Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1473
Views
0
Helpful
1
Replies

VPDN on Cisco 877: weird issues with authentication and encryption

MassimoPascucci
Level 1
Level 1

‎06-30-2011 02:03 PM

I have a Cisco 877 router at home, and I'm trying to configure it to act as a VPN server in order to be able to connect to my home network when I'm outside; I want it to work with standard Microsoft VPN client software (which supports PPTP and L2TP).

This is the output of the "show version" command:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 30-Sep-09 08:42 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI6, RELEASE SOFTWARE

The router has quite a basic setup: a single username with privilege level 15, a single VLAN comprising all four Ethernet ports, an ADSL connection to my ISP, an internal IP address of 192.168.42.1/24, an external IP address assigned by my ISP, NAT enabled.

This is my current configuration (stripped of non-relevant or private informations):

service password-encryption

aaa new-model

aaa authentication login default local
aaa authorization console
aaa authorization exec default local

aaa session-id common

ip source-route
ip cef
ip domain name <my ISP's DNS name>
ip name-server <my ISP's DNS server>
no ipv6 cef

password encryption aes

username <Router's username> privilege 15 secret 5 <The encrypted password for my user account>

interface ATM0
no ip address
no atm ilmi-keepalive

interface ATM0.1 point-to-point
pvc 8/75
encapsulation aal5mux ppp dialer
dialer pool-member 1

interface FastEthernet0
spanning-tree portfast

interface FastEthernet1
spanning-tree portfast

interface FastEthernet2
spanning-tree portfast

interface FastEthernet3
spanning-tree portfast

interface Vlan1
ip address 192.168.42.1 255.255.255.0
ip nat inside
ip virtual-reassembly

interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username <My ISP's username> password 7 <The encrypted ISP password>

ip forward-protocol nd

ip dns server

ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0

access-list 1 permit 192.168.42.0 0.0.0.255

dialer-list 1 protocol ip permit

This is the configuration I'm currently testing for PPTP VPN (I'd prefer L2TP, but it looks a lot more complex, so I think it's better to get PPTP working before that):

vpdn enable

vpdn-group 1

accept-dialin

protocol pptp

virtual-template 1

interface Virtual-Template1

ip unnumbered Vlan1

peer default ip address pool clients

no keepalive

ppp encrypt mppe auto required

ppp authentication ms-chap-v2 ms-chap

ip local pool clients 192.168.42.250 192.168.42.254

This sort of works, but I'm having some very strange problems with authentication and encryption:

  • Authentication only works if I configure user accounts using password instead of secret. That is, my main (and usually only) user account, which uses secret, doesn't work at all; if I create another one using secret, it doesn't work; if I create it using password, it then works. Is this supposed to work this way (and if so, why?), or is this some sort of bug? Why wouldn't secret work for VPN clients authentication?
  • Encryption doesn't work at all, even if I'm running a firmware which supports it, and I configured it in the Virtual-Template interface. If I configure my client to require encryption (which is the default), it fails the connection saying the remote endpoint doesn't support it; if I configure it to not require it, it connects succesfully, even if it shouldn't, because the router is configured to require it. What am I missing here?

Also, as a side note: I'm assigning local addresses to VPN clients; but what if I wanted to use other addresses for them and then route them to my local network? I've tried, but the client doesn't get a routing table entry for 192.168.42.0/24, so it can't talk with it. How should this be configured?

Thanks for any help.

Labels:
0 Helpful
1 Reply 1

MassimoPascucci
Level 1
Level 1

‎07-02-2011 09:44 AM

Looks like having to use password instead of secret is by design: http://www.cisco.com/en/US/docs/ios/12_1/12_1e8/feature/guide/8e_md5.html.

Still no luck with the encryption issue, though...

Also, it looks like the encryption issue was a bug; I updated the router's IOS from version 15.0(1) to 15.1(3) and now the problem is gone.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents