892 Router PPTP VPN Help Please

damo007nz — Tue, 12 Mar 2019 03:52:19 GMT

Hello,

I've just been trying to configure my 892 router to accept PPTP connections (not passthrough but it being the PPTP server) but I'm continuously getting 619 errors. I've tried multiple different configurations and I'm just hitting a brick wall. I was hoping someone could take a quick look for me please.

I'm not the normal administrator of this appliance and have not set up anything other than setting up user2 & user3 along with the PPTP settings.

The parts i've mainly been changing are the " ip unnumbered GigabitEthernet0", I've been changin between that and VLAN1 as the interfaces I'm tying it to.

User3 & User4 are the two users I want to connect with. It might also be good to add I'm testing from a Windows 7 PC which can successfully make PPTP VPN's to other servers external to my current location, but they are all windows based, I have no cisco devices to test from. Also the end configuration this router will be used for voip phones to make pptp connections.

Here is the config (IP addresses and some information changed for anonimity purposes):

Current configuration : 9077 bytes

version 15.1

service timestamps debug datetime msec localtime

service timestamps log datetime localtime

service password-encryption

hostname Generic

boot-start-marker

boot-end-marker

logging buffered 51200

enable secret 4 jhfkdjgfdf87687f687g67yfdjhfjd

no aaa new-model

clock timezone ********

clock summer-time ****** recurring last Sun Sep 2:00 1 Sun Apr 3:

crypto pki token default removal timeout 0

ip source-route

ip cef

ip inspect udp idle-time 300

ip inspect tcp max-incomplete host 100 block-time 0

ip inspect name firewall tcp

ip inspect name firewall udp

ip inspect name firewall h323

ip inspect name firewall rcmd

ip inspect name firewall realaudio

ip inspect name firewall streamworks

ip inspect name firewall vdolive

ip inspect name firewall sqlnet

ip inspect name firewall tftp

ip inspect name firewall ftp

ip inspect name firewall icmp

ip inspect name firewall sip

ip inspect name firewall fragment maximum 256 timeout 1

ip inspect name firewall netshow

ip inspect name firewall rtsp

ip inspect name firewall pptp

ip inspect name firewall skinny

no ipv6 cef

multilink bundle-name authenticated

vpdn enable

vpdn-group 1

! Default PPTP VPDN group

accept-dialin

protocol pptp

virtual-template 1

l2tp tunnel timeout no-session 15

license udi pid CISCO892-K9 sn **************

username user1 privilege 15 secret 4 kjlghigyftuf867687ruygiygiyg

username user2 secret 4 fSpgIsbY.iggiyfiyyrtdd5768979yhjgjg

username user3 password 7 kgjggig876r5f6gi

username user4 password 7 khgvkhftuctcr577y9

track 100 ip sla 100 reachability

delay down 15 up 30

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

lifetime 28800

crypto isakmp key generic address 111.111.111.111

crypto ipsec transform-set generic esp-aes esp-sha-hmac

crypto map Connection1 10 ipsec-isakmp

set peer 111.111.111.111

set transform-set generic

match address 106

interface BRI0

no ip address

encapsulation hdlc

shutdown

isdn termination multidrop

interface FastEthernet0

no ip address

interface FastEthernet1

no ip address

interface FastEthernet2

no ip address

interface FastEthernet3

no ip address

interface FastEthernet4

no ip address

interface FastEthernet5

no ip address

interface FastEthernet6

no ip address

interface FastEthernet7

no ip address

interface FastEthernet8

description Net1

no ip address

duplex auto

speed auto

pppoe-client dial-pool-number 1

interface Virtual-Template1

ip unnumbered GigabitEthernet0

peer default ip address pool phonepptp

no keepalive

ppp encrypt mppe 128

ppp authentication ms-chap ms-chap-v2

interface GigabitEthernet0

description Net2

ip address 192.168.200.2 255.255.255.252

ip access-group 102 in

ip nat outside

ip inspect firewall out

ip virtual-reassembly in

duplex auto

speed auto

crypto map Connection1

interface Vlan1

description LAN

ip address 172.16.4.3 255.255.255.0

ip access-group 103 in

ip nat inside

ip virtual-reassembly in

ip policy route-map Connection2

interface Dialer1

description WAN1 Net1

mtu 1492

ip address negotiated

ip access-group 101 in

ip nat outside

ip inspect firewall out

ip virtual-reassembly in

encapsulation ppp

ip tcp adjust-mss 1440

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username generic password 7 ggkdfhdty6587676565

