VPN Server, GW stop

Similar Messages

• VPN client connect to CISCO 887 VPN Server bat they stop at router!!

  Hi
  my scenario is as follows
  SERVER1 on lan (192.168.5.2/24)
  |
  |
  CISCO-887 (192.168.5.4) with VPN server
  |
  |
  INTERNET
  |
  |
  VPN Cisco client on xp machine
  My connection have public ip address assegned by ISP, after ppp login.
  I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
  All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
  But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
  They can ping only router!!!
  They are configured with Cisco VPN client (V5.0.007) with "Enabled Trasparent Tunnelling" and "IPSec over UDP NAT/PAT".
  What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
  Peraps ACL problem?
  Building configuration...
  Current configuration : 5019 bytes
  ! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname gate
  boot-start-marker
  boot-end-marker
  no logging buffered
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  memory-size iomem 10
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-453216506
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-453216506
  revocation-check none
  rsakeypair TP-self-signed-453216506
  crypto pki certificate chain TP-self-signed-453216506
  certificate self-signed 01
          quit
  ip name-server 212.216.112.222
  ip cef
  no ipv6 cef
  password encryption aes
  license udi pid CISCO887VA-K9 sn ********
  username adm privilege 15 secret 5 *****************
  username user1 secret 5 ******************
  controller VDSL 0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group EXTERNALS
  key 6 *********\*******
  dns 192.168.5.2
  wins 192.168.5.2
  domain domain.local
  pool SDM_POOL_1
  save-password
  crypto isakmp profile ciscocp-ike-profile-1
     match identity group EXTERNALS
     client authentication list ciscocp_vpn_xauth_ml_2
     isakmp authorization list ciscocp_vpn_group_ml_2
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ciscocp-ike-profile-1
  interface Loopback0
  ip address 10.10.10.10 255.255.255.0
  interface Ethernet0
  no ip address
  shutdown
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  interface ATM0.1 point-to-point
  pvc 8/35
    encapsulation aal5snap
    protocol ppp dialer
    dialer pool-member 1
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface Virtual-Template1 type tunnel
  ip unnumbered Dialer0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  ip address 192.168.5.4 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly in
  interface Dialer0
  ip address negotiated
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname ******@*******.****
  ppp chap password 0 alicenewag
  ppp pap sent-username ******@*******.**** password 0 *********
  ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 1 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.5.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 permit ip 192.168.5.0 0.0.0.255 any
  dialer-list 1 protocol ip permit
  line con 0
  line aux 0
  line vty 0 4
  transport input all
  end

  Hello,
  Your pool of VPN addresses is overlapping with the interface vlan1.
  Since proxy-arp is disabled on that interface, it will never work
  2 solutions
  1- Pool uses a different network than 192.168.5
  2- Enable ip proxy-arp on interface vlan1
  Cheers,
  Olivier

• Untrusted VPN Server Certificate

  We just upgraded our AnyConnect to Ver 3.1.01065 and we are using a self signed cert with it. We haven't had any issues with the before but now when ever a customer logs on to the VPN using AnyConnect we get " Security warning: Untrusted VPN Server Certificate!" and it says that AnyConnect cannot verify the VPN server.
  Then i can connect anyways or cancel.
  Because this is my server and i trust the cert i am fine just clicking Connect anyways. My customers freak out a bit when they see this, I know this has to be a simple fix but i can't figure out how to get my local boxes to trust the cert. Has anyone run in to this with Ver 3.1.01065 and how did you fix it?
  Thanks,
  Jeremy

  Cisco is really trying to make people stop using self-signed certificates with AC 3.1. You have to either use a trusted root CA (either private or public) or turn off the certificate checking altogether.

• Setting up VPN Server fails in Windows 8.1

  Hello Folks
  I'm trying to set up VPN server in my Windows 8.1 box to receive incoming connections. It fails at the last step (http://www.diaryofaninja.com/blog/2012/09/11/setting-up-a-vpn-server-on-windows-7-or-windows-8-ndash-secure-your-internet-use-while-away)
  of the process (Allow Access) with the following error. I binged a lot but none of the trouble shooting mechanisms worked for me. I made sure that concerned service (Routing and Remote Access) can be started and stopped manually. Also, the same step works
  in Windows 7.
  Please see attached for error details.
  Highly appreciate any help for fixing the issue.
  Cheers
  Manohar

