VPN server only connected to a WAN
Hi,
I have configured a VPN server on an Xserve directly connected to the Internet (public IP address on the en0 interface). The server is not connected to a LAN (no cable on the en1 interface).
The VPN clients ("roadwarriors" clients) are assigned a 10.0.0.x private IP address.
My question is: what is the correct setup to have a private IP on the server?
1/ Should I configure the en1 interface with a 10.0.0.x IP address? (The panel won't apply the settings because there is no cable plugged in, BUT I can do it with a simple "ifconfig en1 10.0.0.1 netmask 255.255.255.0 up" command in a terminal.)
2/ Or should I create a virtual interface and assign a 10.0.0.x IP to it (ifconfig vlan0 create)?
And yes, there is a logic to such a setup (expose only the VPN service on the server from the Internet side, but open access to all other services, like for example mail, only to VPN clients). This is why I do need a private IP address for the server.
Note: I was using previously openvpn on a Linux server and did not have such problem as openvpn creates a tun0 interface on the server side with its own private address.
Setup: Mac mini with public WAN IP.
This is what I did, and I have a firewall problem.
I created an en1 interface with
sudo ifconfig en1 10.0.0.1 netmask 255.255.255.0 up
I enabled the pptp protocol in the vpn setup.
enable pptp
start ip 10.0.0.1
end ip 10.0.0.5
authentication mschap
in the client information
for the dns server I used opendns
208.67.222.222
208.67.220.220
network routing definition
10.0.0.0 255.255.255.0 private
I now go to the firewall settings.
I check the box to allow for group ANY
vpn PPTP port 1723
I go to address group and create a group called vpn.
I add the five IPs I have set the VPN server to assign to the clients. I choose allow All for this group.
I go to my MacBook and set up the PPTP connection. It lets me authenticate and I get an IP address of 10.0.0.2 from the server. However, web, email and other services don't work.
I check the firewall log on the Mac mini and sure enough 10.0.0.2 is getting denied for lots of services.
Jan 3 21:04:38 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:04:38 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49431 208.67.222.222:53 in via ppp0
Jan 3 21:04:41 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:04:44 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:04:46 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49432 208.67.220.220:53 in via ppp0
Jan 3 21:04:53 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:04:53 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49431 208.67.222.222:53 in via ppp0
Jan 3 21:04:56 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:05:01 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49432 208.67.220.220:53 in via ppp0
Jan 3 21:05:08 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:05:08 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49433 149.254.192.126:53 in via ppp0
Jan 3 21:05:11 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:05:17 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
4 Deny UDP 10.0.0.2:49433 149.254.192.126:53 in via ppp0
Jan 3 21:05:26 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:05:32 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:05:35 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
4 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
an 3 21:05:46 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49436 208.67.220.220:53 in via ppp0
Jan 3 21:05:53 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49435 208.67.222.222:53 in via ppp0
Jan 3 21:05:56 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:05:59 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:06:01 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49436 208.67.220.220:53 in via ppp0
n 3 21:06:05 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
I don't understand why 10.0.0.2 is being denied when I have set up a group including that IP and have allowed it to do anything.
Can anyone help please?
Similar Messages
-
Can't access VPN server, only other clients
I am having trouble with my L2TP VPN. I can connect to the VPN server just fine and connect to any other IP address on the network over the VPN connection except the server I am connecting to. The server's address is 192.168.1.1 with a mask of 255.255.255.0. The bottom half of the subnet is reserved for local devices with the upper half dynamically assigned to VPN clients. How can I get my VPN clients talking to the server itself (I want to use Screen Sharing with the server over the VPN)?
The DNS server address was wrong (not 127.0.0.1 but 192.168.10.1) on the en1 interface. I changed that, but it didn't do anything immediately. I flushed DNS caches, double-checked changeip (which was okay), the name of the server... Then I restarted. And:
"ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 192.168.10.101 --> 192.168.10.1 netmask 0xffffff00 "
(ifconfig from the client). Notice the change of the gateway. Before, it was the public IP; now it's the internal IP. Quite interesting, since I can now ping the server using this address and access its services through the VPN. I was very happy; the only thing that didn't work was the DNS. But I don't know whether it's good or not, and it seems to "change": I tried to reconnect a few minutes later and was again given the public IP of the server as the gateway IP. Strange. I can't get it working again. I restarted again, flushed caches another time... I managed to get this config three times before the server returned to its previous settings.
Setting the gateway address of the client to 192.168.10.1 is maybe the key (I tried to force the change in the client network settings with no success). I'm going to read the logs and try to spot the differences between the two connections. I will then have to allow the server to answer incoming DNS requests, but, as you said, it's not so insecure...
Here are my firewall rules (four keep-state rules, very general though):
00001 allow udp from any 626 to any dst-port 626
00010 divert 8668 ip from any to any via en0
01000 allow ip from any to any via lo0
01030 deny log logamount 1000 ip from any to 127.0.0.0/8
01040 deny log logamount 1000 ip from 224.0.0.0/4 to any in
01050 deny log logamount 1000 tcp from any to 224.0.0.0/4 in
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12302 allow udp from any to any dst-port 22
*12303 allow udp from any to any out keep-state*
*12304 allow tcp from any to any dst-port 53 out keep-state* (DNS ?)
*12304 allow udp from any to any dst-port 53 out keep-state* (DNS ?)
12305 allow udp from any to any in frag
12306 allow tcp from any to any dst-port 311
12307 allow tcp from any to any dst-port 625
12308 allow icmp from any to any icmptypes 8
12309 allow icmp from any to any icmptypes 0
12310 allow igmp from any to any
*12311 allow udp from any to any in keep-state*
12312 allow icmp from any to any icmptypes 3,4,11,12
12313 allow icmp from any to any
12314 allow tcp from any to any dst-port 59850-59860
12314 allow udp from any to any dst-port 59850-59860
12315 allow tcp from any to any dst-port 25
12315 allow udp from any to any dst-port 25
12316 allow tcp from any to any dst-port 80
12317 allow tcp from any to any dst-port 143
12318 allow tcp from any to any dst-port 465
12319 allow tcp from any to any dst-port 587
12320 allow tcp from any to any dst-port 993
12321 allow tcp from any to any dst-port 443
12322 allow tcp from any to any dst-port 3283,5900
12322 allow udp from any to any dst-port 3283,5900
12323 allow tcp from any to any dst-port 5433
12324 allow tcp from any to any dst-port 5988,5989
12325 allow esp from any to any
12326 allow udp from any to any dst-port 1701
12327 allow udp from any to any dst-port 4500
12328 allow udp from any to any dst-port 500
12329 allow udp from any to any dst-port 5060
12330 allow tcp from any to any dst-port 20-21
12331 allow tcp from any to any dst-port 115
12332 allow tcp from any to any dst-port 53
12332 allow udp from any to any dst-port 53
12333 allow ip from 10.0.0.0/8 to any
12334 allow ip from 192.168.0.0/16 to any
65534 deny log logamount 1000 ip from any to any
65535 allow ip from any to any
I have 5 public IPs, and I can ask my ISP to change the PTR for me. But I think that this part is already okay (I had them change it two weeks ago to the name of the server for the primary interface). I will try to play a little with the firewall rules, to see if it does something.
Thanks again for your help! -
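The deny lines in the first thread and the rule listing in this reply share one mechanism: ipfw evaluates rules in number order and the first match decides, so a packet from a VPN client that arrives "in via ppp0" and fits no allow rule falls through to the logging deny at 65534. The Python below is an added example, not code from either poster: it parses log lines of the quoted format and replays them against a small constructed rule set with and without rule 12333 ("allow ip from 10.0.0.0/8 to any", taken from the listing above). The rule set without it is an assumption, since the Server Admin-generated rules of the first thread are not shown.

```python
import ipaddress
import re
from collections import Counter, namedtuple
from dataclasses import dataclass

# Constructed sample of the ipfw deny lines quoted in the first post.
IPFW_LOG = """\
Jan 3 21:04:38 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:5353 208.67.222.222:53 in via ppp0
Jan 3 21:04:38 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49431 208.67.222.222:53 in via ppp0
Jan 3 21:04:46 mini ipfw[1158]: 65534 Deny UDP 10.0.0.2:49432 208.67.220.220:53 in via ppp0
"""
LOG_RE = re.compile(r"ipfw\[\d+\]: (?P<rule>\d+) \w+ (?P<proto>\w+) (?P<src>[\d.]+):\d+ "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\w+)")
Packet = namedtuple("Packet", "proto src dst dport direction iface")

def parse_log(text):
    """Return (rule number that logged it, Packet) for each ipfw log line."""
    return [(int(m["rule"]), Packet(m["proto"].lower(), m["src"], m["dst"],
                                    int(m["dport"]), m["dir"], m["iface"]))
            for m in map(LOG_RE.search, text.splitlines()) if m]

def summarize_denies(text):
    """Count logged flows by (rule, proto, dst port, interface): the rule number and
    the 'via' interface are what tell you which allow rule is not matching."""
    return Counter((rule, p.proto, p.dport, p.iface) for rule, p in parse_log(text))

@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = None
    dports: set = None        # None: any destination port
    direction: str = None     # 'in', 'out' or None for both
    iface: str = None         # 'via X' or None for any interface
    unmodeled: bool = False   # 'frag'/'established' need state this replay lacks

def _net(tok):
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def _ports(tok):
    ports = set()
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    """Parse the ipfw subset used in the listings: 'NNN action [log [logamount N]]
    proto from SRC [sport] to DST [dst-port P] [in|out] [via IF] [keep-state ...]'."""
    t, i = line.split(), 2
    while t[i] in ("log", "logamount"):
        i += 2 if t[i] == "logamount" else 1
    r = Rule(int(t[0]), t[1], t[i], _net(t[i + 2]))
    i += 3
    if t[i] != "to":          # optional source port: skipped
        i += 1
    r.dst, i = _net(t[i + 1]), i + 2
    while i < len(t):
        if t[i] == "dst-port":
            r.dports, i = _ports(t[i + 1]), i + 1
        elif t[i] in ("in", "out"):
            r.direction = t[i]
        elif t[i] == "via":
            r.iface, i = t[i + 1], i + 1
        elif t[i] in ("frag", "established"):
            r.unmodeled = True
        i += 1                # keep-state, icmptypes and their args are ignored
    return r

def matches(r, p):
    return (not r.unmodeled and r.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in r.src and ipaddress.ip_address(p.dst) in r.dst
            and (r.dports is None or p.dport in r.dports)
            and r.direction in (None, p.direction) and r.iface in (None, p.iface))

def first_match(rules, pkt):
    """ipfw is first-match: the lowest-numbered rule that fits the packet decides."""
    return next((r for r in sorted(rules, key=lambda r: r.number) if matches(r, pkt)), None)

def replay(rule_text, log_text):
    """Replay every logged packet against a rule set; returns [(number, action), ...]."""
    rules = [parse_rule(l) for l in rule_text.strip().splitlines()]
    return [(r.number, r.action) if r else (None, "unmatched")
            for r in (first_match(rules, p) for _, p in parse_log(log_text))]

# Constructed rule set (the Server Admin-generated set is not in the thread): PPTP in,
# everything out, nothing that admits packets arriving *in via ppp0* from the pool.
RULES_WITHOUT = """\
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 1723
12303 allow udp from any to any out keep-state
12304 allow udp from any to any dst-port 53 out keep-state
65534 deny log logamount 1000 ip from any to any
"""
# The same set plus rule 12333 from the second thread's listing.
RULES_WITH = RULES_WITHOUT.replace("65534", "12333 allow ip from 10.0.0.0/8 to any\n65534")
```

Running replay(RULES_WITHOUT, IPFW_LOG) lands every packet on 65534, while RULES_WITH lands them on 12333; summarize_denies() is the first thing to run on a real log, because the rule number and interface it reports narrow the search to the rules that should have matched.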
Cisco VPN server internal connection
I have a cisco 1841 router which I use as VPN server. This is the configuration:
Cisco#show running-config
Building configuration...
Current configuration : 6382 bytes
!
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Xg19$MKt1eIm4yrmDwcYn1z0x2/
enable password qwerty
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-947112914
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-947242914
 revocation-check none
 rsakeypair TP-self-signed-947182914
!
crypto pki certificate chain TP-self-signed-947142914
 certificate self-signed 01
  quit
!
license udi pid CISCO1841 sn FCZ150218AC
username root privilege 15 password 0 qwerty
username admin secret 5 $1$78MV2Yc72fwt5PoEm.eK33PlKw1
username test privilege 15 password 0 test_123
!
redundancy
!
crypto ctcp keepalive 6
crypto ctcp port 443
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 10 10 periodic
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group cisco
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_client
 include-local-lan
 max-users 1000
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_1
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_1
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_2
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_2
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_3
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_3
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_4
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_4
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_5
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_5
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_6
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_6
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_7
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_7
 save-password
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_8
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_8
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_9
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_9
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group server_10
 key qwerty
 dns 8.8.8.8
 domain cisco.com
 pool SDM_POOL_server_10
 include-local-lan
 netmask 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 local-address FastEthernet0/0
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.130 255.255.255.0
 ip flow ingress
 speed auto
 full-duplex
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 no ip address
 shutdown
 speed auto
 full-duplex
 no mop enabled
!
ip local pool SDM_POOL_client 10.10.10.51 10.10.10.190
ip local pool SDM_POOL_server_1 10.10.10.1
ip local pool SDM_POOL_server_2 10.10.10.2
ip local pool SDM_POOL_server_3 10.10.10.3
ip local pool SDM_POOL_server_4 10.10.10.4
ip local pool SDM_POOL_server_5 10.10.10.5
ip local pool SDM_POOL_server_6 10.10.10.6
ip local pool SDM_POOL_server_7 10.10.10.7
ip local pool SDM_POOL_server_8 10.10.10.8
ip local pool SDM_POOL_server_9 10.10.10.9
ip local pool SDM_POOL_server_10 10.10.10.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
logging esm config
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password qwerty
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Cisco#
I have VPN clients which can connect to the VPN server and communicate with each other. I want to connect a dedicated server to port FE 0/1 and have all VPN clients be able to see and communicate with the server. How can I connect the two networks?
Ideally, VPN connectivity is tested from devices behind the endpoint devices that do the encryption, yet many users test VPN connectivity with the ping command on the devices that do the encryption. While the ping generally works for this purpose, it is important to source your ping from the correct interface. If the ping is sourced incorrectly, it can appear that the VPN connection has failed when it really works. If ping works continuously then the problem can be that xauth times out. Increase the timeout value for the AAA server in order to resolve this issue.
For further information about troubleshooting VPN connectivity, click this link.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solunf -
L2TP VPN Server only accepts one client at a time
We have an ISA570 on Site 1 with the following Network Config:
192.168.100.XXX
255.255.255.0
192.168.100.254 (GW)
ISA570
ISP Modem in Bridge Mode
So let us call my location right now as site 2. Although the network setup does not matter, let me just state it.
192.168.101.XXX
255.255.255.0
192.168.101.254 (GW)
Cisco RV042
ISP Modem in Bridge Mode
L2TP Client Network Pool:
192.168.103.100 - 192.168.100.200
255.255.255.0
DNS1 192.168.100.254
=======================================================================================
So here comes the situation
Client 1 with IP address of 192.168.101.24 connects to Site 1 via L2TP. He uses this VPN Tunnel for a desktop application which is hosted at site 1.
Client 2 with IP address of 192.168.101.17 connects to Site 1 via L2TP but is unsuccessful. Screen1.jpg below shows the Windows VPN Error.
Screen1.jpg
I can not post my configs as of now because the WAN1 of site 1 is very congested. For now I will post the guides which I followed.
http://www.cisco.com/en/US/docs/security/small_business_security/isa500/administration/guide/ISA500_VPN.html#wp1393916
http://www.cisco.com/en/US/docs/security/small_business_security/isa500/administration/guide/ISA500_VPN.html#wp1479596
What am I missing here?
Hi Dan,
The site-to-site VPN tunnel should still work with those settings. For the IPSec VPN Client, we have the Cisco VPN Client that should work. There should be a copy of it on the CD that came with the ISA500.
Here is a link that has information on setting up the Remote Access VPN on the ISA500:
http://www.cisco.com/en/US/docs/security/small_business_security/isa500/technical_reference/vpn/Configuring_VPN_with_Cisco_ISA500_Series_Security_Appliances.pdf
The section 'Configuration Examples of EzVPN, SSLVPN and Site-to-Site Between Cisco ISA500 Appliances' has an example at the beginning.
Let me know if that helps.
Thanks,
Brandon -
Windows 2012 VPN Server - Routing
Hi community,
I hope you can help me out with my problem.
Following situation:
I have a Win 2012 Server as VPN Server configured.
Connecting a VPN client works fine and the VPN client gets an IP address from a static IP range. The IP address it gets is 192.168.200.x
It works fine to ping to all devices in the 192.168.200.0/24 net. But I have a second net - 192.168.202.0/24. My VPN Server is connected to both nets. (2 NICs)
What I want to achieve is that the vpn clients can connect to devices in the 192.168.202.0 net as well.
When I put the following route into the clients ip table, it works:
#route add 192.168.202.0 mask 255.255.255.0 192.168.200.1
For me that's fine, but I have a bunch of other users also connecting to this VPN server.
So the best would be if automatically when the user connects to the vpn, it also creates a static route like the one above.
Is this somehow possible?
I tried a static route in the "Routing and Remote Access" tool and static routes in the Dial-In config of the user in Active Directory - nothing worked.
Hi Made1990,
When the VPN is connected, the clients will use the VPN server as default gateway.
As a result, clients will be able to connect to the two subnets that the VPN server is connected to.
We can use Network Monitor on the VPN server and the device on subnet 192.168.202.0 to find the problem:
Install and open Network Monitor on the two devices.
Ping the device on subnet 192.168.202.0 from the VPN client.
If the device on subnet 192.168.202.0 gets the ICMP Echo Request packet, that means the routes to 192.168.202.0 are OK.
If the device sends an ICMP Echo Reply packet and the VPN client doesn't get it, that means the reverse routes are wrong. Analyzing the data on both devices can help to find the problem with the routes.
Here is the guide for using Network Monitor:
https://technet.microsoft.com/en-us/library/cc938655.aspx?f=255&MSPPError=-2147217396
Best Regards,
Leo
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
WRT320N: a URL VPN-server (PPTP/L2TP)
All,
My ISP has a URL VPN server for connection to the Internet (vpn.internet.beeline.ru).
I have determined (by ping) one of its IP addresses and entered it in the WRT320N (PPTP).
It works, but not always well, since the server's IP address often varies.
It seems to me that using a fixed IP instead of the URL is incorrect. Is there another solution?
How do I correctly configure PPTP/L2TP on the WRT320N for a URL VPN server?
I am not familiar with many of the VPN and PPTP settings. But can you answer in 2 words: CAN I SOMEHOW make my WRT320N use a URL instead of an IP for the PPTP server?
And the second question is why does it supply poor speed when connected through PPTP via cable? I have an 18 Mbit plan but the router seems to give no more than 10-12 Mbit (tested on speedtest.net). When connected directly via the PC LAN, the test shows the full 18 Mbit. -
Can't connect to my VPN server from the WAN addres...
I've set up a PPTP VPN server on a Raspberry Pi, so that I can connect to it when out and about and avoid having my Android internet use sniffed by random public wi-fi hotspots.
It seems to be working, as I set up a Windows 7 connection to it using the LAN address (192.168.1.85) and that connected fine, but I can't get it to work through the BT HH3 via the WAN address. I've forwarded port 1723 to 192.168.1.85 and tried disabling the firewall, enabling port clamping and putting the RPi in the DMZ, none of which made any difference.
Is anyone able to help please?
Did some testing from my parents' house yesterday and, whilst connected to their router (Virgin Media) and/or a local BTWiFi hotspot (I can't honestly remember if I tried both or if I only tested with one or the other), I was able to connect to the VPN server from my phone.
I can also connect from my home PC using PuTTY to the VPN server on SSH (port 22) with that forwarded in the router using the WAN address, so NAT traversal doesn't seem to be an issue.
Yet I still can't connect to the VPN server from home, whether connected to my HH3 or a local BTWiFi-with-FON hotspot, using the WAN address, only the LAN address, which doesn't make any sense to me.
I don't think it's relevant to this problem, but I want to ask a question about the router firewall, as the description for Default (which is what I have enabled) says "Allow all outgoing connections and block all unsolicited incoming traffic. Games and application sharing is allowed." but it doesn't appear to block unsolicited incoming traffic, as otherwise I don't think I'd have been able to connect to the VPN server from my parents' house, or on SSH from my PC using the WAN address. So is the description incorrect? -
Hello,
I have an RD farm using 3 Win 2012 servers (1 broker and 2 session hosts), for internal use only; I have not configured a gateway for internet access.
Users are able to connect to the RD farm website and remote into the terminal server within the office, but can only connect to the RD farm website and cannot remote into the terminal server when connected via VPN.
It takes a long time at "securing connection" and fails.
Thanks
Hi,
Thank you for your posting in the Windows Server Forum.
First of all, I would suggest you configure the RD Gateway role on your server and pass all the connections through it, because it's a best practice to use RD Gateway in an RDS farm.
Apart from this, if you are not using RD Gateway then you must check that you have successfully forwarded port 3389 for RDS to be accessible via VPN. Also check that you have made the configuration under IIS Manager to enable Forms Authentication. Please check this link.
In addition, please refer beneath article for additional details.
1. How to Access Windows Remote Desktop Over the Internet
2. Remote Desktop Services in Windows 2008 R2 – Part 3 – RD Web Access & RemoteApp
(For reference)
Hope it helps!
Thanks,
Dharmesh -
Issue with WAN Miniport when setting up VPN server in Windows 7
I tried making my computer a VPN server by setting up a "New incoming connection" under network connections within Network and Sharing Center. Originally, it did complete but did not show any WAN Miniport connections. I could not connect to this VPN with my other computer.
What I've done so far:
I "updated" all the WAN Miniports in Device Manager to the "MAC Bridge Miniport" driver (since I could not uninstall them as they were) and then proceeded to uninstall all the WAN Miniports. I rebooted my computer and then the device drivers tried to install automatically, but only a few installed successfully.
I then downloaded the latest WDK (8.1) and tried re-installing all the WAN Miniports via devcon.exe with the command "devcon.exe install c:\windows\inf\netrasa.inf MS_PptpMiniport". It said that the node was created but it failed to install the drivers. I rebooted my computer but some of these miniports appeared as "Unknown" in Device Manager while others appeared with their names but with numbers attached since I've attempted this a few times, e.g. "WAN Miniport (IP) #3".
From my understanding, I need at least WAN Miniport (PPTP) to be working for VPN to work. I don't know what to do at this point. Any help is greatly appreciated. Thanks in advance.
Gateway DX4822-01 Desktop PC
Windows 7 64-bit, SP1
Hi,
Please try to use the Incoming Connection troubleshooter to fix this problem. If it identifies a problem that it couldn't fix, please provide the error message here.
Control Panel\All Control Panel Items\Troubleshooting\All Categories
Roger Lu
TechNet Community Support -
VPN clients connect to CISCO 887 VPN server but they stop at the router!!
Hi
my scenario is as follows
SERVER1 on lan (192.168.5.2/24)
|
|
CISCO-887 (192.168.5.4) with VPN server
|
|
INTERNET
|
|
VPN Cisco client on xp machine
My connection has a public IP address assigned by the ISP after PPP login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
They can ping only router!!!
They are configured with the Cisco VPN client (V5.0.007) with "Enable Transparent Tunneling" and "IPSec over UDP (NAT/PAT)".
What is wrong in my attached configuration? (I've also tried to bind Virtual-Template1 both to unnumbered Dialer0 and to Loopback0, but without luck.)
Perhaps an ACL problem?
Building configuration...
Current configuration : 5019 bytes
! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname gate
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-453216506
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-453216506
revocation-check none
rsakeypair TP-self-signed-453216506
crypto pki certificate chain TP-self-signed-453216506
certificate self-signed 01
quit
ip name-server 212.216.112.222
ip cef
no ipv6 cef
password encryption aes
license udi pid CISCO887VA-K9 sn ********
username adm privilege 15 secret 5 *****************
username user1 secret 5 ******************
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key 6 *********\*******
dns 192.168.5.2
wins 192.168.5.2
domain domain.local
pool SDM_POOL_1
save-password
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
ip address 10.10.10.10 255.255.255.0
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.5.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******@*******.****
ppp chap password 0 alicenewag
ppp pap sent-username ******@*******.**** password 0 *********
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
line con 0
line aux 0
line vty 0 4
transport input all
end
Hello,
Your pool of VPN addresses is overlapping with the interface vlan1.
Since proxy-arp is disabled on that interface, it will never work
2 solutions
1- Pool uses a different network than 192.168.5
2- Enable ip proxy-arp on interface vlan1
Cheers,
Olivier -
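Olivier's diagnosis (client pool inside the Vlan1 subnet, proxy-arp disabled on that interface) can be turned into a check that runs over a running-config before the VPN goes into service. The Python below is an added example, not the poster's or Cisco's code: it reads interface addresses, the proxy-arp setting and "ip local pool" lines from a constructed excerpt of the config above, and reports every pool that overlaps a connected subnet together with that interface's proxy-arp state.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above: only the stanzas this
# check reads (interface addresses, proxy-arp setting, the client address pool).
IOS_CONFIG = """\
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
interface Vlan1
 ip address 192.168.5.4 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
"""

def parse_interfaces(cfg):
    """Map interface name -> {'net': IPv4Network or None, 'proxy_arp': bool}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        body = line.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"net": None, "proxy_arp": True}  # IOS default: proxy-arp on
        elif cur and body.startswith("ip address "):
            parts = body.split()
            if len(parts) == 4:                              # 'negotiated' has no mask
                ifaces[cur]["net"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
        elif cur and body == "no ip proxy-arp":
            ifaces[cur]["proxy_arp"] = False
    return ifaces

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)(?: (\S+))?", re.M)

def parse_pools(cfg):
    """Map pool name -> (first address, last address); a one-address pool has no end."""
    return {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3] or m[2]))
            for m in POOL_RE.finditer(cfg)}

def pool_overlap_findings(cfg):
    """List every client pool that falls inside a directly connected subnet, with the
    proxy-arp state of that interface: LAN hosts ARP for such client addresses, and
    with proxy-arp off the router never answers, so return traffic stops at the router."""
    ifaces = parse_interfaces(cfg)
    findings = []
    for pool, (lo, hi) in parse_pools(cfg).items():
        for name, info in ifaces.items():
            if info["net"] and (lo in info["net"] or hi in info["net"]):
                findings.append({"pool": pool, "interface": name,
                                 "subnet": str(info["net"]), "proxy_arp": info["proxy_arp"]})
    return findings
```

An empty result means the pool is on its own network (Olivier's first option); a finding with proxy_arp False is exactly the posted situation, and proxy_arp True is his second option.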
Can only connect one user at a time via VPN?
Hi, long-term Mac user but new to OS X Server. Dug through the forums quite a bit but couldn't find an answer to this one - hopefully I wasn't searching with the wrong keywords.
Installed OS X Server 10.6 on a MacBook (white, 1 generation back) at the office. Sits behind an Airport Extreme, which is connected to Comcast. Other machines at the office are NOT routed through the Server, but rather connect directly to the Airport Extreme for internet access. I've set up server.mydomainname.com to point to our Comcast address, and I am able to connect via VPN to the server without any problems, and access the server using the server.mydomainname.com address which I pointed to my Comcast IP address, as long as I check "Send all traffic over VPN connection" on my client.
However, when I'm logged in via VPN on one computer, and then log in via VPN on another computer (with the same UID or a different one), the first one loses all connectivity through the VPN - it's as if it had been logged off.
In Server Admin, under the Settings|Network tabs, I have Computer Name set up as "theserver", and Local Hostname as "theserver" (so I can access via theserver.private). VPN is set up to enable L2TP over IPsec, sharing ranges 10.0.1.200 thru 10.0.1.220; no load balancing, no PPTP. Client DNS servers is set to 10.0.1.29.
Any ideas as to why I can only connect with one client at a time?
Thanks. I didn't see anything interesting, but then again I'm not up on VPN details. Here's the scenario:
First, I logged in as "user1", and I can use the VPN.
Then, I logged in as "user2", and I can use the VPN with user2, but user1 is no longer able to do anything over the VPN.
Then I hung up with user2, but user1 still can't see anything over the VPN.
Then I hung up and reconnected with user1, and user1 can use the VPN again.
Here's part of the log for this activity. I've replaced potentially identifying info with "XYZ" for safety. Appreciate any thoughts on this!
Tue Oct 19 07:33:08 2010 : L2TP received ICCN
Tue Oct 19 07:33:08 2010 : L2TP connection established.
Tue Oct 19 07:33:08 2010 : using link 1
Tue Oct 19 07:33:08 2010 : Using interface ppp1
Tue Oct 19 07:33:08 2010 : Connect: ppp1 <--> socket[34:18]
Tue Oct 19 07:33:08 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : lcp_reqci: returning CONFACK.
Tue Oct 19 07:33:08 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : sent [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : sent [CHAP Challenge id=0x18 <XYZ>, name = "myserver.private"]
Tue Oct 19 07:33:08 2010 : rcvd [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : sent [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : rcvd [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : rcvd [CHAP Response id=0x18 <XYZ>, name = "user2"]
Tue Oct 19 07:33:08 2010 : sent [CHAP Success id=0x18 "S=XYZ M=Access granted"]
Tue Oct 19 07:33:08 2010 : CHAP peer authentication succeeded for user2
Tue Oct 19 07:33:08 2010 : DSAccessControl plugin: User 'user2' authorized for access
Tue Oct 19 07:33:08 2010 : sent [IPCP ConfReq id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfReq id=0x1]
Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Oct 19 07:33:08 2010 : ipcp: returning Configure-NAK
Tue Oct 19 07:33:08 2010 : sent [IPCP ConfNak id=0x1 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : rcvd [IPV6CP ConfReq id=0x1 <addr XYZ>]
Tue Oct 19 07:33:08 2010 : Unsupported protocol 0x8057 received
Tue Oct 19 07:33:08 2010 : sent [LCP ProtRej id=0x2 80 47 01 01 00 0f 01 0a 02 1b 63 ff fe a0 dd da]
Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfReq id=0x1 <ms-dns1 0.0.0.1> <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfRej id=0x1 <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfAck id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfAck id=0x1]
Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : ipcp: returning Configure-ACK
Tue Oct 19 07:33:08 2010 : sent [IPCP ConfAck id=0x2 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : ipcp: up
Tue Oct 19 07:33:08 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:08 2010 : found interface en0 for proxy arp
Tue Oct 19 07:33:08 2010 : local IP address 10.0.1.29
Tue Oct 19 07:33:08 2010 : remote IP address 10.0.1.213
Tue Oct 19 07:33:08 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfReq id=0x2 <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfAck id=0x2 <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : sent [ACSP data <payload len 26, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
<domain: name XYZ>]
Tue Oct 19 07:33:08 2010 : rcvd [IP data <src addr 10.0.1.213> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue Oct 19 07:33:08 2010 : sent [IP data <src addr 10.0.1.29> <dst addr 10.0.1.213> <BOOTP Reply> <type ACK> <server id 0x0a00011d> <domain name "XYZ">]
Tue Oct 19 07:33:08 2010 : rcvd [ACSP data <payload len 0, packet seq 0, CI_DOMAINS, flags: ACK>]
Tue Oct 19 07:33:34 2010 : rcvd [LCP TermReq id=0x2 "User request"]
Tue Oct 19 07:33:34 2010 : LCP terminated by peer (User request)
Tue Oct 19 07:33:34 2010 : ipcp: down
Tue Oct 19 07:33:34 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:34 2010 : sent [LCP TermAck id=0x2]
Tue Oct 19 07:33:34 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:34 2010 : L2TP received CDN
Tue Oct 19 07:33:34 2010 : Connection terminated.
Tue Oct 19 07:33:34 2010 : Connect time 0.5 minutes.
Tue Oct 19 07:33:34 2010 : Sent 777000 bytes, received 105388 bytes.
Tue Oct 19 07:33:34 2010 : L2TP disconnecting...
Tue Oct 19 07:33:34 2010 : L2TP disconnected
2010-10-19 07:33:34 PDT --> Client with address = 10.0.1.213 has hungup
Tue Oct 19 07:33:50 2010 : rcvd [LCP TermReq id=0x3 "User request"]
Tue Oct 19 07:33:50 2010 : LCP terminated by peer (User request)
Tue Oct 19 07:33:50 2010 : ipcp: down
Tue Oct 19 07:33:50 2010 : sent [LCP TermAck id=0x3]
Tue Oct 19 07:33:50 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp0, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.214).
Tue Oct 19 07:33:50 2010 : L2TP received CDN
Tue Oct 19 07:33:50 2010 : Connection terminated.
Tue Oct 19 07:33:50 2010 : Connect time 3.5 minutes.
Tue Oct 19 07:33:50 2010 : Sent 625383 bytes, received 225586 bytes.
Tue Oct 19 07:33:50 2010 : L2TP disconnecting...
Tue Oct 19 07:33:50 2010 : L2TP disconnected
2010-10-19 07:33:50 PDT --> Client with address = 10.0.1.214 has hungup
2010-10-19 07:33:59 PDT Incoming call... Address given to client = 10.0.1.216
Tue Oct 19 07:33:59 2010 : Directory Services Authentication plugin initialized
Tue Oct 19 07:33:59 2010 : Directory Services Authorization plugin initialized
Tue Oct 19 07:33:59 2010 : L2TP incoming call in progress from 'XYZ'...
Tue Oct 19 07:33:59 2010 : L2TP received SCCRQ
Tue Oct 19 07:33:59 2010 : L2TP sent SCCRP
Tue Oct 19 07:33:59 2010 : L2TP received SCCCN
Tue Oct 19 07:33:59 2010 : L2TP received ICRQ
Tue Oct 19 07:33:59 2010 : L2TP sent ICRP
Tue Oct 19 07:33:59 2010 : L2TP received ICCN
Tue Oct 19 07:33:59 2010 : L2TP connection established.
Tue Oct 19 07:33:59 2010 : using link 0
Tue Oct 19 07:33:59 2010 : Using interface ppp0
Tue Oct 19 07:33:59 2010 : Connect: ppp0 <--> socket[34:18]
Tue Oct 19 07:33:59 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : lcp_reqci: returning CONFACK.
Tue Oct 19 07:33:59 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : sent [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : sent [CHAP Challenge id=0xf1 <XYZ>, name = "myserver.private"]
Tue Oct 19 07:33:59 2010 : rcvd [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : sent [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : rcvd [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : rcvd [CHAP Response id=0xf1 <XYZ>, name = "user1"]
Tue Oct 19 07:34:00 2010 : sent [CHAP Success id=0xf1 "S=XYZ M=Access granted"]
Tue Oct 19 07:34:00 2010 : CHAP peer authentication succeeded for user1
Tue Oct 19 07:34:00 2010 : DSAccessControl plugin: User 'user1' authorized for access
Tue Oct 19 07:34:00 2010 : sent [IPCP ConfReq id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : sent [ACSCP ConfReq id=0x1]
Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Oct 19 07:34:00 2010 : ipcp: returning Configure-NAK
Tue Oct 19 07:34:00 2010 : sent [IPCP ConfNak id=0x1 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : rcvd [IPV6CP ConfReq id=0x1 <addr XYZ>]
Tue Oct 19 07:34:00 2010 : Unsupported protocol 0x8057 received
Tue Oct 19 07:34:00 2010 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1b 63 ff fe 99 35 cb]
Tue Oct 19 07:34:00 2010 : rcvd [LCP ProtRej id=0x2 82 35 01 01 00 04]
Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfAck id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : ipcp: returning Configure-ACK
Tue Oct 19 07:34:00 2010 : sent [IPCP ConfAck id=0x2 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : ipcp: up
Tue Oct 19 07:34:00 2010 : found interface en0 for proxy arp
Tue Oct 19 07:34:00 2010 : local IP address 10.0.1.29
Tue Oct 19 07:34:00 2010 : remote IP address 10.0.1.216
Tue Oct 19 07:34:00 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp0, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.216).
Tue Oct 19 07:34:00 2010 : rcvd [IP data <src addr 10.0.1.216> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue Oct 19 07:34:00 2010 : sent [IP data <src addr 10.0.1.29> <dst addr 10.0.1.216> <BOOTP Reply> <type ACK> <server id 0x0a00011d> <domain name "XYZ">] -
Can't connect to PPTP-VPN server...
When attempting to connect to a DD-WRT PPTP VPN server I kept receiving the general "Can't connect to PPTP-VPN server." message. All of the settings were exactly correct and tested on a Windows laptop. I began writing this because I didn't have any other ideas but half way through it (out of the blue) decided to attempt connecting. It worked!
The only thing I did different was delete the /Library/Preferences/SystemConfiguration contents and reboot.
Let's hope it continues to work. Posting this in case anyone else has the same error as I.
A follow up on the VPN issue: it would only work if my laptop's wireless was tethered off of my Android phone - any other connection would connect to the VPN and get an IP but I couldn't ping anything. Also, after rebooting, I get the exact same damning error message now and any combination of rebooting and removing/renaming (don't ever delete system files!) /Library/Preferences/SystemConfiguration/* hasn't fixed the issue.
I very much hope Apple releases an update soon for this - it's a serious inconvenience! It must be a network stack issue too because I've tried many 3rd party applications that barf as well. -
VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN
Hi
My scenario is as follows:
SERVER1 on lan (192.168.1.4)
|
|
CISCO-887 (192.168.1.254)
|
|
INTERNET
|
|
VPN Cisco client on windows 7 machine
My connection has a public IP address assigned by the ISP after PPP login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PCs on the LAN surf the internet, and remote PCs connect to the Cisco VPN server via the Cisco VPN client.
But after connecting to the Cisco VPN server, the remote PCs can't ping SERVER1 on the LAN and therefore don't see SERVER1 or any other resource on the LAN. I can't even ping the gateway 192.168.1.254.
I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've also tried to bind Virtual-Template1 both to unnumbered Dialer0 and to Loopback0, but without luck.)
Perhaps an ACL problem?
Building configuration...
Current configuration : 4921 bytes
! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname TestLab
boot-start-marker
boot-end-marker
enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3013130599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3013130599
revocation-check none
rsakeypair TP-self-signed-3013130599
crypto pki certificate chain TP-self-signed-3013130599
certificate self-signed 01
quit
no ip domain lookup
ip cef
no ipv6 cef
license udi pid CISCO887VA-K9 sn ***********
username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key NetasTest
dns 8.8.4.4
pool VPN-Pool
acl 120
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip address 192.168.2.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ****
ppp chap password 0 *********
ppp pap sent-username ****** password 0 *******
no cdp enable
ip local pool VPN-Pool 192.168.2.210 192.168.2.215
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 100 remark
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 remark
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
line con 0
exec-timeout 5 30
password ******
no modem enable
line aux 0
line vty 0 4
password ******
transport input all
end
Best Regards,
I've updated IOS to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from the RV320 to the 871 and vice versa. Ping still not working.
router#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Uptime: 00:40:37
Session status: UP-ACTIVE
Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.1.100
Desc: (none)
IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active
Capabilities:(none) connid:2001 lifetime:07:19:22
IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0
Active SAs: 4, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162 -
Why does my iPhone 5 only connect to wifi when it's within 5 feet of the server
I upgraded to an iPhone 5s from a 4, and the 5 will only connect to the wifi at home when I am within a few feet of the server. My 4 worked all over the house and even in the back yard. But now I can't even be in the hallway and keep a connection. Other iPhone 4s have a good connection throughout the house, and other iPhone 5s are the same as mine. It seems as though there may be a poor quality antenna on the new iPhone 5s models and a lesser quality product; this seems to be a trend with iPhone and it is very disappointing. Is there anything that can be done, and also could you start building your newer products with better performance parts? (If it's not broke, don't fix it.) I want my iPhone 4 back lol. I have done a hard reset to resolve my issue and I have checked my wifi signal side by side with other phones and an iPad. Please let me know if anything can be done, thank you.
If this is the case with all wifi routers then I would say that the wifi antenna of the iPhone 5 is broken or not connected.
-
The title is my question. I am a noob, so I hope I can make my question clear. Now I'd like to tell you more about my question:
My aim is to set up a VPN server in the local LAN, so that people can connect to the VPN server. But I don't want every local LAN IP to be able to connect to it. So I need to set a rule that restricts some local IPs so that their connections fail, just like banning some IPs in a rule. For example: only the IPs in "192.168.4.3~192.168.4.20 ; 192.168.7.3~192.168.7.20" can connect; the IPs outside the rules cannot.
My steps are as follows:
1) Install the Server app.
2) Then I set up a VPN server; finally the VPN server can be connected to successfully by local LAN computers (PC or Mac).
3) But I found no IP-restriction function in the Server app panel.
4) Then I downloaded Workgroup Manager, and found nothing there about such an IP restriction function.
So can you tell me how to approach my aim?
Please tell me in clear detail, I am a noob.
Thank you
Won't the password restrict everyone from connecting unless they know the password?
I have never worked with a VPN server, so I can't really add any suggestions. Below are links to Apple support articles, but I'm not sure they will help you:
VPN - Set up Connection
VPN - Advanced Setup
VPN - Connect
VPN - Connect Automatically