Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
375
Views
0
Helpful
4
Replies

Trying to VPN using pptp through PIX 501

Paul.Lane
Level 1
Level 1

‎04-11-2003 04:39 PM - edited ‎02-21-2020 12:28 PM

When I try to connect from a remote workstation [Win2k] these are the error messages I get. It looks like it creates the tunnel, then tears it down.

What am I doing wrong?

......................

PPTP Tunnel created, tunnel_id is 12, remote_peer_ip is 4.xx.xxx.xxx, ppp_virtual_interface_id is 1, client_dynamic_ip is 192.168.26.1, username is , MPPE_key_strength is None

PPTP Tunnel deleted, tunnel_id = 12, remote_peer_ip = 4.xx.xxx.xxx

...........

I don't have 3DES but I do have DES enabled:

0: ethernet0: address is 000b.be57.6441, irq 9

1: ethernet1: address is 000b.be57.6442, irq 10

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Disabled

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: 10

Throughput: Unlimited

IKE peers: 10

Here is some of my config:

vpdn group vpn_work accept dialin pptp

vpdn group vpn_work ppp authentication chap

vpdn group vpn_work ppp authentication mschap

vpdn group vpn_work ppp encryption mppe 40

vpdn group vpn_work client configuration address local vpdnpool

vpdn group vpn_work client configuration dns xx.xx.xxx.xx

vpdn group vpn_work pptp echo 60

vpdn group vpn_work client authentication local

vpdn username **** password ********

vpdn enable outside

............................................................................

access-list 101 permit tcp any host <outside interface address> eq 1723

access-list 101 permit gre any host <outside interface address>

sysopt connection permit-pptp

access-group 101 in interface inside

Any help would be appreciated.

Labels:
0 Helpful
4 Replies 4

yizhar
Level 1
Level 1

‎04-12-2003 11:51 AM

HI.

> MPPE_key_strength is None

The remote client might be dropping the connections because there is no encryption, and W2K clients require encryption by default.

Try the following:

> vpdn group vpn_work ppp authentication chap

Remove the above line. Use MSCHAP only.

(MPPE encryption can work only with MSCHAP).

> vpdn group vpn_work ppp encryption mppe 40

Try this:

vpdn group vpn_work ppp encryption mppe 40 required

I recommend using Cisco IPSec VPN instead, for additional features and stronger authentication using both group authentication and XAUTH.

Yizhar

0 Helpful

Paul.Lane
Level 1
Level 1
In response to yizhar

‎04-12-2003 03:06 PM

Hi I added those commands that you wrote and I still get the same error message in the syslog:

PPTP Tunnel created, tunnel_id is 66, remote_peer_ip is x.xx.xxx.xxx, ppp_virtual_interface_id is 1, client_dynamic_ip is xxx.xxx.x.x, username is , MPPE_key_strength is None

PPTP Tunnel deleted, tunnel_id = 66, remote_peer_ip = x.xx.xxx.xxx

Here is the complete config. I hope you can see something in that I'm doing wrong.

Thanks

PIX Version 6.3(1)

interface ethernet0 10baset

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxx encrypted

hostname xxxxxx

domain-name xxxxxxxxx

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 101 permit gre any host xx.xx.xx.xxx

access-list 101 permit tcp any host xx.xx.xx.xxx eq pptp

pager lines 24

logging on

logging timestamp

logging trap informational

logging host inside xxx.xxx.x.xx

logging host inside xxx.xxx.x.xx

logging host inside xxx.xxx.x.xx

logging host inside xxx.xxx.x.xx

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside xxx.xxx.x.xx 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpdnpool xxx.xxx.x.x-xxx.xxx.x.x

pdm logging informational 512

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group 101 in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h22

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http xxx.xxx.x.x 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside xxx.xxx.x.x pix631

floodguard enable

sysopt connection permit-pptp

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group vpn_work accept dialin pptp

vpdn group vpn_work ppp authentication mschap

vpdn group vpn_work ppp encryption mppe 40 required

vpdn group vpn_work client configuration address local vpdnpool

vpdn group vpn_work client configuration dns xx.xx.xx.xx

vpdn group vpn_work pptp echo 60

vpdn group vpn_work client authentication local

vpdn username **** password ********

vpdn enable outside

dhcpd address xxx.xxx.xx.xinside

dhcpd lease 8640000

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:ad85d2e955c42720614c758445b6e32c

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to Paul.Lane

‎04-13-2003 04:30 PM

Are you trying to PPTP TO the PIX, or to a host inside it. It sort of looks like the latter, but you have configured the PIX to accept the connection with all the VPDN commands. EXactly what are you trying to do here.

If you trying to get to a server on the inside of the PIX, remove all the vpdn commands. You'll need a one-to-one static translation for that inside host translated to a valid routable external IP address (you'll need to get one assigned from your ISP). Then allow the protocols thru with an ACL which you seem to have already done. your clients will then need to connect to that valid IP address, which the PIX will forward through to the internal PPTP server.

If you're tryingto PPTP TO the PIX, then you'll at least need a "nat 0" statement so you don't nat the return traffic, although this won't solve your initial connection problem. Please follow http://www.cisco.com/warp/public/110/pptppix.html and see how you go, especially check your client settings cause it seems that they're not matched to what you've configured on the PIX (encryption strength, encryption required, etc).

0 Helpful

Paul.Lane
Level 1
Level 1
In response to gfullage

‎04-14-2003 04:22 PM

I'm trying to PPTP to the PIX. I added the "nat 0" and still the same error.

I'm using the Microsoft client on Windows 2003 server. [although I observed the same behavior with a WIN2K pro and server]

I've deleted and recreated the connection more times than I can remember,

always using different options [there are really not alot of different options].

Could if have anything to do with the fact that I coming from behind a PIX 515?

Or could it be the version I'm using 6.3.(1)? I have the PDM 3.0 beta version installed, but I do all the changes at the command line.

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents