06-21-2007 12:12 AM - edited 03-03-2019 05:32 PM
Let's consider 2 sites:
A: client site (where I may change the config of the router if necessary)
B: server site (where I've NO authority on server nor router config)
I'm trying to use the standard PPTP VPN of Windows 2003. TCP 1723 + GRE are correctly configured at the B site to enable NAT for the VPN.
My observation is: if the A or B router is not Cisco, the VPN works correctly.
If both the A and B routers are Cisco, then when connecting, the client hangs on "verifying username and password".
I reproduced this situation with several routers:
A = Cisco Soho96 and B = Cisco 878
A = Cisco 831 and B = Cisco 827
A = Cisco 878 and B = Cisco 827
What could be changed in the router of A to let this VPN work correctly in every situation?
Thanks in advance,
Kind regards,
Guy
06-21-2007 07:21 AM
Hi,
Can you post the configs of both routers?
Krisztian
06-21-2007 07:31 AM
Hi,
I have no access to the config of the B router, but I assume that this config is correct because if I change the router at A, the VPN works successfully.
Below is the config of the router at A, e.g. the 831.
Thanks for the help.
Kind regards,
Guy
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ineocable
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 x
!
no aaa new-model
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.59
ip dhcp excluded-address 192.168.2.100 192.168.2.254
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool CLIENT
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.110
lease 0 2
!
!
ip cef
ip name-server 192.168.2.110
ip ddns update method ineodns
HTTP
add x
remove y
interval maximum 0 0 1 0
!
!
!
!
username x
username y
username z
!
!
!
!
!
interface Ethernet0
description $ETH-LAN$
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 32 in
!
interface Ethernet1
description $ETH-WAN$
ip dhcp client update dns server none
ip ddns update hostname www.ineodns.be
ip ddns update ineodns
ip address dhcp client-id Ethernet1
ip nat outside
ip virtual-reassembly
duplex auto
no cdp enable
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip route 192.168.1.0 255.255.255.0 192.168.2.140
ip route 192.168.20.0 255.255.255.0 192.168.2.2
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 102 interface Ethernet1 overload
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit gre 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
!
control-plane
!
!
line con 0
exec-timeout 120 0
login local
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end
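The checks a reviewer would run over a client-side config like the one above can be scripted. The following is an added example (my own code, not from this thread, from Cisco or from IOS) that lints the PPTP-through-PAT prerequisites: the NAT inside/outside boundary, that the overload statement points at the outside interface, that the LAN prefix is matched by a `permit ip` line in the NAT ACL (a `permit ip` line matches every IP protocol, GRE included, so a separate `permit gre` for the same source is redundant), whether an MSS clamp is present on the LAN side, and whether management is plaintext HTTP only. `CONFIG` is a constructed excerpt of the posted config containing only the lines the checks read; the finding names are this example's own.

```python
"""Lint a client-side IOS config for PPTP-through-PAT prerequisites.

Added example for this thread, not code from the thread or from Cisco.
CONFIG is a constructed excerpt of the posted 831 config; the check
names (nat-boundary, pat, acl, mss, mgmt) are made up for this example.
"""
import ipaddress
import re

# Constructed excerpt of the posted config (only the lines the checks read).
CONFIG = """\
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip nat outside
ip http server
ip http access-class 23
no ip http secure-server
ip nat inside source list 102 interface Ethernet1 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit gre 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
line vty 0 4
 access-class 23 in
"""


def parse_interfaces(cfg):
    """Return {name: [stripped lines under it]} for every 'interface' stanza."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            current = None            # any other top-level line ends the stanza
    return ifaces


def wildcard_to_network(addr, wildcard):
    """ACL 'net wildcard' -> IPv4Network (wildcard is the inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def lint(cfg):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    ifaces = parse_interfaces(cfg)
    inside = [n for n, lines in ifaces.items() if "ip nat inside" in lines]
    outside = [n for n, lines in ifaces.items() if "ip nat outside" in lines]
    if len(inside) != 1 or len(outside) != 1:
        findings.append("nat-boundary: expected exactly one inside and one outside interface")
        return findings
    # LAN prefix from the inside interface's static address
    lan = None
    for line in ifaces[inside[0]]:
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            lan = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
    # PAT statement: which ACL selects traffic and which interface it overloads on
    m = re.search(r"^ip nat inside source list (\d+) interface (\S+) overload$", cfg, re.M)
    if not m:
        findings.append("pat: no 'ip nat inside source list ... overload' statement")
        return findings
    acl, pat_if = m[1], m[2]
    if pat_if != outside[0]:
        findings.append(f"pat: overload interface {pat_if} is not the 'ip nat outside' interface {outside[0]}")
    # ACL entries of the form 'permit <proto> <net> <wildcard> any'
    entries = [(proto, wildcard_to_network(addr, wc)) for proto, addr, wc in
               re.findall(rf"^access-list {acl} permit (\S+) (\S+) (\S+) any$", cfg, re.M)]
    ip_nets = [net for proto, net in entries if proto == "ip"]
    if lan and not any(lan.subnet_of(net) for net in ip_nets):
        findings.append(f"acl: LAN {lan} is not matched by a 'permit ip' line, TCP 1723 would not be translated")
    for proto, net in entries:
        if proto != "ip" and net in ip_nets:
            findings.append(f"acl: 'permit {proto} {net}' is redundant, 'permit ip' already matches every IP protocol (GRE is 47)")
    # MSS clamp on the LAN side, the usual mitigation when tunnel overhead breaks path MTU
    if not any(line.startswith("ip tcp adjust-mss") for line in ifaces[inside[0]]):
        findings.append(f"mss: no 'ip tcp adjust-mss' on {inside[0]}")
    # Management plane: HTTP on and HTTPS off means credentials cross the LAN in clear
    if re.search(r"^ip http server$", cfg, re.M) and re.search(r"^no ip http secure-server$", cfg, re.M):
        findings.append("mgmt: HTTP management enabled without HTTPS")
    if not re.search(r"^ip http access-class \d+$", cfg, re.M):
        findings.append("mgmt: HTTP server has no access-class restriction")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
```

On the excerpt above the NAT wiring comes out clean (one inside, one outside, the overload bound to the outside interface, the LAN matched by `permit ip`), and the script reports three things: the redundant `permit gre` line, the absent MSS clamp, and HTTP-only management. Adding ` ip tcp adjust-mss 1300` under Ethernet0 removes the `mss` finding.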
06-21-2007 10:14 AM
Hi,
Seems to be OK, but I think the
access-list 102 permit gre 192.168.2.0 0.0.0.255 any is not needed.
Let's try to remove it and post the show ip nat translations. Anyway, is there any device in the path with a lower MTU?
Krisztian
06-21-2007 10:48 PM
Below is the IP NAT translation table during the user/password verification:
Pro  Inside global    Inside local         Outside local       Outside global
udp  a.b.c.d:1031     192.168.2.60:1031    192.168.3.112:161   192.168.3.112:161
tcp  a.b.c.d:1561     192.168.2.60:1561    x.y.z.t:1723        x.y.z.t:1723
gre  a.b.c.d:33767    192.168.2.60:33767   x.y.z.t:33767       x.y.z.t:33767
gre  a.b.c.d:49152    192.168.2.60:49152   x.y.z.t:49152       x.y.z.t:49152
(x.y.z.t is the IP of B)
I assume there is no device in the path with a low MTU. I've tried with 3 ISPs (ADSL, SDSL, cable). I've tried from 2 different sites. In every situation, at A there is only 1 PC + 1 router, which is the default gateway.
Guy
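GRE has no ports, so the number the router prints after the colon on the `gre` rows of the table above can only be the PPTP call ID: a PPTP-aware PAT has to track call IDs because they are the only field by which inbound GRE can be returned to the right inside host. The "verifying username and password" stage is the first step that runs over GRE rather than over TCP 1723 (PPP authentication inside the tunnel), so a client that gets that far and stalls has a working control channel and a data channel that is not making it through in both directions. The following added example (my own code, not from this thread, from Cisco IOS or from Windows) models the call-ID handling from RFC 2637: it builds the two control messages that carry call IDs (Outgoing-Call-Request and Outgoing-Call-Reply), builds and parses the enhanced GRE header, and runs a toy PAT that rewrites call IDs on the way out and back for two inside hosts that happen to pick the same call ID. The hosts, call IDs and the translator's allocation policy are made up for the example.

```python
"""Model of PPTP call-ID handling through a PAT device (RFC 2637).

Added example for this thread, not code from the thread, from Cisco IOS or
from Windows. Hosts, call IDs and the outside-ID allocation policy are made up.
"""
import struct

MAGIC = 0x1A2B3C4D
OCRQ, OCRP = 7, 8                              # Outgoing-Call-Request / -Reply
GRE_PPP = 0x880B                               # Protocol Type: PPP in enhanced GRE
GRE_K, GRE_S, GRE_A = 0x2000, 0x1000, 0x0080   # Key / Sequence / Ack present


def control_header(ctrl_type, length):
    # Length, PPTP Message Type (1 = control), Magic Cookie, Control Message Type, Reserved0
    return struct.pack("!HHIHH", length, 1, MAGIC, ctrl_type, 0)


def build_ocrq(call_id, serial=0, phone=b""):
    """Client -> server: 'open a call; address GRE toward me with call_id'."""
    body = struct.pack("!HHIIIIHHHH", call_id, serial, 300, 100_000_000,
                       1, 3, 64, 0, len(phone), 0)    # bearer, framing, window, delay
    body += phone.ljust(64, b"\0") + bytes(64)        # Phone Number, Subaddress
    return control_header(OCRQ, 12 + len(body)) + body  # 168 bytes


def build_ocrp(call_id, peer_call_id):
    """Server -> client: 'my ID for this call is call_id; yours, echoed, is peer_call_id'."""
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0,
                       100_000_000, 64, 0, 0)         # result 1 = connected
    return control_header(OCRP, 12 + len(body)) + body  # 32 bytes


def control_type(msg):
    length, mtype, magic, ctype, _ = struct.unpack_from("!HHIHH", msg)
    if mtype != 1 or magic != MAGIC or length != len(msg):
        raise ValueError("not a PPTP control message")
    return ctype


def build_gre(call_id, payload, seq=None, ack=None):
    """Enhanced GRE: Key high word = payload length, Key low word = receiver's call ID."""
    flags = GRE_K | 1                                 # Ver = 1
    flags |= GRE_S if seq is not None else 0
    flags |= GRE_A if ack is not None else 0
    hdr = struct.pack("!HHHH", flags, GRE_PPP, len(payload), call_id)
    hdr += struct.pack("!I", seq) if seq is not None else b""
    hdr += struct.pack("!I", ack) if ack is not None else b""
    return hdr + payload


def parse_gre(pkt):
    flags, proto, length, call_id = struct.unpack_from("!HHHH", pkt)
    if proto != GRE_PPP or not flags & GRE_K or flags & 7 != 1:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if flags & GRE_S:
        seq = struct.unpack_from("!I", pkt, off)[0]; off += 4
    if flags & GRE_A:
        ack = struct.unpack_from("!I", pkt, off)[0]; off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + length]}


class PptpPat:
    """Toy PPTP-aware PAT. Inbound GRE can only be demultiplexed by call ID, so
    the client's call ID must be unique on the outside: rewrite it in the
    OCRQ (outbound), in the OCRP's Peer's Call ID (inbound) and in GRE (inbound)."""

    def __init__(self, first_outside_id=1024):       # hypothetical allocation policy
        self.next_id = first_outside_id
        self.table = {}                               # outside call id -> (inside host, inside call id)

    def outbound_control(self, inside_host, msg):
        if control_type(msg) != OCRQ:
            return msg
        inside_id = struct.unpack_from("!H", msg, 12)[0]   # Call ID at offset 12
        outside_id, self.next_id = self.next_id, self.next_id + 1
        self.table[outside_id] = (inside_host, inside_id)
        return msg[:12] + struct.pack("!H", outside_id) + msg[14:]

    def inbound_control(self, msg):
        """Returns (inside host, rewritten message); Peer's Call ID is at offset 14."""
        if control_type(msg) != OCRP:
            return None, msg
        host, inside_id = self.table[struct.unpack_from("!H", msg, 14)[0]]
        return host, msg[:14] + struct.pack("!H", inside_id) + msg[16:]

    def inbound_gre(self, pkt):
        """Returns (inside host, rewritten packet); the call ID is bytes 6-7 of the header."""
        host, inside_id = self.table[parse_gre(pkt)["call_id"]]
        return host, pkt[:6] + struct.pack("!H", inside_id) + pkt[8:]


def demo():
    """Two inside hosts behind one PAT address both pick call ID 1."""
    pat = PptpPat()
    out_a = pat.outbound_control("192.168.2.60", build_ocrq(1))
    out_b = pat.outbound_control("192.168.2.61", build_ocrq(1))
    id_a, id_b = (struct.unpack_from("!H", m, 12)[0] for m in (out_a, out_b))
    # the server answers host B's call with its own call ID 7 and echoes B's translated ID
    host, reply = pat.inbound_control(build_ocrp(7, id_b))
    # the server's first GRE data packet toward B carries B's translated ID
    gre_host, gre = pat.inbound_gre(build_gre(id_b, b"\xc2\x23\x01", seq=0))
    return {"outside_ids": (id_a, id_b), "reply_host": host,
            "peer_id_seen_by_b": struct.unpack_from("!H", reply, 14)[0],
            "gre_host": gre_host, "gre_call_id_seen_by_b": parse_gre(gre)["call_id"]}


if __name__ == "__main__":
    print(demo())
```

Without the rewrite step, the second host's OCRQ would collide with the first on the outside and every inbound GRE packet with call ID 1 would be handed to whichever host the PAT learned first; with it, each host sees its own call ID 1 on both the control channel and the data channel. Whether a given router performs this translation correctly for a given server is exactly what the `gre` rows of the translation table are the evidence for.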
06-22-2007 01:29 AM
Hi,
It is definitely strange. What if you try to set it up to terminate the PPTP on the router instead of forwarding it to the host on the LAN?
Krisztian
06-22-2007 05:13 AM
As far as I understand your suggestion, this should be implemented in the router on the VPN server side? But I'm not allowed to access the config of this router (located at a customer, a public institution).
Regards,
Guy
06-24-2007 09:01 AM
Yes, I thought that. If you have another router on the shelf, you can make a test on that. Anyway, have you tried to sniff on the PC to see what happens?
Krisztian
06-26-2007 06:17 AM
As written in the 1st message, if on my site (the client site) I replace the Cisco router with a Linksys router, it works immediately.
I'm not allowed to install any sniffer on the server site.
Regards,
Guy
06-26-2007 06:50 AM
Hi,
Then I think it should be an MTU issue. Let's try to issue ip tcp adjust-mss 1300 under the LAN interface. I know you tried different access technologies, but just to be sure.
Krisztian
06-26-2007 07:18 AM
Hi,
I've applied this to my Cisco router (client side of the VPN). E0 is the LAN interface of the router.
interface E0
ip tcp adjust-mss 1300
But it is still impossible to get connected to the VPN server.
Regards,
Guy
06-21-2007 11:50 PM
I've removed the "permit gre" line in ACL 102. It now looks like this:
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
But it does not help.
(I had added this line to see if it was better.)
Guy