05-23-2009 10:07 AM - edited 03-04-2019 04:51 AM
Hello,
I have a simple VPN connection using PPTP working on multiple routers. I have a newer 2821 running the firewall IOS that I'm trying to do the same VPN connection to. It works on all of the other routers but not to the new one running the firewall IOS. Here is the relevant configuration that I use on all of the other routers:
user vpn password 0 vpn
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
interface Virtual-Template1
ip address 10.8.8.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
peer default ip address pool vpn
ppp authentication ms-chap-v2
!
ip local pool vpn 10.8.8.2 10.8.8.3
!
access-list 106 permit tcp any host x.x.x.x eq 1723
access-list 106 permit gre any host x.x.x.x
I'm wondering what is different on the newer router that does not allow any GRE connections. I have tried disabling IPS and CBAC completely and just using the access list, and the access list still won't match any of the GRE traffic.
05-24-2009 04:30 AM
Hello Dan,
Where is ACL 106 applied?
If, after removing IPS and CBAC, the ACL is not invoked by any feature, it cannot match anything.
Another point is that if all routers are configured with accept-dialin, who is going to make the virtual call?
This can also be a problem of authentication on the VPDN.
see also the troubleshooting section of the following doc:
This can help you to understand what is wrong.
Hope to help
Giuseppe
See RFC 2637.
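As an added illustration (not part of the thread, and not Cisco code), the following Python builds and parses the two things the ACL above has to admit, in the formats RFC 2637 defines: the control connection on TCP/1723 (Start-Control-Connection-Request/Reply) and the data channel, which is IP protocol 47 with the "enhanced GRE" header carrying the call ID in the Key field. The classify() helper maps an inbound packet to the ACL 106 line it depends on. Hostnames, vendor strings, the server reply and the sample packets are constructed for the example.

```python
import struct

# RFC 2637 constants
PPTP_PORT = 1723              # TCP control connection
GRE_PROTO = 47                # IP protocol number of the data channel (no ports)
PPTP_MAGIC = 0x1A2B3C4D       # magic cookie in every control message
MSG_CONTROL = 1
SCCRQ, SCCRP = 1, 2           # Start-Control-Connection-Request / -Reply
PPP_IN_GRE = 0x880B           # Protocol Type in the enhanced GRE header
CTRL_HDR = struct.Struct("!HHIHH")            # length, msg type, magic, ctrl type, reserved0
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")   # version, reserved1, framing, bearer, max chan, fw rev, host, vendor
SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")  # version, result, error, framing, bearer, max chan, fw rev, host, vendor


def build_sccrq(hostname=b"pptp-client", vendor=b"example"):
    """Client's first message on TCP/1723 (156 bytes). Hostname/vendor are constructed."""
    body = SCCRQ_BODY.pack(0x0100, 0, 1, 1, 1, 0, hostname, vendor)
    return CTRL_HDR.pack(CTRL_HDR.size + len(body), MSG_CONTROL, PPTP_MAGIC, SCCRQ, 0) + body


def build_sccrp(result=1, error=0, hostname=b"pptp-server", vendor=b"example"):
    """Server reply; result 1 = channel established. Constructed here, not a capture."""
    body = SCCRP_BODY.pack(0x0100, result, error, 1, 1, 1, 0, hostname, vendor)
    return CTRL_HDR.pack(CTRL_HDR.size + len(body), MSG_CONTROL, PPTP_MAGIC, SCCRP, 0) + body


def parse_control_header(data):
    """Return (length, control message type) after checking magic cookie and message type."""
    if len(data) < CTRL_HDR.size:
        raise ValueError("short PPTP control message")
    length, msg_type, magic, ctrl_type, _reserved = CTRL_HDR.unpack_from(data)
    if magic != PPTP_MAGIC or msg_type != MSG_CONTROL:
        raise ValueError("not a PPTP control message")
    return length, ctrl_type


def parse_sccrp(data):
    """Decode the server's SCCRP; result != 1 means the control connection was refused."""
    length, ctrl_type = parse_control_header(data)
    if ctrl_type != SCCRP or len(data) < length:
        raise ValueError("not a complete SCCRP")
    version, result, error, _fr, _be, _mc, _fw, host, vendor = SCCRP_BODY.unpack_from(data, CTRL_HDR.size)
    return {"version": version, "result": result, "error": error,
            "hostname": host.split(b"\0", 1)[0].decode("ascii", "replace"),
            "vendor": vendor.split(b"\0", 1)[0].decode("ascii", "replace")}


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Enhanced GRE (RFC 2637 section 4): K=1 always, S if seq, A if ack, version 1, proto 0x880B."""
    b0 = 0x20 | (0x10 if seq is not None else 0)   # bits C R K S s Recur -> set K, and S if present
    b1 = 0x01 | (0x80 if ack is not None else 0)   # bits A Flags Ver -> Ver=1, and A if present
    hdr = struct.pack("!BBHHH", b0, b1, PPP_IN_GRE, len(payload), call_id)  # Key = payload length + call ID
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Decode an enhanced GRE packet; rejects plain (version 0) GRE or non-PPP payloads."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, plen, call_id = struct.unpack_from("!BBHHH", pkt)
    if (b1 & 0x07) != 1 or proto != PPP_IN_GRE or not (b0 & 0x20):
        raise ValueError("GRE packet is not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if b0 & 0x10:
        seq = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if b1 & 0x80:
        ack = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + plen]}


def classify(ip_proto, dst_port, payload):
    """Which PPTP channel an inbound packet belongs to, i.e. which ACL 106 line must admit it."""
    if ip_proto == 6 and dst_port == PPTP_PORT:
        return ("control", None)             # permit tcp any host x.x.x.x eq 1723
    if ip_proto == GRE_PROTO:
        try:
            return ("data", parse_pptp_gre(payload)["call_id"])   # permit gre any host x.x.x.x
        except ValueError:
            return ("gre-other", None)
    return ("other", None)


if __name__ == "__main__":
    print(parse_control_header(build_sccrq()))
    print(parse_sccrp(build_sccrp(hostname=b"c2821")))
    data = build_pptp_gre(call_id=7, payload=b"\xff\x03\xc0\x21", seq=1)
    print(classify(GRE_PROTO, None, data), parse_pptp_gre(data))
```

The point for the ACL question in the thread: the data channel has no port numbers at all, only a call ID inside the GRE header that is agreed on over the TCP/1723 control connection. A device that only tracks the TCP session therefore cannot tie GRE to it without parsing the control channel, which is why the separate "permit gre" line (or a feature that understands PPTP) is needed for the tunnel to come up.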
05-24-2009 07:46 AM
ACL 106 is applied incoming on the outside interface facing my ISP.
The virtual call is coming from a windows or linux host. This part is all working because I have tested it from inside the lan and I have tested it on other routers that are not running the IOS Firewall.
Even if I have IPS and CBAC enabled, it only matches TCP port 1723 and not GRE.
This 2821 is running: c2800nm-adventerprisek9-mz.124-20.T.bin
I have now configured a 2801 for testing with c2801-adventerprisek9-mz.124-13b.bin, and it is running CBAC and the PPTP connection works!
So this is leading me to believe that either the ISP that the 2821 is connected to is now allowing GRE traffic or there is something wrong with this ios version: c2800nm-adventerprisek9-mz.124-20.T.bin
05-24-2009 12:03 PM
Hello Dan,
It is possible you have hit a software bug on the C2821 with 12.4(20)T.
Or you might also need to add or modify the configuration for it to work.
Cisco Feature Navigator reports PPTP with MPPE as the only PPTP feature.
Here is the feature description:
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/dt_pptp.html
But the configuration looks similar to yours.
Hope to help
Giuseppe