1. Home
  2. Cisco Systems
  3. Cisco 1721 Router

Cisco 1721 Router

I am having troubles getting my Windows computers using the Windows VPN to connect using data encryption from XP and Vista. If I uncheck the option "Require data encryption (disconnect if none)" in the Windows VPN client, everything works fine, I connect, authenticate, get the DHCP address, and everything is fine. If I check the option for Require data encryption, it will disconnect. Obviously I know that it's not encrypting the data, but I don't know how to get it to. Below is my configuration (IP addresses and Passwords changed):

Current configuration : 5337 bytes ! ! Last configuration change at 16:25:26 CST Wed Oct 28 2009 by david ! NVRAM config last updated at 16:43:08 CST Wed Oct 28 2009 by david ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname Router ! boot-start-marker boot-end-marker ! enable password 7 password ! clock timezone CST -5 mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 aaa new-model ! ! aaa authentication login TRAuthList group radius local aaa authentication login userauthen group radius local aaa authentication ppp default group radius local aaa authorization network default if-authenticated aaa authorization auth-proxy default group radius aaa session-id common ip subnet-zero ! ! no ip domain lookup ! ip cef ip inspect name dialer1_out tcp ip inspect name dialer1_out udp ip inspect name dialer1_out ftp ip inspect name dialer1_out realaudio ip inspect name dialer1_out netshow ip inspect name dialer1_out h323 ip inspect name dialer1_out streamworks ip inspect name dialer1_out vdolive ip inspect name dialer1_out rtsp ip inspect name dialer1_out cuseeme ip inspect name dialer1_out rcmd ip inspect name dialer1_out sqlnet ip inspect name dialer1_out fragment maximum 256 timeout 1 ip inspect name dialer1_out rpc program-number 1 ip audit po max-events 100 vpdn enable vpdn ip udp ignore checksum ! vpdn-group PPTP-Radius ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 ! vpdn-group pppoe request-dialin protocol pppoe ! async-bootp dns-server 192.168.x.x 192.168.x.x async-bootp nbns-server 192.168.x.x 192.168.x.x ! ! username espadmin password 7 password username david privilege 15 password 7 password ! ! ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group neteng pool pptppool ! crypto isakmp client configuration group VPN key 3spint dns 192.168.x.x 192.168.x.x domain esp-seals.com acl 111 ! ! crypto ipsec transform-set trans2 esp-3des esp-md5-hmac ! crypto dynamic-map vpndyn 10 set transform-set trans2 ! ! crypto map nemap client authentication list vpnauthen crypto map nemap isakmp authorization list vpnauthor crypto map nemap client configuration address initiate crypto map nemap client configuration address respond crypto map nemap 10 ipsec-isakmp dynamic vpndyn ! ! ! interface ATM0 no ip address no ip mroute-cache no atm ilmi-keepalive bundle-enable dsl operating-mode auto ! interface ATM0.1 point-to-point pvc 0/32 pppoe-client dial-pool-number 1 ! ! interface FastEthernet0 ip address 1.1.1.1 255.255.255.0 ip helper-address 192.168.x.x ip nat inside ip policy route-map nonat speed 100 full-duplex crypto map nemap ! interface Virtual-Template1 ip unnumbered FastEthernet0 ip helper-address 192.168.x.x ip mroute-cache peer default ip address dhcp ppp encrypt mppe auto ppp authentication ms-chap ms-chap-v2 ! interface Dialer1 mtu 1492 ip address [outside IP] 255.255.255.240 ip access-group 102 in ip nat outside encapsulation ppp dialer pool 1 no cdp enable ppp authentication chap pap callin ppp chap hostname username ppp chap password 7 password ppp pap sent-username username password 7 password ! router eigrp 100 network 1.1.1.1 no auto-summary ! ip local policy route-map nonat ip nat pool INTERNET [outside IP] [outside IP] netmask 255.255.255.240 ip nat inside source route-map nat pool INTERNET overload ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 ip http server no ip http secure-server ! ! ip radius source-interface FastEthernet0 logging trap debugging logging facility local2 access-list 101 permit ip 1.1.1.0 0.0.0.255 192.168.221.0 0.0.0.255 access-list 101 permit ip 2.2.2.0 0.0.0.255 192.168.221.0 0.0.0.255 access-list 101 permit ip 3.3.3.0 0.0.0.255 192.168.221.0 0.0.0.255 access-list 101 permit ip 4.4.4.0 0.0.0.255 192.168.221.0 0.0.0.255 access-list 101 permit ip 5.5.5.0 0.0.0.255 192.168.221.0 0.0.0.255 access-list 101 permit ip 192.168.x.0 0.0.0.31 192.168.221.0 0.0.0.255 access-list 102 permit esp any any access-list 102 permit udp any any eq isakmp access-list 102 permit udp any any eq ntp access-list 102 permit tcp any any eq 1723 access-list 102 permit gre any any access-list 102 permit icmp any any access-list 102 permit tcp any any eq www access-list 111 permit ip 1.1.1.0 0.0.0.255 any access-list 199 remark Global_NAT_Out access-list 199 permit ip 1.1.1.0 0.0.0.255 any access-list 199 permit ip 192.168.x.0 0.0.0.31 any access-list 199 permit ip 2.2.2.0 0.0.0.255 any access-list 199 permit ip 4.4.4.0 0.0.0.255 any access-list 199 permit ip 6.6.0.0 0.0.255.255 any ! route-map nonat permit 20 match ip address 101 set ip next-hop 172.31.254.1 ! route-map nat permit 10 match ip address 199 ! snmp-server community 3spint RO radius-server host 192.168.x.x auth-port 1645 acct-port 1646 radius-server key 7 [key] radius-server vsa send authentication ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 exec-timeout 0 0 login authentication userauthen transport input telnet ssh ! ntp clock-period 17180033 ntp server 192.168.x.x end

