VPN working on XP, but not on Vista

Jul 8th, 2008

Hi


I've been building a VPN configuration to allow Windows clients using the Windows VPN client to access our internal LAN. Well, it turns out I didn't do a good job.


The VPN connection is working perfectly fine as long as XP clients are used. As soon as a Vista client tries to connect, it doesn't even get past the "Connecting to -IP-" stage (actually it asks me for a password and username, but I guess that's right at the beginning).


I am posting the relevant parts of my configuration here. I am using PAT for translating entries and I am using a Cisco 1811.


Thank you for your help



-snip-

r#show run
Building configuration...

Current configuration : 3483 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication ppp VpdnAuth local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.200 192.168.0.240
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool XXXXXXXXX
 network 192.168.0.0 255.255.255.0
 default-router 129.168.0.1
 dns-server 192.168.0.1
!
ip dhcp pool XXXXXXXXXX
 network 192.168.9.0 255.255.255.0
 default-router 192.168.9.1
 dns-server 192.168.9.1
!
!
ip domain name XXXXXXXXXX
ip name-server XXXXXXXXXX
ip name-server XXXXXXXXXX
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 description VPDN Group for L2TP/IPSec Clients
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
!
!
!
username -removed-
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MsIPSec esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map MsDynMap 1
 set nat demux
 set transform-set MsIPSec
!
!
crypto map IPSecIsaPmpMap 6000 ipsec-isakmp dynamic MsDynMap
!
!
!
!
interface Loopback2
 ip address 192.168.3.1 255.255.255.255
!
interface FastEthernet0
 ip address 78.X.X.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSecIsaPmpMap
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
 switchport access vlan 999
 shutdown
!
interface FastEthernet6
 switchport access vlan 999
 shutdown
!
interface FastEthernet7
 switchport access vlan 999
 shutdown
!
interface FastEthernet8
 switchport access vlan 999
 shutdown
!
interface FastEthernet9
 switchport access vlan 9
!
interface Virtual-Template2
 ip unnumbered Loopback2
 peer default ip address pool IPSecPool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2 VpdnAuth
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool IPSecPool 192.168.3.2 192.168.3.10
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXX
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.96 22 interface FastEthernet0 XXXXXXX
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.9.0 0.0.0.255
access-list 3 permit XXXXXXXXXXX
access-list 3 permit 192.168.0.0 0.0.0.255

-snip-


purohit_810 Wed, 07/09/2008 - 19:57

Which version of the VPN client are you using?

For Windows Vista you should have the 5.X client. Can you check in more detail, or in SDM: do you have a Client Version permit/deny rule?


Check the detailed protocol, TCP 500 or UDP 10000, it tries to connect on.


Thanks,

Dharmesh Purohit

thomaslinder Wed, 07/09/2008 - 20:52

Hi Dharmesh Purohit


I am sorry, I forgot to say that I am trying to use the Windows integrated VPN Client (not the one from Cisco). As I said - it is working in Windows XP just fine, but Vista Clients appear to have problems.


I didn't configure it using SDM. How could I best debug VPN connection tries?


Thank you so far.