no cdp enable

ip local pool phonepptp 172.16.4.160 172.16.4.169

ip forward-protocol nd

no ip http server

no ip http secure-server

ip nat translation tcp-timeout 30

ip nat translation udp-timeout 30

ip nat translation icmp-timeout 30

ip nat inside source route-map Net2 interface GigabitEthernet0 overload

ip nat inside source route-map Net1 interface Dialer1 overload

ip nat inside source static tcp 172.16.4.205 25 192.168.200.2 25 extendable

ip nat inside source static tcp 172.16.4.205 443 192.168.200.2 443 extendable

ip nat inside source static tcp 172.16.4.205 587 192.168.200.2 587 extendable

ip nat inside source static tcp 172.16.4.204 3389 192.168.200.2 3389 extendable

ip route 0.0.0.0 0.0.0.0 192.168.200.1 10 track 100

ip route 0.0.0.0 0.0.0.0 Dialer1 251

ip route 10.0.0.0 255.255.255.0 172.16.4.19

ip route 100.30.40.1 255.255.255.255 192.168.200.1 permanent

ip access-list extended NSServices

permit tcp any any eq telnet

deny ip any any

ip sla 100

icmp-echo 100.30.40.1 source-interface GigabitEthernet0

threshold 500

timeout 500

frequency 5

ip sla schedule 100 life forever start-time now

access-list 2 remark Where management can be done from

access-list 2 permit 111.111.111.112

access-list 2 permit 172.16.4.0 0.0.0.255

access-list 101 remark Traffic allowed to enter the router from Net1 WAN

access-list 101 deny ip 0.0.0.0 0.255.255.255 any

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip 169.254.0.0 0.0.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.0.2.0 0.0.0.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 198.18.0.0 0.1.255.255 any

access-list 101 deny ip 224.0.0.0 0.15.255.255 any

access-list 101 deny ip any host 255.255.255.255

access-list 101 permit tcp host 111.111.111.112 any eq telnet

access-list 101 permit tcp any any eq 1723

access-list 101 permit gre any any

access-list 101 deny icmp any any echo

access-list 101 deny ip any any log

access-list 102 remark Traffic allowed to enter the router from Net2 WAN

access-list 102 deny ip 0.0.0.0 0.255.255.255 any

access-list 102 deny ip 10.0.0.0 0.255.255.255 any

access-list 102 deny ip 127.0.0.0 0.255.255.255 any

access-list 102 deny ip 169.254.0.0 0.0.255.255 any

access-list 102 deny ip 192.0.2.0 0.0.0.255 any

access-list 102 deny ip 192.168.0.0 0.0.255.255 any

access-list 102 deny ip 198.18.0.0 0.1.255.255 any

access-list 102 deny ip 224.0.0.0 0.15.255.255 any

access-list 102 deny ip any host 255.255.255.255

access-list 102 permit tcp host 111.111.111.112 any eq telnet

access-list 102 permit ip host 111.111.111.111 any

access-list 102 permit tcp any any eq smtp

access-list 102 permit tcp any any eq 587

access-list 102 permit tcp any any eq 443

access-list 102 permit tcp any any eq 3389

access-list 102 permit tcp any any eq 1723

access-list 102 permit tcp any any eq 500

access-list 102 permit udp any any eq isakmp

access-list 102 permit gre any any

access-list 102 permit icmp any any unreachable

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any packet-too-big

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any traceroute

access-list 102 permit icmp any any administratively-prohibited

access-list 102 permit icmp any any echo

access-list 102 deny ip any any log

access-list 103 remark Traffic allowed to enter the router from the Ethernet

access-list 103 permit ip any host 172.16.4.3

access-list 103 permit ip any 192.168.50.0 0.0.0.255

access-list 103 permit ip any 10.0.0.0 0.0.0.255

access-list 103 deny ip any host 172.16.4.255

access-list 103 deny udp any any eq tftp log

access-list 103 deny ip any 0.0.0.0 0.255.255.255 log

access-list 103 deny ip any 10.0.0.0 0.255.255.255 log

access-list 103 deny ip any 127.0.0.0 0.255.255.255 log

access-list 103 deny ip any 169.254.0.0 0.0.255.255 log

access-list 103 deny ip any 172.16.0.0 0.15.255.255 log

access-list 103 deny ip any 192.0.2.0 0.0.0.255 log

access-list 103 deny ip any 172.16.4 0.0.255.255 log

access-list 103 deny ip any 198.18.0.0 0.1.255.255 log

access-list 103 deny udp any any eq 135 log

access-list 103 deny tcp any any eq 135 log

access-list 103 deny udp any any eq netbios-ns log

access-list 103 deny udp any any eq netbios-dgm log

access-list 103 deny tcp any any eq 445 log

access-list 103 permit ip 172.16.4.0 0.0.0.255 any

access-list 103 permit ip any host 255.255.255.255

access-list 103 deny ip any any log

access-list 105 deny ip 172.16.4.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 105 permit ip 172.16.4.0 0.0.0.255 any

access-list 106 permit ip 172.16.4.0 0.0.0.255 192.168.50.0 0.0.0.255

route-map Net1 permit 10

match interface Dialer1

route-map Connection2 permit 10

match ip address NSServices

set interface Dialer1

route-map Net2 permit 10

match ip address 105

control-plane

mgcp profile default

line con 0

exec-timeout 120 0

password 7 ,jhgghdtye655687687

line aux 0

line vty 0 4

access-class 2 in

exec-timeout 120 0

password 7 jhhjftydrye534547656

transport input telnet ssh

end

topic 892 Router PPTP VPN Help Please in Network Security

892 Router PPTP VPN Help Please