Then here is the part of the debug ppp negotiation after the authentication is successful but the option Require data encryption is checked and it fails to connect:

Oct 29 13:07:03.387: Vi2 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S= [long number letter combo]" Oct 29 13:07:03.387: Vi2 PPP: Phase is UP Oct 29 13:07:03.387: Vi2 IPCP: O CONFREQ [Closed] id 1 len 10 Oct 29 13:07:03.387: Vi2 IPCP: Address 1.1.1.207 (0x0306DD1515CF) Oct 29 13:07:03.391: Vi2 PPP: Process pending ncp packets Oct 29 13:07:03.391: Vi2 CCP: O CONFREQ [Closed] id 1 len 10 Oct 29 13:07:03.395: Vi2 CCP: MS-PPC supported bits 0x01000060 (0x120601000060) Oct 29 13:07:03.459: Vi2 CCP: I CONFREQ [REQsent] id 7 len 10 Oct 29 13:07:03.459: Vi2 CCP: MS-PPC supported bits 0x01000040 (0x120601000040) Oct 29 13:07:03.459: Vi2 CCP: O CONFACK [REQsent] id 7 len 10 Oct 29 13:07:03.463: Vi2 CCP: MS-PPC supported bits 0x01000040 (0x120601000040) Oct 29 13:07:03.463: Vi2 CCP: I CONFNAK [ACKsent] id 1 len 10 Oct 29 13:07:03.463: Vi2 CCP: MS-PPC supported bits 0x01000040 (0x120601000040) Oct 29 13:07:03.463: Vi2 CCP: O CONFREQ [ACKsent] id 2 len 10 Oct 29 13:07:03.463: Vi2 CCP: MS-PPC supported bits 0x01000040 (0x120601000040) Oct 29 13:07:03.463: Vi2 IPCP: I CONFREQ [REQsent] id 8 len 34 Oct 29 13:07:03.463: Vi2 IPCP: Address 0.0.0.0 (0x030600000000) Oct 29 13:07:03.463: Vi2 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000) Oct 29 13:07:03.467: Vi2 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000) Oct 29 13:07:03.467: Vi2 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000) Oct 29 13:07:03.467: Vi2 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000) Oct 29 13:07:03.467: Vi2 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0 Oct 29 13:07:03.467: Vi2 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0 Oct 29 13:07:03.535: Vi2 CCP: I CONFACK [ACKsent] id 2 len 10 Oct 29 13:07:03.535: Vi2 CCP: MS-PPC supported bits 0x01000040 (0x120601000040) Oct 29 13:07:03.539: Vi2 CCP: State is Open Oct 29 13:07:03.539: Vi2 CCP: O TERMREQ [Open] id 3 len 4 Oct 29 13:07:03.595: Vi2 IPCP: Pool returned 1.1.1.51 Oct 29 13:07:03.595: Vi2 IPCP: O CONFNAK [REQsent] id 8 len 34 Oct 29 13:07:03.595: Vi2 IPCP: Address 1.1.1.51 (0x0306DD151533) Oct 29 13:07:03.595: Vi2 IPCP: PrimaryDNS 192.168.x.x (0x8106C0A80A02) Oct 29 13:07:03.595: Vi2 IPCP: PrimaryWINS 192.168.x.x (0x8206C0A80A02) Oct 29 13:07:03.595: Vi2 IPCP: SecondaryDNS 192.168.x.x (0x8306C0A80A14) Oct 29 13:07:03.595: Vi2 IPCP: SecondaryWINS 192.168.x.x (0x8406C0A80A14) Oct 29 13:07:03.595: Vi2 IPCP: I CONFACK [REQsent] id 1 len 10 Oct 29 13:07:03.599: Vi2 IPCP: Address 1.1.1.207 (0x0306DD1515CF) Oct 29 13:07:03.607: Vi2 CCP: I TERMACK [TERMsent] id 3 len 4 Oct 29 13:07:03.607: Vi2 CCP: State is Closed Oct 29 13:07:03.611: Vi2 LCP: I TERMREQ [Open] id 9 len 16 (0x34185FD9003CCD74000002E6) Oct 29 13:07:03.611: Vi2 LCP: O TERMACK [Open] id 9 len 4 Oct 29 13:07:03.611: Vi2 PPP: Sending Acct Event[Down] id[4A] Oct 29 13:07:03.615: Vi2 PPP: Phase is TERMINATING Oct 29 13:07:03.699: Vi2 PPP: Block vaccess from being freed [0x18] Oct 29 13:07:03.703: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down Oct 29 13:07:03.703: Vi2 LCP: State is Closed Oct 29 13:07:03.703: Vi2 PPP: Phase is DOWN Oct 29 13:07:03.707: Vi2 IPCP: State is Closed Oct 29 13:07:03.707: Vi2 PPP: Unlocked by [0x10] Still Locked by [0xA] Oct 29 13:07:03.707: Vi2 PPP: Send Message[Disconnect] Oct 29 13:07:03.707: Vi2 PPP: Unlocked by [0x8] Still Locked by [0x2] Oct 29 13:07:03.707: Vi2 PPP: Unlocked by [0x2] Still Locked by [0x0] Oct 29 13:07:03.707: Vi2 PPP: Free previously blocked vaccess