  Hi  Manooh,
  Besides disabling IP v6, try reset the TCP/IP in the way below:
  Open the command line windows as an administrator and type the command “nets hint ip reset” hit enter, or you can try the fix it below:
  http://support.microsoft.com/kb/299357
  We usually modify the default RDP port 3389 to another value, if you followed this too, you should add an port exception through a firewall in the way below:
  1.Open Windows Firewall
  2.In the left pane, click Advanced settings. 
  3.In the Windows Firewall with Advanced Security dialog box, in the left pane, click Inbound Rules, and then, in the right pane, click New Rule.
  4. Choose “port” and input the port number as allowed to connect.
  Regards
  Wade Liu
  TechNet Community Support

• VPN Server

  I can not seem to STOP the VPN server.  I select the toggle and it switches to off but if I click off the VPN selection and go back its back on again.  The green "dot" next to VPN never goes off.  Any ideas?  No users connected. 

  So, here's what solved it.  I'm not sure if both things I did help or just one, but this is what I did:
  1.)  Removed the LT2P.ppp and PPtP.ppp extensions from \system\library\extensions.....rebooted.  Service obviously did resume on boot.
  2.)  Replaces both extensions, then ran "repair permissions" on disk
  I can now start and stop the service as normal.

• Problems w/ VPN Server & Cisco VPN Client on same machine

  I really wish that I read about how the developer of the program iVPN no longer supports his work BEFORE I paid for it. It's a great, simple, GUI frontend to the existing Leopard VPN server built in to regular (non-server) OSX...
  Anyway, on my Mac that stays @ home:
  (1) - I have the iVPN server set up & running to allow me to connect (from my iphone or another computer on the road) to my Mac @ home using L2TP.
  (2) - When I'm @ home and need to connect to my company's network, I need to use the Cisco VPN Client (which uses IPSec etc).
  So, I found out that when I need to use my Mac to connect to work, I first have to open up the iVPN server to click "Stop Server" (which has me enter my password twice sometimes). Now I close iVPN until I'm done, then open up Activity Monitor for the purpose of finding the still-running process "racoon". I realized this not because it's published info, but because if I don't do this, and try to connect to work using the Cisco VPN Client, it simply will not connect. So, I quit the process "racoon" (which also has me enter my password because it's running as root yada yada). NOW, I can load Cisco VPN Client and successfully connect to my company's network. When I'm finished here, I disconnect the C.V.C., then reopen iVPN Server and restart my server (enter password again).
  Is there any way I can make the process "racoon" quit automatically when I turn off the iVPN server? I'd email the developer but I guess that's a lost cause now. It's a shame because he did a fabulous job making iVPN & gave the less computer-networking-literate-user the ability to create their own VPN server without using Terminal.
  I thought about the possibility of using iVPN to create a PPTP connection instead of L2TP - thinking that would allow me to keep my iVPN PPTP server running at all times, even when I wanted to use the CVC to connect OUT to work - but:
  (1) - I would like the increased security of L2TP.
  (2) - When I tried running a PPTP server, and connecting to it from iPhone or other computer, I was NOT able to access the other devices on my network, or the internet. I couldn't even open up a webpage to check whatismyip.com (while sending all traffic over VPN). And yes, the IP Address Range that I have iVPN handing out is within my normal home network's range.
  My end goal for all of this when using my Mac is to be able to leave my iVPN server running at all times, while still being able to run the Cisco VPN CLIENT to connect to my company's network.
  Or, at least not having to open up Activity Monitor to quit the process racoon... let alone having to enter my password 3 times after opening up iVPN, again to stop the server, again to quit the process racoon. Then a forth when I'm all done and need to start the iVPN server again.
  Am I going about this the wrong way? Is there an easier way to accomplish these secure connections? There is a slight possibility of me upgrading and running a dedicated Mac Mini server of some sort perhaps with the real OSX Server. But not right now. I think I'm over complicating this. I mean, my needs are pretty simple:
  (1) - Need to connect TO my Mac from IPhone / someone else's Mac or PC for: VNC over SSH, SSH/SFTP file level access, in the future shared network volumes (time capsule). I'd use Back To My Mac for all of this but I don't always connect FROM a Mac.
  (2) - Need to connect FROM my Mac to work VPN for: VNC to my work PC to access our company's Windows-only program (dual booting into boot camp or using a virtual machine is out of the question), using Mocha for AS400 access, thinking about using file sharing on work PC but not needed so far.
  So it's really just VNC and sometimes SFTP. The "S" being important to me. That's why I don't like the idea of doing away with my iVPN server and just forwarding the outside ports. I use the Vine VNC Server which when checked, only allows access over SSH. The only other remote-logins are used from my iphone using an app called BriefCase (SSH to browse files on remote machine), or using an SFTP client on a computer.
  Thank you for reading all of this, and in advance for any insight you can offer.

