocked after a reload

Similar Messages

• Untrusted VPN Server Certificate

  We just upgraded our AnyConnect to Ver 3.1.01065 and we are using a self signed cert with it. We haven't had any issues with the before but now when ever a customer logs on to the VPN using AnyConnect we get " Security warning: Untrusted VPN Server Certificate!" and it says that AnyConnect cannot verify the VPN server.
  Then i can connect anyways or cancel.
  Because this is my server and i trust the cert i am fine just clicking Connect anyways. My customers freak out a bit when they see this, I know this has to be a simple fix but i can't figure out how to get my local boxes to trust the cert. Has anyone run in to this with Ver 3.1.01065 and how did you fix it?
  Thanks,
  Jeremy

  Cisco is really trying to make people stop using self-signed certificates with AC 3.1. You have to either use a trusted root CA (either private or public) or turn off the certificate checking altogether.

• Security warning for any connect VPN " Untrusted VPN server Certificate"

  Is there any way to disable this security warning  ( " Untrusted VPN server Certificate") with self sign certificate on the ASA 

  Hi Anton,
  Please have a look at the link below:
  http://docs.acl.com/ex/300/index.jsp?topic=%2Fcom.acl.ax.exception.installguide%2Fexception%2Finstallation%2Ft_installing_the_self-signed_certificate.html
  This is for IE. You should get steps for FF and CHROME out there easily as well.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• AnyConnect 3.1 - removing Security Warning: Untrusted VPN Server Certificate!

  Hi guys,
  Is there a way to disable the warning generated from using self signed certs?
  I would like to make the process as seamless as possible.
  AnyConnect 3.1
  ASA 8.4(2)
  Thanks.

  Hi,
  We had problem with the above error message with our certificate when we moved to AnyConnect 3.1
  We were instructed to request a new one
  Also here is the link to Cisco site we were provided that explains the changes in 3.1
  IPSec and SSL connections require server  certificates to contain Key Usage attributes of Digital Signature and  Key Encipherment, as well as an Enhanced Key Usage attribute of Server  Authentication or IKE Intermediate. Note that IPSec server certificates  not containing a Key Usage are considered invalid for all Key Usages,  and similarly an IPSec server certificate not containing an Enhanced Key  Usage is considered invalid for all Enhanced Key Usages.
  Link to document
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936
  Sadly I dont dable with certificates myself so I'm not really familiar with this.
  - Jouni

• How to setup vpn-server in Mountain Lion 10.8.3?

  Before I updated my mac mini server to 10.8.3 I used Server Admin to setup a vpn server. After the update Server Admin isn't supported anymore and my vpn settings are gone. Now i want to setup the server again, but have no clue what settings to enter where.
  I suppose it starts with adding two vpn-interfaces: PPTP and LT2P.
  But how further? I can't find a tutorial or manual.

  I do now :-)
  And many thank, that's the application I was looking for. My vpn is back online. Well, the mac-part. I still can't connect with a Win7 system. Connecting to a vpn-server of another company works fine, so it's something in the configuration of de Mini Server.
  The error code is 629.
  Hopefully someone can help me with this part too?

• VPN works only after reload

  Hello,
  I have a Cisco ASA5505 setup for VPN trough IPSec (L2TP). I can connect from wherever I want to it using the user and password.
  The only problem is that, after 2-3 days I have to reload the appliance because it denies connection on port 500 UDP. After the reload everything works fine again.
  Do you know how to handle this kind of problem? Is is a bug in the software or it could be only a misconfiguration?

  forget the diagnostics and launch airport utility and if a yellow button is showing, double click it and read what it says to correct.

• Phonefactor with RRAS(Windows Server 2003) - VPN client timeout after 20 seconds -- too fast!

