VPN with OS X Server 10.2.8
Is it possible to create a VPN with OS X 10.2.8? I can't find anything about it in Mac Help or anywhere else.
OS X Server G4 Mac OS X (10.2.x)
Issue resolved.
Similar Messages
-
Need help setting up VPN with OS X Server 2.2
I just bought OS X Server in the hopes that it would be a simpler way to set up VPN for use with my iPhone. I've tried a couple of third-party VPN configuration tools before with older versions of OS X but was never able to get it working. Now I'm running 10.8.2 and Server 2.2. I've made some progress, but I'm not quite there yet.
Here's what I have set up in the VPN window:
And the user I created:
The User services show that VPN is selected:
I let the Server app configure my Airport Extreme, and it looks like it set up the port mapping:
Here are my iPhone settings
-Server is set to my iMac's public IP address assigned by my ISP
-Password is the password I gave the user account
When I turn the VPN on in the iPhone I get:
"Connecting..."
"Starting..."
"Authenticating..."
then an error:
"VPN Connection
Authentification failed."
What am I missing?
Thanks,
Sean
Hi,
Port  TCP/UDP  Protocol  Service name  Used by
1701  UDP      L2TP      l2f           Mac OS X Server VPN service
1723  TCP      PPTP      pptp          Mac OS X Server VPN service
Try L2TP -
L2TP based VPN with OpenS/WAN server, OpenSSL machine certificates
I cannot seem to get OSX to accept the machine certificates for a VPN connection using Internet Connect.
I have generated OpenSSL x509 certificates for the server and client side, the same process has generated certificates that work just dandy with WindowsXP. The certificates have "subjectAltName=" key/value pairs assigned to the IP address of the VPN server.
Once generated, I import the certificates into OS X (you have to run Keychain Access with "sudo" from the console to get this to work). The certificate authority seems to be OK, the CA has been added to the x509Roots, and when I examine the machine certificate for my OS X install using Keychain Access the certificate is marked valid.
I generated the hash link for the certificate:
ln -s /etc/racoon/certs/certname.pem /etc/racoon/certs/$(openssl x509 -noout -hash -in certname.pem).0
From the console I run 'openssl verify certname.pem'. It fails unless I specify '-CApath /etc/racoon/certs'; then it passes.
When Internet Connect is set up to use the certificates I can see in the OpenS/WAN logs that the OS X box connects and negotiates IPsec to MAIN_3. At this point pluto logs the following:
ignoring informational payload, type INVALIDCERTAUTHORITY
This repeats for several retries before the OS X side gives up. No useful logging is generated on the OS X side for me to debug, and everything from the OpenS/WAN side seems to be kosher; it appears to be an oakley/racoon issue with validating the machine certificate provided by OpenS/WAN to the OS X side, with the OS X side unable to verify the certificate.
Has anyone solved this? Any ideas on how to improve the logging output from OS X so I can see what racoon/oakley is carping about in the certificate files it is using?
I'm having the same problem. I've got a machine cert on my Mac OS 10.4.6 client that was issued by my Win2003 CA. When I try to connect, it just hangs and then dies. In the Security Logs on the 2003 L2TP server, I even see a successful IKE negotiation (MS Event IDs 541 and 543 below).
EventID 541:
IKE security association established.
Mode:
Key Exchange Mode (Main Mode)
Peer Identity:
Certificate based Identity.
Peer Subject C=US, S=City, L=State, O=Company, OU=group, CN=machine.subdomain.company.com, E=[email protected]
Peer SHA Thumbprint peerthumbrint
Peer Issuing Certificate Authority O=company.com, CN=Certificate Authority
Root Certificate Authority O=company.com, CN=Certificate Authority
My Subject CN=server.subdomain.company.com
My SHA Thumbprint mythumbrint
Peer IP Address: x.x.x.x
Filter:
Source IP Address x.x.x.x
Source IP Address Mask 255.255.255.255
Destination IP Address x.x.x.x
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr x.x.x.x
IKE Peer Addr x.x.x.x
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm SHA
Lifetime (sec) 3600
MM delta time (sec) 1
EventID 543:
IKE security association ended.
Mode: Key Exchange (Main mode)
Filter:
Source IP Address X.X.X.X
Source IP Address Mask 255.255.255.255
Destination IP Address X.X.X.X
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr X.X.X.X
IKE Peer Addr X.X.X.X
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
At least give me some methods to debug with. -
Creating VPN with OS X Server 10.4.4 from Intel iMac
Hi all,
Has anyone else had problems creating a VPN (PPTP) connection with a MacOS X Server (10.4.4)?
Every time I get the following error in my connection log (in Internet Connect):
Received bad configure-nak/rej
And after 1 minute the connection closes...
Xander
I have the same problem when connecting from home on my iMac Core Duo to a PPTP server running on Mac OS X Server 10.3.8 at my office. My iMac connects fine for at least 60 seconds but then within the next 5 seconds I get disconnected. The VPN server has been working fine for months and I can still connect with my iBook running 10.3.9, and my old Power Mac G4 running 10.3.9 worked fine too up until I replaced it with the iMac. All of these machines are using the built-in VPN client configured using Internet Connect.
What types of VPN connections (PPTP, IPSec, etc.) and servers (OS X Server, Cisco, SonicWALL, etc.) are you all trying to connect to and what VPN client are you using?
-- Dave -
Help! VPN with Leopard & Leopard server isn't working!
Hello all,
I have tried (and tried, and tried) to get VPN to work on Leopard Server v10.5.1 and I cannot get this to work no matter what I have tried. Here is my setup:
Router:
New Airport Extreme Base station running firmware v7.1.1. I have my server open to the world (for this test)
Server:
Mac Mini running v10.5.1 Server. Both VPN L2TP and PPTP are set up and configured. NAT is NOT turned on, the AEBS is doing DHCP for me (should the server be doing that?).
When I try to connect via PPTP here is my log:
2007-11-23 10:41:22 EST Incoming call... Address given to client = 192.168.4.121
Fri Nov 23 10:41:22 2007 : Directory Services Authentication plugin initialized
Fri Nov 23 10:41:22 2007 : Directory Services Authorization plugin initialized
Fri Nov 23 10:41:22 2007 : PPTP incoming call in progress from '208.xxx.xxx.xxx'...
Fri Nov 23 10:41:23 2007 : PPTP connection established.
Fri Nov 23 10:41:23 2007 : using link 0
Fri Nov 23 10:41:23 2007 : Using interface ppp0
Fri Nov 23 10:41:23 2007 : Connect: ppp0 <--> socket[34:17]
Fri Nov 23 10:41:23 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:26 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:29 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:32 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:35 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:38 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:41 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:44 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:47 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:50 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:53 2007 : LCP: timeout sending Config-Requests
Fri Nov 23 10:41:53 2007 : Connection terminated.
Fri Nov 23 10:41:53 2007 : PPTP disconnecting...
Fri Nov 23 10:41:53 2007 : PPTP disconnected
2007-11-23 10:41:53 EST --> Client with address = 192.168.4.121 has hungup
I can see that my system is receiving the request for VPN, but my workstation isn't responding it seems. I have had this working under 10.4, but cannot get server 10.5 to work at all.
Any ideas?
Hi All,
Exactly the same problem here, but with one VPN it works most of the time:
Sun Nov 25 14:50:27 2007 : PPTP connecting to server '10.0.4.35' (10.0.4.35)...
Sun Nov 25 14:50:28 2007 : PPTP connection established.
Sun Nov 25 14:50:28 2007 : using link 0
Sun Nov 25 14:50:28 2007 : Using interface ppp0
Sun Nov 25 14:50:28 2007 : Connect: ppp0 <--> socket[34:17]
Sun Nov 25 14:50:28 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
Sun Nov 25 14:50:31 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
Sun Nov 25 14:50:34 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
Sun Nov 25 14:50:37 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
Sun Nov 25 14:50:40 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfReq id=0x1 <asyncmap 0xffffffff> <mru 1460> <magic 0xe14a182f> <quality lqr 00 00 17 70> <auth chap MS-v2>]
Sun Nov 25 14:50:43 2007 : lcp_reqci: returning CONFREJ.
Sun Nov 25 14:50:43 2007 : sent [LCP ConfRej id=0x1 <quality lqr 00 00 17 70>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : sent [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x52583874>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfReq id=0x2 <asyncmap 0xffffffff> <mru 1460> <magic 0xe14a182f> <auth chap MS-v2>]
Sun Nov 25 14:50:43 2007 : lcp_reqci: returning CONFACK.
Sun Nov 25 14:50:43 2007 : sent [LCP ConfAck id=0x2 <asyncmap 0xffffffff> <mru 1460> <magic 0xe14a182f> <auth chap MS-v2>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x52583874>]
Sun Nov 25 14:50:43 2007 : sent [LCP EchoReq id=0x0 magic=0x52583874]
Sun Nov 25 14:50:43 2007 : rcvd [LCP EchoReq id=0x0 magic=0xe14a182f 00 00 00 00 e1 4a 18 2f]
Sun Nov 25 14:50:43 2007 : sent [LCP EchoRep id=0x0 magic=0x52583874 00 00 00 00 e1 4a 18 2f]
Sun Nov 25 14:50:43 2007 : rcvd [CHAP Challenge id=0x1 <33373237373537323934343739393131>, name = ""]
While with the other VPN it does not work most of the time:
Sun Nov 25 14:49:52 2007 : PPTP connecting to server '*******************' (*************)...
Sun Nov 25 14:49:52 2007 : PPTP connection established.
Sun Nov 25 14:49:52 2007 : using link 0
Sun Nov 25 14:49:52 2007 : Using interface ppp0
Sun Nov 25 14:49:52 2007 : Connect: ppp0 <--> socket[34:17]
Sun Nov 25 14:49:53 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:49:56 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:49:59 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:50:02 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:50:05 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:50:08 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:50:11 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:50:14 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:50:17 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:50:20 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8533a7cf> <pcomp> <accomp>]
Sun Nov 25 14:50:23 2007 : LCP: timeout sending Config-Requests
Sun Nov 25 14:50:23 2007 : Connection terminated.
Sun Nov 25 14:50:23 2007 : PPTP disconnecting...
Sun Nov 25 14:50:23 2007 : PPTP disconnected -
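The two traces above differ in one thing that can be checked mechanically: whether any LCP frame ever came back from the peer. The following is an added example (not code from the posts or from Apple's pppd) that parses pppd-style "sent/rcvd [LCP ...]" lines and names the failure mode; its sample lines are constructed to match the patterns quoted in this thread.

```python
"""Classify a pppd LCP log such as the PPTP traces quoted in this thread.
Added example; not code from the original posts or from Apple's pppd. The
sample lines are constructed to mirror the two patterns above: a peer that
never answers LCP (ConfReq retries, then timeout) and one that answers,
rejects <pcomp>/<accomp>, converges and moves on to CHAP."""
import re
from dataclasses import dataclass, field

# "sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> ...]"
FRAME_RE = re.compile(
    r"(?P<dir>sent|rcvd) \[(?P<proto>LCP|CHAP) (?P<code>\w+) id=0x[0-9a-f]+(?P<rest>.*)\]")
OPTION_RE = re.compile(r"<(\w+)[^>]*>")   # "<mru 1460>" -> "mru"

EXPLANATIONS = {
    "peer-silent": "the TCP 1723 control channel came up but no PPP frame ever "
                   "arrived; PPTP carries PPP inside GRE (IP protocol 47), so check "
                   "that GRE passes every NAT and firewall in both directions",
    "authenticating": "LCP converged and the peer sent a CHAP challenge; any "
                      "remaining failure is in authentication",
    "lcp-converged": "LCP converged but no authentication exchange was logged",
    "incomplete": "LCP did not finish and no timeout was logged; trace truncated",
}


@dataclass
class LcpSummary:
    sent_confreq: int = 0          # our Configure-Requests (retries included)
    rcvd_frames: int = 0           # any LCP/CHAP frame from the peer
    timeout: bool = False          # "LCP: timeout sending Config-Requests"
    our_options: set = field(default_factory=set)
    peer_options: set = field(default_factory=set)
    rejected_by_peer: set = field(default_factory=set)
    confack_received: bool = False
    chap_started: bool = False
    failure_mode: str = "incomplete"

    @property
    def explanation(self) -> str:
        return EXPLANATIONS[self.failure_mode]


def analyze(lines) -> LcpSummary:
    s = LcpSummary()
    for line in lines:
        msg = line.split(" : ", 1)[-1].strip()   # drop "Fri Nov 23 10:41:23 2007 : "
        if msg.startswith("LCP: timeout sending Config-Requests"):
            s.timeout = True
            continue
        m = FRAME_RE.search(msg)
        if not m:
            continue
        sent = m["dir"] == "sent"
        options = set(OPTION_RE.findall(m["rest"]))
        s.rcvd_frames += 0 if sent else 1
        if m["proto"] == "LCP" and m["code"] == "ConfReq":
            if sent:
                s.sent_confreq += 1
                s.our_options |= options
            else:
                s.peer_options |= options
        elif m["proto"] == "LCP" and m["code"] == "ConfRej" and not sent:
            s.rejected_by_peer |= options
        elif m["proto"] == "LCP" and m["code"] == "ConfAck" and not sent:
            s.confack_received = True
        elif m["proto"] == "CHAP" and m["code"] == "Challenge" and not sent:
            s.chap_started = True
    if s.rcvd_frames == 0 and s.timeout:
        s.failure_mode = "peer-silent"
    elif s.chap_started:
        s.failure_mode = "authenticating"
    elif s.confack_received:
        s.failure_mode = "lcp-converged"
    return s


# Constructed sample: server side of the failing trace above (shortened)
SILENT_PEER = """\
Fri Nov 23 10:41:23 2007 : PPTP connection established.
Fri Nov 23 10:41:23 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:26 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x407014ff> <pcomp> <accomp>]
Fri Nov 23 10:41:53 2007 : LCP: timeout sending Config-Requests
Fri Nov 23 10:41:53 2007 : Connection terminated.
""".splitlines()
# Constructed sample: client side of the working trace above (shortened)
ANSWERING_PEER = """\
Sun Nov 25 14:50:28 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x52583874> <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfReq id=0x1 <asyncmap 0xffffffff> <mru 1460> <magic 0xe14a182f> <quality lqr 00 00 17 70> <auth chap MS-v2>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfReq id=0x2 <asyncmap 0xffffffff> <mru 1460> <magic 0xe14a182f> <auth chap MS-v2>]
Sun Nov 25 14:50:43 2007 : sent [LCP ConfAck id=0x2 <asyncmap 0xffffffff> <mru 1460> <magic 0xe14a182f> <auth chap MS-v2>]
Sun Nov 25 14:50:43 2007 : rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x52583874>]
Sun Nov 25 14:50:43 2007 : rcvd [CHAP Challenge id=0x1 <33373237373537323934343739393131>, name = ""]
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("silent peer", SILENT_PEER), ("answering peer", ANSWERING_PEER)):
        r = analyze(sample)
        print(f"{name}: {r.failure_mode} ({r.sent_confreq} ConfReq sent, "
              f"{r.rcvd_frames} frames received): {r.explanation}")
```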
Setting up VPN with OS X Server/Netgear FVS318 and remote offices
I am a newbie to VPN and am hoping someone can help get the config right. We have an Xserve (Server 10.4) and a range of G5s (OS 10.4) in 3 remote offices and want to set up a VPN between the remote offices and the Xserve. All 3 remote offices are behind their own WGT624 router. Our setup looks like this:
Remote Office G5 (OS 10.4)
|
|
Netgear WGT624 (with dynamic IP address supplied by ISP)
|
|
Cable Modem
|
|
**INTERNET**
|
|
Cable Modem
|
|
Netgear FVS318 (v1) with static IP of 61.xxx.xxx.xxx
|
|
xServe (OS X 10.4 Server)
Can someone please walk me through the setup we need at head office and how we setup the branch office.
Thanks
Hi,
Port  TCP/UDP  Protocol  Service name  Used by
1701  UDP      L2TP      l2f           Mac OS X Server VPN service
1723  TCP      PPTP      pptp          Mac OS X Server VPN service
Try L2TP -
Issues with VPN on 10.3 Server
I have no problems using the VPN with 10.4 Server. I manage several of these, and the VPN works fine.
However, with 10.3 Server it doesn't seem to work. I have two 10.3.9 servers at different offices, and with each I can connect to the VPN and I get an IP address, but I cannot access any resources through the VPN. Does anyone have any ideas about this?
Thanks for your reply.
I'm using PPTP. I've got it set up the same way as with 10.4 server.
The servers are behind NAT routers, with TCP port 1723 forwarded to them.
In each case the private IP subnet on the server is different from the one I'm connecting from.
I'm connecting just fine to the VPN, but once I'm connected I can't connect to anything on the network.
One thing I see in the system log when I try to make a connection is this: "Protocol-Reject for unsupported protocol."
What do you think? -
Remote access VPN with ASA 5510 using DHCP server
Hi,
Can someone please share your knowledge to help me find out why I am not able to receive an IP address on a remote access VPN connection, while I can get an IP address from a local DHCP pool?
I am trying to set up remote access VPN with an ASA 5510. It works with a local DHCP pool but doesn't seem to work when I try using an existing DHCP server. It is being tested in an internal network as follows:
ASA Version 8.2(5)
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.6.0.12 255.255.254.0
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
vpn-addr-assign aaa
vpn-addr-assign dhcp
group-policy testgroup internal
group-policy testgroup attributes
 dhcp-network-scope 10.6.192.1
 ipsec-udp enable
 ipsec-udp-port 10000
username testlay password *********** encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 default-group-policy testgroup
 dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
 pre-shared-key *****
I got the following output when I tested connecting to the ASA with Cisco VPN Client 5.0:
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
4024 bytes copied in 3.410 secs (1341 bytes/sec)
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, IP = 10.15.200.108, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
[OK]
kens-mgmt-012#
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Regards,
Lay
For RADIUS you need an aaa-server definition:
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.10.18.12
 key *****
 authentication-port 1812
 accounting-port 1813
and tell your tunnel-group to ask that server:
tunnel-group VPN general-attributes
 authentication-server-group NPS-RADIUS LOCAL
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
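The debug above shows XAUTH succeeding and the session failing only when the ASA has to hand out an address. The following is an added example (not Cisco code and not from the post) that pulls the address-assignment settings out of an ASA config, walks the IKEv1 debug for the same session and reports which stage failed and which assignment methods were in play; the config and log excerpts are constructed to mirror the posted ones, and the aaa, dhcp, local order is the ASA's own precedence for vpn-addr-assign.

```python
"""Correlate an ASA remote-access config with its IKEv1 debug to find the stage
at which a Cisco VPN Client session fails.  Added example, not Cisco code and
not from the original post; the config and log excerpts are constructed to
mirror the thread (XAUTH succeeds, MODE_CFG asks for an address, none comes)."""
import re

# The ASA tries address-assignment methods in this fixed order and uses the
# first that yields an address; methods absent from the config are skipped.
ASSIGN_ORDER = ("aaa", "dhcp", "local")

# First match of each pattern wins; group(1) is stored where one is captured.
LOG_EVENTS = (
    ("tunnel_group", re.compile(r"Connection landed on tunnel_group (\S+)")),
    ("user", re.compile(r"User \((\S+)\) authenticated")),
    ("ip_assigned", re.compile(r"Assigned private IP address (\S+) to remote user")),
    ("ip_failed", re.compile(r"Cannot obtain an IP address for remote peer")),
)


def parse_config(text: str) -> dict:
    """Collect the lines that decide where a client's address comes from.
    Sub-mode commands are indented one space; an unindented line opens a new
    context (tunnel-group, group-policy, interface, ...)."""
    cfg = {"assign_methods": [], "local_pools": {}, "dhcp_servers": {},
           "default_policy": {}, "network_scopes": {}}
    context = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            context = line
        ctx_kind, ctx_name = (context.split() + ["", ""])[:2]
        words = line.split()
        if words[0] == "vpn-addr-assign":
            cfg["assign_methods"].append(words[1])
        elif line.startswith("ip local pool "):
            cfg["local_pools"][words[3]] = words[4]
        elif ctx_kind == "tunnel-group" and words[0] == "dhcp-server":
            cfg["dhcp_servers"][ctx_name] = words[1]
        elif ctx_kind == "tunnel-group" and words[0] == "default-group-policy":
            cfg["default_policy"][ctx_name] = words[1]
        elif ctx_kind == "group-policy" and words[0] == "dhcp-network-scope":
            cfg["network_scopes"][ctx_name] = words[1]
    return cfg


def parse_log(text: str) -> dict:
    found = {}
    for line in text.splitlines():
        for key, rx in LOG_EVENTS:
            m = rx.search(line)
            if m and key not in found:
                found[key] = m.group(1) if m.groups() else True
    return found


def diagnose(config_text: str, log_text: str) -> dict:
    cfg, log = parse_config(config_text), parse_log(log_text)
    tg = log.get("tunnel_group", "")
    policy = cfg["default_policy"].get(tg, "")
    methods = [m for m in ASSIGN_ORDER if m in cfg["assign_methods"]]
    if "user" not in log:
        stage = "xauth"               # never got past user authentication
    elif log.get("ip_failed"):
        stage = "address-assignment"  # authenticated, but nothing to hand out
    elif log.get("ip_assigned"):
        stage = "assigned"
    else:
        stage = "mode-config"         # excerpt ends before the outcome
    return {
        "stage": stage, "tunnel_group": tg, "user": log.get("user"),
        "methods_consulted": methods,
        "dhcp_server": cfg["dhcp_servers"].get(tg),      # relay target for "dhcp"
        "network_scope": cfg["network_scopes"].get(policy),  # scope hint sent to it
        # pools that exist but are never tried because the "local" method is off
        "unused_local_pools": sorted(cfg["local_pools"]) if "local" not in methods else [],
    }


# Constructed excerpts that follow the shape of the posted config and debug.
ASA_CONFIG = """\
vpn-addr-assign aaa
vpn-addr-assign dhcp
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0
group-policy testgroup attributes
 dhcp-network-scope 10.6.192.1
tunnel-group testgroup general-attributes
 default-group-policy testgroup
 dhcp-server 10.6.20.3
"""
ASA_LOG = """\
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
"""

if __name__ == "__main__":
    for key, value in diagnose(ASA_CONFIG, ASA_LOG).items():
        print(f"{key}: {value}")
```

A report whose stage is "address-assignment" with a populated dhcp_server means the DHCP relay returned no lease, so the next things to check are that the server is reachable from the ASA and has a scope covering the network_scope address; a non-empty unused_local_pools shows a pool that is never tried because "vpn-addr-assign local" is absent.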
Unable to access gateway and DNS via VPN (L2TP) with Snow Leopard Server
Summary:
After rebooting my VPN server, I am able to establish a VPN (L2TP) connection from outside my private network. I am able to connect to the gateway (ping, SSH, …) only until the first client disconnects. Then I can perfectly access all the other computers of the private network, but I cannot access the private IP address of the gateway.
Additionally, during my first VPN connection, my DNS server, which is on the same server, is not working properly over the VPN. I can access it with the public IP address of my gateway. I can access it from inside my private network. A port scan shows that port 53 is open, but dig returns a timeout.
Configuration:
Cluster of 19 Xserve3.1 - Snow Leopard Server 10.6.2
Private network 192.168.1.0/255.255.255.0 -> domain name: cluster
-> 1 controller, which acts as a gateway for the cluster private network, with the following services activated:
DHCP, DNS, firewall (allowing all incoming traffic for each group for test purposes), NAT, VPN, Open Directory, web, software update, AFP, NFS and Xgrid controller.
en0: fixed public IP address -> controller.example.com
en1: 192.168.1.254 -> controller.cluster
-> 18 agents with AFP and Xgrid agent activated:
en1: 192.168.1.x -> nodex.cluster with x between 1 and 18
The VPN (L2TP) server distributes IP addresses between 192.168.1.201 and 192.168.1.210 (-> vpn1.cluster to vpn10.cluster). Client information contains the private network DNS server information (192.168.1.254, search domain: cluster).
Detailed problem description:
After rebooting the Xserve, my VPN server works fine except for the DNS. My client receives the correct information:
Configure IPv4: Using PPP
IPv4 address: 192.168.1.201
Subnet Mask:
Router: 192.168.1.254
DNS: 192.168.1.254
Search domain: cluster
From my VPN client, I can ping all the Xserves of my cluster (192.168.1.1 to 18 and 192.168.1.254). If I have a look in Server Admin > Settings > Network, I have three interfaces listed: en0, en1 and ppp0 of family IPv4 with address 192.168.1.254 and DNS name controller.cluster.
The DNS server returns timeouts when I try to do a dig from my VPN client, even though I am able to access it directly from a computer inside or outside my private network.
After I disconnect, I can see in Server Admin that the IP address of my ppp0 interface has switched to my public IP address.
Then I can always establish a VPN (L2TP) connection, but the client receives the following information:
Configure IPv4: Using PPP
IPv4 address: 192.168.1.202
Subnet Mask:
Router: (Public IP address of my VPN server)
DNS: 192.168.1.254
Search domain: cluster
From my VPN client, I can access all the other computers of my network (192.168.1.1 to 192.168.1.18), but when I ping my gateway (192.168.1.254), it returns timeouts.
I have two "lazy" solutions to this problem: 1) Configure the VPN and DNS servers on two different Xserves, 2) Put the public IP address of my gateway as the DNS server address, but neither of these solutions is acceptable for me…
Any help is welcome!!!
I would suggest taking a look at:
Server Admin > VPN > Settings > Client Information > Network Route Definitions.
As I understand your setup, it should be something like
192.168.1.0 255.255.255.0 private
at least as a start. I just got done troubleshooting a similar issue, but via two subnets:
http://discussions.apple.com/thread.jspa?threadID=2292827&tstart=0 -
AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN
Hi,
I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides remote VPN for remote access users.
Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
The topology is simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
ping inside 10.10.10.56
However when I configure the ASA for the AAA group with commands:
aaa-server ACSAuth protocol radius
aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
Then when I do the show run, here is the result:
aaa-server ACSAuth protocol radius
aaa-server host 10.10.10.56
key AcsSecret123
What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel (it seems to be directed to the default gateway because of the default route), which causes the AAA authentication to fail.
Has anybody ever implemented something like this, and is it possible? And if yes, what should the config look like?
Your help will be really appreciated!
Thanks.
Best Regards,
Jo
AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html -
[Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].
We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.
So... now we are trying Phonefactor.
Our VPN setup is RRAS on a Windows Server 2003 domain controller.
We have installed Phonefactor, enabled it as a Radius server, and configured RRAS to point to Phonefactor for Radius authentication. We configured Phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone call.
It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six digit code typed into a reply on the cell phone... and unless we are really nimble, that is frequently not enough time!
When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."
How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to phonefactor?
Things we have tried:
1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.
2) On the Windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.
3) On the Windows 2003 server: Modifying the RRAS Radius Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.
4) In the phonefactor configuration: Searching through the radius server settings to see if there is one labeled "connection timeout". So far we have found nothing.
5) Using NTRadPing to connect directly to the phonefactor radius server. With NTRadPing we were able to wait more than 60 seconds without a timeout from phonefactor. So we don't *think* at this point that the issue is within phonefactor.
6) We have asked phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your vpn client". And they could well be correct.
7) Search the web for how to increase either the stock windows VPN client timeout, or the RRAS radius authentication timeout. No luck so far.
8) Try this registry hack:
http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.
Any ideas?
thanks!
Hi fdc2005,
Thanks for the post.
However, generally, we first type the user name and password, then click Connect to establish the VPN connection. Such as:
Therefore, I am a little confused about the timeout you mentioned. Would you please provide us with more details?
Regarding error 718, please check if the following could help:
If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
Steps to follow for resolution:
(1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
(2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)
Quote from:
Troubleshooting Vista VPN problems.
Hope this helps.
Jeremy Wu
TechNet Community Support -
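The check the poster did with NTRadPing, as an added example that is not from the thread: a minimal RADIUS client (RFC 2865 packet format, User-Password hiding and Response Authenticator verification) probing a constructed loopback server that delays its Access-Accept the way an SMS-gated MFA server does. When the server's delay exceeds the client's timeout the probe returns None, which is the NAS-side failure the post describes; shared secret, user and delays are constructed values (scaled down from the 20 s in the thread).

```python
"""Constructed example (not from the thread): time a RADIUS Access-Request round trip,
as NTRadPing does, against a stand-in server that answers as slowly as an SMS-based
MFA server would. Packet layout per RFC 2865."""
import hashlib, os, socket, struct, threading, time

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2        # RADIUS attribute types


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind, value):
    """Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, secret, user, password):
    """Return (packet, request_authenticator); the authenticator is needed to check the reply."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(
        USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def verify_response(pkt, req_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return pkt[4:20] == hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()

def probe(server, secret, user, password, timeout):
    """Send one Access-Request and wait at most `timeout` seconds (the NAS-side timeout).
    Returns the reply code, "bad-authenticator" for a mismatched reply, or None on timeout."""
    req, req_auth = build_access_request(1, secret, user, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, server)
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if len(resp) < 20 or resp[1] != req[1] or not verify_response(resp, req_auth, secret):
        return "bad-authenticator"
    return resp[0]

def slow_radius_server(secret, delay):
    """Constructed stand-in for an MFA RADIUS server: it sends Access-Accept only after
    `delay` seconds (the user answering the text). Returns the (host, port) it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        data, peer = srv.recvfrom(4096)
        time.sleep(delay)
        header = struct.pack("!BBH", ACCESS_ACCEPT, data[1], 20)
        srv.sendto(header + hashlib.md5(header + data[4:20] + secret).digest(), peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
```

Pointing `probe` at a real server and raising `timeout` past the NAS's value shows whether the server itself ever answers, separating a slow MFA backend from a client that gives up early.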
Site to site VPN with windows server 2012
I am trying to connect our server to a Cisco site-to-site IPsec VPN with one of our partners' servers. They asked us to implement the settings they gave us in our router, but actually we don't have access to the router; we are just connected directly to our ISP. Alternatively, we were informed that we can use a software VPN instead, and yes, we found a working one, tested and verified, but we have to pay for it to keep running.
Now my question is, given that we are running Windows Server 2012 R2, how can we establish this VPN connection directly from Windows without the need for third-party tools?
The only parameters we have to connect with are:
Gateway IP: xxx.xxx.xxx.xxx
Authentication Pre-shared Key: ######
Encryption: 3DES
Hash authentication: MD5
DH: Group1
No username or password is needed with this type of VPN.
Any help is appreciated.
Best regards, Abed
Hi,
You may try to configure Windows Server 2012 (RRAS) as a VPN router to connect to the third-party VPN server (compatible with Windows Server VPN).
Some samples, just for your reference:
Checklist: Implementing a Site-to-Site Connection Design
https://technet.microsoft.com/en-us/library/ff687867(v=ws.10).aspx
TMG Configuring site-to-site VPN access
http://technet.microsoft.com/en-us/library/bb838949.aspx
For more about how to deploy RRAS on TMG, please post in the TMG forum:
Forefront support forum
http://social.technet.microsoft.com/Forums/forefront/en-us/home?category=forefront
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
How Do I connect to Home VPN with IPAD
Hello All,
I have set up my home server on a Mac Mini with the OS X Server app. I have it configured on my iPad and the iPad shows that it is connected. NOW WHAT??? haha. I float around my iPad screen and I can't get to my home server. I've downloaded a couple of VPN apps but they seem to want to connect me with the company that produced the app. I just want to connect to my home server and access music and such via VPN. I don't know what my next step is.
Thanks in advance,
Hmmm...
I am definitely not an expert on this topic, but I'll give you my thoughts and hopefully others will as well.
By using Home Sharing in iTunes on your Mini, connecting both to the same Apple ID, you could share the video and audio content to your iPad while on the home network; then, by leveraging the VPN when away from the home network (set up VPN in Server and connect with Settings > VPN on the iPad, http://support.apple.com/kb/HT3819), you get the same functionality while away.
Now connecting through the web browser is not in my knowledge but I believe you would have to host the website and have within it different modules to support the sharing of content but hosted by your server app.
I hope this helps some, Good luck! -
Can't authenticate Mac VPN client from RADIUS server
Hello,
I'm a real noob here so please bear with me.
I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
I thought that I had everything configured properly, but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as they're configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? This seems like it should be simple, because I can connect until I attempt to authenticate to the RADIUS server.
TIA for any direction you can provide me.
Christine
If it helps, here is my config with some of the non-related bits deleted:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password ********* encrypted
passwd ******* encrypted
hostname pixfirewall
domain-name acme.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 82
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 207.XXX.XXX.130 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 192.168.100.1 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
pdm location 192.168.10.50 255.255.255.255 inside
pdm group CBI_Servers inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 200 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1812
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.3 255.255.255.255 inside
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Test_VPN address-pool CBI_VPN_Pool
vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
vpngroup Test_VPN default-domain acme.com
vpngroup Test_VPN idle-time 1800
vpngroup Test_VPN authentication-server RADIUS
vpngroup Test_VPN user-authentication
vpngroup Test_VPN user-idle-timeout 1200
vpngroup Test_VPN password ********
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.100-192.168.10.254 inside
dhcpd dns 142.77.2.101 142.77.2.36
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside -
SSL VPN with client, anyconnect.
I've set up a simple test on SSL VPN with client on a 3800.
It didn't work. I assume I have to turn on the IP HTTP server so that the client can hit it.
But when I turned it on, the client goes to SDM; nothing with SSL VPN happened. It tells me the page is not available.
The underlying routing is fine.
Could you tell me where it is configured wrong?
Config is copied below.
thanks,
Han
=======
Current configuration : 3340 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable password cisco
aaa new-model
aaa authentication login default local
aaa session-id common
no network-clock-participate slot 1
crypto pki trustpoint TP-self-signed-3551041125
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3551041125
revocation-check none
rsakeypair TP-self-signed-3551041125
crypto pki certificate chain TP-self-signed-3551041125
certificate self-signed 01
quit
dot11 syslog
ip cef
multilink bundle-name authenticated
voice-card 0
no dspfarm
username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
archive
log config
hidekeys
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
end
interface Loopback1
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
ip local pool svc-poll 1.1.1.50 1.1.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface GigabitEthernet0/0 port 443
ssl trustpoint local
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context SSLVPN
ssl authenticate verify all
policy group default
functions svc-required
svc default-domain "test.org"
svc keep-client-installed
svc split dns "primary"
default-group-policy default
gateway SSLVPN
inservice
end
Using the SDM, follow the config example below:
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
The text "cisco 3800 ssl vpn configuration" in my favorite search engine identified the above.
HTH