  If the two servers need the same ports, then hosting two different VPN packages on the same box usually won't work.
  A firewall-based VPN service can be an option; that external box can deal with NAT and routing and other such and can field incoming or LAN-to-LAN VPNs, and your internal Mac boxes located "behind" that box can be free to initiate outbound VPNs.

• VPN Server in Snow Leopard Server not accepting connections

  I've got some issues with a new Snow Leopard Server, running on a Mac mini Server, and VPN.
  I have a Linksys WRT310N performing router duties. I have enabled the VPN Passthrough in the router's configuration pages (IPSec, PPTP and L2TP all Enabled). In the Applications and Gaming section, I have enabled ports 1723 (TCP and UDP) and 1701 (TCP and UDP) to go through to the mini Server. In order to have the VPN Passthrough enabled, I have to have the SPI Firewall enabled on the router.
  I have both PPTP and L2TP enabled on the Server. When I first tested it, everything worked.
  Within 24 hours, it stopped working, and I can't work out why.
  On the Server, I can see in the logs the following messages: (server name and IPs changed to protect the guilty)
  ---BEGIN vpnd.log---
  2009-11-03 20:03:32 EST Incoming call... Address given to client = 192.168.0.213
  Tue Nov 3 20:03:32 2009 : Directory Services Authentication plugin initialized
  Tue Nov 3 20:03:32 2009 : Directory Services Authorization plugin initialized
  Tue Nov 3 20:03:32 2009 : PPTP incoming call in progress from '123.456.789.123'...
  Tue Nov 3 20:03:33 2009 : PPTP connection established.
  Tue Nov 3 20:03:33 2009 : using link 0
  Tue Nov 3 20:03:33 2009 : Using interface ppp0
  Tue Nov 3 20:03:33 2009 : Connect: ppp0 <--> socket[34:17]
  Tue Nov 3 20:03:33 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:03:33 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:33 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:03:33 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:36 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:03:36 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:36 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:03:36 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:39 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:03:39 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:39 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:03:39 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:42 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:03:42 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:42 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:03:42 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:45 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:03:45 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:45 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:03:45 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:48 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:03:48 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:48 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:03:48 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:51 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:03:51 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:51 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:03:51 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:54 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:03:54 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:54 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:03:54 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:57 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:03:57 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:03:57 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:03:57 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:04:00 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x38278225> <pcomp> <accomp>]
  Tue Nov 3 20:04:00 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:04:00 2009 : lcp_reqci: returning CONFACK.
  Tue Nov 3 20:04:00 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4e96b584> <pcomp> <accomp>]
  Tue Nov 3 20:04:03 2009 : LCP: timeout sending Config-Requests
  Tue Nov 3 20:04:03 2009 : Connection terminated.
  Tue Nov 3 20:04:03 2009 : PPTP disconnecting...
  Tue Nov 3 20:04:03 2009 : PPTP disconnected
  2009-11-03 20:04:03 EST --> Client with address = 192.168.0.213 has hungup
  ---END vpnd.log---
  On the client I'm seeing this in the logs
  --- BEGIN ---
  3/11/09 8:03:32 PM pppd[12074] pppd 2.4.2 (Apple version 314.0.2) started by root, uid 502
  3/11/09 8:03:32 PM pppd[12074] PPTP connecting to server 'server.example.com' (10.0.1.1)...
  3/11/09 8:03:33 PM pppd[12074] PPTP connection established.
  3/11/09 8:03:33 PM pppd[12074] Connect: ppp0 <--> socket[34:17]
  3/11/09 8:04:03 PM pppd[12074] LCP: timeout sending Config-Requests
  3/11/09 8:04:03 PM pppd[12074] Connection terminated.
  3/11/09 8:04:03 PM pppd[12074] PPTP disconnecting...
  3/11/09 8:04:03 PM pppd[12074] PPTP disconnected
  3/11/09 8:04:03 PM pppd[12074] PPTP disconnected
  3/11/09 8:04:03 PM pppd[12074] PPTP disconnected
  --- END ---
  Any ideas?