  [Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].
  We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they
  just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.
  So... now we are trying Phonefactor.
  Our VPN setup is RRAS on a Windows Server 2003 domain controller.
  We have installed Phonefactor, enabled it as a Radius server, and configured RRAS to point to Phonefactor for Radius authentication. We configured phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone
  call.
  It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six digit code typed into a reply on the cell phone... and unless we are really
  nimble, that is frequently not enough time!
  When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."
  How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to phonefactor?
  Things we have tried:
  1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.
  2) On the windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.
  3) On the windows 2003 server: Modifying the RRAS Radius Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.
  4) In the phonefactor configuration: Searching through the radius server settings to see if there is one labeled "connection timeout". So far we have found nothing.
  5) Using NTRadPing to connect directly to the phonefactor radius server. With NTRadPing we were able to wait more than 60 seconds without a timeout from phonefactor. So we don't *think* at this point that the issue is within phonefactor.
  6) We have asked phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your vpn client". And they could well be correct.
  7) Search the web for how to increase either the stock windows VPN client timeout, or the RRAS radius authentication timeout. No luck so far.
  8) Try this registry hack:
  http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.
  Any ideas?
  thanks!

  Hi fdc2005,
  Thanks for the post.
  However, generally, we first type User Name, Password, then click connect to establish the VPN connection. Such as:
  Therefore, I have a little confusion about the timeout you mentioned. Would you please provide us more details.
  Regarding error 718, please check if the following could help:
  If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
  Steps to follow for resolution:
  (1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
  (2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)
  Quote from:
  Troubleshooting Vista VPN problems.
  Hope this helps.
  Jeremy Wu
  TechNet Community Support

• VPN Server broken with Windows after upgrade from Tiger.

  Hey there
  I use Tiger 10.4 Server on a PowerMac G4.
  It has two network interfaces, one public facing with it's own static IP, and the other internal facing.
  The VPN service works perfectly, and allows people to connect via L2TP and assignes them an IP on the internal facing subnet, and allows OS X and Windows clients to connect.
  However after upgrading to Leopard, only Mac clients can connect, all the Windows clients connect, and although they get an IP and are able to ping destinations, attempts to connect to these destinations (some of which are web apps on port 80, others are file servers running Samba), they just sit waiting for ever.
  I've experimented with this problem, and it appears to be a problem with MTU and packet fragmentation, however these settings appear to be the same between Tiger, which worked, and Leopard which does not work.
  Does anyone have any experience with the new VPN Server in Leopard, and can offer me any advice on how to fix this problem? I'm currently downgraded to Tiger again until a fix can be found.

  I had the same issue, among others, but I finally got everything to work eventually. It seems that if the IP range of the client connecting to VPN is in the same range of the server LAN, there will be connectivity issues, whether it be pcs and/or macs not being able to connect. The following set up got my VPN services working:
  1. Get DNS and Open Directory working properly. When I did an upgrade, the Server Admin updated my zone files with a curious extra space, which killed DNS. For example, I had the name server as ns.company.private., but in the files it would say ns. company.private everywhere! I've been reading about various bugs in upgrading DNS, so I think it's best just to start DNS from scratch. But if you are upgrading, the following thread expalins how to go about setting up DNS and Open Directory: http://discussions.apple.com/thread.jspa?messageID=5957209&#5957209
  2. Once you have Open directory users and dns working properly, then set up VPN. Give a unique IP range to the internal network (192.168.7.1/24) that other networks will not emulate. If you use 192.168.1.1, you will likely run into issues. You can always test this method out by changing the IP range from a remote location and trying to get in this way instead of changing the server. Also, be aware that if you use Gateway Assistant within NAT, it will automatically give you a 192.168.1.1/24 range, at least that's been my experience, and this always killed VPN for me. I would set up NAT manually to avoid problems.
  3. Ensure that the DNS information under the Client Information tab is correct. For my server I have 192.168.9.1 as the nameserver, and company.private as the search domain. Then set up routing tables. Mine are 192.168.0.0:255.255.0.0 private and 0.0.0.0:0.0.0.0 public.
  Also, when you restart the server, stop and restart VPN services, as there is some talk about the Tiger bug still being around, where VPN services are messed up upon startup. This all worked for me and a couple others that had similar server set ups. Hopefully this will work for you.

