ASR 1002 VPDN PPTP problem

Dima Dvorcovoy
Level 1

I have an ASR and want to configure it as a VPN server.

=Device:=

cisco ASR1002-X (2RU-X) processor (revision 2KP) with 3746359K/6147K bytes of memory.
Processor board ID FOX2449P4F0

=IOS:=

Cisco IOS XE Software, Version 17.05.01a
Cisco IOS Software [Bengaluru], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.5.1a, RELEASE SOFTWARE (fc3)

=Configuration=

aaa authentication ppp RADCIT group radius
!

vpdn-group pptp
description pptp loopback
accept-dialin
protocol any
virtual-template 2
source-ip 10.149.88.1
no l2tp tunnel authentication
!

license udi pid ASR1002-X sn JAE25090EE4

ip local pool vpn-pool 10.149.88.2 10.149.88.254

!

interface Virtual-Template2
description test pptp
ip unnumbered Loopback1
peer default ip address pool vpn-pool
ppp authentication chap ms-chap-v2 ms-chap RADCIT
!

interface Loopback1
description VPDN target
ip address 10.149.88.1 255.255.255.0
!

radius server CIT
address ipv4 1.2.3.4 auth-port 1812 acct-port 1813
key 7 **************
!
=Problem=

I CAN establish a connection successfully.

who ...

Interface User Mode Idle Peer Address
Vi2.1 dvorc PPPoVPDN - 10.149.88.6

show vpdn session

PPTP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Intf Username State Last Chg Uniq ID
13388 31757 10395 Vi2.1 dvorc estabd 01:54:06 10

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.0.0.1
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.0.0.0/9 is directly connected, GigabitEthernet0/0/0
L 10.8.8.8/32 is directly connected, GigabitEthernet0/0/0
C 10.149.88.0/24 is directly connected, Loopback1
L 10.149.88.1/32 is directly connected, Loopback1
C 10.149.88.6/32 is directly connected, Virtual-Access2.1


But I can't pass any data to this interface. I turned on ICMP debug and did a traceroute to 10.132.0.1 from the client.
I see:

Dec 10 11:05:54: ICMP: time exceeded (time to live) sent to 10.149.88.6 (dest was 10.132.0.1), topology BASE, dscp 0 topoid 0
Dec 10 11:05:57: ICMP: time exceeded (time to live) sent to 10.149.88.6 (dest was 10.132.0.1), topology BASE, dscp 0 topoid 0
And no incoming packets on client PC ppp interface ever.

14 Replies

Hello,

Which VPN client (native Windows 10/11, AnyConnect) are you using? Try changing the ip unnumbered in your Virtual-Template from Loopback1 to the actual WAN interface...

Windows 7/64 native, security: PPTP, no crypt, chap, net: ip4 only, no default gw, auto metrics

The problem is I have to use IP address not connected to any real providers, because they are changing.

Dima Dvorcovoy
Level 1

Tried:
!
interface GigabitEthernet0/0/0
description CONNECTION
ip address 10.149.88.1 255.255.255.0 secondary
ip address 10.8.8.8 255.128.0.0
negotiation auto
crypto map VPNS
end

interface Virtual-Template2
description test pptp
ip unnumbered GigabitEthernet0/0/0
peer default ip address pool vpn-pool
ppp authentication chap ms-chap-v2 ms-chap RADCIT
end
----
Exactly the same result.

Dima Dvorcovoy
Level 1

Dec 10 12:47:28: IP: tableid=0, s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0) nexthop=10.0.0.1, routed via FIB
Dec 10 12:47:28: IP: s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0), len 60, output feature, feature skipped, IPSec output classification(36), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Dec 10 12:47:28: IP: s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0), len 60, output feature, feature skipped, IPSec: to crypto engine(85), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Dec 10 12:47:28: IP: s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0), len 60, output feature, feature skipped, Post-encryption output features(86), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Dec 10 12:47:28: IP: s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0), g=10.0.0.1, len 60, forward
Dec 10 12:47:28: IP: s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0), len 60, pre-encap feature, feature skipped, IPSec Output Encap(1), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Dec 10 12:47:28: IP: s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0), len 60, pre-encap feature, feature skipped, Crypto Engine(3), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Border-New#
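As an added check (not code from the thread or from Cisco), a small Python parser over debug lines of the "IP: s=... (ingress), d=... (egress), ..., forward" shape quoted above. It flags VPN clients whose packets are forwarded out of a Virtual-Access interface while no packet is ever forwarded back to one, which is exactly the one-way symptom described in this thread. The sample lines, the second client 10.149.88.20 and its return packet are constructed.

```python
import re

# Shape of the IOS "debug ip packet" lines quoted in the thread. Only lines
# whose verdict is "forward" actually left the router; the "output feature,
# feature skipped" lines are bookkeeping and are ignored.
LINE_RE = re.compile(
    r"IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<out_if>[^)]+)\).*?, (?P<verdict>forward|drop|rcvd)\b"
)

def parse_forwarded(lines):
    """Return (src, dst, ingress_if, egress_if) for every line marked 'forward'."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("verdict") == "forward":
            flows.append((m.group("src"), m.group("dst"),
                          m.group("in_if"), m.group("out_if")))
    return flows

def find_one_way_clients(lines, client_prefix="10.149.88."):
    """Clients seen sending via a Virtual-Access interface for which no packet
    is ever forwarded back toward a Virtual-Access interface."""
    out_seen, back_seen = set(), set()
    for src, dst, in_if, out_if in parse_forwarded(lines):
        if src.startswith(client_prefix) and in_if.startswith("Virtual-Access"):
            out_seen.add(src)
        if dst.startswith(client_prefix) and out_if.startswith("Virtual-Access"):
            back_seen.add(dst)
    return sorted(out_seen - back_seen)

# Constructed sample: the outbound lines from the thread for 10.149.88.16 plus a
# constructed healthy client 10.149.88.20 that does get a return packet.
SAMPLE = """\
Dec 10 12:47:28: IP: tableid=0, s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0) nexthop=10.0.0.1, routed via FIB
Dec 10 12:47:28: IP: s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0), len 60, output feature, feature skipped, IPSec output classification(36), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Dec 10 12:47:28: IP: s=10.149.88.16 (Virtual-Access2.1), d=10.132.0.1 (GigabitEthernet0/0/0), g=10.0.0.1, len 60, forward
Dec 10 12:47:29: IP: s=10.149.88.20 (Virtual-Access2.2), d=10.132.0.1 (GigabitEthernet0/0/0), g=10.0.0.1, len 60, forward
Dec 10 12:47:29: IP: s=10.132.0.1 (GigabitEthernet0/0/0), d=10.149.88.20 (Virtual-Access2.2), len 60, forward
""".splitlines()

if __name__ == "__main__":
    print(find_one_way_clients(SAMPLE))  # ['10.149.88.16']
```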

Hello,

Not good. Can you post your full running config (so I can see the crypto stuff)?

Remains from an l2tp test. But I need pptp.

---
Border-New(config)#int g0/0/0
Border-New(config-if)#no crypto map
----

Same result. Do I have to remove it completely?

Hello,

Not sure what you mean...

Either way, post the full output of:

sh run

Dima Dvorcovoy
Level 1

!
! Last configuration change at 12:09:34 MST Fri Dec 10 2021
! NVRAM config last updated at 23:58:38 MST Thu Dec 9 2021 by dimad
!
version 17.5
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service internal
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Border-New
!
boot-start-marker
boot system flash bootflash:asr1002x-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login LDAPCITL group ldap
aaa authentication enable default none
aaa authentication ppp default local
aaa authentication ppp RADCIT group radius
aaa authentication ppp LDAPCIT group ldap
aaa authentication ppp FREE none
aaa authorization network FREE none
aaa authorization network LDAPCIT group ldap
!
!
!
!
!
!
aaa session-id common
aaa policy interface-config allow-subinterface
clock timezone MST 3 0
clock calendar-valid
ip address-pool local
!
!
!
!
!
!
!
!
!
ip name-server 10.0.0.20 10.0.0.21
ip domain name bsu
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
description loopback vpdn
accept-dialin
protocol l2tp
virtual-template 1
source-ip 10.8.8.8
no l2tp tunnel authentication
!
vpdn-group pptp
description pptp loopback
accept-dialin
protocol any
virtual-template 2
source-ip 10.149.88.1
no l2tp tunnel authentication
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1326173215
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1326173215
revocation-check none
rsakeypair TP-self-signed-1326173215
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint border
enrollment pkcs12
revocation-check crl
rsakeypair border
!
crypto pki trustpoint vpn
enrollment pkcs12
fqdn vpn.test.bsu
revocation-check crl
rsakeypair vpn
!
!
!
crypto pki certificate map CITUSER 1
issuer-name co "cn = bsu ad class 1 issuing subca 1"
!
crypto pki certificate map CITUSER 2
subject-name co "cn = inet, cn = bsu, cn = by"
!
crypto pki certificate chain TP-self-signed-1326173215
certificate self-signed 01
...
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
...
quit
crypto pki certificate chain border
certificate 5C000588618141251DDDD21FC3000200058861
...
quit
certificate ca 3C00000009DDDD8721FEDA5261000100000009
...
quit
crypto pki certificate chain vpn
certificate 5C000597F61935428B2A11F4230002000597F6
... quit
certificate ca 3C00000009DDDD8721FEDA5261000100000009
... quit
!
!
http client secure-trustpoint bsu
license udi pid ASR1002-X sn JAE25090EE4
memory free low-watermark processor 374622
!
!
spanning-tree extend system-id
diagnostic bootup level minimal
!
username dimad privilege 15 password 7 **************
username vpn nopassword type network-user
!
redundancy
mode none
!
!
!
!
!
!
cdp run
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encryption aes 256
group 20
!
crypto isakmp policy 11
encryption aes 256
authentication pre-share
group 20
crypto isakmp key ****** address 0.0.0.0 no-xauth
crypto isakmp identity dn
crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 3600
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group CREM
pool vpn-pool
crypto isakmp profile VPN_CLIENT
ca trust-point vpn
match certificate CITUSER
client configuration group CREM
!
!
crypto ipsec transform-set TL2TP7 esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map DMAP 10
set transform-set TL2TP7
!
crypto dynamic-map VPDNC 1
set transform-set TL2TP7
set isakmp-profile VPN_CLIENT
reverse-route
qos pre-classify
!
!
crypto map CMAP 10 ipsec-isakmp dynamic DMAP
!
crypto map VPNS client configuration address respond
crypto map VPNS 10 ipsec-isakmp dynamic VPDNC
!
!
!
!
!
!
!
!
interface Loopback1
description VPDN target
ip address 10.149.88.1 255.255.255.0
!
interface GigabitEthernet0/0/0
description CONNECTION
ip address 10.8.8.8 255.128.0.0
negotiation auto
crypto map VPNS
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface TenGigabitEthernet0/1/0
no ip address
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.0.0.5 255.128.0.0
negotiation auto
!
interface Virtual-Template1
description l2tp
ip unnumbered Loopback1
peer default ip address pool vpn-pool
ppp authentication pap LDAPCIT
!
interface Virtual-Template2
description test pptp
ip unnumbered Loopback1
peer default ip address pool vpn-pool
ppp authentication chap ms-chap-v2 ms-chap RADCIT
!
router ospf 10
router-id 10.88.88.88
area 0 range 10.0.0.0 255.0.0.0
!
ip local pool vpn-pool 10.149.88.2 10.149.88.254
ip default-gateway 10.0.0.1
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint border
ip forward-protocol nd
!
ip tftp source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.0.0.1
ip ssh server certificate profile
server
trustpoint sign vpn
!
ip access-list extended ACRYL
20 permit ip 10.0.0.0 0.255.255.255 host 10.149.88.1
!
!
!
!
!
ldap attribute-map CIT
map type sAMAccountName username
!
ldap server CIT
ipv4 10.0.0.65
attribute map CIT
bind authenticate root-dn CN=******,CN=users,DC=inet,DC=bsu,DC=by password 7 *****
base-dn DC=inet,DC=bsu,DC=by
search-type nested
search-filter user-object-type user)(|(memberof=cn=VPN,cn=users,dc=inet,dc=bsu,dc=by)(memberof=cn=VPN_Cabinet,cn=users,dc=inet,dc=bsu,dc=by)
mode secure
!
!
radius server CIT
address ipv4 10.0.0.75 auth-port 1812 acct-port 1813
key 7 *******
!
!
control-plane
!
!
!
!
!
banner login --- 10G ---
!
line con 0
stopbits 1
line aux 0
line vty 0 4
session-timeout 3600
privilege level 15
session-disconnect-warning 3000
transport input all
line vty 5 15
session-timeout 3600
privilege level 15
session-disconnect-warning 3000
transport input all
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server 10.0.0.65
ntp server vrf Mgmt-intf 10.149.8.2
!
!
!
!
!
!
!
end

Dima Dvorcovoy
Level 1

Version without L2TP

Building configuration...

Current configuration : 21976 bytes
!
! Last configuration change at 17:01:07 MST Fri Dec 10 2021 by dimad
! NVRAM config last updated at 23:58:38 MST Thu Dec 9 2021 by dimad
!
version 17.5
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service internal
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Border-New
!
boot-start-marker
boot system flash bootflash:asr1002x-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp RADCIT group radius
!
aaa session-id common
aaa policy interface-config allow-subinterface
clock timezone MST 3 0
clock calendar-valid
ip address-pool local
ip name-server 10.0.0.20 10.0.0.21
ip domain name bsu
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group pptp
description pptp loopback
accept-dialin
protocol any
virtual-template 2
source-ip 10.8.8.8
no l2tp tunnel authentication
!
!
!
license udi pid ASR1002-X sn JAE25090EE4
memory free low-watermark processor 374622
!
!
spanning-tree extend system-id
diagnostic bootup level minimal
!
username dimad privilege 15 password 7 ***************
!
redundancy
mode none
!
cdp run
!
!
interface GigabitEthernet0/0/0
description CONNECTION
ip address 10.8.8.8 255.128.0.0
negotiation auto
!
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.0.0.5 255.128.0.0
negotiation auto
!
interface Virtual-Template2
description test pptp
ip address 10.149.88.1 255.255.255.0
no ip unreachables
load-interval 30
peer default ip address pool vpn-pool
ppp authentication chap ms-chap-v2 ms-chap RADCIT
ip virtual-reassembly
!
!
ip local pool vpn-pool 10.149.88.2 10.149.88.254
ip default-gateway 10.0.0.1
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint border
ip forward-protocol nd
!
ip tftp source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.0.0.1
ip ssh server certificate profile
server
trustpoint sign vpn
!
ip access-list extended ACRYL
20 permit ip 10.0.0.0 0.255.255.255 host 10.149.88.1
!
ip access-list extended 111
10 permit icmp any any
!
!
!
!
ldap attribute-map CIT
map type sAMAccountName username
!
radius server CIT
address ipv4 ********* auth-port 1812 acct-port 1813
key 7 *************
!
!
control-plane
!
banner login ^C--- 10G ---^C
!
line con 0
stopbits 1
line aux 0
line vty 0 4
session-timeout 3600
privilege level 15
session-disconnect-warning 3000
transport input all
line vty 5 15
session-timeout 3600
privilege level 15
session-disconnect-warning 3000
transport input all
!
call-home
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server 10.0.0.65
ntp server vrf Mgmt-intf 10.149.8.2
!

Hello,

It is getting a bit confusing since you are sending different versions of your configuration. Either way, are your VPN client PCs (the Windows 7 PCs) able to ping the Loopback1 IP address?

In any case, take out the line:

ip default-gateway 10.0.0.1

I put different versions I tried, and all with the same result: connection established, IP issued, ping FROM the client to the remote device is delivered to that device, responses are accepted and the packets are delivered to this ASR, but there ARE NO INCOMING PACKETS on the client.

I think there is some bug in the IP tunneling encapsulation process. What debug do I have to turn on to check it?

Can you give me a working sample of PPTP server configuration? Just simple pptp, no crypto-certificates-accounting etc.

Hello,

Your config looks fine. I have a feeling that the problem is related to the Windows 7 client, which is obviously rather outdated. What if you enable split tunneling as described in the short video linked below (provided of course you are using the default, which is a full VPN tunnel)...

https://www.youtube.com/watch?v=La4YX-8BnAo

I am very angry when somebody gives me "priceless" advice like this. No, most of our clients are Windows 7, or even XP. If you are willing to donate some thousands of computers to our University, I can give you contacts.
And more: if you want to say something, please do it in text form. No video clips, rock music ballads, 3D presentations, abstract paintings. Just some words.

Hello,

--> Can you give me a working sample of PPTP server configuration? Just simple pptp, no crypto-certificates-accounting etc.

PPTP is not supported at all on the ASR 1000 series.

Check the link below, there is a 'Note' at the bottom of Figure 1:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/vpdn/configuration/xe-16-7/vpd-xe-16-7-book/vpd-tech-overview.html#GUID-9E050FF0-D421-423F-AF68-B7CDA2B22D4B
