Cisco Support Community
Community Member

CHAP/PAP authen not working while having VPN IPSEC

I used to have a point2point IPSEC VPN over IP to connect my office to the HQ. Recently, I managed to get a hi-speed PPP Leased Line to the HQ as well. I simply programmed two default routes to the HQ, but giving lower PREF to the leased line. Everything is working fine, except PAP/CHAP authentication on the PPP leased line: as soon as I activate authentication on the leased line interface, the router starts to bring the line protocol up and down continuously. Below is the PPP debug of the link.

The authentication steps seem to be OK without any problem, but just after it the link goes down. I guess the PPP leased line conflicts with the AAA configuration of the VPN link. In this case, is there any way to exclude the leased line interface from the AAA authentication process? Or any other idea? You can find below the AAA config as well.

==================================================

PPP Debug

==================================================

Serial0

PPP I LCP(c021) Pkt, Len 23

State opened, code ConfReq(01), id 70, len 19

MRU(1), len 4, val 05dc

AuthProto(3), len 5, CHAP c22305

MagicNumber(5), len 6, val 003cfc65

Serial0

PPP O LCP(c021) Pkt, Len 18

State opened, code ConfReq(01), id 232, len 14

MRU(1), len 4, val 05dc

MagicNumber(5), len 6, val 05ed6dac

Serial0

PPP O LCP(c021) Pkt, Len 23

State opened, code ConfAck(02), id 70, len 19

MRU(1), len 4, val 05dc

AuthProto(3), len 5, CHAP c22305

MagicNumber(5), len 6, val 003cfc65

Serial0

PPP I LCP(c021) Pkt, Len 18

State acksent, code ConfAck(02), id 232, len 14

MRU(1), len 4, val 05dc

MagicNumber(5), len 6, val 05ed6dac

Serial0

PPP I CHAP(c223) Pkt, Len 36

CHAP ChapChallenge, id 156, length 32

Host name(11): xyxyxy

% Line protocol ip on interface Serial0, changed state to UP

Serial0

PPP O CHAP(c223) Pkt, Len 35

CHAP ChapResponse, id 156, length 31

Host name(10): xzxzxz

Serial0

PPP I CHAP(c223) Pkt, Len 31

CHAP ChapSuccess, id 156, length 27

Message(23):Welcome to xyxyxy.

CHAP authentication successed: our name .

Serial0

PPP O IPCP(8021) Pkt, Len 14

State initial, code ConfReq(01), id 144, len 10

IP Address(3), len 6, val c0a80102

PPP Serial0 IFNET Serial0 PPP-STATE change: IPXCP initial ==> disabled

Serial0

PPP I IPCP(8021) Pkt, Len 14

State reqsent, code ConfReq(01), id 160, len 10

IP Address(3), len 6, val c0a80101

Serial0

PPP O IPCP(8021) Pkt, Len 14

State reqsent, code ConfAck(02), id 160, len 10

IP Address(3), len 6, val c0a80101

Serial0

PPP I IPCP(8021) Pkt, Len 14

State acksent, code ConfAck(02), id 144, len 10

IP Address(3), len 6, val c0a80102

Serial0

PPP O LCP(c021) Pkt, Len 12

State opened, code EchoReqst(09), id 88, len 8

Magic Number 05ed6dac

Serial0

PPP O LCP(c021) Pkt, Len 12

State opened, code EchoReqst(09), id 89, len 8

Magic Number 05ed6dac

Serial0

PPP O LCP(c021) Pkt, Len 12

State opened, code EchoReqst(09), id 90, len 8

Magic Number 05ed6dac

% Line protocol ip on interface Serial0, changed state to DOWN

==================================================

End of Debug

==================================================

===================================================

AAA Config

===================================================

user xxxxxxxx service-type ppp password 0 xxxxxxxx

firewall enable

access-list normal 103 deny ip any any

aaa-enable

aaa authentication ppp default local

aaa authentication login default local

hostname xxxxxxxx

====================================================

End

====================================================
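
An added example, not part of the original post: a small Python parser for the debug trace above that separates the CHAP result and the IPCP addresses from the LCP keepalive phase, where the trace shows three outbound Echo-Requests and no inbound reply before the line protocol goes DOWN. The sample input is condensed from the post's own output; the `EchoReply` label for an inbound reply is an assumption, since the post's trace never shows one.

```python
import ipaddress
import re

# Condensed from the debug output in the post above (blank lines and earlier packets dropped).
TRACE = """\
PPP I CHAP(c223) Pkt, Len 31
CHAP ChapSuccess, id 156, length 27
PPP O IPCP(8021) Pkt, Len 14
State initial, code ConfReq(01), id 144, len 10
IP Address(3), len 6, val c0a80102
PPP I IPCP(8021) Pkt, Len 14
State reqsent, code ConfReq(01), id 160, len 10
IP Address(3), len 6, val c0a80101
PPP O LCP(c021) Pkt, Len 12
State opened, code EchoReqst(09), id 88, len 8
PPP O LCP(c021) Pkt, Len 12
State opened, code EchoReqst(09), id 89, len 8
PPP O LCP(c021) Pkt, Len 12
State opened, code EchoReqst(09), id 90, len 8
"""

HDR = re.compile(r"PPP ([IO]) (\w+)\(")                  # direction and protocol
CODE = re.compile(r"(?:code |CHAP )(\w+).*?, id (\d+)")  # packet code and identifier
ADDR = re.compile(r"IP Address\(3\), len 6, val ([0-9a-f]{8})")

def parse(trace):
    """Return packets as dicts with dir, proto, code, id and (for IPCP) a dotted-quad ip."""
    packets = []
    for line in trace.splitlines():
        if m := HDR.match(line):
            packets.append({"dir": m[1], "proto": m[2]})
        elif packets and "code" not in packets[-1] and (m := CODE.search(line)):
            packets[-1].update(code=m[1], id=int(m[2]))
        elif packets and (m := ADDR.match(line)):
            packets[-1]["ip"] = str(ipaddress.ip_address(bytes.fromhex(m[1])))
    return packets

def diagnose(trace):
    pkts = parse(trace)
    sent = {p["id"] for p in pkts if p["dir"] == "O" and p.get("code") == "EchoReqst"}
    # "EchoReply" is an assumed label for an inbound reply; the post's trace contains none.
    answered = {p["id"] for p in pkts if p["dir"] == "I" and p.get("code") == "EchoReply"}
    return {
        "chap_ok": any(p.get("code") == "ChapSuccess" for p in pkts),
        "local_ip": next((p["ip"] for p in pkts if p["dir"] == "O" and "ip" in p), None),
        "peer_ip": next((p["ip"] for p in pkts if p["dir"] == "I" and "ip" in p), None),
        "unanswered_echo_ids": sorted(sent - answered),
    }
```

Run over the full capture, a non-empty `unanswered_echo_ids` together with `chap_ok` being true points the investigation at the keepalive or data path after authentication rather than at the CHAP exchange itself.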

1 REPLY
Bronze

Re: CHAP/PAP authen not working while having VPN IPSEC

The debug output says the authentication is a success, but there can be problems with authorization also.

Check configuring AAA and VPN separately.

For reference, use these documents:

Regarding PPP

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4130.shtml

Regarding VPN

http://www.cisco.com/en/US/tech/tk801/tk703/technologies_design_guide_chapter09186a00800de9d7.html#37331
