11-08-2008 03:45 PM
Hello,
I am looking for assistance with the following sample configuration. My issue is that I am trying to use the native Windows XP/Vista vpn client behind a NAT device to connect to the Remote Access VPN. It works fine when the workstation has a "public" IP address in my lab scenario. Would appreciate any insights or assistance that I can get with this configuration:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 512000 debugging
no logging console
no logging monitor
!
clock timezone Eastern -5
aaa new-model
!
!
aaa authentication login default local enable
aaa authentication ppp default local
aaa authorization network default if-authenticated local
aaa session-id common
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip dhcp excluded-address 192.168.66.1 192.168.66.50
!
ip dhcp pool 33
network 192.168.66.0 255.255.255.0
default-router 192.168.66.1
!
ip audit po max-events 100
vpdn enable
!
vpdn-group tdcVPN
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
username dude password xxx
username test password xxx
!
!
!
!
crypto isakmp policy 13
encr 3des
authentication pre-share
group 2
crypto isakmp key tdcVPN_vpn!! address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set tdcset esp-3des ah-sha-hmac
mode transport
!
crypto dynamic-map tdc 13
set transform-set tdcset
!
!
!
!
crypto map tdcvpn 13 ipsec-isakmp dynamic tdc
!
!
interface Ethernet0/0
description WAN
ip address 10.179.79.2 255.255.255.252
ip nat outside
half-duplex
crypto map tdcvpn
!
interface Ethernet0/1
description LAN
ip address 192.168.66.1 255.255.255.0
ip nat inside
half-duplex
!
!
interface Virtual-Template1
ip unnumbered Ethernet0/1
peer default ip address pool vpnpool
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2
!
router eigrp 1
network 10.0.0.0
no auto-summary
!
ip local pool vpnpool 192.168.66.250 192.168.66.254
ip nat inside source list 10 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
access-list 10 permit 192.168.66.0 0.0.0.255
!
11-11-2008 06:26 AM
What is the config of the device the machine is behind?
It's easy to understand why the PC will work with a public IP. The device it is behind with a private IP needs to be NAT-T compliant, or you need to use IPsec over TCP or UDP.
HTH
11-11-2008 12:31 PM
A Linksys BEFW11S4 router with VPN passthrough for IPsec enabled. Client operating systems tested are XP SP3 and Vista Business. Neither works with the NATting.
11-30-2008 05:09 AM
Under the dynamic crypto map add the command 'set nat demux' and try that. I have a similar configuration and other than where you are pointing the authentication to (I am using an external Radius server) and pre-shared keys (I am using a certificate) that is the only difference I can see. I have tested my setup with Windows XP/2003 & Windows Mobile 5/6 clients behind a NAT router.
HTH
Andy
12-01-2008 07:22 AM
Is there any chance I could look at your configuration file? I have a version with "set nat demux" and that's not working. I know there must be some way to get this to work.
Thanks,
Matt
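As an added example (not code from any poster in this thread), a small checker that reads the crypto section of the configuration posted above and reports the settings that matter for an L2TP/IPsec client behind NAT: an AH transform (AH's integrity check covers the outer IP header that NAT rewrites, and NAT-T only encapsulates ESP), NAT-T explicitly disabled, and the missing 'set nat demux' that Andy suggested. The excerpt of the config is reproduced inline so the script runs offline.

```python
import re

# Constructed excerpt of the IOS configuration posted above (only the crypto
# lines relevant to the check are reproduced, with IOS-style indentation).
POSTED_CONFIG = """\
crypto isakmp policy 13
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set tdcset esp-3des ah-sha-hmac
 mode transport
crypto dynamic-map tdc 13
 set transform-set tdcset
crypto map tdcvpn 13 ipsec-isakmp dynamic tdc
"""

def parse_transform_sets(config):
    """Map each 'crypto ipsec transform-set NAME ...' line to its list of transforms."""
    pattern = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+?)\s*$", re.M)
    return {m.group(1): m.group(2).split() for m in pattern.finditer(config)}

def check_nat_readiness(config):
    """Return findings that would stop an L2TP/IPsec client behind NAT from connecting."""
    findings = []
    for name, transforms in parse_transform_sets(config).items():
        ah = [t for t in transforms if t.startswith("ah-")]
        if ah:
            # AH authenticates the outer IP header, so a NAT address/port rewrite
            # invalidates it; NAT-T (UDP encapsulation) carries ESP only.
            findings.append(f"transform-set {name}: {' '.join(ah)} requires AH, which NAT breaks")
        if not any(t.startswith("esp-") for t in transforms):
            findings.append(f"transform-set {name}: no ESP transform for NAT-T to encapsulate")
    if re.search(r"^no crypto ipsec nat-transparency udp-encapsulation", config, re.M):
        findings.append("global: NAT-T (UDP encapsulation) is explicitly disabled")
    if not re.search(r"^\s*set nat demux", config, re.M):
        findings.append("dynamic-map: 'set nat demux' (L2TP/IPsec NAT/PAT client support) missing")
    return findings

if __name__ == "__main__":
    for finding in check_nat_readiness(POSTED_CONFIG):
        print("FINDING:", finding)
```

On the posted excerpt the checker reports the AH transform and the missing 'set nat demux'; swapping ah-sha-hmac for esp-sha-hmac and adding the demux command clears both.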