• Block outgoing email because of VPN server

  We have Cisco VPN on ASA for over 4 years. Recently, barracudacentral.org blocks our outgoing email because of these reasons: •Your email server contains a virus and has been sending out spam. •Your email server may be misconfigured. •Your PC may be infected with a virus or botnet software program. •Someone in your organization may have a PC infected with a virus or botnet program. •You may be utilizing a dynamic IP address which was previously utilized by a known spammer. •Your marketing department may be sending out bulk emails that do not comply with the CAN-SPAM Act. •You may have an insecure wireless network which is allowing unknown users to use your network to send spam. •In some rare cases, your recipient's Barracuda Spam Firewall may be misconfigured. This is the undeliverable message: barracudacentral.org rejected your message to the following e-mail addresses and  gave this error: Service unavailable; Client host [VPN IP address-illinois.hfc.comcastbusiness.net] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=VPN IP Address The IP address they blocks is our VPN server. Why?                   

  gmail issue
  Your post is the 4th one already this morning.
  This is a gmail issue, contact them.

• My Macbook disconnect with the vpn server after 1-2minutes inactivity

  My Macbook disconnect with the vpn server after 1-2minutes inactivity. Why ? I would like maybe 5 minutes later some date download from this vpn server .

  I hope this will help ..
  setting the following on the VPN custom connection:
  a) "lifetime time 24 hours;" or more
  b) dpd_delay 0;
  c) proposal_check claim;

• Installing a VPN Server in Mac OS X

  Has anyone tried to install a VPN server successfully in mac os x?
  I was able to get webmin installed successfully, and I know on my linux distros webmin automatically detects if a VPN server is installed (such as poptop) or at least if the option is there, but in mac os x (not the server version) there is nothing listed.
  Anyone know of any other VPN servers that could be installed in mac os x, or even anything for BSD that could be compiled from source?

