05-29-2003 12:07 PM - edited 03-09-2019 03:28 AM
Hi all,
I'm hoping that someone can help with a strange PPTP / MS-CHAP problem that I have. We are installing a number of Cisco 827H (now 837s) in our customer sites for Internet access and VPNs (using IPsec).
As an extra feature I would like to set up the 827H as a PPTP endpoint so that our support personnel can use the Windows VPN client to attach to the IP network (a mixture of MS W2K server and W2K peer-to-peer).
I'm using IOS 12.2(8)YM. When I try to connect, the W2K machine never gets past the username and password section. I've done a debug and I can see an MS-CHAP success packet being returned, but it never gets to the W2K machine. I've used MS Network Monitor to see the packets coming from the 827H and there is no PPPCHAP success; I can see the PPPCHAP challenge and response. Is it possible that the 827 is sending the PPPCHAP success as an encrypted GRE packet?
827H Debug PPP AUTH
*Mar 1 08:59:08.469: ppp4 PPP: Using set call direction
*Mar 1 08:59:08.469: ppp4 PPP: Treating connection as a callin
*Mar 1 08:59:08.469: ppp4 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 08:59:08.469: ppp4 PPP: Authorization required
*Mar 1 08:59:08.473: ppp4 LCP: O CONFREQ [Closed] id 1 len 15
*Mar 1 08:59:08.473: ppp4 LCP: AuthProto MS-CHAP (0x0305C22380)
*Mar 1 08:59:08.473: ppp4 LCP: MagicNumber 0x0B31185F (0x05060B31185F)
*Mar 1 08:59:10.461: ppp4 LCP: TIMEout: State REQsent
*Mar 1 08:59:10.461: ppp4 LCP: O CONFREQ [REQsent] id 2 len 15
*Mar 1 08:59:10.461: ppp4 LCP: AuthProto MS-CHAP (0x0305C22380)
*Mar 1 08:59:10.465: ppp4 LCP: MagicNumber 0x0B31185F (0x05060B31185F)
*Mar 1 08:59:10.545: ppp4 LCP: I CONFACK [REQsent] id 2 len 15
*Mar 1 08:59:10.545: ppp4 LCP: AuthProto MS-CHAP (0x0305C22380)
*Mar 1 08:59:10.545: ppp4 LCP: MagicNumber 0x0B31185F (0x05060B31185F)
*Mar 1 08:59:10.589: ppp4 LCP: I CONFREQ [ACKrcvd] id 1 len 21
*Mar 1 08:59:10.593: ppp4 LCP: MRU 1400 (0x01040578)
*Mar 1 08:59:10.593: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.593: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.593: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.597: ppp4 LCP: Callback 6 (0x0D0306)
*Mar 1 08:59:10.597: ppp4 LCP: O CONFREJ [ACKrcvd] id 1 len 7
*Mar 1 08:59:10.597: ppp4 LCP: Callback 6 (0x0D0306)
*Mar 1 08:59:10.673: ppp4 LCP: I CONFREQ [ACKrcvd] id 2 len 18
*Mar 1 08:59:10.673: ppp4 LCP: MRU 1400 (0x01040578)
*Mar 1 08:59:10.673: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.677: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.677: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.677: ppp4 LCP: O CONFNAK [ACKrcvd] id 2 len 8
*Mar 1 08:59:10.681: ppp4 LCP: MRU 1500 (0x010405DC)
*Mar 1 08:59:10.753: ppp4 LCP: I CONFREQ [ACKrcvd] id 3 len 18
*Mar 1 08:59:10.753: ppp4 LCP: MRU 1400 (0x01040578)
*Mar 1 08:59:10.753: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.757: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.757: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.757: ppp4 LCP: O CONFNAK [ACKrcvd] id 3 len 8
*Mar 1 08:59:10.757: ppp4 LCP: MRU 1500 (0x010405DC)
*Mar 1 08:59:10.833: ppp4 LCP: I CONFREQ [ACKrcvd] id 4 len 18
*Mar 1 08:59:10.837: ppp4 LCP: MRU 1500 (0x010405DC)
*Mar 1 08:59:10.837: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.837: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.837: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.841: ppp4 LCP: O CONFACK [ACKrcvd] id 4 len 18
*Mar 1 08:59:10.841: ppp4 LCP: MRU 1500 (0x010405DC)
*Mar 1 08:59:10.841: ppp4 LCP: MagicNumber 0x360D64B6 (0x0506360D64B6)
*Mar 1 08:59:10.841: ppp4 LCP: PFC (0x0702)
*Mar 1 08:59:10.845: ppp4 LCP: ACFC (0x0802)
*Mar 1 08:59:10.845: ppp4 LCP: State is Open
*Mar 1 08:59:10.845: ppp4 PPP: Phase is AUTHENTICATING, by this end
*Mar 1 08:59:10.849: ppp4 MS-CHAP: O CHALLENGE id 1 len 22 from "Cisco827H"
*Mar 1 08:59:10.933: ppp4 LCP: I IDENTIFY [Open] id 5 len 18 magic 0x360D64B6 MSRASV5.10
*Mar 1 08:59:10.941: ppp4 LCP: I IDENTIFY [Open] id 6 len 24 magic 0x360D64B6 MSRAS-0-MOZ-LPXP
*Mar 1 08:59:10.957: ppp4 MS-CHAP: I RESPONSE id 1 len 63 from "Cisco827H"
*Mar 1 08:59:10.961: ppp4 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 08:59:10.961: ppp4 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 1 08:59:10.965: ppp4 PPP: Sent MSCHAP LOGIN Request
