PPTP VPN does not work if and only if there are 2 Cisco routers

Unanswered Question

Let's consider 2 sites:

A: client site (where I may change the config of the router if necessary)

B: server site (where I've NO authority on server nor router config)

I am trying to use the standard PPTP VPN of Windows 2003. TCP 1723 + GRE are correctly configured on the B site to enable NAT for the VPN.

My observation is: if the A or B router is not Cisco, the VPN works correctly.

If both the A and B routers are Cisco, then when connecting, the client hangs on "verifying username and password".

I reproduced this situation with several routers:

A = Cisco Soho96 and B = Cisco 878

A = Cisco 831 and B = Cisco 827

A = Cisco 878 and B = Cisco 827

What could be changed in the router of A to let this VPN work correctly in every situation?

Thanks in advance,

Kind regards,

Guy


Hi,

I have no access to the config of the B router, but I assume that this config is correct because if I change the router at A, the VPN works successfully.

Below is the config of the router at A, e.g. the 831:

Thanks for your help.

Kind regards,

Guy

!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ineocable
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 x
!
no aaa new-model
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.59
ip dhcp excluded-address 192.168.2.100 192.168.2.254
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool CLIENT
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 192.168.2.110
   lease 0 2
!
!
ip cef
ip name-server 192.168.2.110
ip ddns update method ineodns
 HTTP
  add x
  remove y
 interval maximum 0 0 1 0
!
!
!
!
username x
username y
username z
!
!
!
!
!
interface Ethernet0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 description $ETH-WAN$
 ip dhcp client update dns server none
 ip ddns update hostname www.ineodns.be
 ip ddns update ineodns
 ip address dhcp client-id Ethernet1
 ip nat outside
 ip virtual-reassembly
 duplex auto
 no cdp enable
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip route 192.168.1.0 255.255.255.0 192.168.2.140
ip route 192.168.20.0 255.255.255.0 192.168.2.2
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 102 interface Ethernet1 overload
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit gre 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end

Below are the IP NAT translations during the user/password verification:

Pro Inside global      Inside local        Outside local       Outside global
udp a.b.c.d:1031       192.168.2.60:1031   192.168.3.112:161   192.168.3.112:161
tcp a.b.c.d:1561       192.168.2.60:1561   x.y.z.t:1723        x.y.z.t:1723
gre a.b.c.d:33767      192.168.2.60:33767  x.y.z.t:33767       x.y.z.t:33767
gre a.b.c.d:49152      192.168.2.60:49152  x.y.z.t:49152       x.y.z.t:49152

(x.y.z.t is the IP of B)

I assume there is no device in the path with a low MTU. I've tried with 3 ISPs (ADSL, SDSL, cable). I've tried from 2 different sites. In every situation, in A, there is only 1 PC + 1 router, which is the default gateway.

Guy
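To read a translation table like the one in the post above at a glance, here is an added Python helper (not from the thread and not Cisco code) that parses `show ip nat translations` output and, per inside host and PPTP server, reports whether the TCP 1723 control session is present, which GRE call IDs are being translated, and whether NAT on this router rewrote a call ID. The embedded sample is constructed from Guy's table, with his placeholder addresses kept.

```python
import re
from collections import defaultdict

# Constructed sample: the four rows from the post above, placeholder IPs kept.
SAMPLE = """\
Pro Inside global      Inside local        Outside local       Outside global
udp a.b.c.d:1031       192.168.2.60:1031   192.168.3.112:161   192.168.3.112:161
tcp a.b.c.d:1561       192.168.2.60:1561   x.y.z.t:1723        x.y.z.t:1723
gre a.b.c.d:33767      192.168.2.60:33767  x.y.z.t:33767       x.y.z.t:33767
gre a.b.c.d:49152      192.168.2.60:49152  x.y.z.t:49152       x.y.z.t:49152
"""

# One translation row: protocol, then four addr:port columns. For GRE rows the
# PPTP ALG puts the call ID in the port position, so that is what we compare.
ROW = re.compile(r"^(tcp|udp|gre)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)$")


def parse_translations(text):
    """Return one dict per matching row; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, ig, igp, il, ilp, ol, olp, og, ogp = m.groups()
        rows.append({"proto": proto,
                     "inside_global": (ig, int(igp)), "inside_local": (il, int(ilp)),
                     "outside_local": (ol, int(olp)), "outside_global": (og, int(ogp))})
    return rows


def pptp_sessions(rows):
    """Group rows by (inside host, PPTP peer). Report whether the TCP 1723 control
    session exists, the GRE call IDs in translation, and whether NAT on this
    router rewrote a call ID (inside global port differs from inside local)."""
    out = defaultdict(lambda: {"control": False, "gre_call_ids": [], "call_id_rewritten": False})
    for r in rows:
        key = (r["inside_local"][0], r["outside_global"][0])
        if r["proto"] == "tcp" and r["outside_global"][1] == 1723:
            out[key]["control"] = True
        elif r["proto"] == "gre":
            out[key]["gre_call_ids"].append(r["inside_local"][1])
            if r["inside_global"][1] != r["inside_local"][1]:
                out[key]["call_id_rewritten"] = True
    # Keep only pairs that carry PPTP traffic; the SNMP (udp/161) row drops out.
    return {k: v for k, v in out.items() if v["control"] or v["gre_call_ids"]}


if __name__ == "__main__":
    for (host, peer), info in pptp_sessions(parse_translations(SAMPLE)).items():
        print(host, "->", peer, info)
```

On the posted table this yields one host/peer pair with the control session up, two GRE call IDs (33767 and 49152) and no call-ID rewrite on router A, which is the state to compare against a capture taken with a non-Cisco router at A.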