Any help is greatly appreciate. I have been fighting this for quite some time now and want to put it in production.

Reply to
David
Loading thread data ...

In the interface Virtual-Template1 I use:

compress mppc ppp encrypt mppe auto required ppp authentication ms-chap ppp pap refuse

This works.

Reply to
Rob

I tried this and it is still doing the same thing. If it helps too, this only happens after it authenticates, and is "Registering computer on the network." On the Vista machine it show you can try and diagnose, try again, or choose another connection, but on the XP machine it says "Error 742: the remote computer does not support the requred data encryption type." Is the data still being encrypted even if I have the box "require encryptions" unchecked?

Reply to
David

I assumed you use PPTP with its associated encryption (mppe) but it seems you have configured network encryption on top of that?

Reply to
Rob

How would I change it to use PPTP with it's associated encryption and not network encryption on top of it?

Reply to
David

You configure only a PPTP connection on the calling PC. Not the whole network encryption (IPsec) stuff.

Reply to
Rob

I basically started from scratch and redid the config. Here is what it looks like now:

Current configuration : 3084 bytes ! ! Last configuration change at 14:50:35 CST Thu Oct 29 2009 by david ! NVRAM config last updated at 14:11:52 CST Thu Oct 29 2009 by david ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname Inet3 ! boot-start-marker boot-end-marker ! enable password 7 password ! clock timezone CST -5 mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 aaa new-model ! ! aaa authentication login TRAuthList group radius local aaa authentication login userauthen group radius local aaa authentication ppp default group radius local aaa authorization network default if-authenticated aaa authorization auth-proxy default group radius aaa session-id common ip subnet-zero ! ! no ip domain lookup ip domain name esp-seals.com ! ip cef ip audit po max-events 100 vpdn enable vpdn ip udp ignore checksum ! vpdn-group PPTP-Radius ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 ! vpdn-group pppoe request-dialin protocol pppoe ! async-bootp dns-server 192.168.x.x 192.168.x.x async-bootp nbns-server 192.168.x.x 192.168.x.x ! ! username espadmin password 7 password username david privilege 15 password 7 password ! ! ! ! ! interface ATM0 no ip address no ip mroute-cache no atm ilmi-keepalive bundle-enable dsl operating-mode auto ! interface ATM0.1 point-to-point pvc 0/32 pppoe-client dial-pool-number 1 ! ! interface FastEthernet0 ip address 1.1.1.1 255.255.255.0 speed 100 full-duplex ! interface Virtual-Template1 ip unnumbered FastEthernet0 ip helper-address 192.168.x.x peer default ip address dhcp compress mppc ppp encrypt mppe auto required ppp authentication ms-chap ms-chap-v2 ppp pap refuse

! interface Dialer1 mtu 1492 ip address [outside IP] 255.255.255.240 encapsulation ppp dialer pool 1 no cdp enable ppp authentication chap pap callin ppp chap hostname username ppp chap password 7 password ppp pap sent-username username password 7 password ! router eigrp 100 network 1.1.1.0 no auto-summary ! ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 ip http server ip http authentication local ip http secure-server ! ! logging trap debugging logging facility local2 ! snmp-server community key RO radius-server host 192.168.x.x auth-port 1645 acct-port 1646 radius-server key 7 key radius-server vsa send authentication ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 exec-timeout 0 0 login authentication userauthen transport input telnet ssh ! ntp clock-period 17180080 ntp server 192.168.x.x end

The same thing is happening, but now there is another line in the debug ppp negotiation:

Oct 29 20:28:57.429: Vi5 MPPE: Required encryption not negotiated

I'm assuming it is disconnecting due to no encryption, but the client (Windows Vista vpn) has the require encryption checked. I took off all NAT and ACLs just to make sure. I am really confused here.

Reply to
David

Anyone have any ideas on this one?

Reply to
David

try ppp encrypt mppe auto passive ppp authentication ms-chap-v2

and leave Require data encryption (disconnect if none) unticked at the client.

once connected look at the vpn connection details and you should see mppe encryption on the connection

Mike

Reply to
mikeyb

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.