PPTP VPN on a Cisco 2811

Fabio Francisco
Level 1

Hi Guys,

Can someone please advise what I am doing wrong? I'm trying to test one of our routers to use the PPTP protocol for VPN.

Please see below the config:

vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
l2tp tunnel timeout no-session 15

interface Virtual-Template1
ip nat inside
ip virtual-reassembly
peer default ip address pool POOL_IP
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap-v2 ms-chap
!
!
ip local pool POOL_IP 192.168.42.50 192.168.42.100

Running debug I am getting this:

NTCSYD2#sh debugging
PPP:
  PPP authentication debugging is on
  PPP protocol errors debugging is on
  PPP protocol negotiation debugging is on


NTCSYD2#
*Jan 18 23:43:21.855: PPP: Alloc Context [4670C550]
*Jan 18 23:43:21.859: ppp8 PPP: Phase is ESTABLISHING
*Jan 18 23:43:21.859: ppp8 PPP: Using vpn set call direction
*Jan 18 23:43:21.859: ppp8 PPP: Treating connection as a callin
*Jan 18 23:43:21.859: ppp8 PPP: Session handle[8] Session id[8]
*Jan 18 23:43:21.859: ppp8 LCP: Event[OPEN] State[Initial to Starting]
*Jan 18 23:43:21.859: ppp8 PPP LCP: Enter passive mode, state[Stopped]
*Jan 18 23:43:22.203: ppp8 LCP: I CONFREQ [Stopped] id 0 len 21
*Jan 18 23:43:22.207: ppp8 LCP:    MRU 1400 (0x01040578)
*Jan 18 23:43:22.207: ppp8 LCP:    MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.207: ppp8 LCP:    PFC (0x0702)
*Jan 18 23:43:22.207: ppp8 LCP:    ACFC (0x0802)
*Jan 18 23:43:22.207: ppp8 LCP:    Callback 6 (0x0D0306)
*Jan 18 23:43:22.207: ppp8 LCP: O CONFREQ [Stopped] id 1 len 15
*Jan 18 23:43:22.207: ppp8 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 18 23:43:22.207: ppp8 LCP:    MagicNumber 0x3710B12D (0x05063710B12D)
*Jan 18 23:43:22.207: ppp8 LCP: O CONFREJ [Stopped] id 0 len 7
*Jan 18 23:43:22.207: ppp8 LCP:    Callback 6 (0x0D0306)
*Jan 18 23:43:22.207: ppp8 LCP: Event[Receive ConfReq-] State[Stopped to REQsent]
*Jan 18 23:43:22.211: ppp8 LCP: I CONFACK [REQsent] id 1 len 15
*Jan 18 23:43:22.211: ppp8 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 18 23:43:22.211: ppp8 LCP:    MagicNumber 0x3710B12D (0x05063710B12D)
*Jan 18 23:43:22.211: ppp8 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
*Jan 18 23:43:22.211: ppp8 LCP: I CONFREQ [ACKrcvd] id 1 len 18
*Jan 18 23:43:22.211: ppp8 LCP:    MRU 1400 (0x01040578)
*Jan 18 23:43:22.211: ppp8 LCP:    MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.211: ppp8 LCP:    PFC (0x0702)
*Jan 18 23:43:22.211: ppp8 LCP:    ACFC (0x0802)
*Jan 18 23:43:22.211: ppp8 LCP: O CONFNAK [ACKrcvd] id 1 len 8
*Jan 18 23:43:22.211: ppp8 LCP:    MRU 1500 (0x010405DC)
*Jan 18 23:43:22.211: ppp8 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Jan 18 23:43:22.211: ppp8 LCP: I CONFREQ [ACKrcvd] id 2 len 18
*Jan 18 23:43:22.211: ppp8 LCP:    MRU 1400 (0x01040578)
*Jan 18 23:43:22.211: ppp8 LCP:    MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.211: ppp8 LCP:    PFC (0x0702)
*Jan 18 23:43:22.211: ppp8 LCP:    ACFC (0x0802)
*Jan 18 23:43:22.215: ppp8 LCP: O CONFNAK [ACKrcvd] id 2 len 8
*Jan 18 23:43:22.215: ppp8 LCP:    MRU 1500 (0x010405DC)
*Jan 18 23:43:22.215: ppp8 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Jan 18 23:43:22.215: ppp8 LCP: I CONFREQ [ACKrcvd] id 3 len 18
*Jan 18 23:43:22.215: ppp8 LCP:    MRU 1500 (0x010405DC)
*Jan 18 23:43:22.215: ppp8 LCP:    MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.215: ppp8 LCP:    PFC (0x0702)
*Jan 18 23:43:22.215: ppp8 LCP:    ACFC (0x0802)
*Jan 18 23:43:22.215: ppp8 LCP: O CONFACK [ACKrcvd] id 3 len 18
*Jan 18 23:43:22.215: ppp8 LCP:    MRU 1500 (0x010405DC)
*Jan 18 23:43:22.215: ppp8 LCP:    MagicNumber 0x48C56584 (0x050648C56584)
*Jan 18 23:43:22.215: ppp8 LCP:    PFC (0x0702)
*Jan 18 23:43:22.215: ppp8 LCP:    ACFC (0x0802)
*Jan 18 23:43:22.219: ppp8 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
*Jan 18 23:43:22.219: ppp8 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x48C56584MSRASV5.20
*Jan 18 23:43:22.219: ppp8 LCP: I IDENTIFY [Open] id 5 len 20 magic 0x48C56584MSRAS-0-MIS4
*Jan 18 23:43:22.219: ppp8 LCP: I IDENTIFY [Open] id 6 len 24 magic 0x48C56584qYGSQK'IGC"xKt6e
*Jan 18 23:43:22.239: ppp8 PPP: Phase is AUTHENTICATING, by this end
*Jan 18 23:43:22.239: ppp8 MS-CHAP-V2: O CHALLENGE id 1 len 28 from "NTCSYD2"
*Jan 18 23:43:22.239: ppp8 LCP: State is Open
*Jan 18 23:43:22.243: ppp8 MS-CHAP-V2: I RESPONSE id 1 len 67 from "administrator"
*Jan 18 23:43:22.243: ppp8 PPP: Phase is FORWARDING, Attempting Forward
*Jan 18 23:43:22.247: ppp8 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Jan 18 23:43:22.247: ppp8 PPP: Sent MSCHAP_V2 LOGIN Request
*Jan 18 23:43:22.251: ppp8 PPP: Received LOGIN Response FAIL
*Jan 18 23:43:22.255: ppp8 MS-CHAP-V2: O FAILURE id 1 len 13 msg is "E=691 R=0"
*Jan 18 23:43:22.255: ppp8 PPP DISC: User failed MSCHAP-V2 authentication
*Jan 18 23:43:22.255: ppp8 PPP: Sending Acct Event[Down] id[2A]
*Jan 18 23:43:22.255: ppp8 LCP: O TERMREQ [Open] id 2 len 4
*Jan 18 23:43:22.255: ppp8 LCP: Event[CLOSE] State[Open to Closing]
*Jan 18 23:43:22.255: ppp8 PPP: Phase is TERMINATING
*Jan 18 23:43:22.259: ppp8 LCP: I TERMACK [Closing] id 2 len 4
*Jan 18 23:43:22.259: ppp8 LCP: Event[Receive TermAck] State[Closing to Closed]
*Jan 18 23:43:22.259: ppp8 LCP: Event[DOWN] State[Closed to Initial]
*Jan 18 23:43:22.259: ppp8 PPP: Phase is DOWN

Any help would be extremely appreciated.

Cheers,

Fabio


10 Replies

jyoung
Level 1

It would appear that the users are failing to authenticate. What are you using to authenticate the users?  Do you have a default aaa authentication pool that is checking the ms-chap-v2 usernames against radius via AD?

Hi,

Thanks for your reply.

AAA authentication is local; it used to be:

aaa authentication ppp local

but now I changed it to:

aaa authentication login Users_DataBase local
aaa authentication ppp Users_DataBase local
aaa authorization network default if-authenticated

and I also edited the Virtual-Template interface:

interface Virtual-Template1
ip nat inside
ip virtual-reassembly
peer default ip address pool POOL_IP
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap-v2 ms-chap Users_DataBase

cheers,

Fabio

*Jan 19 02:51:53.423: PPP: Alloc Context [4670C550]
*Jan 19 02:51:53.423: ppp14 PPP: Phase is ESTABLISHING
*Jan 19 02:51:53.423: ppp14 PPP: Using AAA Unique Id = 58
*Jan 19 02:51:53.423: ppp14 PPP: Authorization required
*Jan 19 02:51:53.423: ppp14 PPP: Using vpn set call direction
*Jan 19 02:51:53.423: ppp14 PPP: Treating connection as a callin
*Jan 19 02:51:53.423: ppp14 PPP: Session handle[500000E] Session id[14]
*Jan 19 02:51:53.423: ppp14 LCP: Event[OPEN] State[Initial to Starting]
*Jan 19 02:51:53.423: ppp14 PPP LCP: Enter passive mode, state[Stopped]
*Jan 19 02:51:53.675: ppp14 LCP: I CONFREQ [Stopped] id 0 len 21
*Jan 19 02:51:53.675: ppp14 LCP:    MRU 1400 (0x01040578)
*Jan 19 02:51:53.675: ppp14 LCP:    MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.675: ppp14 LCP:    PFC (0x0702)
*Jan 19 02:51:53.675: ppp14 LCP:    ACFC (0x0802)
*Jan 19 02:51:53.675: ppp14 LCP:    Callback 6 (0x0D0306)
*Jan 19 02:51:53.675: ppp14 LCP: O CONFREQ [Stopped] id 1 len 15
*Jan 19 02:51:53.675: ppp14 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 19 02:51:53.675: ppp14 LCP:    MagicNumber 0x37BD5A09 (0x050637BD5A09)
*Jan 19 02:51:53.675: ppp14 LCP: O CONFREJ [Stopped] id 0 len 7
*Jan 19 02:51:53.675: ppp14 LCP:    Callback 6 (0x0D0306)
*Jan 19 02:51:53.675: ppp14 LCP: Event[Receive ConfReq-] State[Stopped to REQsent]
*Jan 19 02:51:53.679: ppp14 LCP: I CONFACK [REQsent] id 1 len 15
*Jan 19 02:51:53.679: ppp14 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 19 02:51:53.679: ppp14 LCP:    MagicNumber 0x37BD5A09 (0x050637BD5A09)
*Jan 19 02:51:53.679: ppp14 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
*Jan 19 02:51:53.679: ppp14 LCP: I CONFREQ [ACKrcvd] id 1 len 18
*Jan 19 02:51:53.679: ppp14 LCP:    MRU 1400 (0x01040578)
*Jan 19 02:51:53.679: ppp14 LCP:    MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.679: ppp14 LCP:    PFC (0x0702)
*Jan 19 02:51:53.679: ppp14 LCP:    ACFC (0x0802)
*Jan 19 02:51:53.679: ppp14 LCP: O CONFNAK [ACKrcvd] id 1 len 8
*Jan 19 02:51:53.679: ppp14 LCP:    MRU 1500 (0x010405DC)
*Jan 19 02:51:53.679: ppp14 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Jan 19 02:51:53.683: ppp14 LCP: I CONFREQ [ACKrcvd] id 2 len 18
*Jan 19 02:51:53.683: ppp14 LCP:    MRU 1400 (0x01040578)
*Jan 19 02:51:53.683: ppp14 LCP:    MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.683: ppp14 LCP:    PFC (0x0702)
*Jan 19 02:51:53.683: ppp14 LCP:    ACFC (0x0802)
*Jan 19 02:51:53.683: ppp14 LCP: O CONFNAK [ACKrcvd] id 2 len 8
*Jan 19 02:51:53.683: ppp14 LCP:    MRU 1500 (0x010405DC)
*Jan 19 02:51:53.683: ppp14 LCP: Event[Receive ConfReq-] State[ACKrcvd to ACKrcvd]
*Jan 19 02:51:53.687: ppp14 LCP: I CONFREQ [ACKrcvd] id 3 len 18
*Jan 19 02:51:53.687: ppp14 LCP:    MRU 1500 (0x010405DC)
*Jan 19 02:51:53.687: ppp14 LCP:    MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.687: ppp14 LCP:    PFC (0x0702)
*Jan 19 02:51:53.687: ppp14 LCP:    ACFC (0x0802)
*Jan 19 02:51:53.687: ppp14 LCP: O CONFACK [ACKrcvd] id 3 len 18
*Jan 19 02:51:53.687: ppp14 LCP:    MRU 1500 (0x010405DC)
*Jan 19 02:51:53.687: ppp14 LCP:    MagicNumber 0x70A62CD9 (0x050670A62CD9)
*Jan 19 02:51:53.687: ppp14 LCP:    PFC (0x0702)
*Jan 19 02:51:53.687: ppp14 LCP:    ACFC (0x0802)
*Jan 19 02:51:53.687: ppp14 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
*Jan 19 02:51:53.691: ppp14 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x70A62CD9MSRASV5.20
*Jan 19 02:51:53.691: ppp14 LCP: I IDENTIFY [Open] id 5 len 20 magic 0x70A62CD9MSRAS-0-MIS4
*Jan 19 02:51:53.691: ppp14 LCP: I IDENTIFY [Open] id 6 len 24 magic 0x70A62CD9
h/Ys+.M]C#K+BpY
*Jan 19 02:51:53.695: ppp14 PPP: Phase is AUTHENTICATING, by this end
*Jan 19 02:51:53.695: ppp14 MS-CHAP-V2: O CHALLENGE id 1 len 28 from "NTCSYD2"
*Jan 19 02:51:53.695: ppp14 LCP: State is Open
*Jan 19 02:51:53.695: ppp14 MS-CHAP-V2: I RESPONSE id 1 len 67 from "administrator"
*Jan 19 02:51:53.699: ppp14 PPP: Phase is FORWARDING, Attempting Forward
*Jan 19 02:51:53.699: ppp14 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Jan 19 02:51:53.699: ppp14 PPP: Sent MSCHAP_V2 LOGIN Request
*Jan 19 02:51:53.707: ppp14 PPP: Received LOGIN Response FAIL
*Jan 19 02:51:53.707: ppp14 PPP AUTHOR: Author Data NOT Available
*Jan 19 02:51:53.707: ppp14 PPP: Receive Attrs from[authen] Keep[LCP] MERGE
*Jan 19 02:51:53.707: ppp14 PPP: Keep Attr: Framed-Protocol      1 [PPP]
*Jan 19 02:51:53.707: ppp14 PPP: Skip Attr: username             "administrator"
*Jan 19 02:51:53.707: ppp14 PPP: Skip Attr: challenge           
*Jan 19 02:51:53.707: ppp14 PPP: Skip Attr: id                  
*Jan 19 02:51:53.707: ppp14 PPP: Skip Attr: response            
*Jan 19 02:51:53.711: ppp14 MS-CHAP-V2: O FAILURE id 1 len 13 msg is "E=691 R=0"
*Jan 19 02:51:53.711: ppp14 PPP DISC: User failed MSCHAP-V2 authentication
*Jan 19 02:51:53.711: ppp14 PPP: Sending Acct Event[Down] id[58]
*Jan 19 02:51:53.711: ppp14 LCP: O TERMREQ [Open] id 2 len 4
*Jan 19 02:51:53.711: ppp14 LCP: Event[CLOSE] State[Open to Closing]
*Jan 19 02:51:53.711: ppp14 PPP: Phase is TERMINATING
*Jan 19 02:51:53.715: ppp14 LCP: I TERMACK [Closing] id 2 len 4
*Jan 19 02:51:53.715: ppp14 LCP: Event[Receive TermAck] State[Closing to Closed]
*Jan 19 02:51:53.715: ppp14 LCP: Event[DOWN] State[Closed to Initial]
*Jan 19 02:51:53.715: ppp14 PPP: Clearing AAA Unique Id = 58
*Jan 19 02:51:53.715: ppp14 PPP: Phase is DOWN

I can see by the debug messages that I'm not authenticating, but I wonder why? The local username and password that I'm using to authenticate are the same as for my VTY access....

Thanks
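As an added example (not from the thread), a small Python triage script that folds `debug ppp` lines of the kind shown above into one summary per PPP session: the negotiated auth protocol, the claimed username, the AAA verdict and the MS-CHAP failure code (691 is "authentication failure" in RFC 2759). The sample lines are constructed in the thread's format, and the ppp15 session is made up to show a successful outcome beside the failing one.

```python
import re

# Constructed sample in the format of the thread's debug output (not the poster's raw lines);
# ppp14 mirrors the failing session, ppp15 is a made-up successful one for contrast.
SAMPLE_DEBUG = """\
*Jan 19 02:51:53.675: ppp14 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 19 02:51:53.695: ppp14 MS-CHAP-V2: I RESPONSE id 1 len 67 from "administrator"
*Jan 19 02:51:53.699: ppp14 PPP: Sent MSCHAP_V2 LOGIN Request
*Jan 19 02:51:53.707: ppp14 PPP: Received LOGIN Response FAIL
*Jan 19 02:51:53.711: ppp14 MS-CHAP-V2: O FAILURE id 1 len 13 msg is "E=691 R=0"
*Jan 19 02:51:53.711: ppp14 PPP DISC: User failed MSCHAP-V2 authentication
*Jan 19 02:52:10.300: ppp15 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
*Jan 19 02:52:10.400: ppp15 MS-CHAP-V2: I RESPONSE id 1 len 67 from "alice"
*Jan 19 02:52:10.420: ppp15 PPP: Received LOGIN Response PASS
*Jan 19 02:52:10.440: ppp15 PPP: Phase is UP
"""

# Timestamp, then the per-session tag (ppp14, ...), then the message body.
LINE_RE = re.compile(r"^\*\S+ +\d+ [\d:.]+: (?P<sess>ppp\d+) (?P<msg>.*)$")
AUTH_RE = re.compile(r"AuthProto (?P<proto>\S+)")
USER_RE = re.compile(r'I RESPONSE id \d+ len \d+ from "(?P<user>[^"]*)"')
FAIL_RE = re.compile(r'O FAILURE .*msg is "E=(?P<code>\d+)')

MSCHAP_ERRORS = {  # failure codes as listed in RFC 2759, section 6
    646: "restricted logon hours", 647: "account disabled",
    648: "password expired", 649: "no dial-in permission",
    691: "authentication failure", 709: "error changing password",
}

def parse_ppp_debug(text):
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "PPP: Alloc Context" lines carry no session tag
        s = sessions.setdefault(m["sess"], {"user": None, "auth_proto": None,
                                            "aaa_result": None, "error": None, "outcome": "incomplete"})
        msg = m["msg"]
        if (a := AUTH_RE.search(msg)):
            s["auth_proto"] = a["proto"]             # what we offered in LCP CONFREQ
        elif (u := USER_RE.search(msg)):
            s["user"] = u["user"]                    # identity claimed by the peer
        elif "Received LOGIN Response" in msg:
            s["aaa_result"] = msg.rsplit(" ", 1)[1]  # PASS/FAIL from the AAA method list
        elif (f := FAIL_RE.search(msg)):
            code = int(f["code"])
            s["error"] = (code, MSCHAP_ERRORS.get(code, "unknown code"))
            s["outcome"] = "failed"
        elif msg == "PPP: Phase is UP":
            s["outcome"] = "up"
    return sessions

def failed_logins(sessions):
    # (session, user, MS-CHAP error code) for each rejected session, for alerting
    return [(n, s["user"], s["error"][0]) for n, s in sessions.items() if s["outcome"] == "failed"]
```

E=691 is the generic "authentication failure" code, so the summary locates the rejected session and user but does not by itself say why the configured AAA method rejected it.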

Hi Fabio,

What do you have your AAA server configured as ? Could you please place the configuration of the same.

I see you have configured:

aaa authentication login Users_DataBase local
aaa authentication ppp Users_DataBase local

Here the request will first hit your AAA server Users_DataBase. If this AAA server is not reachable, then it will fall back on local. But if the user credentials are not present on this AAA server, it will just say authentication failed. The fallback to local will not be hit.

You must have the user credentials defined on the AAA server.

Regards,

Anisha

jyoung
Level 1

Users_DataBase is the authentication group name, so you are fine leaving that the way it is; however, if you want the router to do local authentication you need to add chap to the Virtual-Template ppp authentication statement, because a Cisco router does not do ms-chap or ms-chapv2.

ppp authentication chap pap Users_DataBase

You can do ms-chap-v2 ms-chap, but you have to set up a RADIUS server that can authenticate ms-chap-v2 or ms-chap, like IAS.

Did that work for you?

Hi Mate,

Thanks for following it up. Your instructions made a lot of sense to me, but unfortunately it did not work... same error running debugging... I thought it would be good to start with local authentication... However, my main goal is to use RADIUS. I've got RADIUS working and it is currently authenticating wireless users that are connecting through a 1250 AP.

If you or anyone else could help me with a sample config for VPN using the PPTP protocol and RADIUS authentication, I would extremely appreciate it.

My IOS version: Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)

Thanks in advance.

Fabio

hi,

Here is the link for PPTP configuration with radius authentication:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008009436a.shtml

Regards,

Anisha

P.S.: please rate the helpful posts.

The users in IOS have to have passwords and not secrets as well. I can help with the RADIUS as well if you need it.

I managed to get it working with RADIUS. I struggled, but in the end it is very rewarding to get this kind of stuff working....

Thank you all very much for your help!!!!!

Below is my working config:

aaa authentication login Users_DataBase local
aaa authentication ppp default group radius group Users_DataBase local
aaa authentication ppp Users_DataBase local
aaa authorization network default group radius group Users_DataBase local

vpdn-group 1
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
  protocol any
  virtual-template 1
lcp renegotiation always
no l2tp tunnel authentication

interface Virtual-Template1
ip unnumbered FastEthernet0/0
ip nat inside
ip virtual-reassembly
peer default ip address pool POOL_IP
no keepalive
compress mppc
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
!
ip local pool POOL_IP 192.168.42.50 192.168.42.100

radius-server host 0.0.0.0 auth-port 1645 acct-port 1646 key xxxxxxxxx

Cheers,

Fabio

hi Fabio,

That's great, please rate and mark this thread answered, so that it is easy for others to search as well.

Regards,

Anisha
