871 VPN outside connection problem

pwolsza_wolfik1
Level 1

I have an 871 Cisco router which should be configured to allow laptops from outside to connect to the corporate network.

I used the Easy VPN Server Wizard in CCP to create the configuration.

After using Test VPN, everything looks OK.

Unfortunately I can't log in through VPN using the Microsoft VPN connection (error 800) or using the Cisco VPN Client.

Error 412: the remote peer is no longer responding.

Any suggestions?

9 Replies

Hi Patryk,

Easy VPN is to connect the IPsec client.

If you're connecting with the Windows native VPN client, then the VPN is PPTP or L2TP.

Could you post the output of "sh run" from the router to review the configuration? (You can remove the sensitive information.)

Federico.

Hmmm, I was thinking that something is wrong.

Below is the running-config:

Building configuration...

Current configuration : 13977 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname xxx

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging message-counter syslog

logging buffered 51200

logging console critical

enable secret 5 x

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

aaa session-id common

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

!

crypto pki trustpoint TP-self-signed-XXX

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-XXX

revocation-check none

rsakeypair TP-self-signed-XXX

!

!

crypto pki certificate chain TP-self-signed-XXX

certificate self-signed 01

XXXXX

      quit

dot11 syslog

no ip source-route

!

!

!

!

ip cef

no ip bootp server

ip domain name xxx.xxx

ip name-server 153.19.0.50

ip name-server 153.19.250.100

no ipv6 cef

!

multilink bundle-name authenticated

!

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

!

!

username test privilege 15 secret 5 xxx

!

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

class-map type inspect match-any sdm-cls-access

match class-map SDM_HTTPS

match class-map SDM_SSH

match class-map SDM_SHELL

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-any CCP-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect gnutella match-any ccp-app-gnutella

match  file-transfer

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect match-all sdm-access

match class-map sdm-cls-access

match access-group 101

class-map type inspect kazaa2 match-any ccp-app-kazaa2

match  file-transfer

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect edonkey match-any ccp-app-edonkey

match  file-transfer

match  text-chat

match  search-file-name

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect edonkey match-any ccp-app-edonkeydownload

match  file-transfer

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect edonkey match-any ccp-app-edonkeychat

match  search-file-name

match  text-chat

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect fasttrack match-any ccp-app-fasttrack

match  file-transfer

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect p2p ccp-action-app-p2p

class type inspect edonkey ccp-app-edonkeychat

  log

  allow

class type inspect edonkey ccp-app-edonkeydownload

  log

  allow

class type inspect fasttrack ccp-app-fasttrack

  log

  allow

class type inspect gnutella ccp-app-gnutella

  log

  allow

class type inspect kazaa2 ccp-app-kazaa2

  log

  allow

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

class type inspect msnmsgr ccp-app-msn

  log

  allow

class type inspect ymsgr ccp-app-yahoo

  log

  allow

class type inspect aol ccp-app-aol-otherservices

  log

  reset

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  reset

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  reset

class type inspect http ccp-app-httpmethods

  log

  reset

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-p2p

  inspect

  service-policy p2p ccp-action-app-p2p

class type inspect ccp-protocol-im

  inspect

  service-policy im ccp-action-app-im

class type inspect ccp-insp-traffic

  inspect

class type inspect CCP-Voice-permit

  inspect

class class-default

  pass

policy-map type inspect ccp-permit

class type inspect sdm-access

  inspect

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address 100.100.100.100 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.179.12 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 213.192.73.209

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 1 interface FastEthernet4 overload

!

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=1

permit tcp any any eq 443

ip access-list extended SDM_SHELL

remark CCP_ACL Category=1

permit tcp any any eq cmd

ip access-list extended SDM_SSH

remark CCP_ACL Category=1

permit tcp any any eq 22

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.179.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 100.100.100.100 0.0.0.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip any any

no cdp run

!

!

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Patryk,

Are you trying to connect using the Windows VPN client or the IPsec client from Cisco?

Federico.

The above configuration is from just before the rules which should allow creating a VPN connection for users with laptops.

I was trying to connect using Windows VPN and the Cisco Easy VPN Client.

No success.

For me it is better to use the Windows client.

Patryk,

If you want to connect using the Windows VPN client, you can set up PPTP on the router with optional MPPE encryption.

Here's a good link:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml

Federico.

Many thanks for the help.

The above tutorial helped me a lot.

I have some problems with the standard ACL on the C871, but I hope I can handle it.

Returning to my problem: I made the configuration, but unfortunately when I want to connect to the router the computer receives VPN error 691.

This is the log:

005742: *Jun 24 17:26:28.170 PCTime: VPDN Received L2TUN socket message
005743: *Jun 24 17:26:28.182 PCTime: VPDN uid:76 L2TUN socket session accept requested
005744: *Jun 24 17:26:28.182 PCTime: VPDN uid:76 Setting up dataplane for L2-L2, no idb
005745: *Jun 24 17:26:28.190 PCTime: VPDN Received L2TUN socket message
005746: *Jun 24 17:26:28.198 PCTime: VPDN uid:76 VPDN session up
005747: *Jun 24 17:26:28.210 PCTime: ppp76 PPP: Send Message[Dynamic Bind Response]
005748: *Jun 24 17:26:28.210 PCTime: ppp76 PPP: Using vpn set call direction
005749: *Jun 24 17:26:28.210 PCTime: ppp76 PPP: Treating connection as a callin
005750: *Jun 24 17:26:28.210 PCTime: ppp76 PPP: Session handle[BC00004E] Session id[76]
005751: *Jun 24 17:26:28.210 PCTime: ppp76 PPP: Phase is ESTABLISHING, Passive Open
005752: *Jun 24 17:26:28.210 PCTime: ppp76 LCP: State is Listen
005753: *Jun 24 17:26:30.202 PCTime: ppp76 LCP: I CONFREQ [Listen] id 1 len 21
005754: *Jun 24 17:26:30.202 PCTime: ppp76 LCP:    MRU 1400 (0x01040578)
005755: *Jun 24 17:26:30.202 PCTime: ppp76 LCP:    MagicNumber 0x4CDC3223 (0x05064CDC3223)
005756: *Jun 24 17:26:30.202 PCTime: ppp76 LCP:    PFC (0x0702)
005757: *Jun 24 17:26:30.202 PCTime: ppp76 LCP:    ACFC (0x0802)
005758: *Jun 24 17:26:30.202 PCTime: ppp76 LCP:    Callback 6  (0x0D0306)
005759: *Jun 24 17:26:30.202 PCTime: ppp76 PPP: Authorization NOT required
005760: *Jun 24 17:26:30.202 PCTime: ppp76 LCP: O CONFREQ [Listen] id 1 len 15
005761: *Jun 24 17:26:30.202 PCTime: ppp76 LCP:    AuthProto MS-CHAP (0x0305C22380)
005762: *Jun 24 17:26:30.202 PCTime: ppp76 LCP:    MagicNumber 0xA079A8CF (0x0506A079A8CF)
005763: *Jun 24 17:26:30.206 PCTime: ppp76 LCP: O CONFREJ [Listen] id 1 len 7
005764: *Jun 24 17:26:30.206 PCTime: ppp76 LCP:    Callback 6  (0x0D0306)
005765: *Jun 24 17:26:30.206 PCTime: ppp76 LCP: I CONFACK [REQsent] id 1 len 15
005766: *Jun 24 17:26:30.206 PCTime: ppp76 LCP:    AuthProto MS-CHAP (0x0305C22380)
005767: *Jun 24 17:26:30.206 PCTime: ppp76 LCP:    MagicNumber 0xA079A8CF (0x0506A079A8CF)
005768: *Jun 24 17:26:30.206 PCTime: ppp76 LCP: I CONFREQ [ACKrcvd] id 2 len 18
005769: *Jun 24 17:26:30.206 PCTime: ppp76 LCP:    MRU 1400 (0x01040578)
005770: *Jun 24 17:26:30.206 PCTime: ppp76 LCP:    MagicNumber 0x4CDC3223 (0x05064CDC3223)
005771: *Jun 24 17:26:30.206 PCTime: ppp76 LCP:    PFC (0x0702)
005772: *Jun 24 17:26:30.206 PCTime: ppp76 LCP:    ACFC (0x0802)
005773: *Jun 24 17:26:30.206 PCTime: ppp76 LCP: O CONFNAK [ACKrcvd] id 2 len 8
005774: *Jun 24 17:26:30.210 PCTime: ppp76 LCP:    MRU 1500 (0x010405DC)
005775: *Jun 24 17:26:30.210 PCTime: ppp76 LCP: I CONFREQ [ACKrcvd] id 3 len 18
005776: *Jun 24 17:26:30.210 PCTime: ppp76 LCP:    MRU 1400 (0x01040578)
005777: *Jun 24 17:26:30.210 PCTime: ppp76 LCP:    MagicNumber 0x4CDC3223 (0x05064CDC3223)
005778: *Jun 24 17:26:30.210 PCTime: ppp76 LCP:    PFC (0x0702)
005779: *Jun 24 17:26:30.210 PCTime: ppp76 LCP:    ACFC (0x0802)
005780: *Jun 24 17:26:30.210 PCTime: ppp76 LCP: O CONFNAK [ACKrcvd] id 3 len 8
005781: *Jun 24 17:26:30.210 PCTime: ppp76 LCP:    MRU 1500 (0x010405DC)
005782: *Jun 24 17:26:30.214 PCTime: ppp76 LCP: I CONFREQ [ACKrcvd] id 4 len 18
005783: *Jun 24 17:26:30.214 PCTime: ppp76 LCP:    MRU 1500 (0x010405DC)
005784: *Jun 24 17:26:30.214 PCTime: ppp76 LCP:    MagicNumber 0x4CDC3223 (0x05064CDC3223)
005785: *Jun 24 17:26:30.214 PCTime: ppp76 LCP:    PFC (0x0702)
005786: *Jun 24 17:26:30.214 PCTime: ppp76 LCP:    ACFC (0x0802)
005787: *Jun 24 17:26:30.214 PCTime: ppp76 LCP: O CONFACK [ACKrcvd] id 4 len 18
005788: *Jun 24 17:26:30.214 PCTime: ppp76 LCP:    MRU 1500 (0x010405DC)
005789: *Jun 24 17:26:30.214 PCTime: ppp76 LCP:    MagicNumber 0x4CDC3223 (0x05064CDC3223)
005790: *Jun 24 17:26:30.214 PCTime: ppp76 LCP:    PFC (0x0702)
005791: *Jun 24 17:26:30.214 PCTime: ppp76 LCP:    ACFC (0x0802)
005792: *Jun 24 17:26:30.214 PCTime: ppp76 LCP: State is Open
005793: *Jun 24 17:26:30.214 PCTime: ppp76 PPP: Phase is AUTHENTICATING, by this end
005794: *Jun 24 17:26:30.222 PCTime: ppp76 MS-CHAP: O CHALLENGE id 1 len 21 from "xxxx3 "
005795: *Jun 24 17:26:30.222 PCTime: ppp76 LCP: I IDENTIFY [Open] id 5 len 18 magic 0x4CDC3223 MSRASV5.10
005796: *Jun 24 17:26:30.222 PCTime: ppp76 LCP: I IDENTIFY [Open] id 6 len 31 magic 0x4CDC3223 MSRAS-0-IBM-T8O9EXO81ZA
005797: *Jun 24 17:26:30.222 PCTime: ppp76 MS-CHAP: I RESPONSE id 1 len 61 from "testowe"
005798: *Jun 24 17:26:30.226 PCTime: ppp76 PPP: Phase is FORWARDING, Attempting Forward
005799: *Jun 24 17:26:30.226 PCTime: ppp76 PPP: Phase is AUTHENTICATING, Unauthenticated User
005800: *Jun 24 17:26:30.226 PCTime: ppp76 PPP: Sent MSCHAP LOGIN Request
005801: *Jun 24 17:26:30.226 PCTime: ppp76 PPP: Received LOGIN Response FAIL
005802: *Jun 24 17:26:30.226 PCTime: ppp76 MS-CHAP: O FAILURE id 1 len 13 msg is "E=691 R=0"
005803: *Jun 24 17:26:30.230 PCTime: ppp76 PPP: Sending Acct Event[Down] id[80]
005804: *Jun 24 17:26:30.230 PCTime: ppp76 PPP: Phase is TERMINATING
005805: *Jun 24 17:26:30.230 PCTime: ppp76 LCP: O TERMREQ [Open] id 2 len 4
005806: *Jun 24 17:26:30.238 PCTime: ppp76 LCP: I TERMACK [TERMsent] id 2 len 4
005807: *Jun 24 17:26:30.238 PCTime: ppp76 LCP: State is Closed
005808: *Jun 24 17:26:30.238 PCTime: ppp76 PPP: Phase is DOWN
005809: *Jun 24 17:26:30.238 PCTime: ppp76 PPP: Send Message[Disconnect]
005810: *Jun 24 17:26:30.238 PCTime: VPDN uid:76 disconnect (AAA) IETF: 17/user-error Ascend: 26/PPP CHAP Fail
005811: *Jun 24 17:26:30.238 PCTime: VPDN uid:76 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=8, syslog_key_type=1
005812: *Jun 24 17:26:30.238 PCTime: VPDN uid:76 VPDN/AAA: accounting stop sent
005813: *Jun 24 17:26:30.266 PCTime: VPDN Received L2TUN socket message

I think the problem is creating the user password with MD5 encryption.

Why? Is this normal?
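As an added example (not from the thread or from Cisco), a small Python parser over debug lines like the ones above that pulls out, per PPP session, the authentication protocol the router demanded, the username the peer sent, and the MS-CHAP failure code, so that repeated rejections can be picked up by monitoring. The sample lines are a constructed, trimmed copy of the posted log and the failure-code names come from RFC 2433; MS-CHAP needs the router to hold the user's password in reversible form, which is why an account created with `username ... secret` (a one-way MD5 hash) cannot pass this check.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the IOS PPP/VPDN debug lines posted
# in the thread, keeping only the lines the parser keys on.
SAMPLE_LOG = """\
005761: *Jun 24 17:26:30.202 PCTime: ppp76 LCP:    AuthProto MS-CHAP (0x0305C22380)
005792: *Jun 24 17:26:30.214 PCTime: ppp76 LCP: State is Open
005793: *Jun 24 17:26:30.214 PCTime: ppp76 PPP: Phase is AUTHENTICATING, by this end
005797: *Jun 24 17:26:30.222 PCTime: ppp76 MS-CHAP: I RESPONSE id 1 len 61 from "testowe"
005801: *Jun 24 17:26:30.226 PCTime: ppp76 PPP: Received LOGIN Response FAIL
005802: *Jun 24 17:26:30.226 PCTime: ppp76 MS-CHAP: O FAILURE id 1 len 13 msg is "E=691 R=0"
005810: *Jun 24 17:26:30.238 PCTime: VPDN uid:76 disconnect (AAA) IETF: 17/user-error Ascend: 26/PPP CHAP Fail
"""

# One debug line: sequence number, timestamp, timezone, then either
# "pppNN SUBSYS: text" (per-session) or "VPDN [uid:NN] text" (tunnel level).
LINE_RE = re.compile(
    r'^\d+: \*(?P<ts>\w+ +\d+ [\d:.]+) \S+: '
    r'(?:(?P<sess>ppp\d+) (?P<sub>[\w-]+): +|VPDN (?:uid:(?P<uid>\d+) )?)(?P<msg>.*)$')
AUTHPROTO_RE = re.compile(r'AuthProto (\S+)')
RESPONSE_RE = re.compile(r'I RESPONSE .* from "([^"]*)"')
FAILURE_RE = re.compile(r'O FAILURE .* msg is "E=(\d+) R=(\d)')

# MS-CHAP failure codes from RFC 2433 section 6 (MS-CHAPv2 reuses them).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}

def parse_ppp_auth(log_text):
    """Return {session: details} with the negotiated auth protocol, the peer's
    username and the authentication outcome for each PPP session in the log."""
    sessions = defaultdict(lambda: {"auth_proto": None, "user": None, "result": None,
                                    "error": None, "retry_allowed": None, "reason": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("sess"):
            continue  # VPDN tunnel lines carry no per-peer authentication detail
        s, sub, msg = sessions[m.group("sess")], m.group("sub"), m.group("msg")
        if sub == "LCP" and (a := AUTHPROTO_RE.search(msg)):
            s["auth_proto"] = a.group(1)            # protocol the router demanded
        elif sub.startswith("MS-CHAP"):
            if (r := RESPONSE_RE.search(msg)):
                s["user"] = r.group(1)              # identity the peer claimed
            elif (f := FAILURE_RE.search(msg)):
                s["error"] = int(f.group(1))
                s["retry_allowed"] = f.group(2) == "1"
                s["reason"] = MSCHAP_ERRORS.get(s["error"], "unknown code")
        elif sub == "PPP" and msg.startswith("Received LOGIN Response"):
            s["result"] = msg.rsplit(" ", 1)[1]     # PASS or FAIL from AAA
    return dict(sessions)

def failed_logins(sessions):
    """(session, user, reason) for every session whose AAA check failed: the
    rows a monitoring job would forward for brute-force or lockout review."""
    return [(k, v["user"], v["reason"]) for k, v in sessions.items()
            if v["result"] == "FAIL"]

if __name__ == "__main__":
    for sess, user, reason in failed_logins(parse_ppp_auth(SAMPLE_LOG)):
        print(f"{sess}: user {user!r} rejected, MS-CHAP {reason}")
```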

Seems you're using MSCHAP.

Have you tried PAP and optional encryption just to see if it works?

Federico.

Simply creating the user without MD5 encryption of the password works perfectly.

I have Win7, so I was forced to change the configuration to MS-CHAP v2.