  Well, this didn't last long. The VPN is already down. Cannot connect to it again.Very Frustrating.
  I know the actual server is receiving the requests (Server Log):
  Jan 7 10:26:33 SnowServer racoon[118]: Connecting.
  Jan 7 10:26:33 SnowServer racoon[118]: IKE Packet: receive success. (Responder, Main-Mode message 1).
  Jan 7 10:26:33 SnowServer racoon[118]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
  Jan 7 10:26:33 SnowServer racoon[118]: IKE Packet: receive success. (Responder, Main-Mode message 3).
  Jan 7 10:26:33 SnowServer racoon[118]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
  Jan 7 10:26:36 SnowServer racoon[118]: IKE Packet: transmit success. (Phase1 Retransmit).
  Jan 7 10:26:55: --- last message repeated 6 times ---
  Jan 7 10:26:55 SnowServer servermgrd[67]: servermgr_jabber[W]: detailed service status not available until network configuration completed
  Jan 7 10:26:57 SnowServer racoon[118]: IKE Packet: transmit success. (Phase1 Retransmit).
  Jan 7 10:27:03: --- last message repeated 1 time ---
  Jan 7 10:27:03 SnowServer racoon[118]: IKEv1 Phase1: maximum retransmits. (Phase1 Maximum Retransmits).
  Jan 7 10:27:03 SnowServer racoon[118]: Disconnecting. (Connection tried to negotiate for, 30.655020 seconds).
  Jan 7 10:27:03 SnowServer racoon[118]: IKE Phase1 Failure-Rate Statistic. (Failure-Rate = 100.000).
  Jan 7 10:27:57 SnowServer racoon[118]: Connecting.
  Jan 7 10:27:57 SnowServer racoon[118]: IKE Packet: receive success. (Responder, Main-Mode message 1).
  Jan 7 10:27:57 SnowServer racoon[118]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
  Jan 7 10:27:58 SnowServer racoon[118]: IKE Packet: receive success. (Responder, Main-Mode message 3).
  Jan 7 10:27:58 SnowServer racoon[118]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
  Jan 7 10:28:01 SnowServer racoon[118]: IKE Packet: transmit success. (Phase1 Retransmit).
  Jan 7 10:28:28: --- last message repeated 8 times ---
  Jan 7 10:28:28 SnowServer racoon[118]: IKEv1 Phase1: maximum retransmits. (Phase1 Maximum Retransmits).
  Jan 7 10:28:28 SnowServer racoon[118]: Disconnecting. (Connection tried to negotiate for, 30.993122 seconds).
  Jan 7 10:28:28 SnowServer racoon[118]: IKE Phase1 Failure-Rate Statistic. (Failure-Rate = 100.000).
  But the VPN Server never gets the connection request (VPN Log):
  2010-01-07 10:12:13 EST Loading plugin /System/Library/Extensions/L2TP.ppp
  2010-01-07 10:12:13 EST Listening for connections...
  2010-01-07 10:12:13 EST Listening for connections...
  I have a call with Apple Support this afternoon. Hopefully it will be fruitful. If I get anywhere, I will post it. If anyone has any bright ideas, they would be greatly appreciated.
  Message was edited by: AeroJet

• VPN Server broken with Windows after upgrade from Tiger.

  Hey there
  I use Tiger 10.4 Server on a PowerMac G4.
  It has two network interfaces, one public facing with it's own static IP, and the other internal facing.
  The VPN service works perfectly, and allows people to connect via L2TP and assignes them an IP on the internal facing subnet, and allows OS X and Windows clients to connect.
  However after upgrading to Leopard, only Mac clients can connect, all the Windows clients connect, and although they get an IP and are able to ping destinations, attempts to connect to these destinations (some of which are web apps on port 80, others are file servers running Samba), they just sit waiting for ever.
  I've experimented with this problem, and it appears to be a problem with MTU and packet fragmentation, however these settings appear to be the same between Tiger, which worked, and Leopard which does not work.
  Does anyone have any experience with the new VPN Server in Leopard, and can offer me any advice on how to fix this problem? I'm currently downgraded to Tiger again until a fix can be found.