*Mar 1 08:59:11.133: ppp4 PPP: Received LOGIN Response PASS
*Mar 1 08:59:11.133: ppp4 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 08:59:11.285: Vi5.1 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar 1 08:59:11.285: Vi5.1 MS-CHAP: O SUCCESS id 1 len 4
*Mar 1 08:59:11.289: Vi5.1 PPP: Phase is UP
*Mar 1 08:59:11.289: Vi5.1 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 08:59:11.289: Vi5.1 IPCP: Address 10.10.11.50 (0x03060A0A0B32)
*Mar 1 08:59:11.293: Vi5.1 PPP: Process pending packets
*Mar 1 08:59:13.277: Vi5.1 IPCP: TIMEout: State REQsent
*Mar 1 08:59:13.277: Vi5.1 IPCP: O CONFREQ [REQsent] id 2 len 10
*Mar 1 08:59:13.277: Vi5.1 IPCP: Address 10.10.11.50 (0x03060A0A0B32)
*Mar 1 08:59:13.605: Vi5.1 MS-CHAP: I RESPONSE id 1 len 63 from "Cisco827H"
*Mar 1 08:59:13.605: Vi5.1 MS-CHAP: O SUCCESS id 1 len 4
*Mar 1 08:59:15.293: Vi5.1 IPCP: TIMEout: State REQsent
*Mar 1 08:59:15.293: Vi5.1 IPCP: O CONFREQ [REQsent] id 3 len 10
*Mar 1 08:59:15.293: Vi5.1 IPCP: Address 10.10.11.50 (0x03060A0A0B32)
*Mar 1 08:59:16.609: Vi5.1 MS-CHAP: I RESPONSE id 1 len 63 from "Cisco827H"
*Mar 1 08:59:16.609: Vi5.1 MS-CHAP: O SUCCESS id 1 len 4
827H IOS
Using 2789 out of 131072 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco827H
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authentication ppp local local
aaa authorization network default local
aaa authorization network groupauthor local
aaa session-id common
enable secret xxxxx
!
username xxxx password xxxxx
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
interface Loopback0
ip address 10.10.11.50 255.255.255.0
!
interface Ethernet0
ip address 10.10.10.50 255.255.255.0
ip nat inside
no ip mroute-cache
hold-queue 100 out
!
interface Virtual-Template1
ip unnumbered Loopback0
ip mroute-cache
no keepalive
peer default ip address pool 801-Group-2
ppp max-bad-auth 3
ppp encrypt mppe auto
ppp authentication ms-chap
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address x.x.x.x
ip access-group 112 in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxx
ppp chap password xxxx
ppp pap sent-username xxxxxpassword xxxx
hold-queue 224 in
!
ip local pool vpnclient-pool 10.10.11.180 10.10.11.199
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
ip nat inside source static tcp 10.10.10.1 3389 interface Dialer1 3389
ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
ip nat inside source static tcp 10.10.10.50 23 interface Dialer1 23
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
!
logging trap debugging
logging 10.10.10.1
access-list 105 deny ip 10.10.10.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
radius-server retransmit 3
radius-server authorization permit missing Service-Type
!
line con 0
password xxxx
stopbits 1
line vty 0 4
exec-timeout 120 0
password xxxx
length 0
!
scheduler max-task-time 5000
end
05-29-2003 09:05 PM
Hi
A couple of things I am seeing in your configuration: the virtual template is using the loopback interface, and access-group 112 is applied to the dialer interface, but no access list 112 is defined.
You might want to point your virtual template to the dialer interface, and add access list 112; you will need to allow TCP port 1723 and GRE. GRE is part of PPTP and the encryption is MPPE.
Hope it helps
05-29-2003 11:00 PM
I did start with an access-list 112 as below, but it didn't work so I removed the access list. I've now removed the access-group 112 in command from Dialer1.
I've tried it with the virtual template unnumbered to Dialer1, but it's still the same. I've also noticed that I'm getting a memory error.
*Mar 1 00:03:05.459: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x804D89E8 reading 0x21C
access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any echo
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any traceroute
access-list 112 permit icmp any any unreachable
access-list 112 permit udp any eq bootps any eq bootpc
access-list 112 permit udp any eq bootps any eq bootps
access-list 112 permit udp any eq domain any
access-list 112 permit esp any any
access-list 112 permit udp any any eq isakmp
access-list 112 permit udp any any eq 10000
access-list 112 permit tcp any any eq 1723
access-list 112 permit gre any any
access-list 112 deny ip any any
06-03-2003 10:01 PM
I've upgraded the 827H to 12.2(11) and it works fine.