PPTP through Cisco 1841

Unanswered Question
Sep 29th, 2010

Hi All


Setup is as follows


c1841-advsecurityk9-mz.124-16.bin


Clients PC on Win 7 PPTP connection to a Public IP -----> Cisco 1841 onsite---->Internet


Client gets error 619. Now, client does have a site to site vpn configured on router to connect to a different customer and that's working fine.

When we dial pptp connection using windows 7, on cisco router I get


     %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

    (ip) vrf/dest_addr= /<Router's Wan IP>, src_addr= <Public IP of destination>, prot= 47




Destination in question is not cisco and doesn't use ipsec. It works if I use my wifi 3g card so destination is not an issue

Win7 Firewall is disabled (FYI)


interface Dialer0
description SHDSL Primary Dialer
ip address negotiated
ip nat outside
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 2147483
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ...
ppp chap password ...
crypto map VPN


ip nat source list 100 interface Dialer0 overload


access-list 100 deny   ip 192.168.0.0 0.0.0.255 host <Wan IP of different customer>
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit gre any any

access-list 100 permit tcp any any eq 1723


access-list 120 permit ip 192.168.0.0 0.0.0.255 host <Wan IP of different customer>


crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
lifetime 86000
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 28800


crypto isakmp key  sharedkey address <Wan IP of different customer>

crypto ipsec transform-set Pactolus-cc esp-3des esp-sha-hmac

crypto map VPN 20 ipsec-isakmp
set peer <Wan IP of different customer>
set transform-set Pactolus-cc
set pfs group2
match address 120


Since acl 120 is precisely for a source destination, I should be able to receive non ipsec packets on device.


Any clue/suggestions appreciated.

Jitendriya Athavale Fri, 10/01/2010 - 06:26
User Badges:
  • Cisco Employee,

I am not sure if I understand your requirement or setup correctly


please clarify to which interface of 1811 you are connecting win 7 clients


and what is its relevance to site to site


just too confused, please clarify

aman.kapuria Fri, 10/01/2010 - 06:55

OK, let's make it as easy as following.



client pc using windows 7 PPTP VPN ---->Through Clients onsite 1841------>Destination Public IP


FAILS. Message logged on router being


%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

    (ip) vrf/dest_addr= /, src_addr= , prot= 47



Or in simple words, pptp doesn't work THROUGH cisco 1841.


I hope I have made it simple?


Thanks


Aman

Jitendriya Athavale Fri, 10/01/2010 - 07:00
User Badges:
  • Cisco Employee,

again this is what confuses me



FAILS. Message logged on router being


%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

    (ip) vrf/dest_addr= /, src_addr= , prot= 47



tells me pptp is terminating on router



Or in simple words, pptp doesn't work THROUGH cisco 1841.



this gives me a feeling that you are configuring router as pass through



please clarify which is true




or is it that these win 7 boxes are behind a router 1811 and are trying to connect to pptp server on the outside


sorry but I am still confused

aman.kapuria Fri, 10/01/2010 - 07:37

yes mate you are right


win 7 boxes are behind a router 1811 and are trying to connect to pptp server on the outside


and is pptp server

Jitendriya Athavale Fri, 10/01/2010 - 07:53
User Badges:
  • Cisco Employee,

do you have any firewall on the route, if so then use inspect pptp




also try doing static one to one nat to this client PC and then try pptp

aman.kapuria Fri, 10/01/2010 - 18:28

There is no ip inspection present on the router. I will do static nat and reply back

patgeo1984 Sun, 12/19/2010 - 06:25


Hello Aman


I'm having this same problem. Could you fix it? If so, could you share the solution?


Thanks

Pat

aman.kapuria Sun, 12/19/2010 - 14:01

Hi pat


Apparently the other end was not set up correctly in my case. They did set up the other end for ipsec. I ended up setting up a site to site vpn with them. Also, I was having an ACL that was matching all gre packets and was passing it to another site to site vpn. I made it more precise. So make sure you have precise ACLs to isolate the issue. Make sure other end is configured correctly. Do you see any messages logged at other end? debugs?

patgeo1984 Sun, 12/19/2010 - 18:34


Thanks for answering, Aman. It seems to me that my case is different from yours; I don't have site to site deployed.

We establish VPNs to different customers from our office. The issue we have is when we try to connect to the customers' networks through PPTP; we have no problems with IPSEC clients. Did you have something similar?


Any recommendation?


I stay aware of your comments



P.S.: English is not my native language

aman.kapuria Sun, 12/19/2010 - 19:13

In first instance I was trying to set up pptp through 1841. Then I ended up deploying a site to site vpn.


I am not sure but based upon your response it sounds like PPTP works for you. It looks more like a windows client settings issue. If you check the security tab there is an option to enter preshared key for an ipsec connection. Try that if that is the issue

patgeo1984 Sun, 12/19/2010 - 19:21


Indeed passthrough PPTP is the problem we have. Let me give you a picture of our problem for clarification.

user lan> 1811 router> dsl> customer IPSEC vpn OK


user lan> 1811 router> dsl> customer PPTP vpn  Fail




I stay aware of your comments


Thanks

aman.kapuria Sun, 12/19/2010 - 19:23

Has it ever worked? You might be encrypting entire traffic. Error messages, debug, config might help

patgeo1984 Sun, 12/19/2010 - 19:29
Thanks for responding Aman

PPTP has never worked, I see no logs listed in the CLI, sent the configuration that is operating on the router.

aman.kapuria Sun, 12/19/2010 - 20:36

I haven't seen your config yet but you should remove it asap from here. You have provided all the password information in there


and please change all your passwords as well

aman.kapuria Sun, 12/19/2010 - 20:52

As I mentioned earlier your config has an acl to match all gre traffic and then tunnel it.



Windows pptp vpn uses tcp/1723 and gre (ip/47).


so make your acls precise as per requirement.
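
The check aman describes in his replies (a crypto-map ACL that matches all GRE, so PPTP's data channel is selected for the site-to-site tunnel) can be run against a saved config. This is an added example, not code from the thread or from Cisco; the sample config, its documentation addresses and the function names are constructed, and it assumes numbered extended ACLs and treats every `match address` line as a crypto-map reference.

```python
import re

# Constructed sample (documentation addresses, not the thread's config):
# ACL 120 is peer-specific; ACL 130 is the over-broad kind aman describes.
SAMPLE = """\
access-list 100 permit gre any any
access-list 120 permit ip 192.168.0.0 0.0.0.255 host 203.0.113.10
access-list 130 permit gre any any
access-list 130 permit ip 192.168.0.0 0.0.0.255 host 198.51.100.7
crypto map VPN 20 ipsec-isakmp
 match address 120
crypto map VPN 30 ipsec-isakmp
 match address 130
"""

def crypto_acls(config):
    """ACL ids named by 'match address' lines (assumed to be crypto maps)."""
    return set(re.findall(r"^\s*match address (\S+)", config, re.M))

def _is_any(tokens):
    """Consume one IOS address spec from tokens; True if it is 'any'."""
    head = tokens.pop(0)
    if head != "any":
        tokens.pop(0)  # 'host A' and 'A wildcard' both take a second token
    return head == "any"

def pptp_caught_by_crypto(config):
    """Crypto-ACL permit lines that would also select PPTP's GRE (ip/47)
    towards any destination, so the router expects it inside IPsec."""
    wanted, hits = crypto_acls(config), []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] not in wanted:
            continue
        action, proto, rest = t[2], t[3], t[4:]
        try:
            _is_any(rest)            # skip the source spec
            dst_any = _is_any(rest)  # destination spec
        except IndexError:
            continue                 # malformed or truncated entry
        # 'ip' covers every IP protocol, GRE included
        if action == "permit" and proto in ("ip", "gre") and dst_any:
            hits.append(line.strip())
    return hits

if __name__ == "__main__":
    for entry in pptp_caught_by_crypto(SAMPLE):
        print("review:", entry)
```

ACL 100 in the sample is not referenced by a crypto map, so its `permit gre any any` entry is not reported; only entries that select traffic for encryption are.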

patgeo1984 Sun, 12/19/2010 - 21:40

Ok Aman but we have set these ACLs that allow this traffic.

aman.kapuria Sun, 12/19/2010 - 21:41

Please make it specific, as in specify based on destination maybe.

patgeo1984 Thu, 12/23/2010 - 12:35

Hello Aman

I performed the configuration you told me, and did not get good results.

The access lists entered were:

access-list 101 permit tcp host and Stock [Server-IP] eq 1723 log
access-list 101 permit gre host and Stock [Server-IP] log
access-list 101 permit tcp host and Stock [Server-IP] eq 47 log
access-list 101 permit tcp host and Stock [Server-IP] eq 1701 log
access-list 101 permit udp host and Stock [Server-IP] eq isakmp log
access-list 101 permit esp host and Stock [Server-IP]
access-list 101 permit ahp host and Stock [Server-IP]
access-list 101 permit ip any any

I also removed all ACLs that permitted all the traffic and I still have the same problem. Can you suggest something? Another deployment, e.g.?

Greetings