  I run the server on PowerPC and use clients on both PowerPC and Intel. Admittedly, my wife has run off the the MBP so my use on the Intel is limited these days.
  If you want to route onto the network, you'll have to create routes after the TUN/TAP interface is up. The OS X FAQs on OpenVPN detail various ways to do this.
  # Sample OpenVPN 2.0 config file for #
  # multi-client server. #
  # This file is for the server side #
  # of a many-clients <-> one-server #
  # OpenVPN configuration. #
  # OpenVPN also supports #
  # single-machine <-> single-machine #
  # configurations (See the Examples page #
  # on the web site for more info). #
  # This config should work on Windows #
  # or Linux/BSD systems. Remember on #
  # Windows to quote pathnames and use #
  # double backslashes, e.g.: #
  # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
  # Comments are preceded with '#' or ';' #
  # Which local IP address should OpenVPN
  # listen on? (optional)
  ;local 192.168.2.253
  # Which TCP/UDP port should OpenVPN listen on?
  # If you want to run multiple OpenVPN instances
  # on the same machine, use a different port
  # number for each one. You will need to
  # open up this port on your firewall.
  port 443
  # TCP or UDP server?
  ;proto tcp
  proto tcp
  # "dev tun" will create a routed IP tunnel,
  # "dev tap" will create an ethernet tunnel.
  # Use "dev tap0" if you are ethernet bridging
  # and have precreated a tap0 virtual interface
  # and bridged it with your ethernet interface.
  # If you want to control access policies
  # over the VPN, you must create firewall
  # rules for the the TUN/TAP interface.
  # On non-Windows systems, you can give
  # an explicit unit number, such as tun0.
  # On Windows, use "dev-node" for this.
  # On most systems, the VPN will not function
  # unless you partially or fully disable
  # the firewall for the TUN/TAP interface.
  ;dev tap
  dev tun
  # Windows needs the TAP-Win32 adapter name
  # from the Network Connections panel if you
  # have more than one. On XP SP2 or higher,
  # you may need to selectively disable the
  # Windows firewall for the TAP adapter.
  # Non-Windows systems usually don't need this.
  ;dev-node MyTap
  # SSL/TLS root certificate (ca), certificate
  # (cert), and private key (key). Each client
  # and the server must have their own cert and
  # key file. The server and all clients will
  # use the same ca file.
  # See the "easy-rsa" directory for a series
  # of scripts for generating RSA certificates
  # and private keys. Remember to use
  # a unique Common Name for the server
  # and each of the client certificates.
  # Any X509 key management system can be used.
  # OpenVPN can also use a PKCS #12 formatted key file
  # (see "pkcs12" directive in man page).
  ca /etc/openvpn/key/ca.crt
  cert /etc/openvpn/key/server.crt
  key /etc/openvpn/key/server.key
  # Diffie hellman parameters.
  # Generate your own with:
  # openssl dhparam -out dh1024.pem 1024
  # Substitute 2048 for 1024 if you are using
  # 2048 bit keys.
  dh /etc/openvpn/key/dh1024.pem
  # Configure server mode and supply a VPN subnet
  # for OpenVPN to draw client addresses from.
  # The server will take 10.8.0.1 for itself,
  # the rest will be made available to clients.
  # Each client will be able to reach the server
  # on 10.8.0.1. Comment this line out if you are
  # ethernet bridging. See the man page for more info.
  server 169.254.1.0 255.255.255.0
  # Maintain a record of client <-> virtual IP address
  # associations in this file. If OpenVPN goes down or
  # is restarted, reconnecting clients can be assigned
  # the same virtual IP address from the pool that was
  # previously assigned.
  ifconfig-pool-persist ipp.txt
  # Configure server mode for ethernet bridging.
  # You must first use your OS's bridging capability
  # to bridge the TAP interface with the ethernet
  # NIC interface. Then you must manually set the
  # IP/netmask on the bridge interface, here we
  # assume 10.8.0.4/255.255.255.0. Finally we
  # must set aside an IP range in this subnet
  # (start=10.8.0.50 end=10.8.0.100) to allocate
  # to connecting clients. Leave this line commented
  # out unless you are ethernet bridging.
  ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
  ;server-bridge 192.168.2.1 255.255.255.0 192.168.2.240 192.168.2.245
  # Push routes to the client to allow it
  # to reach other private subnets behind
  # the server. Remember that these
  # private subnets will also need
  # to know to route the OpenVPN client
  # address pool (10.8.0.0/255.255.255.0)
  # back to the OpenVPN server.
  push "route 10.0.0.0 255.255.255.0"
  ;push "route 192.168.20.0 255.255.255.0"
  # To assign specific IP addresses to specific
  # clients or if a connecting client has a private
  # subnet behind it that should also have VPN access,
  # use the subdirectory "ccd" for client-specific
  # configuration files (see man page for more info).
  # EXAMPLE: Suppose the client
  # having the certificate common name "Thelonious"
  # also has a small subnet behind his connecting
  # machine, such as 192.168.40.128/255.255.255.248.
  # First, uncomment out these lines:
  ;client-config-dir ccd
