Firewall IOS and PPTP

May 23rd, 2009

Hello,


I have a simple VPN connection using PPTP working on multiple routers. I have a newer 2821 running the firewall IOS to which I'm trying to make the same VPN connection. It works on all of the other routers but not to the new one running the firewall IOS. Here is the relevant configuration that I use on all of the other routers:


username vpn password 0 vpn
! (type 0: the password is stored in cleartext in the running configuration)
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 ip address 10.8.8.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn
 ppp authentication ms-chap-v2
!
ip local pool vpn 10.8.8.2 10.8.8.3
!
! ACL 106: the PPTP control channel (TCP 1723) and the GRE tunnel
! (IP protocol 47) that carries the PPP frames
access-list 106 permit tcp any host x.x.x.x eq 1723
access-list 106 permit gre any host x.x.x.x


I'm wondering what is different on the newer router that does not allow any GRE connections. I have tried disabling IPS and CBAC completely and just using the access list, and the access list still won't match any of the GRE traffic.

Giuseppe Larosa Sun, 05/24/2009 - 04:30

Hello Dan,

where is applied ACL 106 ?

If, after removing IPS and CBAC, the ACL is not invoked by any feature, it cannot match anything.


Another point: if all routers are configured with accept-dialin, who's going to make the virtual call?


This can also be a problem of authentication on the VPDN.


see also the troubleshooting section of the following doc:


http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml#maintask1


This can help you to understand what is wrong.


Hope to help

Giuseppe




see RFC 2637
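The RFC 2637 mechanics behind Giuseppe's point, as an added example that is not part of the thread and not Cisco code: a static `permit gre` line has no way to tell which GRE packets belong to a PPTP session, because the Call IDs carried in the enhanced GRE header are negotiated on the TCP 1723 control connection (Outgoing-Call-Request and Outgoing-Call-Reply). A PPTP-aware stateful firewall therefore has to inspect the control channel and admit GRE per call. The Python model below builds the two control messages and the GRE packets (all values, Call IDs and the PPP frame are constructed), learns the Call IDs, and shows GRE being dropped before the call is set up, admitted in both directions for the established call, and refused for an unknown Call ID and for plain version 0 GRE.

```python
# Stateful PPTP inspection model based on RFC 2637. Added example, not the
# thread's configuration or Cisco code; all message values are constructed.
import struct
from dataclasses import dataclass, field

PPTP_MAGIC = 0x1A2B3C4D                   # RFC 2637 magic cookie
PPTP_CONTROL_MESSAGE = 1
OUTGOING_CALL_REQUEST = 7
OUTGOING_CALL_REPLY = 8
GRE_PROTO_PPP = 0x880B                    # protocol type for PPP in enhanced GRE
GRE_FLAG_KEY, GRE_FLAG_SEQ, GRE_FLAG_ACK, GRE_VERSION_MASK = 0x2000, 0x1000, 0x0080, 0x0007
CONTROL_HEADER = struct.Struct("!HHIHH")  # length, msg type, cookie, ctrl type, reserved

def build_control(ctrl_type, body):
    """Prefix a control-message body with the 12-byte PPTP header."""
    return CONTROL_HEADER.pack(CONTROL_HEADER.size + len(body), PPTP_CONTROL_MESSAGE,
                               PPTP_MAGIC, ctrl_type, 0) + body

def build_outgoing_call_request(call_id):
    """Client -> server Outgoing-Call-Request (168 bytes) announcing the client's Call ID."""
    body = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0)
    return build_control(OUTGOING_CALL_REQUEST, body + bytes(128))  # phone number + subaddress

def build_outgoing_call_reply(call_id, peer_call_id, result_code=1):
    """Server -> client Outgoing-Call-Reply (32 bytes); result code 1 means connected."""
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, result_code, 0, 0, 10_000_000, 64, 0, 0)
    return build_control(OUTGOING_CALL_REPLY, body)

def build_gre_ppp(call_id, payload, seq=None, ack=None):
    """Enhanced GRE (version 1, key present) header carrying one PPP frame."""
    flags = GRE_FLAG_KEY | 1                      # key present, version 1
    flags |= GRE_FLAG_SEQ if seq is not None else 0
    flags |= GRE_FLAG_ACK if ack is not None else 0
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    hdr += b"".join(struct.pack("!I", v) for v in (seq, ack) if v is not None)
    return hdr + payload

def parse_control(data):
    """Validate the PPTP header; return (control message type, body)."""
    if len(data) < CONTROL_HEADER.size:
        raise ValueError("short PPTP header")
    length, msg_type, magic, ctrl_type, _ = CONTROL_HEADER.unpack_from(data)
    if magic != PPTP_MAGIC or msg_type != PPTP_CONTROL_MESSAGE or length != len(data):
        raise ValueError("not a well-formed PPTP control message")
    return ctrl_type, data[CONTROL_HEADER.size:]

def parse_gre_ppp(data):
    """Parse an enhanced GRE header; return (call_id, seq, ack, payload)."""
    if len(data) < 8:
        raise ValueError("short GRE header")
    flags, proto, payload_len, call_id = struct.unpack_from("!HHHH", data)
    if (flags & GRE_VERSION_MASK) != 1 or proto != GRE_PROTO_PPP or not (flags & GRE_FLAG_KEY):
        raise ValueError("not enhanced GRE carrying PPP (e.g. a plain GRE/IP tunnel)")
    off, seq, ack = 8, None, None
    if flags & GRE_FLAG_SEQ:
        seq, off = struct.unpack_from("!I", data, off)[0], off + 4
    if flags & GRE_FLAG_ACK:
        ack, off = struct.unpack_from("!I", data, off)[0], off + 4
    payload = data[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated GRE payload")
    return call_id, seq, ack, payload

@dataclass
class PptpInspector:
    """Learns Call IDs from the control channel; admits only GRE for established calls."""
    pending: set = field(default_factory=set)      # client Call IDs awaiting a reply
    established: set = field(default_factory=set)  # Call IDs valid in GRE headers

    def inspect_control(self, data):
        ctrl_type, body = parse_control(data)
        if ctrl_type == OUTGOING_CALL_REQUEST:
            self.pending.add(struct.unpack_from("!H", body)[0])
        elif ctrl_type == OUTGOING_CALL_REPLY:
            server_call_id, peer_call_id, result = struct.unpack_from("!HHB", body)
            if result == 1 and peer_call_id in self.pending:
                self.pending.discard(peer_call_id)
                # Each side puts the receiver's Call ID in the GRE header, so
                # both IDs must be admitted for the tunnel to pass traffic.
                self.established.update((server_call_id, peer_call_id))

    def permit_gre(self, data):
        """Verdict for one GRE packet: True only if it belongs to a known call."""
        try:
            call_id = parse_gre_ppp(data)[0]
        except (ValueError, struct.error):
            return False
        return call_id in self.established

def demo():
    """Walk one call set-up; return the inspector's GRE verdicts in order."""
    fw = PptpInspector()
    lcp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"                     # constructed PPP LCP frame
    before_call = fw.permit_gre(build_gre_ppp(0x4000, lcp, seq=0))
    fw.inspect_control(build_outgoing_call_request(0x4000))        # client chooses Call ID 0x4000
    fw.inspect_control(build_outgoing_call_reply(0x0001, 0x4000))  # server answers with Call ID 0x0001
    to_client = fw.permit_gre(build_gre_ppp(0x4000, lcp, seq=1))
    to_server = fw.permit_gre(build_gre_ppp(0x0001, lcp, seq=1, ack=1))
    unknown_call = fw.permit_gre(build_gre_ppp(0x7777, lcp))
    plain_gre = fw.permit_gre(struct.pack("!HH", 0x0000, 0x0800) + bytes(20))  # version 0 GRE, not PPTP
    return before_call, to_client, to_server, unknown_call, plain_gre
```

Calling demo() returns (False, True, True, False, False): GRE is refused until the Outgoing-Call-Reply with result code 1 has been seen, then passes for both Call IDs of that call only. The model tracks call state and says nothing about the strength of the tunnel itself; PPTP with MS-CHAPv2 and MPPE has long-published cryptographic weaknesses and should not be relied on for confidentiality today.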

danletkeman Sun, 05/24/2009 - 07:46

ACL 106 is applied incoming on the outside interface facing my ISP.


The virtual call is coming from a Windows or Linux host. This part is all working because I have tested it from inside the LAN and I have tested it on other routers that are not running the IOS Firewall.


Even if I have IPS and CBAC enabled, it only matches TCP port 1723 and not GRE.


This 2821 is running: c2800nm-adventerprisek9-mz.124-20.T.bin


I have now configured a 2801 for testing with c2801-adventerprisek9-mz.124-13b.bin; it is running CBAC and the PPTP connection works!


So this is leading me to believe that either the ISP that the 2821 is connected to is not allowing GRE traffic, or there is something wrong with this IOS version: c2800nm-adventerprisek9-mz.124-20.T.bin



Giuseppe Larosa Sun, 05/24/2009 - 12:03

Hello Dan,

it is possible you have hit a software bug on the C2821 with 12.4(20)T.

Or you might also need to add or modify configuration for it to work.


Cisco Feature Navigator reports PPTP with MPPE as the only PPTP feature.


Here is the feature description:


http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/dt_pptp.html


But the configuration looks similar to yours.


Hope to help

Giuseppe

