11-28-2007 01:55 PM - edited 02-21-2020 03:24 PM
I have a very simple dial-in VPN test, which ALMOST works, but not quite.
I can connect up with my "testvpn" user just fine, my workstation gets a 192.168.1.240 address from the VPDN pool, but I cannot PING the router 192.168.1.1 or another device that I've got connected on my router's internal 4-port switch 192.168.1.239.
I don't have any access lists (except for the one that defines my inside NAT range).
I suspect that I'm missing one stupid thing... any ideas?
-----------------------------------------
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname temp192168
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip domain name xxxxxxxxx.xxx
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name CIS
 l2tp tunnel password 7
 ip mtu adjust
!
!
username myuser secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
username testvpn password 7 xxxxxxxxxxxxxxxxxxxxxxx
!
interface Loopback0
 description 192.168.255.1 just for internal PING & Telnet test
 ip address 192.168.255.1 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN link to Internet
 ip address xxx.xxx.xxx.23 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool VPDN
 ppp encrypt mppe auto
 ppp authentication ms-chap
!
interface Vlan1
 description inside LAN address
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool VPDN 192.168.1.240 192.168.1.250
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
11-28-2007 02:25 PM
FYI: here's the Cisco CLI output from a PING of my locally connected device, a PING of my VPN connected workstation, the output from the "show vpdn tunnel" command, the output from the "show caller ip" command, and finally the output of the "show ip route" command. Everything seems normal, so why can't I PING between my VPN-connected workstation and anything on my 192.168.1.x net?
temp192168#ping 192.168.1.239
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.239, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
temp192168#ping 192.168.1.240
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.240, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
temp192168#show vpdn tunnel all
%No active L2TP tunnels
PPTP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 7, 1 active sessions
Tunnel state is estabd, time since change 00:00:43
Remote tunnel name is
Internet Address xxx.x.xxx.3, port 2199
Local tunnel name is CIS
Internet Address xxx.x.xxx.23, port 1723
VPDN group: 1
72 packets sent, 96 received, 3741 bytes sent, 5224 received
Last clearing of "show vpdn" counters never
temp192168#show caller ip
  Line     User       IP Address      Local Number    Remote Number   <->
  Vi3      testvpn    192.168.1.240   -               -               in
temp192168#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is xxx.xxx.xxx.1 to network 0.0.0.0
xxx.xxx.xxx.0/25 is subnetted, 1 subnets
C xxx.xxx.xxx.0 is directly connected, FastEthernet4
C 192.168.255.0/24 is directly connected, Loopback0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan1
C 192.168.1.240/32 is directly connected, Virtual-Access3
S* 0.0.0.0/0 [1/0] via xxx.xxx.xxx.1
temp192168#
11-28-2007 02:48 PM
Never mind... I found my error.
Earlier in the day I was working on a different model router (with different interface names) and I put the wrong interface name into my Virtual-Template1 config.
Instead of "ip unnumbered FastEthernet0"
I used "ip unnumbered Vlan1" and it started working!
Too bad I can't rate my own replies, eh?
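The mistake found in the last post can be caught before a config is applied. The following is an added example, not part of the original thread: a Python check that flags any `ip unnumbered` pointing at an interface with no static address and lists the interfaces whose network contains the peer pool. The function names and the sample text are constructed for illustration.

```python
import ipaddress
import re
SAMPLE = """\
interface FastEthernet0
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool VPDN
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
ip local pool VPDN 192.168.1.240 192.168.1.250
"""  # constructed sample: the relevant stanzas of the configuration in the thread

def parse(config):
    """Return ({interface: [sub-commands]}, {pool name: (first, last)})."""
    ifaces, pools, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], [])
        elif m := re.fullmatch(r"ip local pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif line == "!":
            cur = None  # "!" closes the current interface stanza
        elif cur is not None:
            cur.append(line)
    return ifaces, pools

def arg(cmds, pattern):
    """First capture group of the first sub-command fully matching `pattern`, else None."""
    return next((m[1] for c in cmds if (m := re.fullmatch(pattern, c))), None)

def network_of(cmds):
    """Connected network from a static 'ip address <addr> <mask>' line, else None."""
    am = arg(cmds, r"ip address (\d\S* \d\S*)")
    return ipaddress.ip_network(am.replace(" ", "/"), strict=False) if am else None

def check_unnumbered(config):
    """Yield (interface, donor, candidates) for each unnumbered donor with no address."""
    ifaces, pools = parse(config)
    nets = {n: network_of(c) for n, c in ifaces.items()}
    for name, cmds in ifaces.items():
        donor = arg(cmds, r"ip unnumbered (\S+)")
        if donor and nets.get(donor) is None:
            pool = pools.get(arg(cmds, r"peer default ip address pool (\S+)"), ())
            fits = [n for n, net in nets.items()
                    if net is not None and pool and all(a in net for a in pool)]
            yield name, donor, fits
```

Run against the sample, `list(check_unnumbered(SAMPLE))` reports Virtual-Template1 borrowing from FastEthernet0 with Vlan1 as the only candidate; interfaces addressed by DHCP or with masked addresses are treated as having no static address.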