  ;route 192.168.40.128 255.255.255.248
  # Then create a file ccd/Thelonious with this line:
  # iroute 192.168.40.128 255.255.255.248
  # This will allow Thelonious' private subnet to
  # access the VPN. This example will only work
  # if you are routing, not bridging, i.e. you are
  # using "dev tun" and "server" directives.
  # EXAMPLE: Suppose you want to give
  # Thelonious a fixed VPN IP address of 10.9.0.1.
  # First uncomment out these lines:
  ;client-config-dir ccd
  ;route 10.9.0.0 255.255.255.252
  # Then add this line to ccd/Thelonious:
  # ifconfig-push 10.9.0.1 10.9.0.2
  # Suppose that you want to enable different
  # firewall access policies for different groups
  # of clients. There are two methods:
  # (1) Run multiple OpenVPN daemons, one for each
  # group, and firewall the TUN/TAP interface
  # for each group/daemon appropriately.
  # (2) (Advanced) Create a script to dynamically
  # modify the firewall in response to access
  # from different clients. See man
  # page for more info on learn-address script.
  ;learn-address ./script
  # If enabled, this directive will configure
  # all clients to redirect their default
  # network gateway through the VPN, causing
  # all IP traffic such as web browsing and
  # and DNS lookups to go through the VPN
  # (The OpenVPN server machine may need to NAT
  # the TUN/TAP interface to the internet in
  # order for this to work properly).
  # CAVEAT: May break client's network config if
  # client's local DHCP server packets get routed
  # through the tunnel. Solution: make sure
  # client's local DHCP server is reachable via
  # a more specific route than the default route
  # of 0.0.0.0/0.0.0.0.
  ;push "redirect-gateway"
  # Certain Windows-specific network settings
  # can be pushed to clients, such as DNS
  # or WINS server addresses. CAVEAT:
  # http://openvpn.net/faq.html#dhcpcaveats
  ;push "dhcp-option DNS 10.8.0.1"
  ;push "dhcp-option WINS 10.8.0.1"
  # Uncomment this directive to allow different
  # clients to be able to "see" each other.
  # By default, clients will only see the server.
  # To force clients to only see the server, you
  # will also need to appropriately firewall the
  # server's TUN/TAP interface.
  ;client-to-client
  # Uncomment this directive if multiple clients
  # might connect with the same certificate/key
  # files or common names. This is recommended
  # only for testing purposes. For production use,
  # each client should have its own certificate/key
  # pair.
  # IF YOU HAVE NOT GENERATED INDIVIDUAL
  # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
  # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
  # UNCOMMENT THIS LINE OUT.
  ;duplicate-cn
  # The keepalive directive causes ping-like
  # messages to be sent back and forth over
  # the link so that each side knows when
  # the other side has gone down.
  # Ping every 10 seconds, assume that remote
  # peer is down if no ping received during
  # a 120 second time period.
  keepalive 10 120
  # For extra security beyond that provided
  # by SSL/TLS, create an "HMAC firewall"
  # to help block DoS attacks and UDP port flooding.
  # Generate with:
  # openvpn --genkey --secret ta.key
  # The server and each client must have
  # a copy of this key.
  # The second parameter should be '0'
  # on the server and '1' on the clients.
  ;tls-auth ta.key 0 # This file is secret
  # Select a cryptographic cipher.
  # This config item must be copied to
  # the client config file as well.
  ;cipher BF-CBC # Blowfish (default)
  ;cipher AES-128-CBC # AES
  ;cipher DES-EDE3-CBC # Triple-DES
  # Enable compression on the VPN link.
  # If you enable it here, you must also
  # enable it in the client config file.
  comp-lzo
  # The maximum number of concurrently connected
  # clients we want to allow.
  ;max-clients 100
  # It's a good idea to reduce the OpenVPN
  # daemon's privileges after initialization.
  # You can uncomment this out on
  # non-Windows systems.
  ;user nobody
  ;group nobody
  # The persist options will try to avoid
  # accessing certain resources on restart
  # that may no longer be accessible because
  # of the privilege downgrade.
  persist-key
  persist-tun
  # Output a short status file showing
  # current connections, truncated
  # and rewritten every minute.
  status /var/log/openvpn-status.log
  # By default, log messages will go to the syslog (or
  # on Windows, if running as a service, they will go to
  # the "\Program Files\OpenVPN\log" directory).
  # Use log or log-append to override this default.
  # "log" will truncate the log file on OpenVPN startup,
  # while "log-append" will append to it. Use one
  # or the other (but not both).
  ;log openvpn.log
  ;log-append openvpn.log
  # Set the appropriate level of log
  # file verbosity.
  # 0 is silent, except for fatal errors
  # 4 is reasonable for general usage
  # 5 and 6 can help to debug connection problems
  # 9 is extremely verbose
  verb 3
  # Silence repeating messages. At most 20
  # sequential messages of the same message
  # category will be output to the log.
  ;mute 20

