
Tunnel MS VPN through IOS firewall

sean.gray
Level 1

I'm sure that this topic has been brought up before, but I'm having a slight issue allowing my 2621 to allow VPN passthrough to my internal MS VPN server. I've dedicated a public address for it using static nat, and allowed public access to port 1723 on that address using my ACLs, but clients are timing out trying to connect. Are there any config examples available for me to take a look at? I'm sure it's something small that I'm just missing. Thanks!


d-garnett
Level 3

you also need to open 'gre' going and coming for it to work. PPTP is more or less an MPPE encrypted GRE tunnel.

PPTP control packets for setting up, maintaining, and tearing down the connection are sent over tcp 1723, but the actual data is sent over GRE (ip 47).

I have a better post that I will dig up and link in a minute.

that's all that you are missing

OK...I opened up gre as well, and still no dice. I've got port 1723 open both ways, as well as gre. But clients are still timing out trying to connect. It's funny, I had no problem setting this up using a PIX.

do you have any debugs, shows, or config to display (private stuff stripped out of course)?

are they timing out during the authentication phase (after LCP negotiations)?

is the client side set to 'Require Encryption and Disconnect if none is Used'?

is it chap or ms-chap? i.e., have you checked your client side security settings against the firewall?

Actually, I just figured it out last night. Stupid me had an "ip audit" statement that was killing it. **puts dunce cap on**

Thanks very much for the help, guys.

nah, don't sweat it :^)

as a matter of fact, I have done that many a time (had ip audit on) when I am trying to figure out why traceroutes or ping will not work through the firewall when testing.
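
The three things this thread ended up checking (tcp 1723 permitted, GRE permitted, no "ip audit" on the interface), as an added example that is not part of the original thread: a small Python check run over IOS config text. The sample configs, addresses, ACL number 101, audit name AUDIT.1 and all function names are constructed for illustration; only numbered ACL entries with "any", "host A" or "A wildcard" addresses and a destination "eq" port are parsed.

```python
import ipaddress
import re
# Constructed sample configs (documentation address ranges), not taken from the thread.
BROKEN = """\
interface FastEthernet0/0
 ip access-group 101 in
 ip audit AUDIT.1 in
access-list 101 permit tcp any host 203.0.113.10 eq 1723
access-list 101 deny ip any any
"""
FIXED = """\
interface FastEthernet0/0
 ip access-group 101 in
access-list 101 permit tcp any host 203.0.113.10 eq 1723
access-list 101 permit gre any host 203.0.113.10
access-list 101 deny ip any any
"""

def _addr(tok, ip):
    """Consume one address spec (any | host A | A wildcard); True if it covers ip."""
    first = tok.pop(0)
    if first == "any":
        return True
    if first == "host":
        return tok.pop(0) == ip
    a, w, t = (int(ipaddress.IPv4Address(x)) for x in (first, tok.pop(0), ip))
    return (a | w) == (t | w)

def acl_action(config, acl, proto, dst, dport=None, src="198.51.100.7"):
    """First-match verdict for one packet; the ACL ends in an implicit deny."""
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", acl] or t[2] not in ("permit", "deny"):
            continue
        rest = t[4:]  # tokens after the protocol: source, destination, optional "eq N"
        if (t[3] in ("ip", proto) and _addr(rest, src) and _addr(rest, dst)
                and (rest[:1] != ["eq"] or rest[1] == str(dport))):
            return t[2]
    return "deny"

def check_pptp(config, acl, server_ip):
    """List what would stop PPTP to server_ip, per the points raised in the thread."""
    findings = []
    if acl_action(config, acl, "tcp", server_ip, 1723) != "permit":
        findings.append("tcp/1723 (PPTP control) not permitted")
    if acl_action(config, acl, "gre", server_ip) != "permit":
        findings.append("gre (IP protocol 47, PPTP data) not permitted")
    if re.search(r"^\s*ip audit \S+ (in|out)\s*$", config, re.M):
        findings.append("ip audit applied on an interface")
    return findings
```

`check_pptp(BROKEN, "101", "203.0.113.10")` reports the missing GRE permit and the ip audit statement; the same call on `FIXED` returns an empty list.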