11-08-2008 03:45 PM
Hello,
I am looking for assistance with the following sample configuration. My issue is that I am trying to use the native Windows XP/Vista vpn client behind a NAT device to connect to the Remote Access VPN. It works fine when the workstation has a "public" IP address in my lab scenario. Would appreciate any insights or assistance that I can get with this configuration:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 512000 debugging
no logging console
no logging monitor
!
clock timezone Eastern -5
aaa new-model
!
!
aaa authentication login default local enable
aaa authentication ppp default local
aaa authorization network default if-authenticated local
aaa session-id common
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip dhcp excluded-address 192.168.66.1 192.168.66.50
!
ip dhcp pool 33
   network 192.168.66.0 255.255.255.0
   default-router 192.168.66.1
!
ip audit po max-events 100
vpdn enable
!
vpdn-group tdcVPN
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username dude password xxx
username test password xxx
!
!
!
!
crypto isakmp policy 13
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key tdcVPN_vpn!! address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set tdcset esp-3des ah-sha-hmac
 mode transport
!
crypto dynamic-map tdc 13
 set transform-set tdcset
!
!
!
!
crypto map tdcvpn 13 ipsec-isakmp dynamic tdc
!
!
interface Ethernet0/0
 description WAN
 ip address 10.179.79.2 255.255.255.252
 ip nat outside
 half-duplex
 crypto map tdcvpn
!
interface Ethernet0/1
 description LAN
 ip address 192.168.66.1 255.255.255.0
 ip nat inside
 half-duplex
!
!
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool vpnpool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip local pool vpnpool 192.168.66.250 192.168.66.254
ip nat inside source list 10 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
access-list 10 permit 192.168.66.0 0.0.0.255
!
11-11-2008 06:26 AM
What is the config of the device the machine is behind?
It's easy to understand why the PC will work with a public IP. The device it is behind with a private IP needs to be NAT-T compliant, or you need to use IPSEC over TCP or UDP.
HTH
11-11-2008 12:31 PM
A linksys befw11s4 router with VPN passthrough for IPSEC enabled. Client operating systems tested are XP SP3 and Vista Business. Neither work with the NATting.
11-30-2008 05:09 AM
Under the dynamic crypto map add the command 'set nat demux' and try that. I have a similar configuration and other than where you are pointing the authentication to (I am using an external Radius server) and pre-shared keys (I am using a certificate) that is the only difference I can see. I have tested my setup with Windows XP/2003 & Windows Mobile 5/6 clients behind a NAT router.
HTH
Andy
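The following is an added example, not something posted in this thread, and not Cisco's or Andy's code. It is a small lint script that reads the crypto section of an IOS L2TP/IPsec remote-access config and reports the two things a practitioner would check first when clients behind NAT fail: the `set nat demux` sub-command Andy recommends under the dynamic crypto map, and (a point the thread does not raise, but which is a fixed property of the protocols) whether the transform set includes AH. AH authenticates the outer IP header, so a NAT device rewriting that header invalidates it, and NAT-T (UDP encapsulation) carries only ESP; a transform set for NAT-traversing clients should therefore be ESP-only. The sample input is an excerpt of the original poster's config with indentation restored, followed by a constructed corrected variant; the function names `parse_blocks` and `audit` are this example's own.

```python
"""Lint an IOS L2TP/IPsec remote-access config for NAT-traversal blockers."""
import re
from typing import Dict, List, Tuple

# Excerpt of the crypto section posted in the thread (indentation restored).
SAMPLE_CONFIG = """\
crypto isakmp policy 13
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set tdcset esp-3des ah-sha-hmac
 mode transport
!
crypto dynamic-map tdc 13
 set transform-set tdcset
!
crypto map tdcvpn 13 ipsec-isakmp dynamic tdc
"""

# Constructed corrected variant: ESP-only transform set plus 'set nat demux'.
FIXED_CONFIG = """\
crypto isakmp policy 13
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set tdcset esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map tdc 13
 set transform-set tdcset
 set nat demux
!
crypto map tdcvpn 13 ipsec-isakmp dynamic tdc
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level command, [indented sub-commands]).

    Nested indentation is flattened into the enclosing block; '!' separator
    lines and blank lines are skipped.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if blocks:  # indented line belongs to the most recent block
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means no NAT blockers found."""
    findings: List[str] = []
    blocks = parse_blocks(config)

    # Collect transform sets: name -> (protocol tokens, sub-commands)
    transform_sets: Dict[str, Tuple[List[str], List[str]]] = {}
    for header, body in blocks:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", header)
        if m:
            transform_sets[m.group(1)] = (m.group(2).split(), body)

    # Check every dynamic crypto map entry.
    for header, body in blocks:
        m = re.match(r"crypto dynamic-map (\S+) (\d+)", header)
        if not m:
            continue
        name = f"{m.group(1)} {m.group(2)}"
        if "set nat demux" not in body:
            findings.append(f"dynamic-map {name}: missing 'set nat demux' "
                            "(needed for L2TP/IPsec clients behind NAT)")
        ts_cmd = next((b for b in body if b.startswith("set transform-set")), None)
        if ts_cmd is None:
            findings.append(f"dynamic-map {name}: no transform-set bound")
            continue
        for ts_name in ts_cmd.split()[2:]:
            if ts_name not in transform_sets:
                findings.append(f"dynamic-map {name}: transform-set '{ts_name}' is not defined")
                continue
            protos, ts_body = transform_sets[ts_name]
            ah = [p for p in protos if p.startswith("ah-")]
            if ah:
                findings.append(f"transform-set {ts_name}: uses {' '.join(ah)}; AH covers "
                                "the outer IP header, so NAT rewrites break it and "
                                "NAT-T encapsulates ESP only")
            if "mode transport" not in ts_body:
                findings.append(f"transform-set {ts_name}: not in transport mode "
                                "(Windows L2TP/IPsec clients negotiate transport mode)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("corrected config", FIXED_CONFIG)):
        print(f"== {label} ==")
        for line in audit(cfg) or ["no findings"]:
            print(" -", line)
```

Run against the posted excerpt the script reports the missing `set nat demux` and the `ah-sha-hmac` in `tdcset`; against the corrected variant it reports nothing. The parser keys only on leading whitespace, so a config pasted with indentation stripped (as in the original post) must have it restored first, which is why the sample is re-indented.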
12-01-2008 07:22 AM
Is there any chance I could look at your configuration file? I have a version with "set nat demux" and that's not working. I know there must be some way to get this to work.
Thanks,
Matt