WRT160N v2 VPN Problem ( GRE Protocol )
Hi,
I just got a WRT160N router. But this router does not allow the GRE protocol. I use a VPN server on my local network and I only need PPTP (NAT for TCP 1723 is set up) and GRE, protocol 47 (I can't find anything about this), to be routed to my VPN server. 1723 works OK but not GRE.
I checked all settings under Security / VPN Passthrough but the problem persists. Does anybody have a solution for this? My firmware version is v2.0.02.
I am afraid the router does not support the GRE protocol...
Similar Messages
-
Up until recently I was using a Belkin Pre-N cable router which served me well, but I gave it to my son who was off to university. Decided to purchase a Linksys WRT160N as it appeared to be comparable to the Belkin.
Setting up the WRT160N for wireless access was easy as expected, although it doesn't seem to have the same power as the Belkin (less signal).
All seemed good up to the point I needed to start work, whereupon I open up a Nortel VPN session to my office and establish a session. Then I start up a Cisco VPN client to tunnel through the Nortel VPN into my customer's network, a double hop thing. Nothing new here, I have been doing this for the past 2 years.
All seemed to work OK, but then periodically the 2nd VPN tunnel would drop out, crashing me out of my customer's network. Trying to re-establish the 2nd VPN then constantly fails. On investigation it seems that the problem lies with the 1st VPN, as I was unable to ping my customer's VPN concentrator. The only way to re-establish the session was to terminate both VPNs and start again.
The only thing that has changed is the Belkin router to this Linksys WRT160N router. In fact I'm even considering getting the Belkin back from my son and giving him this Linksys, as it had a stronger signal. So, unless someone can offer any ideas or suggestions, the Linksys will have to go.
Model: WRT160N V2
Firmware: 2.0.01 build 14
Date Stamp: 03/10/2008 17:36:45
Security: WPA Personal
Which helpdesk was that?
Suggesting that you forward TCP & UDP port 50 shows how clueless they are.
ESP is the protocol used for IPsec tunnels. It has IP protocol number 50. It's another IP protocol like TCP and UDP. TCP is IP protocol number 6 and UDP is IP protocol number 17. Forwarding TCP or UDP port 50 has nothing to do with a completely different protocol like ESP. Do not forward port 50, TCP or UDP. It won't make any difference to your VPN problems and will at best be a security problem.
You cannot configure port forwarding for ESP. It is enabled/disabled with the IPsec pass-through option, but you cannot define a single destination for ESP traffic. And it won't help you much anyway, because running IPsec/ESP through a NAT router won't work.
Remove the port 50 forwarding. You will see it won't make any difference to your problem.
To forward PPTP VPN tunnels, use forwarding of TCP port 1723. Neither the Nortel VPN client nor the Cisco VPN client uses PPTP. PPTP is quite well equipped to run through NAT routers. Forwarding port 1723 would only be necessary if you were running a PPTP server on your computer to which someone from the internet is supposed to connect. Otherwise, remove the 1723 forwarding. It won't make a difference to the connection with the Nortel or Cisco VPN client.
To forward IPsec VPN tunnels with NAT traversal, use forwarding of UDP port 500 and TCP/UDP port 4500. UDP 500 is the port where the endpoints negotiate the connection. The connection itself runs through ESP or, with NAT traversal, encapsulated into UDP or TCP port 4500. Forwarding these two ports may make a difference to your problem.
Port 10000 is an alternative port for 4500 in Nortel clients. But as far as I know, the Nortel client will only use port 10000 if you configure the Nortel client in its settings to do so. So I would recommend testing whether it works as well without the port 10000 forwarding.
The fewer forwardings you have, the better for your security. Remember that with any forwarding, anyone on the internet is able to access your computer on these ports.
To sum up: I would recommend testing whether you are successful with forwarding App2 & App4 only, or, if you have configured the Nortel VPN client to use port 10000 instead, forwarding only App2 and App5. All others should not be necessary. App1 is just totally wrong. App3 would only make sense if you used PPTP, which you don't.
-
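The distinction the reply above draws between an IP protocol number (ESP = 50, GRE = 47) and a TCP/UDP port, as an added example that is not from the original thread: a small Python parser for the IPv4 header shows where a router's port-forwarding rule looks, why a "TCP/UDP port 50" rule can never match ESP, and which of the flows named above (TCP 1723, UDP 500, UDP 4500, GRE, ESP) a port forward can handle at all. The addresses, packets and helper names are constructed for the demo.

```python
"""IPv4 packets as a NAT router's port-forwarding engine sees them.

Added example, not code from the forum thread.  The packets, addresses and
function names are constructed for the demo.  Protocol numbers are the IANA
assignments quoted in the reply: TCP 6, UDP 17, GRE 47, ESP 50.
"""
import struct

TCP, UDP, GRE, ESP = 6, 17, 47, 50
PROTO_NAME = {TCP: "tcp", UDP: "udp", GRE: "gre", ESP: "esp"}


def parse_ipv4(pkt: bytes) -> dict:
    """Return the protocol number, addresses and, for TCP/UDP only, the ports."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes
    proto = pkt[9]                        # the 'Protocol' byte: 6, 17, 47, 50, ...
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport = dport = None
    if proto in (TCP, UDP) and len(pkt) >= ihl + 4:
        # only TCP and UDP headers begin with a source and destination port
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def forward_rule_matches(rule: tuple, pkt: bytes) -> bool:
    """rule = ("tcp" | "udp", destination port), as typed into a router's forwarding page."""
    proto_name, port = rule
    if proto_name not in ("tcp", "udp"):
        # there is no port in GRE or ESP, so no port-based rule can be written for them
        raise ValueError("port-forwarding rules exist only for tcp and udp")
    p = parse_ipv4(pkt)
    return PROTO_NAME.get(p["proto"]) == proto_name and p["dport"] == port


def requirement(pkt: bytes) -> str:
    """What the NAT box needs in order to deliver this packet to an inside VPN host."""
    p = parse_ipv4(pkt)
    if p["proto"] == TCP and p["dport"] == 1723:
        return "port forward TCP 1723 (PPTP control channel)"
    if p["proto"] == UDP and p["dport"] == 500:
        return "port forward UDP 500 (IKE)"
    if p["proto"] == UDP and p["dport"] == 4500:
        return "port forward UDP 4500 (IKE NAT-T, UDP-encapsulated ESP)"
    if p["proto"] == GRE:
        return "no ports: PPTP/GRE passthrough or a 1:1 static NAT"
    if p["proto"] == ESP:
        return "no ports: IPsec passthrough, NAT-T, or a 1:1 static NAT"
    return "ordinary " + PROTO_NAME.get(p["proto"], "protocol %d" % p["proto"]) + " traffic"


def build(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (no options, checksum left zero) for the demo."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr + payload


def ports(sport: int, dport: int) -> bytes:
    """First eight bytes of a TCP or UDP header: source port, destination port, filler."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 4


# constructed traffic from a remote VPN user (198.51.100.7) to the router's WAN address
WAN = "203.0.113.1"
PPTP_CTRL = build(TCP, "198.51.100.7", WAN, ports(40000, 1723))
GRE_DATA = build(GRE, "198.51.100.7", WAN, b"\x30\x01\x88\x0b\x00\x00\x00\x01")  # enhanced GRE, PPP
IKE = build(UDP, "198.51.100.7", WAN, ports(500, 500))
NAT_T = build(UDP, "198.51.100.7", WAN, ports(4500, 4500))
ESP_DATA = build(ESP, "198.51.100.7", WAN, b"\x00\x00\x10\x01" + b"\x00" * 4)   # SPI + sequence
TCP_50 = build(TCP, "198.51.100.7", WAN, ports(40001, 50))                        # what "TCP port 50" really is

if __name__ == "__main__":
    for name, pkt in [("PPTP", PPTP_CTRL), ("GRE", GRE_DATA), ("IKE", IKE),
                      ("NAT-T", NAT_T), ("ESP", ESP_DATA), ("TCP/50", TCP_50)]:
        print(f"{name:6s} {requirement(pkt)}")
    # the helpdesk's rule: it forwards TCP port 50 and never sees an ESP packet
    print(forward_rule_matches(("tcp", 50), TCP_50), forward_rule_matches(("tcp", 50), ESP_DATA))
```

The parser only reads byte 9 of the IP header for the protocol and the first four bytes after the header for ports; for GRE and ESP those four bytes are the GRE flags or the ESP SPI, which is why a router that keys its NAT table on ports has nothing to match on and needs a protocol-level passthrough or a dedicated public address instead.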
I have a server running SBS 2003 with MS VPN set up and running. I can test the connection using the support tools provided by XP/2003, the pptpclnt and pptpsrv utilities. Both the TCP port 1723 packets and the GRE (protocol 47) packets are sent and received successfully. Then I point the client to my external IP address and the TCP packets get through but the GRE packets do not. The only way I have to test it right now is with a computer that is on the same network as the server. I don't know if that is my issue, but right now I don't have much of an alternative. I assume the traffic goes out of the network and then back in through the firewall, but I can't tell for certain. I have port 1723 forwarded to my server and all of the VPN options are enabled. Has anyone had any success using a setup like I described? I don't see any other router settings to play with, but maybe I missed one? Also, I have tried it with the SPI firewall disabled and enabled, the server in the DMZ and out, UPnP disabled and enabled, and all permutations of the three, with no success. Can anyone help?
Thanks!
I seem to be having the same problem. I think it has something to do with IP protocol 47 (GRE) but can't find how to enable this in the WRT54GS. I only have the same 3 settings to enable under the VPN tab in the router. I can connect to the VPN when I am inside the network, but when I try from outside the network it can't connect.
Any ideas?
Thanks
-
VPN problems with ActionTec wireless router
I'm trying to set up VPN from my Win7 laptop to my Win7 desktop to use while travelling.
I have an ActionTec GT704WGB and cannot VPN from my laptop on the Internet in to my desktop on this router. Using the Microsoft VPN test tools pptpsrv and pptpclnt I can successfully send VPN test messages (port 1723 and GRE protocol 47) between the two machines on my subnet, bypassing the ActionTec, so I know that Windows and Norton Internet Security are not the problem. But when I put the laptop on the Internet through another provider I cannot get any messages through the ActionTec. The ActionTec is configured (Security / VPN) to support VPN with port 1723 forwarding and GRE * * *. I am suspecting perhaps the ActionTec does not support inbound VPN, but cannot find anything in the user manual or from ActionTec support that clarifies one way or the other. I'm sure I used to be able to VPN outbound to my former employer's network.
It seems there is something about this router, or perhaps there is something in the Verizon network, that does not support inbound VPN. Does anyone know?
The ActionTec does support incoming and outgoing VPN connections. What changes might be needed to your VPN setup, or what different port forwarding might be needed, would need to be advised by the VPN tech support group.
Anthony_VZ
-
Dynamic NAT GRE protocol into internal Server
Hi guys just a quick one.
I've had a quick look and it appears it cannot be done.
I'm attempting to forward the GRE protocol to an internal web server. We only have 2 external addresses and the internal server is not one of them. Is this possible?
Kind regards,
Jake
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
c2c-pix1 up 10 hours 43 mins
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has an Unrestricted (UR) license.
You would need to have a spare public IP to configure a static NAT statement for GRE, as GRE is a protocol, not TCP or UDP with a port, hence you can't share a public IP.
However, if you are trying to enable a PPTP connection to the internal server, then all you have to do is static PAT on TCP/1723 and enable "fixup protocol pptp 1723", and that would allow the GRE traffic to pass through.
-
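What "fixup protocol pptp 1723" has to do for GRE to cross a PAT, as an added Python example (not PIX code and not from the original post): a minimal PPTP application-layer gateway that reads the Call IDs negotiated on the TCP/1723 control channel and uses the Call ID carried in each enhanced GRE header, rather than a port, to pick the inside host, rewriting the ID when two inside clients choose the same one. Message layouts follow RFC 2637; the class and function names, hosts, Call IDs and messages are constructed for the demo.

```python
"""Minimal PPTP application-layer gateway (ALG) for a NAT device.

Added example, not PIX code.  Layouts follow RFC 2637: a 12-byte control
header (Length, Message Type 1, Magic Cookie, Control Type, Reserved) and an
enhanced GRE header whose Key field carries the peer's Call ID.  Hosts, Call
IDs and messages are constructed for the demo.
"""
import struct

PPTP_MAGIC = 0x1A2B3C4D
CTRL_MESSAGE = 1
OUT_CALL_REQUEST, OUT_CALL_REPLY = 7, 8
GRE_PPP = 0x880B            # protocol type of PPP-in-GRE
GRE_KEY_PRESENT = 0x20      # K bit in the first GRE flags byte


class PptpAlg:
    """Learn Call IDs on TCP/1723 so port-less GRE data can be mapped to inside hosts."""

    def __init__(self):
        self.calls = {}         # Call ID as seen on the outside -> (inside host, original Call ID)
        self.next_id = 0x4000   # pool for rewriting colliding Call IDs

    @staticmethod
    def _control_type(msg: bytes) -> int:
        if len(msg) < 12:
            raise ValueError("short PPTP header")
        length, msg_type, magic, ctrl = struct.unpack("!HHIH", msg[:10])
        if magic != PPTP_MAGIC or msg_type != CTRL_MESSAGE or length != len(msg):
            raise ValueError("not a well-formed PPTP control message")
        return ctrl

    def outbound_control(self, inside_host: str, msg: bytes) -> bytes:
        """Client -> server.  Returns the bytes to send on, Call ID possibly rewritten."""
        if self._control_type(msg) != OUT_CALL_REQUEST:
            return msg
        call_id = struct.unpack("!H", msg[12:14])[0]
        outside_id = call_id
        if outside_id in self.calls and self.calls[outside_id][0] != inside_host:
            # two inside hosts picked the same Call ID: give this one a unique outside ID
            outside_id, self.next_id = self.next_id, self.next_id + 1
        self.calls[outside_id] = (inside_host, call_id)
        return msg[:12] + struct.pack("!H", outside_id) + msg[14:]

    def inbound_control(self, msg: bytes):
        """Server -> client.  Returns (inside host or None, bytes with the original Call ID)."""
        if self._control_type(msg) != OUT_CALL_REPLY:
            return None, msg
        peer_id = struct.unpack("!H", msg[14:16])[0]       # "Peer's Call ID": our side's ID
        host, original = self.calls.get(peer_id, (None, peer_id))
        return host, msg[:14] + struct.pack("!H", original) + msg[16:]

    def inbound_gre(self, pkt: bytes):
        """GRE from the server.  The Key/Call ID, not a port, selects the inside host."""
        if len(pkt) < 8:
            raise ValueError("short GRE header")
        flags, ver, proto, _payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
        if proto != GRE_PPP or (ver & 0x07) != 1 or not flags & GRE_KEY_PRESENT:
            raise ValueError("not an enhanced GRE (PPTP) packet")
        host, original = self.calls.get(call_id, (None, call_id))
        if host is None:
            return None, pkt      # no call learned on 1723: a plain NAT can only drop this
        return host, pkt[:6] + struct.pack("!H", original) + pkt[8:]


def out_call_request(call_id: int, serial: int = 1) -> bytes:
    """Constructed Outgoing-Call-Request (168 bytes, as in RFC 2637)."""
    body = struct.pack("!HHIIIIHHHH", call_id, serial, 300, 100_000_000, 1, 1, 64, 0, 0, 0)
    body += b"\x00" * 128                                   # phone number + subaddress
    hdr = struct.pack("!HHIHH", 12 + len(body), CTRL_MESSAGE, PPTP_MAGIC, OUT_CALL_REQUEST, 0)
    return hdr + body


def out_call_reply(server_call_id: int, peer_call_id: int) -> bytes:
    """Constructed Outgoing-Call-Reply (32 bytes), result code 1 = connected."""
    body = struct.pack("!HHBBHIHHI", server_call_id, peer_call_id, 1, 0, 0, 100_000_000, 64, 0, 0)
    hdr = struct.pack("!HHIHH", 12 + len(body), CTRL_MESSAGE, PPTP_MAGIC, OUT_CALL_REPLY, 0)
    return hdr + body


def gre_data(call_id: int, seq: int, payload: bytes = b"\xff\x03\xc0\x21") -> bytes:
    """Constructed enhanced GRE packet: K and S set, version 1, Call ID in the Key field."""
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPP, len(payload), call_id, seq) + payload


if __name__ == "__main__":
    alg = PptpAlg()
    # two inside clients both start with Call ID 1
    for host in ("10.0.0.5", "10.0.0.6"):
        wire = alg.outbound_control(host, out_call_request(1))
        print(host, "sends Call ID", hex(struct.unpack("!H", wire[12:14])[0]))
    host, _ = alg.inbound_gre(gre_data(0x4000, 1))
    print("GRE with Call ID 0x4000 is delivered to", host)
```

A router whose "VPN passthrough" lacks this bookkeeping still passes the TCP/1723 handshake, which is the symptom in the WRT160N and SBS 2003 posts above: the control channel completes, and the GRE data packets, which carry no port for the NAT table to key on, fall into the `None` case of `inbound_gre` and are dropped.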
Problem Accessing Protocol Classes in INBOUND PROXY
Hi guys.
I'm having problems accessing Protocol Classes in an inbound proxy.
I have this code that is copied from:
http://help.sap.com/saphelp_nw04/helpdata/en/a7/3b2a2d45a34a23b75e3b18745c63bc/frameset.htm
DATA: lo_server_context   TYPE REF TO if_ws_server_context,
      lo_payload_protocol TYPE REF TO if_wsprotocol_payload.
lo_server_context   = cl_proxy_access=>get_server_context( ).
lo_payload_protocol = lo_server_context->get_protocol( if_wsprotocol=>payload ).
But I'm getting this error:
The result type of the function method cannot be converted into the type lo_payload_protocol
If I try to get the attachment protocol with this code:
DATA: lo_server_context   TYPE REF TO if_ws_server_context,
      lo_attachment_prtcl TYPE REF TO IF_WSPROTOCOL_ATTACHMENTS.
lo_server_context   = cl_proxy_access=>get_server_context( ).
lo_attachment_prtcl = lo_server_context->get_protocol( if_wsprotocol=>ATTACHMENTS ).
I'm getting the same error.
What am I doing wrong? It's code copied from the SAP Library!!!
Thanks a lot.
Hi,
you are choosing the wrong type for lo_payload_protocol.
You must change it like this:
lo_payload_protocol TYPE REF TO IF_WSPROTOCOL.
Regards,
orhan
-
Problem with protocol.jar with weblogic
atg10.0.3 and weblogic 11g on 64bit linux.
I've been plagued by this problem with ATG's protocol jar. While it loads the jar when starting up startWeblogic.sh, it does not get loaded when starting a managed server, thus I get the following errors:
**** Error Fri Jun 15 15:56:43 MDT 2012 1339797403444 / Unable to start service "/atg/scenario/ScenarioManager": atg.nucleus.ServiceException: The configuration file XMLFile(/atg/scenario/scenarioManager.xml) could not be read: java.net.MalformedURLException: unknown protocol: dynamosystemresource
**** Error Fri Jun 15 15:56:43 MDT 2012 1339797403544 /atg/scenario/ScenarioManager Unable to combine messaging information from the process manager component /atg/scenario/ScenarioManager. The process manager has not been classified yet so it cannot be determined if global messages should be listened for. This error indicates a problem with component startup order - the /atg/scenario/ScenarioManager component has been started before the /atg/dynamo/messaging/MessagingManager component
**** Error Fri Jun 15 15:56:43 MDT 2012 1339797403583 /atg/dynamo/messaging/MessagingManager An exception occurred while trying to parse XML definition file "XMLFile(/atg/dynamo/messaging/dynamoMessagingSystem.xml)" java.net.MalformedURLException: unknown protocol: dynamosystemresource
Following the instructions has led me to place the protocol.jar from DAS/lib in the root of my domain directory and then add the classpath entry in the startWeblogic.sh script. protocol.jar shows up at the top of this script's STDOUT. But I cannot seem to get it included in the production.out logs when starting the managed server.
Any ideas?
Thanks!
-Kip
Yes, I figured this out. The problem was the version of WebLogic. I was using 1.3.6 when it should have been 1.3.5. After changing the version, I no longer had problems with protocol.jar.
Thanks!
-Kip
-
With the new KitKat update (20.1.A.0.47) trying to open VPN from Settings, the Settings app crashes and restarts. Due to that, in Security, the None and Swipe lockscreen options are disabled, leaving PIN, Password, and Pattern the only options. Why is that / is it ever gonna be fixed?
Oh, and it didn't happen on 4.3... Now, when music is playing in Walkman, pressing the Walkman button and shaking the phone as I did on JB will pause the song, as if I didn't shake the phone. On Jelly Bean, this feature worked. This should get fixed too.
Hi guys, Sony seems to have solved the problem in an update in... India. I only found that and have not tested it yet: http://www.xperiablog.net/2015/05/22/small-update-rolling-for-xperia-e1-20-1-a-2-19-and-e1-dual-20-1-b-2-29/ It solves the lockscreen and VPN problem. Test it and say if it works or not. I hope they will release a European version soon.
-
VPN problem behind ASA5505 -regular translation creation failed for protocol 50
Dear All,
I have to connect from behind my ASA5505 with a VPN client to another site.
The first time I got this failure:
"Deny protocol 50 src inside:192.168.50.X dst outside:x.x.x.x by access-group "acl_in" [0x0, 0x0]"
Then I opened, from our inside network (src 192.168.50.0) to the remote firewall IP (dst x.x.x.x), UDP 500 and 4500, TCP 500, 4500 and 10000, and ESP.
access-list acl_in extended permit esp host 192.168.50.0 host x.x.x.x eq isakmp
access-list acl_in extended permit udp host 192.168.50.0 host x.x.x.x eq 500
access-list acl_in extended permit udp host 192.168.50.0 host x.x.x.x eq 4500
etc.
After that I could connect to the remote firewall with the VPN client, but I couldn't reach any PCs on their side and ping gives back no answer.
Deny protocol 50 was solved, but I got another problem:
"regular translation creation failed for protocol 50 src inside:192.168.50.X dst outside:x.x.x.x"
I found somewhere that these lines can help:
crypto isakmp nat-traversal
inspect ipsec-pass-thru
But this wasn't useful.
I tried many things but I'm stuck.
Could somebody tell me what I can do to solve this problem?
Thanks for all answers!
The solution was the following for one IP!
object network x.x.x.x (inside IP)
host x.x.x.x (inside IP)
nat (inside,outside) static y.y.y.y (remote IP)
-
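What the two syslog lines in this post mean, as an added Python example that is neither ASA code nor part of the original post: a toy model of the firewall's translation (xlate) decision. It reproduces the failure quoted above, in which dynamic PAT on the outside interface has nothing to rewrite for ESP (IP protocol 50) because ESP carries no port numbers, and shows why the 1:1 static NAT in the solution works for any protocol. The addresses, the `Translator` and `Flow` names and the log strings are constructed for the demo; the strings imitate the ASA message quoted in the post.

```python
"""Toy model of NAT translation (xlate) creation for TCP/UDP versus ESP.

Added example, not ASA code.  Addresses and class names are constructed;
the failure string imitates the ASA syslog message quoted in the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP, UDP, GRE, ESP = 6, 17, 47, 50
NAMES = {TCP: "tcp", UDP: "udp", GRE: "gre", ESP: "esp"}


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols that have no port field
    dport: Optional[int] = None


@dataclass
class Translator:
    outside_ip: str                                          # "nat (inside,outside) dynamic interface"
    static: Dict[str, str] = field(default_factory=dict)     # inside host -> dedicated outside IP
    xlates: Dict[Tuple, Tuple[str, Optional[int]]] = field(default_factory=dict)
    next_port: int = 1024                                    # next free PAT port on outside_ip

    def translate(self, f: Flow) -> str:
        # A static 1:1 mapping rewrites only the address, so it works for any protocol.
        if f.src in self.static:
            out_ip = self.static[f.src]
            self.xlates[(f.proto, f.src, f.sport)] = (out_ip, f.sport)
            return f"static xlate {NAMES[f.proto]} {f.src} -> {out_ip}"
        # Dynamic PAT shares one outside address by rewriting the source port,
        # so an entry can only be built for protocols that have a port field.
        if f.proto in (TCP, UDP):
            key = (f.proto, f.src, f.sport)
            if key not in self.xlates:
                self.xlates[key] = (self.outside_ip, self.next_port)
                self.next_port += 1
            out_ip, out_port = self.xlates[key]
            return f"dynamic xlate {NAMES[f.proto]} {f.src}/{f.sport} -> {out_ip}/{out_port}"
        # ESP or GRE: no port to rewrite and no spare address -> the message from the post.
        return (f"regular translation creation failed for protocol {f.proto} "
                f"src inside:{f.src} dst outside:{f.dst}")


def demo() -> List[str]:
    """The poster's situation: IKE works through PAT, ESP fails, a static NAT fixes it."""
    nat = Translator(outside_ip="203.0.113.5")             # constructed outside address
    client, peer = "192.168.50.10", "198.51.100.20"         # constructed inside host / remote peer
    ike = Flow(UDP, client, peer, 500, 500)
    esp = Flow(ESP, client, peer)
    log = [nat.translate(ike), nat.translate(esp)]
    nat.static[client] = "203.0.113.6"                      # object network ... / nat static y.y.y.y
    log.append(nat.translate(esp))
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

If the remote gateway supports NAT-T, the same ESP traffic arrives wrapped in UDP 4500 and the dynamic PAT succeeds, exactly as it does for the IKE flow in `demo()`; when it does not, every inside host that must reach that peer needs its own outside address, which is the same constraint the PIX reply earlier on this page gives for GRE.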
Remote Access VPN Problem with ASA 5505
After about ~1 year of having the Cisco VPN Client connecting to a ASA 5505 without any problems, suddenly one day it stops working. The client is able to get a connection to the ASA and browse the local network for only about 30 seconds after connection. After that, no access is available to the network behind the ASA. I tried everything that I can think of to try and troubleshoot the problem, but at this point I am just banging my head against a wall. Does anyone know what could cause this?
Here is the running config of the ASA:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http **.**.***.*** 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
And here are the logs from the Cisco VPN Client when it browses, then fails to browse, the network behind the ASA:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 09:44:55.677 10/01/13 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
2 09:44:55.677 10/01/13 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
3 09:44:55.693 10/01/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
4 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100002
Begin connection process
5 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100004
Establish secure connection
6 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "**.**.***.***"
7 09:45:02.802 10/01/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
8 09:45:02.818 10/01/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
9 09:45:02.865 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
10 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
11 09:45:02.896 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
12 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
13 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
14 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
17 09:45:02.927 10/01/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
18 09:45:02.927 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
19 09:45:02.927 10/01/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20 09:45:02.927 10/01/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
21 09:45:02.927 10/01/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 09:45:02.943 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23 09:45:02.943 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24 09:45:02.943 10/01/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 09:45:03.037 10/01/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
26 09:45:03.037 10/01/13 Sev=Info/4 CM/0x63100017
xAuth application returned
27 09:45:03.037 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
28 09:45:03.037 10/01/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
29 09:45:03.037 10/01/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
30 09:45:03.083 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
31 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
32 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
33 09:45:03.083 10/01/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
34 09:45:03.083 10/01/13 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
35 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
36 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
37 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
38 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
39 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
40 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
41 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
42 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
43 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.2.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
45 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
46 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710
47 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
48 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
49 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
50 09:45:03.146 10/01/13 Sev=Info/4 CM/0x63100019
Mode Config data received
51 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
52 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
53 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
54 09:45:03.177 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
55 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
56 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
57 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
58 09:45:03.193 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
59 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
60 09:45:03.193 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to **.**.***.***
61 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=967A3C93 OUTBOUND SPI = 0xAAAF4C1C INBOUND SPI = 0x3EBEBFC5)
62 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xAAAF4C1C
63 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x3EBEBFC5
64 09:45:03.193 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
65 09:45:03.521 10/01/13 Sev=Info/6 CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
66 09:45:03.896 10/01/13 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.70/255.255.255.0
DNS=192.168.2.1,8.8.8.8
WINS=0.0.0.0,0.0.0.0
Domain=NCHCO.local
Split DNS Names=
67 09:45:03.912 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261
68 09:45:07.912 10/01/13 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
69 09:45:07.912 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
**.**.***.*** 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261
70 09:45:07.912 10/01/13 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
71 09:45:07.912 10/01/13 Sev=Info/4 CM/0x6310001A
One secure connection established
72 09:45:07.943 10/01/13 Sev=Info/4 CM/0x6310003B
Address watch added for 96.11.251.149. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73 09:45:07.943 10/01/13 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74 09:45:07.943 10/01/13 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
75 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
76 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
77 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x1c4cafaa into key list
78 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
79 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xc5bfbe3e into key list
80 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
81 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 96.11.251.149. SG: **.**.***.***
82 09:45:07.943 10/01/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
83 09:45:13.459 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
84 09:45:13.459 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205276
85 09:45:13.474 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
86 09:45:13.474 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
87 09:45:13.474 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205276, seq# expected = 107205276
88 09:45:15.959 10/01/13 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0x1c4cafaa for inbound key with SPI=0xc5bfbe3e
89 09:46:00.947 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
90 09:46:00.947 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205277
91 09:46:01.529 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
92 09:46:01.529 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
93 09:46:01.529 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205277, seq# expected = 107205277
94 09:46:11.952 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
95 09:46:11.952 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205278
96 09:46:11.979 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
97 09:46:11.979 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
98 09:46:11.979 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205278, seq# expected = 107205278
Any help would be appreciated, thanks!
I made the change that you requested by moving the VPN pool to the 192.168.3.0 network. Unfortunately, now traffic isn't flowing to the inside network at all. I was going to make a specific route as you suggested, but as far as I can see the routes are already being created correctly on the VPN client's end.
Here is the route print from the computer behind the (test) client:
===========================================================================
Interface List
21...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
10...00 15 5d 01 02 01 ......Microsoft Hyper-V Network Adapter
15...00 15 5d 01 02 02 ......Microsoft Hyper-V Network Adapter #2
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
69.61.228.178 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 On-link 96.11.251.149 261
96.11.251.149 255.255.255.255 On-link 96.11.251.149 261
96.11.251.255 255.255.255.255 On-link 96.11.251.149 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.3 261
192.168.1.3 255.255.255.255 On-link 192.168.1.3 261
192.168.1.255 255.255.255.255 On-link 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.3.1 192.168.3.70 100
192.168.3.0 255.255.255.0 On-link 192.168.3.70 261
192.168.3.70 255.255.255.255 On-link 192.168.3.70 261
192.168.3.255 255.255.255.255 On-link 192.168.3.70 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.3 261
224.0.0.0 240.0.0.0 On-link 96.11.251.149 261
224.0.0.0 240.0.0.0 On-link 192.168.3.70 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.3 261
255.255.255.255 255.255.255.255 On-link 96.11.251.149 261
255.255.255.255 255.255.255.255 On-link 192.168.3.70 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 96.11.251.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 1020 ::/0 2002:c058:6301::c058:6301
14 1020 ::/0 2002:c058:6301::1
1 306 ::1/128 On-link
14 1005 2002::/16 On-link
14 261 2002:600b:fb95::600b:fb95/128
On-link
15 261 fe80::/64 On-link
10 261 fe80::/64 On-link
21 261 fe80::/64 On-link
10 261 fe80::64ae:bae7:3dc0:c8c4/128
On-link
21 261 fe80::e9f7:e24:3147:bd/128
On-link
15 261 fe80::f116:2dfd:1771:125a/128
On-link
1 306 ff00::/8 On-link
15 261 ff00::/8 On-link
10 261 ff00::/8 On-link
21 261 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
And here is the updated running config in case you need it:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
access-list outside_specific_blocks extended deny ip host 121.168.66.35 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
ip local pool VPN_Split_Pool 192.168.3.70-192.168.3.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh 96.11.251.186 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Split_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Split_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Split_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9e8466cd318c0bd35bc660fa65ba7a03
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Thanks again for your help,
Matthew -
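The follow-up above moves the client pool from 192.168.2.70-80 to 192.168.3.70-80 and reports that traffic to the inside network stopped. A check a practitioner would run on a posted ASA 8.4 config before changing a pool is whether every pool address is still matched by an identity (NAT-exempt) twice-NAT rule, because the `nat (inside,any) source static ... destination static ...` lines are what keep inside-to-client traffic from being translated. The script below is an added example, not the poster's or Cisco's code. It parses only the subset of ASA syntax used in the posted config (`name`, `object network` with `subnet`/`host`, `ip local pool`, and `nat ... source static X X destination static Y Y`), over a constructed excerpt of that config, and reports which pool addresses no identity-NAT destination object covers. On this excerpt it reports VPN_Pool as covered by obj-192.168.2.64 and every address of VPN_Split_Pool as uncovered, which is readable off the posted lines: the three identity rules name only obj-192.168.1.0 and obj-192.168.2.64 as destinations, and obj-192.168.3.0 is defined but never used in a nat statement.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.4(1) running-config posted above: only the
# name, object, pool and twice-NAT lines that the coverage check needs.
ASA_CONFIG = """\
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
object network NCHCO
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
 subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
 subnet 0.0.0.0 255.255.255.0
object network Webserver
object network FINX
 host 192.168.2.11
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
ip local pool VPN_Split_Pool 192.168.3.70-192.168.3.80 mask 255.255.255.0
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
"""

# A twice-NAT rule is an identity (NAT-exempt) rule when real and mapped
# objects are the same on both the source and the destination side.
IDENTITY_NAT_RE = re.compile(
    r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_config(text):
    """Return (objects, pools, exempt_destinations) from a subset of ASA syntax.

    objects: object name -> ipaddress network (names from 'name' lines resolved)
    pools:   pool name   -> (first address, last address)
    exempt_destinations: destination object names of identity NAT rules
    """
    names, objects, pools, exempt = {}, {}, {}, []
    current = None  # network object whose body we are inside
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) >= 3:        # name <ip> <alias> ...
            names[parts[2]] = parts[1]
        elif parts[:2] == ["object", "network"]:
            current = parts[2]
        elif parts[0] == "object":                        # object service etc.
            current = None
        elif parts[0] == "subnet" and current:
            addr = names.get(parts[1], parts[1])
            objects[current] = ipaddress.ip_network(f"{addr}/{parts[2]}", strict=False)
        elif parts[0] == "host" and current:
            addr = names.get(parts[1], parts[1])
            objects[current] = ipaddress.ip_network(f"{addr}/32")
        elif parts[:3] == ["ip", "local", "pool"]:        # ip local pool <name> <a>-<b> ...
            first, last = (names.get(tok, tok) for tok in parts[4].split("-"))
            pools[parts[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        else:
            m = IDENTITY_NAT_RE.match(raw.strip())
            if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
                exempt.append(m.group(3))
    return objects, pools, exempt


def uncovered_pool_addresses(config_text):
    """For each VPN pool, list the addresses no identity-NAT destination covers."""
    objects, pools, exempt = parse_config(config_text)
    nets = [ipaddress.ip_network("0.0.0.0/0") if d == "any" else objects[d]
            for d in exempt if d == "any" or d in objects]
    report = {}
    for pool, (first, last) in pools.items():
        report[pool] = [
            str(ipaddress.ip_address(i))
            for i in range(int(first), int(last) + 1)
            if not any(ipaddress.ip_address(i) in n for n in nets)
        ]
    return report


if __name__ == "__main__":
    for pool, missing in uncovered_pool_addresses(ASA_CONFIG).items():
        state = "covered" if not missing else f"NOT exempt: {missing[0]} .. {missing[-1]}"
        print(f"{pool}: {state}")
```

The check deliberately ignores the source side of each rule: for inside-to-client traffic the pool is the destination, and that is the side that must match an identity rule. Run it again after editing a pool or an exemption object and the report should come back empty for every pool that clients are actually assigned from.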
Hello, I have been trying to configure a VPN with a Cisco ASA 5505 and Cisco VPN Client 5.x for 3 weeks and I have not been able to accomplish it, so I decided to reset to factory defaults and start over again.
I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
The tunnel seems to be established properly, since I do see an endpoint when using 'sh crypto isakmp sa', but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so the VPN is not working as expected. I can't ping or RDP to the internal LAN:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
The running-config it created is:
ciscoasa# sh run
: Saved
ASA Version 8.4(2)
hostname ciscoasa
enable password XXXX encrypted
passwd XXXX encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.254 255.255.0.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ADSL_Telefonica
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
subnet 172.16.0.0 255.255.0.0
access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 55
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 55
console timeout 0
vpdn group ADSL_Telefonica request dialout pppoe
vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
vpdn group ADSL_Telefonica ppp authentication pap
vpdn username adslppp@telefonicanetpa password *****
dhcpd auto_config outside
dhcpd address 172.16.2.2-172.16.2.129 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
dns-server value 172.16.1.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
username test password XXXXXX encrypted privilege 0
username test attributes
vpn-group-policy test
username ignacio password XXXXXXX encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool test
default-group-policy test
tunnel-group test ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
: end
Thank you very much for your help
Yes, it was a VPN client problem. I was doing a test with a WWAN card and it seems it is not compatible with Windows 7.
• The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
I should have read the Release Notes before. Thank you very much for your help and effort. -
10.8.5 VPN problems
I am trying to connect to a corporate VPN and I am unable to. Here is what I see in the logs:
Tue Jun 10 17:36:00 2014 : PPTP connecting to server 'xxx.xx.xx.xx' ..
Tue Jun 10 17:36:01 2014 : PPTP connection established.
Tue Jun 10 17:36:01 2014 : PPTP set port-mapping for en1, interface: 5, protocol: 0, privatePort: 0
Tue Jun 10 17:36:01 2014 : using link 0
Tue Jun 10 17:36:01 2014 : Using interface ppp0
Tue Jun 10 17:36:01 2014 : Connect: ppp0 <--> socket[34:17]
Tue Jun 10 17:36:01 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:01 2014 : PPTP port-mapping for en1, interfaceIndex: 0, Protocol: None, Private Port: 0, Public Address: 32a3b143, Public Port: 0, TTL: 0.
Tue Jun 10 17:36:01 2014 : PPTP port-mapping for en1 inconsistent. is Connected: 1, Previous interface: 5, Current interface 0
Tue Jun 10 17:36:01 2014 : PPTP port-mapping for en1 initialized. is Connected: 1, Previous publicAddress: (0), Current publicAddress 32a3b143
Tue Jun 10 17:36:01 2014 : PPTP port-mapping for en1 fully initialized. Flagging up
Tue Jun 10 17:36:02 2014 : rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:02 2014 : lcp_reqci: returning CONFACK.
Tue Jun 10 17:36:02 2014 : sent [LCP ConfAck id=0x1 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:03 2014 : rcvd [LCP ConfReq id=0x2 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:03 2014 : lcp_reqci: returning CONFACK.
Tue Jun 10 17:36:03 2014 : sent [LCP ConfAck id=0x2 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:04 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:04 2014 : rcvd [LCP ConfReq id=0x3 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:04 2014 : lcp_reqci: returning CONFACK.
Tue Jun 10 17:36:04 2014 : sent [LCP ConfAck id=0x3 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:06 2014 : rcvd [LCP ConfReq id=0x4 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:06 2014 : lcp_reqci: returning CONFACK.
Tue Jun 10 17:36:06 2014 : sent [LCP ConfAck id=0x4 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:07 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:10 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:10 2014 : rcvd [LCP ConfReq id=0x5 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:10 2014 : lcp_reqci: returning CONFACK.
Tue Jun 10 17:36:10 2014 : sent [LCP ConfAck id=0x5 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:13 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:15 2014 : rcvd [LCP ConfReq id=0x6 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:15 2014 : lcp_reqci: returning CONFACK.
Tue Jun 10 17:36:15 2014 : sent [LCP ConfAck id=0x6 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:16 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:19 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:22 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:22 2014 : rcvd [LCP ConfReq id=0x7 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:22 2014 : lcp_reqci: returning CONFACK.
Tue Jun 10 17:36:22 2014 : sent [LCP ConfAck id=0x7 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:25 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:28 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:31 2014 : LCP: timeout sending Config-Requests
Tue Jun 10 17:36:31 2014 : Connection terminated.
Tue Jun 10 17:36:31 2014 : PPTP disconnecting...
Tue Jun 10 17:36:31 2014 : PPTP clearing port-mapping for en1
Tue Jun 10 17:36:31 2014 : PPTP disconnected
I had someone else try it from their Mac using my credentials and they were able to connect. Can anyone see what the problem is or how I can debug this further? Are there any other VPN clients I can get to try this with?

From your log above, there are missing authentication challenges sent from the VPN server. Therefore after retrying a few times, the connection is disconnected.
Since you have checked your creds with another user on the same type of machine to the same VPN Server, I guess the other user is at a different location, either your settings on your machine or your internet connection devices may be blocking these challenges.
Is there a different internet connection you could use and retry your VPN connection? -
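A small triage script for a pppd log like the one above, added here as an example and not from the original thread: it pairs every LCP Config-Request with the Config-Ack it got, in each direction, so you can tell a GRE path that works only one way from a credential problem. SAMPLE_LOG is a constructed, trimmed copy in the same format; analyze_lcp is an assumed helper name.

```python
import re
from collections import Counter

# One LCP event per pppd line: "... : sent [LCP ConfReq id=0x1 <asyncmap 0x0> ...]"
LCP_RE = re.compile(r": (?P<dir>sent|rcvd) \[LCP (?P<kind>ConfReq|ConfAck) id=(?P<id>0x[0-9a-fA-F]+)")

# Constructed sample in the format of the excerpt above, trimmed to the essentials.
SAMPLE_LOG = """\
Tue Jun 10 17:36:01 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:02 2014 : rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:02 2014 : sent [LCP ConfAck id=0x1 <auth chap MS-v2> <mru 1460> <magic 0x7770c41c>]
Tue Jun 10 17:36:04 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:07 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1c7df8d8> <pcomp> <accomp>]
Tue Jun 10 17:36:31 2014 : LCP: timeout sending Config-Requests
"""

def analyze_lcp(log: str) -> dict:
    """Pair each LCP Config-Request with its Config-Ack, per direction."""
    our_req = Counter()   # ids of requests we sent -> times sent (retransmits included)
    peer_req = Counter()  # ids of requests the peer sent -> times received
    our_acked, peer_acked = set(), set()
    timeout = False
    for line in log.splitlines():
        if "LCP: timeout sending Config-Requests" in line:
            timeout = True
            continue
        m = LCP_RE.search(line)
        if not m:
            continue
        d, k, i = m["dir"], m["kind"], m["id"]
        if d == "sent" and k == "ConfReq":
            our_req[i] += 1
        elif d == "rcvd" and k == "ConfAck":
            our_acked.add(i)          # the peer answered one of our requests
        elif d == "rcvd" and k == "ConfReq":
            peer_req[i] += 1
        elif d == "sent" and k == "ConfAck":
            peer_acked.add(i)         # we answered one of the peer's requests
    our_unacked = sorted(set(our_req) - our_acked)
    peer_unacked = sorted(set(peer_req) - peer_acked)
    # Inbound GRE works if any peer request arrived; outbound works if any of ours was acked.
    if our_unacked and peer_req and not our_acked:
        verdict = "outbound GRE dropped: peer's requests arrive, ours are never acknowledged"
    elif not our_unacked and not peer_unacked and our_req:
        verdict = "LCP negotiated: look at the authentication (CHAP) phase instead"
    else:
        verdict = "inconclusive"
    return {"our_unacked": our_unacked, "peer_unacked": peer_unacked, "timeout": timeout,
            "retransmits": sum(n - 1 for n in our_req.values()), "verdict": verdict}
```

Run it over the full log excerpt and every peer request (ids 0x1 to 0x7) shows as acknowledged while our id 0x1 is retransmitted until the timeout, which points at the GRE path out of the client rather than at the password.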
RV042 Gateway-Gateway VPN Problem
I have two RV042 routers connected and configured for VPN by the book.
The office site subnet is 192.168.1; The factory site is on 192.168.2.
They have been working flawlessly for three months until yesterday.
Now I cannot ping either subnet from the other.
The DB servers cannot see each other either.
Software firewalls are turned off on both sides.
I used to be able to browse folders by using the remote host's IP address in a Windows Explorer window.
The routers on both sides show a "connected" VPN status, yet nothing works. Also the log files show that the routers are chatting to one another quite happily.
I would welcome ideas from anyone out there.

Success finally.
I found this configuration somewhere on the 'Net. Tried it. It now works.
I (i.e. the original author) found that the problem occurred when I set "Phase2 Encryption".
Finally, I found a solution to fix it.
1. Set "Phase2 Encryption" as NULL
2. In "Advanced" option, set "AH Hash Algorithm" as MD5
3. Enable "Aggressive Mode"
4. Enable "Compress (Support IP Payload Compression Protocol(IPComp))"
5. Enable "Keep-Alive"
6. Enable "Dead Peer Detection (DPD) Interval 10 seconds" -
Westell 9100em - Source of passthrough VPN problems
Hi
I've been reading on a few forums about people setting up passthrough VPN through the Westell and it failing, but it works if set up as the DMZ host in the Westell.
Well, I think I have found the problem in the Westell!
I have exactly that problem. If I connect my VPN enabled server as the DMZ, works fine.
Here is the rub...
If the VPN server is NOT the DMZ host, and you do port forwarding rules to send 1701, 1723 and GRE to the server's IP address, IT STILL SENDS GRE AND 1723 TO THE DMZ HOST!!!!!! I verified it in the logs on the Westell.
I even turned off DMZ, rebooted the modem, etc and it STILL sends GRE and 1723 to the last known DMZ host.
THIS IS A MAJOR BUG!
AND IT EXPLAINS WHY IT DOESN'T WORK as DESCRIBED.
FiOS people, can you pass this forward? I tried to tell tech support about this and was told any port forwarding is NOT SUPPORTED so they won't take a report for it. Good way to fix a problem, huh?

Ok, more on this
If you unbundle the items, ie, instead of one rule with 5-6 forwarding items, and instead list them as 5-6 RULES, it works fine.
So it definitely is their handling of multiple items in a rule.
Verizon, listening, pass this forward please?
Thanks! -
VPN problems on 10.4 Tiger Server
First, I'm going to let people know right up front that I'm a server novice. If I've even reached that level.
At work we have an Xserve, which is running several services, including Mail and VPN. When I'm at home, I can connect right away, but "Authenticating" never takes less than about 30 seconds, and many times never happens at all, forcing me to disconnect and try again. I'm using PPTP, because we've never been able to get L2TP to work.
By far, the most frustrating thing is that when a user like myself tries to connect using VPN during the day, the server (or at least the mail service) will freeze, anywhere from 5 to 20 minutes, sometimes longer, requiring a hard restart. So the end result is that VPN can only be used after hours.
I'd really appreciate it if any server gurus out there could give me some suggestions of things to try.

Brenton Bills wrote:
We have a separate firewall--a Sonicwall--and I'm pretty sure all the necessary ports are open. And the Sonicwall's own VPN is off.
I'm also running into problems with our VPN. I have a 10.4 server with a SonicWall firewall. I can connect (using L2TP) when I'm on the same network as the server, but when I go home, I can't access it. My firewall returns the following in the log. What I'm wondering is, how were you able to get the SonicWall to allow VPN connections to the server?
2 04/15/2008 21:06:42.080 Warning VPN IKE Received packet retransmission. Drop duplicate packet 66.30.4.125, 61620, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 4500 VPN Policy: WAN GroupVPN
3 04/15/2008 21:06:42.080 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x0) *(ID) 66.30.4.125, 61620, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 4500
4 04/15/2008 21:06:39.000 Notice Network Access UDP packet from LAN dropped 192.168.30.251, 3283, X0 192.168.30.1, 3283, X0 IP Protocol: 0 Port: 0
5 04/15/2008 21:06:36.000 Info DHCP Relay DHCP OFFER received from server 73.218.184.1, 67, X1 255.255.255.255, 68 IP=0.0.0.0, HostName:
6 04/15/2008 21:06:32.080 Warning VPN IKE Received packet retransmission. Drop duplicate packet 66.30.4.125, 61620, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 4500 VPN Policy: WAN GroupVPN
7 04/15/2008 21:06:32.080 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x0) *(ID) 66.30.4.125, 61620, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 4500
8 04/15/2008 21:06:30.048 Debug VPN IKE SENDING>>>> ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x0) *(KE, NATD, NATD, NON, VID, VID, VID) 74.94.150.141, 500 66.30.4.125, 500, c-66-30-4-125.hsd1.ma.comcast.net
9 04/15/2008 21:06:30.048 Info VPN IKE IKE Responder: Remote party timeout - Retransmitting IKE request. 74.94.150.141, 500 66.30.4.125, 500, c-66-30-4-125.hsd1.ma.comcast.net VPN Policy: WAN GroupVPN
10 04/15/2008 21:06:26.368 Notice Network Access Unknown protocol dropped 73.218.184.1, 17, X1 224.0.0.1, 17, ALL-SYSTEMS.MCAST.NET IP Protocol: 2
11 04/15/2008 21:06:22.144 Warning VPN IKE Received packet retransmission. Drop duplicate packet 66.30.4.125, 61620, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 4500 VPN Policy: WAN GroupVPN
12 04/15/2008 21:06:22.144 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x0) *(ID) 66.30.4.125, 61620, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 4500
13 04/15/2008 21:06:20.048 Debug VPN IKE SENDING>>>> ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x0) *(KE, NATD, NATD, NON, VID, VID, VID) 74.94.150.141, 500 66.30.4.125, 500, c-66-30-4-125.hsd1.ma.comcast.net
14 04/15/2008 21:06:20.048 Info VPN IKE IKE Responder: Remote party timeout - Retransmitting IKE request. 74.94.150.141, 500 66.30.4.125, 500, c-66-30-4-125.hsd1.ma.comcast.net VPN Policy: WAN GroupVPN
15 04/15/2008 21:06:19.000 Info DHCP Relay DHCP OFFER received from server 73.218.184.1, 67, X1 255.255.255.255, 68 IP=0.0.0.0, HostName:
16 04/15/2008 21:06:12.240 Debug VPN IKE SENDING>>>> ISAKMP OAK INFO (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x759DEDFE) (NOTIFY:PAYLOAD_MALFORMED) 74.94.150.141, 4500 66.30.4.125, 61620, c-66-30-4-125.hsd1.ma.comcast.net
17 04/15/2008 21:06:12.240 Warning VPN IKE Failed payload verification after decryption; possible preshared key mismatch 66.30.4.125, 61620, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 4500 VPN Policy: WAN GroupVPN
18 04/15/2008 21:06:12.240 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x0) *(ID) 66.30.4.125, 61620, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 4500
19 04/15/2008 21:06:12.176 Debug VPN IKE SENDING>>>> ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID) 74.94.150.141, 500 66.30.4.125, 500, c-66-30-4-125.hsd1.ma.comcast.net
20 04/15/2008 21:06:12.176 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
21 04/15/2008 21:06:12.176 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x0) (KE, NON, NATD, NATD) 66.30.4.125, 500, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 500
22 04/15/2008 21:06:12.144 Debug VPN IKE SENDING>>>> ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0xb6fb61bae153efed, MsgID: 0x0) (SA, VID, VID) 74.94.150.141, 500 66.30.4.125, 500, c-66-30-4-125.hsd1.ma.comcast.net
23 04/15/2008 21:06:12.144 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 66.30.4.125, 500, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 500
24 04/15/2008 21:06:12.144 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0xc505104d83dbb545 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID) 66.30.4.125, 500, c-66-30-4-125.hsd1.ma.comcast.net (admin) 74.94.150.141, 500
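A triage script for a SonicWall IKE log like the one above, added here as an example and not from the original thread: it reads how far main mode got (SA, KE or ID exchange), whether NAT-T moved the peer to UDP 4500, and whether the responder reported a pre-shared key mismatch or kept retransmitting. SAMPLE_IKE_LOG is constructed in the same format with documentation addresses; triage_ike is an assumed helper name.

```python
import re

# Constructed patterns for the SonicWall format above: direction, exchange type, an
# optional "*" marking an encrypted payload list, the payloads, then "addr, port" pairs.
EXCH_RE = re.compile(
    r"(?P<dir>RECEIVED<<<|SENDING>>>>) ISAKMP OAK (?P<exch>MM|INFO) \([^)]*\) "
    r"(?P<enc>\*?)\((?P<payloads>[^)]*)\)(?P<rest>.*)$"
)
PORT_RE = re.compile(r", (\d+)\b")
MM_STEP = {"SA": 1, "KE": 2, "ID": 3}  # main-mode message pairs 1-2, 3-4, 5-6

# Constructed sample in the same format, with documentation addresses.
SAMPLE_IKE_LOG = """\
17 04/15/2008 21:06:12.240 Warning VPN IKE Failed payload verification after decryption; possible preshared key mismatch 203.0.113.5, 61620 (admin) 198.51.100.7, 4500 VPN Policy: WAN GroupVPN
18 04/15/2008 21:06:12.240 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0x1 RespCookie:0x2, MsgID: 0x0) *(ID) 203.0.113.5, 61620 (admin) 198.51.100.7, 4500
20 04/15/2008 21:06:12.176 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
21 04/15/2008 21:06:12.176 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0x1 RespCookie:0x2, MsgID: 0x0) (KE, NON, NATD, NATD) 203.0.113.5, 500 (admin) 198.51.100.7, 500
23 04/15/2008 21:06:12.144 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 203.0.113.5, 500 (admin) 198.51.100.7, 500
24 04/15/2008 21:06:12.144 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0x1 RespCookie:0x0, MsgID: 0x0) (SA, VID, VID) 203.0.113.5, 500 (admin) 198.51.100.7, 500
"""

def triage_ike(log: str) -> dict:
    """Work out how far IKE main mode got and why it stopped."""
    steps, nat_t, floated = set(), False, False
    psk_mismatch = retransmits = dup_drops = 0
    for line in log.splitlines():
        nat_t |= "behind a NAT/NAPT Device" in line
        psk_mismatch += "possible preshared key mismatch" in line
        retransmits += "Retransmitting IKE request" in line
        dup_drops += "Drop duplicate packet" in line
        m = EXCH_RE.search(line)
        if not m or m["exch"] != "MM":
            continue
        first = m["payloads"].split(",")[0].strip()
        if first in MM_STEP:
            steps.add(MM_STEP[first])
        floated |= "4500" in PORT_RE.findall(m["rest"])  # NAT-T moved the SA to UDP 4500
    step = max(steps, default=0)
    if psk_mismatch and step >= 3:
        verdict = "psk_mismatch"        # identities exchanged, but decryption failed
    elif step and (retransmits or dup_drops):
        verdict = "phase1_stalled"      # replies are not getting through
    elif step:
        verdict = "phase1_in_progress"
    else:
        verdict = "no_main_mode_seen"
    return {"step": step, "nat_t": nat_t, "floated_to_4500": floated,
            "psk_mismatch": psk_mismatch, "retransmits": retransmits,
            "dup_drops": dup_drops, "verdict": verdict}
```

On the real excerpt the result is the same as on the sample: phase 1 reaches the encrypted ID exchange on port 4500 and the payload fails verification, so the group pre-shared key on the client and on the WAN GroupVPN policy is the first thing to compare.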