VPN working on XP, but not on Vista

Unanswered Question
Jul 8th, 2008

Hi

I've been building a VPN configuration to allow Windows Clients using the Windows VPN Client to access our internal LAN. Well, it comes out I didn't do a good job.

The VPN connection is working perfectly fine as long as XP clients are used. As soon as a Vista client tries to connect, it doesn't even get past the "Connecting to -IP-" stage (actually it asks me for a password and username, but I guess that's right at the beginning).

I am posting the relevant parts for my configuration here. I am using PAT for translating entries and I am using a Cisco 1811.

Thank you for your help

-snip-

r#show run
Building configuration...

Current configuration : 3483 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication ppp VpdnAuth local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.200 192.168.0.240
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool XXXXXXXXX
 network 192.168.0.0 255.255.255.0
 default-router 129.168.0.1
 dns-server 192.168.0.1
!
ip dhcp pool XXXXXXXXXX
 network 192.168.9.0 255.255.255.0
 default-router 192.168.9.1
 dns-server 192.168.9.1
!
!
ip domain name XXXXXXXXXX
ip name-server XXXXXXXXXX
ip name-server XXXXXXXXXX
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 description VPDN Group for L2TP/IPSec Clients
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
!
!
!
username -removed-
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MsIPSec esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map MsDynMap 1
 set nat demux
 set transform-set MsIPSec
!
!
crypto map IPSecIsaPmpMap 6000 ipsec-isakmp dynamic MsDynMap
!
!
!
!
interface Loopback2
 ip address 192.168.3.1 255.255.255.255
!
interface FastEthernet0
 ip address 78.X.X.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSecIsaPmpMap
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
 switchport access vlan 999
 shutdown
!
interface FastEthernet6
 switchport access vlan 999
 shutdown
!
interface FastEthernet7
 switchport access vlan 999
 shutdown
!
interface FastEthernet8
 switchport access vlan 999
 shutdown
!
interface FastEthernet9
 switchport access vlan 9
!
interface Virtual-Template2
 ip unnumbered Loopback2
 peer default ip address pool IPSecPool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2 VpdnAuth
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool IPSecPool 192.168.3.2 192.168.3.10
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXX
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.96 22 interface FastEthernet0 XXXXXXX
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.9.0 0.0.0.255
access-list 3 permit XXXXXXXXXXX
access-list 3 permit 192.168.0.0 0.0.0.255

-snip-

purohit_810 Wed, 07/09/2008 - 19:57

Which version VPN client are you using?

For Windows Vista you should have the 5.X client. Can you check in more detail, or in SDM: do you have a Client Version permit/deny rule?

Check the detailed protocol, TCP 500 or UDP 10000, it tries to connect.

Thanks,

Dharmesh Purohit

thomaslinder Wed, 07/09/2008 - 20:52

Hi Dharmesh Purohit

I am sorry, I forgot to say that I am trying to use the Windows integrated VPN Client (not the one from Cisco). As I said - it is working in Windows XP just fine, but Vista Clients appear to have problems.

I didn't configure it using SDM. How could I best debug VPN connection tries?

Thank you so far.