  I had the same issue, among others, but I finally got everything to work eventually. It seems that if the IP range of the client connecting to VPN is in the same range of the server LAN, there will be connectivity issues, whether it be pcs and/or macs not being able to connect. The following set up got my VPN services working:
  1. Get DNS and Open Directory working properly. When I did an upgrade, the Server Admin updated my zone files with a curious extra space, which killed DNS. For example, I had the name server as ns.company.private., but in the files it would say ns. company.private everywhere! I've been reading about various bugs in upgrading DNS, so I think it's best just to start DNS from scratch. But if you are upgrading, the following thread expalins how to go about setting up DNS and Open Directory: http://discussions.apple.com/thread.jspa?messageID=5957209&#5957209
  2. Once you have Open directory users and dns working properly, then set up VPN. Give a unique IP range to the internal network (192.168.7.1/24) that other networks will not emulate. If you use 192.168.1.1, you will likely run into issues. You can always test this method out by changing the IP range from a remote location and trying to get in this way instead of changing the server. Also, be aware that if you use Gateway Assistant within NAT, it will automatically give you a 192.168.1.1/24 range, at least that's been my experience, and this always killed VPN for me. I would set up NAT manually to avoid problems.
  3. Ensure that the DNS information under the Client Information tab is correct. For my server I have 192.168.9.1 as the nameserver, and company.private as the search domain. Then set up routing tables. Mine are 192.168.0.0:255.255.0.0 private and 0.0.0.0:0.0.0.0 public.
  Also, when you restart the server, stop and restart VPN services, as there is some talk about the Tiger bug still being around, where VPN services are messed up upon startup. This all worked for me and a couple others that had similar server set ups. Hopefully this will work for you.

• I've only had my iphone 5s for a week. I keep getting an error message of "Server has stopped responding."  I need the server to work. Does anyone know if there is a "fix" for the problem? Other wise, I probably best return for a refund and get a Samsung.

  I've only had my iphone 5s for a week. I keep getting an error message of "Server has stopped responding."  I need the server to work. Does anyone know if there is a "fix" for the problem? Other wise, I probably best return for a refund and get a Samsung.  Thanks

  sandyzotz wrote:
  Other wise, I probably best return for a refund and get a Samsung.
  Unlikely.  Based on the complete lack of detail of the issue provided it is entirely possible the same issue would occur.
  Unless and until the user provides some actual details of the problem, there is nothing the indicate that the issue is with the iPhone.

• VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

  Hi
  my scenario is as follows
  SERVER1 on lan (192.168.1.4)
  |
  |
  CISCO-887 (192.168.1.254)
  |
  |
  INTERNET
  |
  |
  VPN Cisco client on windows 7 machine
  My connection have public ip address assegned by ISP, after ppp login.
  I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
  All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
  But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
  I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
  What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
  Perhaps ACL problem?
  Building configuration...
  Current configuration : 4921 bytes
  ! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname TestLab
  boot-start-marker
  boot-end-marker
  enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  memory-size iomem 10
  crypto pki trustpoint TP-self-signed-3013130599
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3013130599
  revocation-check none
  rsakeypair TP-self-signed-3013130599
  crypto pki certificate chain TP-self-signed-3013130599
  certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
  33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
  9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
  8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
  C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
  AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
  03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
  2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
  AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
  B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
  B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
  CBB28E7A E91A090D 53DAD1A0 3F66A3
  quit
  no ip domain lookup
  ip cef
  no ipv6 cef
  license udi pid CISCO887VA-K9 sn ***********
  username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
  controller VDSL 0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group EXTERNALS
  key NetasTest
  dns 8.8.4.4
  pool VPN-Pool
  acl 120
  crypto isakmp profile ciscocp-ike-profile-1
  match identity group EXTERNALS
  client authentication list ciscocp_vpn_xauth_ml_2
  isakmp authorization list ciscocp_vpn_group_ml_2
  client configuration address respond
  virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ciscocp-ike-profile-1
  interface Ethernet0
  no ip address
  shutdown
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 8/35
  pppoe-client dial-pool-number 1
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface Virtual-Template1 type tunnel
  ip address 192.168.2.1 255.255.255.0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  ip address 192.168.1.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  interface Dialer0
  ip address negotiated
  ip mtu 1452
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname ****
  ppp chap password 0 *********
  ppp pap sent-username ****** password 0 *******
  no cdp enable
  ip local pool VPN-Pool 192.168.2.210 192.168.2.215
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 100 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 100 remark
  access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 100 remark
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 120 remark
  access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  line con 0
  exec-timeout 5 30
  password ******
  no modem enable
  line aux 0
  line vty 0 4
  password ******
  transport input all
  end
  Best Regards,

  I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin  and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
  router#sh crypto session detail 
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection     
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Dialer0
  Uptime: 00:40:37
  Session status: UP-ACTIVE     
  Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
        Phase1_id: 192.168.1.100
        Desc: (none)
    IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active 
            Capabilities:(none) connid:2001 lifetime:07:19:22
    IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0 
          Active SAs: 4, origin: dynamic crypto map
          Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
          Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162

• VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

  Hello,
  I have problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 have 7.2.3 software and 881G router have 15.1 software.
  881G is configured as hardware client in network exstention mode, and it is placed behind NAT. ASA5505 is working as server. Same VPN Group works correctly from VPN software clients.
  When I send traffic from 881G client side, in show cryto sessin detail I see encrypted packets. But with same command I dont see decrypted packet on ASA5505 side. On both devices Phase 1 and Phase 2 are UP. 
  VPN is working when I replace ASA5505 with ASA5510  correctly with have 8.4.6 software. But problem is that i need to do this VPN between ASA5505 and 881G.
  Can you help me, how can I debug or troubleshoot this problem ?
  I am unable to update software on ASA5505 side.

  Hello,
  Hire is what my config look like:
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set pfs
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 60 set pfs
  crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 80 set pfs
  crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 100 set pfs
  crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 120 set pfs
  crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 140 set pfs
  crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
  crypto dynamic-map outside_dyn_map 160 set pfs
  crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 180 set pfs
  crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 200 set pfs
  crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 2
   authentication pre-share
   encryption 3des
   hash sha
   group 1
   lifetime 86400
  crypto isakmp policy 3
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  tunnel-group HW-CLIENT-GROUPR type ipsec-ra
  tunnel-group HW-CLIENT-GROUP general-attributes
   address-pool HW-CLIENT-GROUP-POOL
   default-group-policy HW-CLIENT-GROUP
  tunnel-group HW-CLIENT-GROUP ipsec-attributes
   pre-shared-key *******
  group-policy HW-CLIENT-GROUP internal
  group-policy HW-CLIENT-GROUP attributes
   password-storage enable
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value cisco_splitTunnelAcl
   nem enable

• ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?

  Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.

  I don't think it is possible. Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

• How to setup built-in VPN server on Mountain Lion

  Anyone have information on configuring the built-in VPN server in OS X Mountain Lion ?

  Update - it works ! At least I can connect to Mountain Lion (not server) from my iPhone using the VPN Server Configurator app.
  Here's what I did :
  1) download the app and install
  2) setup using the help files on the web page : http://www.greenworldsoft.com/product-vpn-server-help.html
  3) at the last stage you need to setup port forwardin on your router
  4) under Airport Utility 6.0 you cannot setup ports 500 or 4500 due to BTTM conflicts but setup the other 2 ports (1723 TCP and 1701 UDP), update airport extreme
  5) download Airport Utility 5.6 from here : download already extracted utility  it is in it's extracted form as is necessary under Mtn Lion (thanks to NetUse Monitor for the download - great app by the way)
  6) run 5.6 and setup port forwarding (Advanced-Port Mapping) for the other 2 ports (500 and 4500 UDP), update airport extreme
  7) that's it, I was able to connect to the VPN from my iPhone !

• I would like to know which apple server dictation connects to so that my proxy server will stop blocking it. Which apple server does it connect too?

  I would like to know which apple server dictation connects to so that my proxy server will stop blocking it. Which apple server does it connect too?

  I would presume so, but it might be worth your while to experiment and play around with different combinations to see if you can block FaceTime while keeping Game Center open.  Good luck!

• OSX 10.8 server Set VPN server in Local net, How to restrict the Local some IP connect to the VPN server?(noob,so need clearly)

  the tittle is my question. I am noob , so I hope i can make my question clear. Now i 'd like to tell you more about my question:
  My aim is to set a VPN server in Local lan, then ppl can connect to the VPN server, But I dont wanna all of the Local lan IP cant connet to it. So I neet to set a rule to restrick some local Ip to connect failure, just like banning so IP in a rule.such as: just like the "192.168.4.3~192.168.4.20 ; 192.168.7.3~192.168.7.20 " IPs can connect . the IPs which outside the rules can not do.
  my step is following:
  1) install server app
  2)and then i set a VPN server , finally the VPN server can be connected successfully by local lan computer(PC or Mac)
  3)But i found no restrict IP founction in Server app panel.
  4)then i down load workgroup manager, and found nothing there about such a founction about IP restriction.
  so can you tell me how to aproach my aim?
  Please tell me in a clear detail,I am noob
  thank you

  Won't the password restrict everyone from connecting unless they know the password?
  I have never worked with a VPN server, so I can't really add any suggestions. Below are links to Apple support articles, but I'm not sure they will help you:
  VPN - Set up Connection
  VPN - Advanced Setup 
  VPN - Connect
  VPN - Connect Automatically