Cisco 1721 Router



I am having troubles getting my Windows computers using the Windows
VPN to connect using data encryption from XP and Vista.  If I uncheck
the option "Require data encryption (disconnect if none)" in the
Windows VPN client, everything works fine, I connect, authenticate,
get the DHCP address, and everything is fine.  If I check the option
for Require data encryption, it will disconnect.  Obviously I know
that it's not encrypting the data, but I don't know how to get it to.
Below is my configuration (IP addresses and Passwords changed):

Current configuration : 5337 bytes
!
! Last configuration change at 16:25:26 CST Wed Oct 28 2009 by david
! NVRAM config last updated at 16:43:08 CST Wed Oct 28 2009 by david
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password 7 password
!
clock timezone CST -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login TRAuthList group radius local
aaa authentication login userauthen group radius local
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
aaa authorization auth-proxy default group radius
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
ip inspect name dialer1_out tcp
ip inspect name dialer1_out udp
ip inspect name dialer1_out ftp
ip inspect name dialer1_out realaudio
ip inspect name dialer1_out netshow
ip inspect name dialer1_out h323
ip inspect name dialer1_out streamworks
ip inspect name dialer1_out vdolive
ip inspect name dialer1_out rtsp
ip inspect name dialer1_out cuseeme
ip inspect name dialer1_out rcmd
ip inspect name dialer1_out sqlnet
ip inspect name dialer1_out fragment maximum 256 timeout 1
ip inspect name dialer1_out rpc program-number 1
ip audit po max-events 100
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group PPTP-Radius
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
async-bootp dns-server 192.168.x.x 192.168.x.x
async-bootp nbns-server 192.168.x.x 192.168.x.x
!
!
username espadmin password 7 password
username david privilege 15 password 7 password
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group neteng
 pool pptppool
!
crypto isakmp client configuration group VPN
 key 3spint
 dns 192.168.x.x 192.168.x.x
 domain esp-seals.com
 acl 111
!
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
!
crypto dynamic-map vpndyn 10
 set transform-set trans2
!
!
crypto map nemap client authentication list vpnauthen
crypto map nemap isakmp authorization list vpnauthor
crypto map nemap client configuration address initiate
crypto map nemap client configuration address respond
crypto map nemap 10 ipsec-isakmp dynamic vpndyn
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/32
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 ip helper-address 192.168.x.x
 ip nat inside
 ip policy route-map nonat
 speed 100
 full-duplex
 crypto map nemap
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 ip helper-address 192.168.x.x
 ip mroute-cache
 peer default ip address dhcp
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
!
interface Dialer1
 mtu 1492
 ip address [outside IP] 255.255.255.240
 ip access-group 102 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname username
 ppp chap password 7 password
 ppp pap sent-username username password 7 password
!
router eigrp 100
 network 1.1.1.1
 no auto-summary
!
ip local policy route-map nonat
ip nat pool INTERNET [outside IP] [outside IP] netmask 255.255.255.240
ip nat inside source route-map nat pool INTERNET overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
ip radius source-interface FastEthernet0
logging trap debugging
logging facility local2
access-list 101 permit ip 1.1.1.0 0.0.0.255 192.168.221.0 0.0.0.255
access-list 101 permit ip 2.2.2.0 0.0.0.255 192.168.221.0 0.0.0.255
access-list 101 permit ip 3.3.3.0 0.0.0.255 192.168.221.0 0.0.0.255
access-list 101 permit ip 4.4.4.0 0.0.0.255 192.168.221.0 0.0.0.255
access-list 101 permit ip 5.5.5.0 0.0.0.255 192.168.221.0 0.0.0.255
access-list 101 permit ip 192.168.x.0 0.0.0.31 192.168.221.0 0.0.0.255
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq ntp
access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
access-list 102 permit icmp any any
access-list 102 permit tcp any any eq www
access-list 111 permit ip 1.1.1.0 0.0.0.255 any
access-list 199 remark Global_NAT_Out
access-list 199 permit ip 1.1.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.x.0 0.0.0.31 any
access-list 199 permit ip 2.2.2.0  0.0.0.255 any
access-list 199 permit ip 4.4.4.0 0.0.0.255 any
access-list 199 permit ip 6.6.0.0 0.0.255.255 any
!
route-map nonat permit 20
 match ip address 101
 set ip next-hop 172.31.254.1
!
route-map nat permit 10
 match ip address 199
!
snmp-server community 3spint RO
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
radius-server key 7 [key]
radius-server vsa send authentication
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 login authentication userauthen
 transport input telnet ssh
!
ntp clock-period 17180033
ntp server 192.168.x.x
end

Then here is the part of the debug ppp negotiation after the
authentication is successful but the option Require data encryption is
checked and it fails to connect:

Oct 29 13:07:03.387: Vi2 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=[long number letter combo]"
Oct 29 13:07:03.387: Vi2 PPP: Phase is UP
Oct 29 13:07:03.387: Vi2 IPCP: O CONFREQ [Closed] id 1 len 10
Oct 29 13:07:03.387: Vi2 IPCP:    Address 1.1.1.207 (0x0306DD1515CF)
Oct 29 13:07:03.391: Vi2 PPP: Process pending ncp packets
Oct 29 13:07:03.391: Vi2 CCP: O CONFREQ [Closed] id 1 len 10
Oct 29 13:07:03.395: Vi2 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
Oct 29 13:07:03.459: Vi2 CCP: I CONFREQ [REQsent] id 7 len 10
Oct 29 13:07:03.459: Vi2 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Oct 29 13:07:03.459: Vi2 CCP: O CONFACK [REQsent] id 7 len 10
Oct 29 13:07:03.463: Vi2 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Oct 29 13:07:03.463: Vi2 CCP: I CONFNAK [ACKsent] id 1 len 10
Oct 29 13:07:03.463: Vi2 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Oct 29 13:07:03.463: Vi2 CCP: O CONFREQ [ACKsent] id 2 len 10
Oct 29 13:07:03.463: Vi2 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Oct 29 13:07:03.463: Vi2 IPCP: I CONFREQ [REQsent] id 8 len 34
Oct 29 13:07:03.463: Vi2 IPCP:    Address 0.0.0.0 (0x030600000000)
Oct 29 13:07:03.463: Vi2 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Oct 29 13:07:03.467: Vi2 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
Oct 29 13:07:03.467: Vi2 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Oct 29 13:07:03.467: Vi2 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
Oct 29 13:07:03.467: Vi2 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, we want 0.0.0.0
Oct 29 13:07:03.467: Vi2 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, we want 0.0.0.0
Oct 29 13:07:03.535: Vi2 CCP: I CONFACK [ACKsent] id 2 len 10
Oct 29 13:07:03.535: Vi2 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Oct 29 13:07:03.539: Vi2 CCP: State is Open
Oct 29 13:07:03.539: Vi2 CCP: O TERMREQ [Open] id 3 len 4
Oct 29 13:07:03.595: Vi2 IPCP: Pool returned 1.1.1.51
Oct 29 13:07:03.595: Vi2 IPCP: O CONFNAK [REQsent] id 8 len 34
Oct 29 13:07:03.595: Vi2 IPCP:    Address 1.1.1.51 (0x0306DD151533)
Oct 29 13:07:03.595: Vi2 IPCP:    PrimaryDNS 192.168.x.x (0x8106C0A80A02)
Oct 29 13:07:03.595: Vi2 IPCP:    PrimaryWINS 192.168.x.x (0x8206C0A80A02)
Oct 29 13:07:03.595: Vi2 IPCP:    SecondaryDNS 192.168.x.x (0x8306C0A80A14)
Oct 29 13:07:03.595: Vi2 IPCP:    SecondaryWINS 192.168.x.x (0x8406C0A80A14)
Oct 29 13:07:03.595: Vi2 IPCP: I CONFACK [REQsent] id 1 len 10
Oct 29 13:07:03.599: Vi2 IPCP:    Address 1.1.1.207 (0x0306DD1515CF)
Oct 29 13:07:03.607: Vi2 CCP: I TERMACK [TERMsent] id 3 len 4
Oct 29 13:07:03.607: Vi2 CCP: State is Closed
Oct 29 13:07:03.611: Vi2 LCP: I TERMREQ [Open] id 9 len 16 (0x34185FD9003CCD74000002E6)
Oct 29 13:07:03.611: Vi2 LCP: O TERMACK [Open] id 9 len 4
Oct 29 13:07:03.611: Vi2 PPP: Sending Acct Event[Down] id[4A]
Oct 29 13:07:03.615: Vi2 PPP: Phase is TERMINATING
Oct 29 13:07:03.699: Vi2 PPP: Block vaccess from being freed [0x18]
Oct 29 13:07:03.703: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
Oct 29 13:07:03.703: Vi2 LCP: State is Closed
Oct 29 13:07:03.703: Vi2 PPP: Phase is DOWN
Oct 29 13:07:03.707: Vi2 IPCP: State is Closed
Oct 29 13:07:03.707: Vi2 PPP: Unlocked by [0x10] Still Locked by [0xA]
Oct 29 13:07:03.707: Vi2 PPP: Send Message[Disconnect]
Oct 29 13:07:03.707: Vi2 PPP: Unlocked by [0x8] Still Locked by [0x2]
Oct 29 13:07:03.707: Vi2 PPP: Unlocked by [0x2] Still Locked by [0x0]
Oct 29 13:07:03.707: Vi2 PPP: Free previously blocked vaccess

Any help is greatly appreciated.  I have been fighting this for quite
some time now and want to put it in production.
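To make the CCP lines in a trace like the one above readable, here is an added Python example (not from this thread or from Cisco) that decodes the MS-PPC option bytes shown in parentheses according to RFC 3078 (MPPE) and RFC 2118 (MPPC) and reports which encryption mode the two ends finally acknowledged; the sample log is constructed from the values in the post.

```python
import re
# CCP option type 18 ("MS-PPC" supported bits) as defined in RFC 3078 (MPPE) and RFC 2118 (MPPC).
MSPPC_OPTION_TYPE = 0x12
MSPPC_BITS = {
    0x01000000: "H (stateless mode)",
    0x00000080: "M (56-bit MPPE)",
    0x00000040: "S (128-bit MPPE)",
    0x00000020: "L (40-bit MPPE)",
    0x00000001: "C (MPPC compression)",
}
# Constructed sample in the shape of the thread's "debug ppp negotiation" output.
SAMPLE_DEBUG = """\
Oct 29 13:07:03.391: Vi2 CCP: O CONFREQ [Closed] id 1 len 10
Oct 29 13:07:03.395: Vi2 CCP:    MS-PPC supported bits 0x01000060 (0x120601000060)
Oct 29 13:07:03.463: Vi2 CCP: I CONFNAK [ACKsent] id 1 len 10
Oct 29 13:07:03.463: Vi2 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
Oct 29 13:07:03.535: Vi2 CCP: I CONFACK [ACKsent] id 2 len 10
Oct 29 13:07:03.535: Vi2 CCP:    MS-PPC supported bits 0x01000040 (0x120601000040)
"""
PACKET_RE = re.compile(r"CCP: ([IO]) (CONF(?:REQ|ACK|NAK|REJ)|TERM(?:REQ|ACK))")
OPTION_RE = re.compile(r"MS-PPC supported bits 0x[0-9A-Fa-f]+ \(0x([0-9A-Fa-f]+)\)")

def decode_msppc_option(option_hex):
    """Decode one raw CCP option: type(1) length(1) supported-bits(4), big-endian."""
    raw = bytes.fromhex(option_hex)
    if len(raw) != 6 or raw[0] != MSPPC_OPTION_TYPE or raw[1] != 6:
        raise ValueError("not a well-formed MS-PPC option: " + option_hex)
    bits = int.from_bytes(raw[2:], "big")
    flags = [name for mask, name in MSPPC_BITS.items() if bits & mask]
    if bits & ~sum(MSPPC_BITS):  # bits the table above does not define
        flags.append("unknown bits 0x%08x" % (bits & ~sum(MSPPC_BITS)))
    return {"bits": bits, "flags": flags}

def parse_ccp_negotiation(debug_text):
    """Attach each MS-PPC option line to the CCP packet line printed just before it."""
    packets = []
    for line in debug_text.splitlines():
        pkt = PACKET_RE.search(line)
        opt = OPTION_RE.search(line)
        if pkt:
            packets.append({"dir": "sent" if pkt.group(1) == "O" else "received",
                            "code": pkt.group(2), "option": None})
        elif opt and packets and packets[-1]["option"] is None:
            packets[-1]["option"] = decode_msppc_option(opt.group(1))
    return packets

def agreed_encryption(packets):
    """The last acknowledged proposal is what both ends agreed to run."""
    acks = [p for p in packets if p["code"] == "CONFACK" and p["option"]]
    return acks[-1]["option"]["flags"] if acks else []
```

Run against the post's own trace, the router first offers stateless 128-bit or 40-bit MPPE (0x01000060), the client NAKs it down to stateless 128-bit only (0x01000040), and that proposal is acknowledged, which is why the log reaches "CCP: State is Open" before the link is torn down.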

Re: Cisco 1721 Router


In the interface Virtual-Template1 I use:

 compress mppc
 ppp encrypt mppe auto required
 ppp authentication ms-chap
 ppp pap refuse

This works.

Re: Cisco 1721 Router



I tried this and it is still doing the same thing.  If it helps too,
this only happens after it authenticates, and is "Registering computer
on the network."  On the Vista machine it shows you can try and
diagnose, try again, or choose another connection, but on the XP
machine it says "Error 742: the remote computer does not support the
required data encryption type."  Is the data still being encrypted even
if I have the box "require encryption" unchecked?

Re: Cisco 1721 Router



I assumed you use PPTP with its associated encryption (mppe) but
it seems you have configured network encryption on top of that?

Re: Cisco 1721 Router



How would I change it to use PPTP with its associated encryption and
not network encryption on top of it?

Re: Cisco 1721 Router



You configure only a PPTP connection on the calling PC.  Not the
whole network encryption (IPsec) stuff.

Re: Cisco 1721 Router


I basically started from scratch and redid the config.  Here is what
it looks like now:

Current configuration : 3084 bytes
!
! Last configuration change at 14:50:35 CST Thu Oct 29 2009 by david
! NVRAM config last updated at 14:11:52 CST Thu Oct 29 2009 by david
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Inet3
!
boot-start-marker
boot-end-marker
!
enable password 7 password
!
clock timezone CST -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login TRAuthList group radius local
aaa authentication login userauthen group radius local
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
aaa authorization auth-proxy default group radius
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip domain name esp-seals.com
!
ip cef
ip audit po max-events 100
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group PPTP-Radius
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
async-bootp dns-server 192.168.x.x 192.168.x.x
async-bootp nbns-server 192.168.x.x 192.168.x.x
!
!
username espadmin password 7 password
username david privilege 15 password 7 password
!
!
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/32
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 speed 100
 full-duplex
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 ip helper-address 192.168.x.x
 peer default ip address dhcp
 compress mppc
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
 ppp pap refuse

!
interface Dialer1
 mtu 1492
 ip address [outside IP] 255.255.255.240
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname username
 ppp chap password 7 password
 ppp pap sent-username username password 7 password
!
router eigrp 100
 network 1.1.1.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
logging facility local2
!
snmp-server community key RO
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
radius-server key 7 key
radius-server vsa send authentication
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 login authentication userauthen
 transport input telnet ssh
!
ntp clock-period 17180080
ntp server 192.168.x.x
end


The same thing is happening, but now there is another line in the
debug ppp negotiation:

Oct 29 20:28:57.429: Vi5 MPPE: Required encryption not negotiated

I'm assuming it is disconnecting due to no encryption, but the client
(Windows Vista vpn) has the require encryption checked.  I took off
all NAT and ACLs just to make sure.  I am really confused here.

Re: Cisco 1721 Router


Anyone have any ideas on this one?

Re: Cisco 1721 Router


try
ppp encrypt mppe auto passive
ppp authentication ms-chap-v2

and leave Require data encryption (disconnect if none) unticked at the
client.

once connected look at the vpn connection details and you should see
mppe encryption on the connection

Mike
