PPtP VPN does not work if and only if 2 Cisco routers

guy.colsoul
Level 1

Let's consider 2 sites:

A: client site (where I may change the config of the router if necessary)

B: server site (where I've NO authority on server nor router config)

I try to use the standard PPtP VPN of Windows 2003. TCP 1723 + GRE are correctly configured on the B site to enable NAT for the VPN.

My observation is: if A or B routers are not Cisco, the VPN works correctly.

If A and B routers are Cisco, then when connecting, the client hangs on "verifying username and password".

I reproduce this situation with several routers:

A = Cisco Soho96 and B = Cisco 878

A = Cisco 831 and B = Cisco 827

A = Cisco 878 and B = Cisco 827

What could be changed in the router of A to let this VPN work correctly in every situation?

Thanks in advance,

Kind regards,

Guy

11 Replies

kerek
Level 4

Hi,

Can you post the configs of both routers?

Krisztian

Hi,

I've no access to the config of the B router. But I assume that this config is correct because if I change the router at A, the VPN works successfully.

Below is the config of the router at A, e.g. the 831.

Thanks for help.

Kind regards,

Guy

!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ineocable
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 x
!
no aaa new-model
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.59
ip dhcp excluded-address 192.168.2.100 192.168.2.254
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool CLIENT
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 192.168.2.110
   lease 0 2
!
!
ip cef
ip name-server 192.168.2.110
ip ddns update method ineodns
 HTTP
  add x
  remove y
 interval maximum 0 0 1 0
!
!
!
!
username x
username y
username z
!
!
!
!
!
interface Ethernet0
 description $ETH-LAN$
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 description $ETH-WAN$
 ip dhcp client update dns server none
 ip ddns update hostname www.ineodns.be
 ip ddns update ineodns
 ip address dhcp client-id Ethernet1
 ip nat outside
 ip virtual-reassembly
 duplex auto
 no cdp enable
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip route 192.168.1.0 255.255.255.0 192.168.2.140
ip route 192.168.20.0 255.255.255.0 192.168.2.2
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 102 interface Ethernet1 overload
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit gre 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end

Hi,

Seems to be ok, but I think the "access-list 102 permit gre 192.168.2.0 0.0.0.255 any" is not needed.

Let's try to remove it and post the show ip nat translations. Anyway, is there any device in the path with a lower MTU?

Krisztian

Below is the IP NAT translation during the user/password verification:

Pro  Inside global   Inside local        Outside local       Outside global
udp  a.b.c.d:1031    192.168.2.60:1031   192.168.3.112:161   192.168.3.112:161
tcp  a.b.c.d:1561    192.168.2.60:1561   x.y.z.t:1723        x.y.z.t:1723
gre  a.b.c.d:33767   192.168.2.60:33767  x.y.z.t:33767       x.y.z.t:33767
gre  a.b.c.d:49152   192.168.2.60:49152  x.y.z.t:49152       x.y.z.t:49152

(x.y.z.t is the IP of B)

I assume there is no device in the path with a low MTU. I've tried with 3 ISPs (adsl, sdsl, cable). I've tried from 2 different sites. In every situation, in A, there is only 1 PC + 1 router which is the default gateway.

Guy
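An added example (Python, not from the thread) that reads the show ip nat translations output posted above and reports, per PPTP server, whether both the TCP 1723 control channel and the GRE call-ID entries are being translated. The placeholder addresses a.b.c.d and x.y.z.t are replaced by constructed documentation addresses; the hostnames and the function names are my own.

```python
import re

# Constructed sample mirroring the table in the thread: 203.0.113.10
# stands in for the router's public address (a.b.c.d), 198.51.100.20 for B.
SAMPLE = """\
Pro Inside global       Inside local        Outside local        Outside global
udp 203.0.113.10:1031   192.168.2.60:1031   192.168.3.112:161    192.168.3.112:161
tcp 203.0.113.10:1561   192.168.2.60:1561   198.51.100.20:1723   198.51.100.20:1723
gre 203.0.113.10:33767  192.168.2.60:33767  198.51.100.20:33767  198.51.100.20:33767
gre 203.0.113.10:49152  192.168.2.60:49152  198.51.100.20:49152  198.51.100.20:49152
"""

# One translation row: proto plus four addr:port pairs. For GRE rows IOS shows
# the PPTP call ID in the port column.
ENTRY = re.compile(r"^(tcp|udp|gre)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)$")

def parse_translations(text):
    """Return a list of (proto, inside_global, inside_local, outside_local,
    outside_global) with each endpoint as (host, port-or-call-id)."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:  # header line or non-matching entries are skipped
            continue
        g = m.groups()
        rows.append((g[0], (g[1], int(g[2])), (g[3], int(g[4])),
                     (g[5], int(g[6])), (g[7], int(g[8]))))
    return rows

def pptp_status(text):
    """For each PPTP server seen (a tcp/1723 outside-global endpoint) report
    how many GRE call-ID entries exist to it and whether the router rewrote
    the client's call ID (inside-global call ID != inside-local call ID)."""
    rows = parse_translations(text)
    status = {}
    for proto, ig, il, ol, og in rows:
        if proto == "tcp" and og[1] == 1723:
            gre = [r for r in rows if r[0] == "gre" and r[4][0] == og[0]]
            status[og[0]] = {
                "control_src_port": ig[1],
                "gre_entries": len(gre),
                "call_id_rewritten": any(r[1][1] != r[2][1] for r in gre),
            }
    return status

if __name__ == "__main__":
    for server, info in pptp_status(SAMPLE).items():
        print(server, info)
```

A server with a control channel but zero GRE entries is the pattern to look for when a PPTP client stalls after the TCP handshake, since the PPP authentication itself travels inside GRE.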

Hi,

It is definitely strange. What if you try to set up to terminate the PPTP on the router instead of forwarding it to the host on the LAN?

Krisztian

As far as I understand your suggestion, this should be implemented in the router on the VPN server side? But I'm not allowed to get access to the config of this router. (Located at a customer, a public institution.)

Regards,

Guy

Yes. I thought that. If you have another router on the shelf you can make a test on that. Anyway, have you tried to make some sniff on the PC to see what happens?

Krisztian

As written in the 1st message, if on my site (the client site) I replace the Cisco router with a Linksys router, it works immediately.

I'm not allowed to install any sniffer on the server site.

Regards,

Guy

Hi,

Then I think it should be an MTU issue. Let's try to issue the ip tcp adjust-mss 1300 under the LAN interface. I know you tried different access technologies, but just to be sure.

Krisztian

Hi,

I've applied this to my Cisco router (client side of the VPN). E0 is the LAN interface of the router.

interface E0
 ip tcp adjust-mss 1300

But it is still impossible to get connected to the VPN server.

Regards,

Guy

I've removed the "permit gre" line in acl 102. It looks now like this:

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any

But it does not help.

(I had added this line to see if it was any better.)

Guy
