Windows VPN -> Cisco 1801 connection issue

Unanswered Question
Nov 26th, 2009

Hi,

Got a problem creating a Windows VPN connection to a remote office. Setup is a Cisco 1801 router & Windows 2003 with RRAS enabled.

1 x public IP address - xxx.xxx.xxx.xxx

Router IP 192.168.25.1

2003 server IP - 192.168.25.2

When trying to establish the connection from Windows XP we are getting stuck at the verifying username and password stage, before returning error 806.  This is a copy of the router config.

Any help much appreciated


Building configuration...

Current configuration : 11394 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-4217093447
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4217093447
revocation-check none
rsakeypair TP-self-signed-4217093447
!
!
crypto pki certificate chain TP-self-signed-4217093447
certificate self-signed 01
      quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip domain name yourdomain.com
ip name-server 194.72.6.51
ip name-server 194.72.6.52
ip port-map user-protocol--1 port tcp 3389
!
multilink bundle-name authenticated
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key proactive address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxxx.xxx.xxx.xxx
set peer xxx.xxx.xxx.xxx
set transform-set ESP-3DES-SHA
set pfs group2
match address 105
!
archive
log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 109
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 106
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-nat-pptp-1
match access-group 110
match protocol pptp
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-2
  pass
class type inspect sdm-nat-pptp-1
  inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
  pass
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 192.168.25.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 0 xxxxxxxxxxx
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.26.0 255.255.255.0 Dialer0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.25.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.25.2 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.25.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.25.2
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp 192.168.25.0 0.0.0.255 host 192.168.25.1 eq telnet
access-list 102 permit tcp 192.168.25.0 0.0.0.255 host 192.168.25.1 eq 22
access-list 102 permit tcp 192.168.25.0 0.0.0.255 host 192.168.25.1 eq www
access-list 102 permit tcp 192.168.25.0 0.0.0.255 host 192.168.25.1 eq 443
access-list 102 permit tcp 192.168.25.0 0.0.0.255 host 192.168.25.1 eq cmd
access-list 102 permit tcp any host 192.168.25.2 eq 1723
access-list 102 permit udp any host 192.168.25.2 eq isakmp
access-list 102 permit udp any host 192.168.25.2 eq 1701
access-list 102 permit gre any host 192.168.25.2
access-list 102 deny   tcp any host 192.168.25.1 eq telnet
access-list 102 deny   tcp any host 192.168.25.1 eq 22
access-list 102 deny   tcp any host 192.168.25.1 eq www
access-list 102 deny   tcp any host 192.168.25.1 eq 443
access-list 102 deny   tcp any host 192.168.25.1 eq cmd
access-list 102 deny   udp any host 192.168.25.1 eq snmp
access-list 102 permit ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.25.0 0.0.0.255 any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.25.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.25.0 0.0.0.255 192.168.26.0 0.0.0.255
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip host 217.36.221.167 any
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.26.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 108 remark SDM_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.25.0 0.0.0.255 192.168.26.0 0.0.0.255
access-list 108 permit ip 192.168.25.0 0.0.0.255 any
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.26.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip any host 192.168.25.2
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 108
!
!
!
!
control-plane
!
banner login ^C

^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 103 in
login local
transport input telnet ssh
line vty 5 15
access-class 104 in
login local
transport input telnet ssh
!
end
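Windows error 806 means the PPTP control channel (TCP 1723) reached the server but the GRE data channel did not, so the thing to verify on the router is that every hop admits both. The audit below is an added example, not part of the original post or any Cisco tooling: it parses a constructed, trimmed excerpt of the posted config (assumed to keep its indentation, which the page's copy lost) and reports which of the PPTP reachability checks fail, following the zone-pair to its policy-map and inspected class-maps to confirm the PPTP ALG is engaged.

```python
import re

# Constructed, trimmed excerpt of the posted config (assumes indented child lines).
CONFIG = """\
class-map type inspect match-all sdm-nat-pptp-1
 match protocol pptp
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-pptp-1
  inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip nat inside source static tcp 192.168.25.2 1723 interface Dialer0 1723
access-list 102 permit tcp any host 192.168.25.2 eq 1723
access-list 102 permit gre any host 192.168.25.2
"""
def stanzas(config):
    # Group IOS config lines into (head, [children]) using indentation.
    out = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"): continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def zbfw_inspects_pptp(config, src="out-zone", dst="in-zone"):
    """Follow zone-pair -> service-policy -> inspected classes -> 'match protocol pptp'."""
    st, policy = stanzas(config), None
    for h, c in st:
        if h.startswith("zone-pair") and f"source {src} destination {dst}" in h:
            policy = next((ln.split()[-1] for ln in c if ln.startswith("service-policy")), None)
    inspected, cur = set(), None
    for ln in dict(st).get(f"policy-map type inspect {policy}", []):
        if ln.startswith("class type inspect "):
            cur = ln.split()[-1]        # remember the class the next action applies to
        elif ln == "inspect" and cur:
            inspected.add(cur)
    return any(h.split()[-1] in inspected and "match protocol pptp" in c
               for h, c in st if h.startswith("class-map type inspect"))

def pptp_audit(config, server):
    """Return the names of the PPTP reachability checks that FAIL for `server`."""
    s = re.escape(server)
    checks = {
        "static_nat_tcp_1723": re.search(rf"^ip nat inside source static tcp {s} 1723 ", config, re.M),
        "acl_permits_tcp_1723": re.search(rf"^access-list \d+ permit tcp any host {s} eq 1723$", config, re.M),
        "acl_permits_gre": re.search(rf"^access-list \d+ permit gre any host {s}$", config, re.M),
        "zbfw_inspects_pptp": zbfw_inspects_pptp(config),  # GRE data channel relies on the PPTP ALG
    }
    return [name for name, ok in checks.items() if not ok]
```

Run `pptp_audit(CONFIG, "192.168.25.2")` against the real running-config text to get an empty list when all four paths are open; any name it returns is the first place to look for the GRE drop behind error 806.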