• GUI issues with VPN server / remote settings - SR520 UC540

  Kinda new to the CCA world, but not new to the game. So far I am finding the limitations a bit frustrating, but here's the main issue at the moment:
  Attempting to set up a simple network with a UC540 at HQ, with an SR520 at a SOHO site. I can get the remote VPN working fine, also get a VPN to the SR520 for remote administration working. Actually had everything working fine, saved the config and rebooted to test prior to shipping it to out.
  However, when I go back to look at the settings, trouble starts.The remote VPN settings don't show - the CCA tells me changes have been made in the CLI (not). The display for the VPN Server also seems buggy as it will not always display the settings for the VPN itself or the networks listed under split tunnels.Changes to either VPN setup appear to bork the other.
  As this is going to a site far, far away I need to be very sure that the VPN setup is solid, at least for remote access. I have a sneaking suspicion that some of the settings are shared and changes to one setup affect the other, but after going from everything working > save > reload > not working, I can't see what is wrong.
  Short version - need SOHO to communicate with HQ over site-to-site VPN, with remote access from 3d location to CCA.
  Any hints?

  Hi,
  To resolve your issue as soon as possible, please post your question on the Forefront TMG forum:
  http://social.technet.microsoft.com/Forums/en-US/home?forum=Forefrontedgegeneral
  Steven Lee
  TechNet Community Support

• VPN client connect to CISCO 887 VPN Server bat they stop at router!!

  Hi
  my scenario is as follows
  SERVER1 on lan (192.168.5.2/24)
  |
  |
  CISCO-887 (192.168.5.4) with VPN server
  |
  |
  INTERNET
  |
  |
  VPN Cisco client on xp machine
  My connection have public ip address assegned by ISP, after ppp login.
  I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
  All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
  But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
  They can ping only router!!!
  They are configured with Cisco VPN client (V5.0.007) with "Enabled Trasparent Tunnelling" and "IPSec over UDP NAT/PAT".
  What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
  Peraps ACL problem?
  Building configuration...
  Current configuration : 5019 bytes
  ! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname gate
  boot-start-marker
  boot-end-marker
  no logging buffered
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  memory-size iomem 10
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-453216506
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-453216506
  revocation-check none
  rsakeypair TP-self-signed-453216506
  crypto pki certificate chain TP-self-signed-453216506
  certificate self-signed 01
          quit
  ip name-server 212.216.112.222
  ip cef
  no ipv6 cef
  password encryption aes
  license udi pid CISCO887VA-K9 sn ********
  username adm privilege 15 secret 5 *****************
  username user1 secret 5 ******************
  controller VDSL 0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group EXTERNALS
  key 6 *********\*******
  dns 192.168.5.2
  wins 192.168.5.2
  domain domain.local
  pool SDM_POOL_1
  save-password
  crypto isakmp profile ciscocp-ike-profile-1
     match identity group EXTERNALS
     client authentication list ciscocp_vpn_xauth_ml_2
     isakmp authorization list ciscocp_vpn_group_ml_2
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ciscocp-ike-profile-1
  interface Loopback0
  ip address 10.10.10.10 255.255.255.0
  interface Ethernet0
  no ip address
  shutdown
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  interface ATM0.1 point-to-point
  pvc 8/35
    encapsulation aal5snap
    protocol ppp dialer
    dialer pool-member 1
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface Virtual-Template1 type tunnel
  ip unnumbered Dialer0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  ip address 192.168.5.4 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly in
  interface Dialer0
  ip address negotiated
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname ******@*******.****
  ppp chap password 0 alicenewag
  ppp pap sent-username ******@*******.**** password 0 *********
  ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 1 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.5.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 permit ip 192.168.5.0 0.0.0.255 any
  dialer-list 1 protocol ip permit
  line con 0
  line aux 0
  line vty 0 4
  transport input all
  end

  Hello,
  Your pool of VPN addresses is overlapping with the interface vlan1.
  Since proxy-arp is disabled on that interface, it will never work
  2 solutions
  1- Pool uses a different network than 192.168.5
  2- Enable ip proxy-arp on interface vlan1
  Cheers,
  Olivier

• VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

  Hi
  my scenario is as follows
  SERVER1 on lan (192.168.1.4)
  |
  |
  CISCO-887 (192.168.1.254)
  |
  |
  INTERNET
  |
  |
  VPN Cisco client on windows 7 machine
  My connection have public ip address assegned by ISP, after ppp login.
  I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
  All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
  But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
  I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
  What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
  Perhaps ACL problem?
  Building configuration...
  Current configuration : 4921 bytes
  ! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname TestLab
  boot-start-marker
  boot-end-marker
  enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  memory-size iomem 10
  crypto pki trustpoint TP-self-signed-3013130599
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3013130599
  revocation-check none
  rsakeypair TP-self-signed-3013130599
  crypto pki certificate chain TP-self-signed-3013130599
  certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
  33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
  9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
  8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
  C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
  AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
  03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
  2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
  AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
  B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
  B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
  CBB28E7A E91A090D 53DAD1A0 3F66A3
  quit
  no ip domain lookup
  ip cef
  no ipv6 cef
  license udi pid CISCO887VA-K9 sn ***********
  username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
  controller VDSL 0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group EXTERNALS
  key NetasTest
  dns 8.8.4.4
  pool VPN-Pool
  acl 120
  crypto isakmp profile ciscocp-ike-profile-1
  match identity group EXTERNALS
  client authentication list ciscocp_vpn_xauth_ml_2
  isakmp authorization list ciscocp_vpn_group_ml_2
  client configuration address respond
  virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ciscocp-ike-profile-1
  interface Ethernet0
  no ip address
  shutdown
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 8/35
  pppoe-client dial-pool-number 1
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface Virtual-Template1 type tunnel
  ip address 192.168.2.1 255.255.255.0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  ip address 192.168.1.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  interface Dialer0
  ip address negotiated
  ip mtu 1452
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname ****
  ppp chap password 0 *********
  ppp pap sent-username ****** password 0 *******
  no cdp enable
  ip local pool VPN-Pool 192.168.2.210 192.168.2.215
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 100 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 100 remark
  access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 100 remark
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 120 remark
  access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  line con 0
  exec-timeout 5 30
  password ******
  no modem enable
  line aux 0
  line vty 0 4
  password ******
  transport input all
  end
  Best Regards,

  I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin  and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
  router#sh crypto session detail 
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection     
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Dialer0
  Uptime: 00:40:37
  Session status: UP-ACTIVE     
  Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
        Phase1_id: 192.168.1.100
        Desc: (none)
    IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active 
            Capabilities:(none) connid:2001 lifetime:07:19:22
    IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0 
          Active SAs: 4, origin: dynamic crypto map
          Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
          Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162

• Cisco IPSEC VPN not working after upgrade to Mavericks

  I have been using the Cisco IPSEC VPN for almost 2 years with no issues. When I upgraded to Mavericks this week it stopped working. When i tell it to connect it prompts for password and attempts to connect for about 30 seconds then comes back with the following message...
  VPN Connection
  The negotiation with the VPN server failed. Verify the server address and try reconnecting.
  The address, group, shared secret, user and password are correct. Any help would be greatly appreiated.

  Hry, I'm not sure if this fixes the Cisco IPSec issue, but I can vouch for it fixing the L2TP issue that occurs after tha mavericks upgrade!
  I’ve got L2TP VPN working in Mavericks 10.9 and Server App 3.0.0 / 3.0.1.
  It really is quite a simple fix.
  Obviously, the standard caveats apply: This is a temporary, unsupported, workaround, and only a suggested idea at that. Again, this workaround is NOT supported by Apple.
  Proceed with this workaround on your own equipment at your own risk. And remember the golden rule: Always backup your data!
  OK so here goes… copy and paste the following into termini ONE LINE AT A TIME!
  cd /tmp
  curl -sO http://c5mart.co/mavericks-vpn-fix/racoon.tar.gz
  tar -xzvf racoon.tar.gz
  rm racoon.tar.gz
  sudo chown root:wheel racoon
  sudo chmod 555 racoon
  if [ ! -f /usr/sbin/racoon.mavericks ]; then sudo mv /usr/sbin/racoon /usr/sbin/racoon.mavericks; fi;
  sudo mv racoon /usr/sbin/racoon
  sudo killall racoon
  This works fine for me and I'm running a OSX Server for my entire office.
  …et voilà!