04-11-2003 04:39 PM - edited 02-21-2020 12:28 PM
When I try to connect from a remote workstation [Win2k] these are the error messages I get. It looks like it creates the tunnel, then tears it down.
What am I doing wrong?
......................
PPTP Tunnel created, tunnel_id is 12, remote_peer_ip is 4.xx.xxx.xxx, ppp_virtual_interface_id is 1, client_dynamic_ip is 192.168.26.1, username is , MPPE_key_strength is None
PPTP Tunnel deleted, tunnel_id = 12, remote_peer_ip = 4.xx.xxx.xxx
...........
I don't have 3DES but I do have DES enabled:
0: ethernet0: address is 000b.be57.6441, irq 9
1: ethernet1: address is 000b.be57.6442, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10
Here is some of my config:
vpdn group vpn_work accept dialin pptp
vpdn group vpn_work ppp authentication chap
vpdn group vpn_work ppp authentication mschap
vpdn group vpn_work ppp encryption mppe 40
vpdn group vpn_work client configuration address local vpdnpool
vpdn group vpn_work client configuration dns xx.xx.xxx.xx
vpdn group vpn_work pptp echo 60
vpdn group vpn_work client authentication local
vpdn username **** password ********
vpdn enable outside
............................................................................
access-list 101 permit tcp any host <outside interface address> eq 1723
access-list 101 permit gre any host <outside interface address>
sysopt connection permit-pptp
access-group 101 in interface inside
Any help would be appreciated.
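The create/delete pair in the syslog above can be read mechanically. The following Python is an added example, not code from the original post or from Cisco: it parses the two PIX message formats quoted above, pairs them by tunnel_id, and reports the two fields that explain the teardown, an empty username and MPPE_key_strength None. The sample lines are constructed to match the quoted format, with placeholder addresses in place of the poster's masked ones.

```python
import re
from collections import OrderedDict

# Constructed sample lines, modelled on the PIX syslog format quoted in the
# thread; addresses are documentation placeholders, not the poster's.
SAMPLE_LOG = """\
PPTP Tunnel created, tunnel_id is 12, remote_peer_ip is 198.51.100.7, ppp_virtual_interface_id is 1, client_dynamic_ip is 192.168.26.1, username is , MPPE_key_strength is None
PPTP Tunnel deleted, tunnel_id = 12, remote_peer_ip = 198.51.100.7
PPTP Tunnel created, tunnel_id is 13, remote_peer_ip is 198.51.100.9, ppp_virtual_interface_id is 2, client_dynamic_ip is 192.168.26.2, username is alice, MPPE_key_strength is 40
"""

# Field names follow the log text; 'user' may legitimately be empty, as in the thread.
CREATED = re.compile(
    r"PPTP Tunnel created, tunnel_id is (?P<tid>\d+), remote_peer_ip is (?P<peer>\S+), "
    r"ppp_virtual_interface_id is (?P<vif>\d+), client_dynamic_ip is (?P<cip>\S+), "
    r"username is (?P<user>.*?), MPPE_key_strength is (?P<mppe>\S+)"
)
DELETED = re.compile(
    r"PPTP Tunnel deleted, tunnel_id = (?P<tid>\d+), remote_peer_ip = (?P<peer>\S+)"
)


def parse_line(line):
    """Return ('created', fields) or ('deleted', fields); None for unrelated lines."""
    m = CREATED.search(line)
    if m:
        return "created", m.groupdict()
    m = DELETED.search(line)
    if m:
        return "deleted", m.groupdict()
    return None


def correlate(log_text):
    """Pair each tunnel's create event with its delete event, keyed by tunnel_id."""
    tunnels = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind, f = ev
        rec = tunnels.setdefault(f["tid"], {"peer": f["peer"], "created": None, "deleted": False})
        if kind == "created":
            rec["created"] = f
        else:
            rec["deleted"] = True
    return tunnels


def diagnose(rec):
    """Explain a tunnel's fate from the fields the PIX logged at creation."""
    findings = []
    c = rec["created"]
    if c is None:
        return ["delete seen without a matching create"]
    if c["user"].strip() == "":
        findings.append("username empty: PPP authentication never completed")
    if c["mppe"] == "None":
        findings.append("MPPE_key_strength None: no encryption negotiated; "
                        "a Windows client set to require encryption drops the link")
    if not findings:
        findings.append("tunnel closed after a successful negotiation"
                        if rec["deleted"] else "tunnel up, no problems seen")
    return findings


def report(log_text):
    """Map tunnel_id -> list of findings for every tunnel in the log."""
    return {tid: diagnose(rec) for tid, rec in correlate(log_text).items()}


if __name__ == "__main__":
    for tid, findings in report(SAMPLE_LOG).items():
        print(tid, "->", "; ".join(findings))
```

Run it against a syslog export; a tunnel that is deleted with an empty username and MPPE_key_strength None never got past PPP negotiation, which is what the thread's replies then go on to diagnose.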
04-12-2003 11:51 AM
Hi.
> MPPE_key_strength is None
The remote client might be dropping the connections because there is no encryption, and W2K clients require encryption by default.
Try the following:
> vpdn group vpn_work ppp authentication chap
Remove the above line. Use MSCHAP only.
(MPPE encryption can work only with MSCHAP).
> vpdn group vpn_work ppp encryption mppe 40
Try this:
vpdn group vpn_work ppp encryption mppe 40 required
I recommend using Cisco IPSec VPN instead, for additional features and stronger authentication using both group authentication and XAUTH.
Yizhar
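The reply above boils down to three configuration checks: no CHAP alongside MPPE, the "required" keyword on the MPPE line, and (from the first post) the PPTP access-list bound to the interface where vpdn is enabled. The following Python linter is an added example, not from the thread or from Cisco: it parses the vpdn, access-list, access-group and sysopt lines of a PIX 6.x configuration and flags those three conditions. The two sample configs are constructed from the lines in the first post, with a placeholder outside address; treating only "mschap" as MPPE-capable authentication is this example's assumption.

```python
import re

# Constructed sample: the relevant lines from the first post, as originally posted.
BEFORE = """\
vpdn group vpn_work accept dialin pptp
vpdn group vpn_work ppp authentication chap
vpdn group vpn_work ppp authentication mschap
vpdn group vpn_work ppp encryption mppe 40
vpdn group vpn_work client configuration address local vpdnpool
vpdn group vpn_work client authentication local
vpdn enable outside
access-list 101 permit tcp any host 203.0.113.1 eq 1723
access-list 101 permit gre any host 203.0.113.1
sysopt connection permit-pptp
access-group 101 in interface inside
"""

# Constructed sample: the same lines after applying the advice in the reply.
AFTER = """\
vpdn group vpn_work accept dialin pptp
vpdn group vpn_work ppp authentication mschap
vpdn group vpn_work ppp encryption mppe 40 required
vpdn group vpn_work client configuration address local vpdnpool
vpdn group vpn_work client authentication local
vpdn enable outside
access-list 101 permit gre any host 203.0.113.1
access-list 101 permit tcp any host 203.0.113.1 eq pptp
sysopt connection permit-pptp
access-group 101 in interface outside
"""

MPPE_CAPABLE_AUTH = {"mschap"}  # assumption: only MS-CHAP derives MPPE keys


def parse(config_text):
    """Collect vpdn groups, vpdn-enabled interfaces, ACL entries and ACL bindings."""
    groups, ifaces, acls, bindings, sysopt_pptp = {}, set(), {}, {}, False
    for raw in config_text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["vpdn", "group"] and len(t) > 3:
            g = groups.setdefault(t[2], {"auth": set(), "mppe": None, "required": False})
            rest = t[3:]
            if rest[:2] == ["ppp", "authentication"] and len(rest) > 2:
                g["auth"].add(rest[2])
            elif rest[:3] == ["ppp", "encryption", "mppe"] and len(rest) > 3:
                g["mppe"] = rest[3]
                g["required"] = "required" in rest[4:]
        elif t[:2] == ["vpdn", "enable"] and len(t) > 2:
            ifaces.add(t[2])
        elif t[0] == "access-list" and len(t) > 3:
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group" and "interface" in t:
            bindings[t[t.index("interface") + 1]] = t[1]
        elif raw.strip() == "sysopt connection permit-pptp":
            sysopt_pptp = True
    return groups, ifaces, acls, bindings, sysopt_pptp


def acl_permits_pptp(entries):
    """True if the ACL permits both GRE and TCP/1723 (numeric or 'pptp' keyword)."""
    has_gre = any(e[0] == "permit" and e[1] == "gre" for e in entries)
    has_1723 = any(e[0] == "permit" and e[1] == "tcp" and e[-2:] in (["eq", "1723"], ["eq", "pptp"])
                   for e in entries)
    return has_gre and has_1723


def lint(config_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    groups, ifaces, acls, bindings, sysopt_pptp = parse(config_text)
    findings = []
    for name, g in groups.items():
        if g["mppe"] is None:
            continue
        for auth in sorted(g["auth"] - MPPE_CAPABLE_AUTH):
            findings.append(f"{name}: MPPE needs MS-CHAP; remove 'ppp authentication {auth}'")
        if not g["required"]:
            findings.append(f"{name}: 'ppp encryption mppe {g['mppe']}' lacks 'required'; "
                            "encryption is optional on the PIX side")
    for iface in ifaces:
        acl = bindings.get(iface)
        if not sysopt_pptp and (acl is None or not acl_permits_pptp(acls.get(acl, []))):
            findings.append(f"{iface}: vpdn enabled but neither 'sysopt connection permit-pptp' "
                            "nor an inbound ACL permits GRE and tcp/1723")
    for iface, acl in bindings.items():
        if iface not in ifaces and acl_permits_pptp(acls.get(acl, [])):
            findings.append(f"access-group {acl} is bound to '{iface}' but vpdn is enabled on "
                            f"{sorted(ifaces)}; PPTP clients arrive on the vpdn interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", lint(cfg) or ["clean"])
```

Feed it the output of "write terminal"; the "before" sample reproduces the first post's three problems and the "after" sample, which matches the corrected config posted later in the thread, comes back clean.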
04-12-2003 03:06 PM
Hi, I added those commands that you wrote and I still get the same error message in the syslog:
PPTP Tunnel created, tunnel_id is 66, remote_peer_ip is x.xx.xxx.xxx, ppp_virtual_interface_id is 1, client_dynamic_ip is xxx.xxx.x.x, username is , MPPE_key_strength is None
PPTP Tunnel deleted, tunnel_id = 66, remote_peer_ip = x.xx.xxx.xxx
Here is the complete config. I hope you can see something in that I'm doing wrong.
Thanks
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit gre any host xx.xx.xx.xxx
access-list 101 permit tcp any host xx.xx.xx.xxx eq pptp
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside xxx.xxx.x.xx
logging host inside xxx.xxx.x.xx
logging host inside xxx.xxx.x.xx
logging host inside xxx.xxx.x.xx
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside xxx.xxx.x.xx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpdnpool xxx.xxx.x.x-xxx.xxx.x.x
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h22
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.x.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside xxx.xxx.x.x pix631
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group vpn_work accept dialin pptp
vpdn group vpn_work ppp authentication mschap
vpdn group vpn_work ppp encryption mppe 40 required
vpdn group vpn_work client configuration address local vpdnpool
vpdn group vpn_work client configuration dns xx.xx.xx.xx
vpdn group vpn_work pptp echo 60
vpdn group vpn_work client authentication local
vpdn username **** password ********
vpdn enable outside
dhcpd address xxx.xxx.xx.x inside
dhcpd lease 8640000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:ad85d2e955c42720614c758445b6e32c
04-13-2003 04:30 PM
Are you trying to PPTP TO the PIX, or to a host inside it? It sort of looks like the latter, but you have configured the PIX to accept the connection with all the VPDN commands. Exactly what are you trying to do here?
If you're trying to get to a server on the inside of the PIX, remove all the vpdn commands. You'll need a one-to-one static translation for that inside host translated to a valid routable external IP address (you'll need to get one assigned from your ISP). Then allow the protocols through with an ACL, which you seem to have already done. Your clients will then need to connect to that valid IP address, which the PIX will forward through to the internal PPTP server.
If you're trying to PPTP TO the PIX, then you'll at least need a "nat 0" statement so you don't NAT the return traffic, although this won't solve your initial connection problem. Please follow http://www.cisco.com/warp/public/110/pptppix.html and see how you go, especially check your client settings because it seems that they're not matched to what you've configured on the PIX (encryption strength, encryption required, etc.).
04-14-2003 04:22 PM
I'm trying to PPTP to the PIX. I added the "nat 0" and still the same error.
I'm using the Microsoft client on Windows 2003 server. [although I observed the same behavior with a WIN2K pro and server]
I've deleted and recreated the connection more times than I can remember,
always using different options [there are really not a lot of different options].
Could it have anything to do with the fact that I'm coming from behind a PIX 515?
Or could it be the version I'm using, 6.3(1)? I have the PDM 3.0 beta version installed, but I do all the changes at the command line.
Thanks