06-10-2002 01:48 AM - edited 02-21-2020 11:47 AM
-- begin ciscomoderator note -- The following post has been edited to remove potentially confidential information. Since this was posted on a public forum, it is recommended that passwords be changed, including encrypted passwords. Please refrain from posting confidential information on the site to reduce the security risks involved. -- end ciscomoderator note --
Hi, I've got a problem here.
I'm setting up two PIX 501s with an L2TP connection between them; this part I got running in no time.
But when I try to configure one of them to also accept L2TP connections from the built-in VPN client in Win2k/XP, I can't figure out why it's not answering.
Can anyone help me?
This is my config file without the PIXtoPIX part:
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password --moderator edit-- encrypted
passwd --moderator edit-- encrypted
hostname --moderator edit--
domain-name lokalnett.hinfo.no
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 90 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 90 permit ip 10.1.1.0 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 23
interface ethernet0 10baset
interface ethernet1 10full
icmp permit 192.168.5.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside --moderator edit-- 255.255.255.0
ip address inside 192.168.5.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.1.1.1-10.1.1.254
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.5.1 255.255.255.255 inside
pdm location 192.168.5.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 --moderator edit-- 1
route outside 10.1.1.0 255.255.255.0 10.1.1.1 1
route outside 192.168.6.0 255.255.255.0 --moderator edit-- 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server hinfo protocol radius
aaa-server hinfo (inside) host 192.168.5.50 test timeout 10
aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 hinfo
aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 hinfo
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.5.1 255.255.255.255 inside
http 192.168.5.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside --moderator edit-- ciscoconfig.txt
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
no sysopt route dnat
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto ipsec transform-set basic mode transport
crypto dynamic-map cisco 4 set transform-set basic
crypto map tilkontor 20 ipsec-isakmp dynamic cisco
crypto map tilkontor interface outside
isakmp enable outside
isakmp key test address --moderator edit-- netmask 255.255.255.255
isakmp key test address --moderator edit-- netmask 255.255.255.0
isakmp key test address --moderator edit-- netmask 255.255.255.0
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication pap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.5.50
vpdn group 1 client configuration wins 192.168.5.50
vpdn group 1 client authentication aaa hinfo
vpdn group 1 client accounting hinfo
vpdn group 1 l2tp tunnel hello 60
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:1de641f15482cd9ffd061893517be20d
: end
And this is the working config for the PIXtoPIX VPN (with some NOT working vpdn stuff):
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password --moderator edit-- encrypted
passwd --moderator edit-- encrypted
hostname hinfopix1
domain-name lokalnett.hinfo.no
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 90 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 90 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 90 permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 90 permit ip 192.168.6.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 90 permit ip 10.1.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 90 permit ip host --moderator edit-- host --moderator edit--
access-list acl_out permit tcp any host --moderator edit-- eq telnet
access-list acl_out permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 70 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 20
interface ethernet0 10baset
interface ethernet1 10full
icmp permit 192.168.5.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside --moderator edit-- 255.255.255.0
ip address inside 192.168.5.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.1.1.1-10.1.1.254
ip local pool loclapool 192.168.7.1
ip local pool localpool 192.168.2.1
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.5.1 255.255.255.255 inside
pdm location 192.168.5.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 --moderator edit-- 1
route outside 10.1.1.0 255.255.255.0 10.1.1.1 1
route outside 192.168.6.0 255.255.255.0 --moderator edit-- 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server hinfo protocol radius
aaa-server hinfo (inside) host 192.168.5.50 test timeout 10
aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 hinfo
aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 hinfo
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.5.1 255.255.255.255 inside
http 192.168.5.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside --moderator edit-- ciscoconfig.txt
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto ipsec transform-set basic mode transport
crypto dynamic-map cisco 4 set transform-set basic
crypto map tilkontor 20 ipsec-isakmp
crypto map tilkontor 20 match address 90
crypto map tilkontor 20 set peer --moderator edit--
crypto map tilkontor 20 set transform-set strong
crypto map tilkontor 21 ipsec-isakmp dynamic cisco
crypto map tilkontor interface outside
isakmp enable outside
isakmp key test address --moderator edit-- netmask 255.255.255.255
netmask 255.255.255.0
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.5.50
vpdn group 1 client configuration wins 192.168.5.50
vpdn group 1 client authentication aaa hinfo
vpdn group 1 client accounting hinfo
vpdn group 1 l2tp tunnel hello 60
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:1de641f15482cd9ffd061893517be20d
: end
What am I doing wrong?
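The post's question is whether the L2TP/IPsec dial-in pieces of the PIX 6.x config fit together, so here is a small lint that checks the prerequisites this kind of setup depends on: ESP/L2TP bypassing the interface ACL (sysopt), ISAKMP, the crypto map and vpdn on the same interface, a dynamic crypto map entry carrying a transport-mode transform set (the Windows 2000/XP built-in client uses transport mode), a pre-shared key that matches clients arriving from unknown addresses, and a vpdn group that accepts L2TP and references an existing address pool. This is an added example, not code from the original post or from Cisco; the embedded sample config is constructed from the first config in the post, with the redacted values replaced by RFC 5737 placeholder addresses, and the check names are my own.

```python
"""Lint a PIX 6.x configuration for the pieces an L2TP-over-IPsec dial-in
from the Windows 2000/XP built-in client depends on.

Added example, not code from the original post or from Cisco.  The sample
config below is constructed from the first config in the post; redacted
values are replaced by RFC 5737 placeholder addresses.
"""
from typing import List

SAMPLE_CONFIG = """\
: Saved
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip local pool pptp-pool 10.1.1.1-10.1.1.254
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto ipsec transform-set basic mode transport
crypto dynamic-map cisco 4 set transform-set basic
crypto map tilkontor 20 ipsec-isakmp dynamic cisco
crypto map tilkontor interface outside
isakmp enable outside
isakmp key test address 192.0.2.1 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication pap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication aaa hinfo
vpdn enable outside
"""


def tokenize(config: str) -> List[List[str]]:
    """Split a config into token lists, dropping ': ...' comments and blank lines."""
    rows = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith(":"):
            rows.append(line.split())
    return rows


def lint_l2tp_ipsec(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    rows = tokenize(config)
    findings: List[str] = []

    def has(*prefix: str) -> bool:
        return any(r[: len(prefix)] == list(prefix) for r in rows)

    # 1. Tunnel traffic has to bypass the interface ACLs.
    for opt in ("permit-ipsec", "permit-l2tp"):
        if not has("sysopt", "connection", opt):
            findings.append(f"missing 'sysopt connection {opt}'")

    # 2. ISAKMP, the crypto map and vpdn must all sit on the same interface.
    isakmp_if = {r[2] for r in rows if r[:2] == ["isakmp", "enable"]}
    vpdn_if = {r[2] for r in rows if r[:2] == ["vpdn", "enable"]}
    map_if = {(r[2], r[4]) for r in rows
              if r[:2] == ["crypto", "map"] and len(r) > 4 and r[3] == "interface"}
    if not isakmp_if:
        findings.append("isakmp is not enabled on any interface")
    if not vpdn_if:
        findings.append("vpdn is not enabled on any interface")
    if not map_if:
        findings.append("no crypto map is applied to an interface")
    for name, iface in map_if:
        if iface not in isakmp_if or iface not in vpdn_if:
            findings.append(f"crypto map {name} is on {iface} but isakmp/vpdn are not")

    # 3. Clients arrive from unknown addresses, so the applied map needs a dynamic
    #    entry, and the dynamic map must offer a transport-mode transform set.
    transport_sets = {r[3] for r in rows
                      if r[:3] == ["crypto", "ipsec", "transform-set"]
                      and r[4:6] == ["mode", "transport"]}
    for name, _ in map_if:
        dyn = [r[r.index("dynamic") + 1] for r in rows
               if r[:3] == ["crypto", "map", name] and "dynamic" in r]
        if not dyn:
            findings.append(f"crypto map {name} has no dynamic entry")
        for d in dyn:
            sets = [s for r in rows
                    if r[:3] == ["crypto", "dynamic-map", d]
                    and r[4:6] == ["set", "transform-set"] for s in r[6:]]
            if not any(s in transport_sets for s in sets):
                findings.append(f"dynamic map {d} offers no transport-mode transform set")

    # 4. With pre-shared keys, a peer whose address matches no 'isakmp key' entry
    #    never completes phase 1; road warriors need the 0.0.0.0/0.0.0.0 entry.
    if any(r[:2] == ["isakmp", "policy"] and r[3:5] == ["authentication", "pre-share"]
           for r in rows):
        keys = [r for r in rows if r[:2] == ["isakmp", "key"] and len(r) >= 7]
        if not any(k[4] == "0.0.0.0" and k[6] == "0.0.0.0" for k in keys):
            findings.append("no wildcard pre-shared key for clients at unknown addresses")

    # 5. A vpdn group must accept l2tp dial-in, hand out addresses from a real
    #    pool and name a client authentication method.
    groups = {r[2] for r in rows
              if r[:2] == ["vpdn", "group"] and r[3:6] == ["accept", "dialin", "l2tp"]}
    if not groups:
        findings.append("no vpdn group accepts l2tp dial-in")
    pools = {r[3] for r in rows if r[:3] == ["ip", "local", "pool"]}
    for g in groups:
        pool = [r[7] for r in rows if r[:3] == ["vpdn", "group", g]
                and r[3:7] == ["client", "configuration", "address", "local"]]
        if not pool or pool[0] not in pools:
            findings.append(f"vpdn group {g} does not reference an existing ip local pool")
        if not any(r[:3] == ["vpdn", "group", g] and r[3:5] == ["client", "authentication"]
                   for r in rows):
            findings.append(f"vpdn group {g} has no client authentication method")
    return findings


if __name__ == "__main__":
    for finding in lint_l2tp_ipsec(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the missing wildcard pre-shared key: every `isakmp key` entry in the posted config names a specific peer address or subnet, so a dial-in client at an arbitrary address has no key to match. A wildcard entry fixes that but means all road-warrior clients share one group secret, so it should be long, unrelated to the site-to-site keys, and rotated; the lint deliberately does not check cipher strength (DES/MD5 in the `basic` set) because that is a policy decision rather than a reason the tunnel fails to come up.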
06-15-2002 02:53 PM
Oftentimes complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it's often difficult to do so for this type of issue.
To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
07-22-2002 06:25 AM
If you ever got your problems resolved with TAC help, please post the solution. It might benefit to many others.