cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5067
Views
10
Helpful
9
Replies

VPN comes up briefly then goes down

Hi,

I'm testing out VPN with my Cisco 1801 router which uses a separate ADSL modem on FA1 to connect to the Internet. This port is assigned to VLAN 80.

I set up the modem to forward all ports to the Cisco and the Cisco is connected to the rest of my LAN on FA2

Whenever I try to use my Android phone to connect to the VPN, it tries for a while then just goes back to disconnected state.

The phone works with other VPN services I have tried.

I am using the same credentials I use to login to the router, but have also tried the chap credentials defined in the virtual template.

When I enable debugging of VPN events, I get the following output which seems to show that the connection comes up

VPDN Received L2TUN socket message <xCRQ - Session Incoming>

VPDN uid:2 L2TUN socket session accept requested

VPDN uid:2 Setting up dataplane for L2-L2, no idb

VPDN Received L2TUN socket message <xCCN - Session Connected>

VPDN uid:2 VPDN session up

VPDN uid:2 disconnect (AAA) IETF: 17/user-error Ascend: 26/PPP CHAP Fail

VPDN uid:2 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=8, syslog_key_type=1

VPDN Received L2TUN socket message <CDN - Session Disconnected>

Here is part of the config I am using...

vpdn enable

!

vpdn-group homevpn

! Default PPTP VPDN group

accept-dialin

  protocol pptp

  virtual-template 1

l2tp tunnel timeout no-session 15

!

interface Virtual-Template1

ip unnumbered FastEthernet1

ip nat inside

ip virtual-reassembly in

peer default ip address pool VPN-pool

no keepalive

ppp encrypt mppe auto passive

ppp authentication chap eap ms-chap ms-chap-v2 pap

ppp chap hostname vpntest

ppp chap password 7 ****

!

ip local pool VPN-pool 192.168.1.10 192.168.1.15

Thanks for any help1

2 Accepted Solutions

Accepted Solutions

The reason is that with CHAP the router gets a response that is based on the hash of the password. To validate that, the router needs the cleartext-password and can't use the one that is configured with "username ... secret".

Another option is to authenticate with PAP where you can store users with hashed passwords. You just have to choose if you want cleartext passwords in transit (PAP) or on the router (CHAP).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

First: You configured a PPTP-VPN while EzVPN uses IPSec. But PPTP is not considered secure any more, so IPSec is the way to go (or SSL-VPN with AnyConnect). On the router you can configure an EzVPN-server and use the Shrew-client to connect to this server.

Here are example for the EzVPN-server. Go directly to Example 3:

http://nat0.net/ezvpn-server-on-ios-in-three-different-flavous/

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

9 Replies 9

The problem was that I was using an account that was using a secret password

I created another account and used

username a_user password a_password

I can now connect to my VPN using this account

The reason is that with CHAP the router gets a response that is based on the hash of the password. To validate that, the router needs the cleartext-password and can't use the one that is configured with "username ... secret".

Another option is to authenticate with PAP where you can store users with hashed passwords. You just have to choose if you want cleartext passwords in transit (PAP) or on the router (CHAP).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you for that Karsten.

I have another problem now though as although I can use my mobile phone to connect to the VPN using the 3G network, when I go to work and use their Wifi or use my work desktop and configure a VPN adapter connection in Windows, I cannot connect to my VPN.

My work must be blocking certain required ports on their firewall.

However, I do use a VPN connection from my work desktop for other services by using the Shrewsoft VPN client software.

In the details of the connection I can see that my client PC is being auto configured using ike config pull.

Also, the authentication method is Mutual PSK + XAuth

So, can I create a VPN configuration on my Cisco router that uses these protocols?

EZVPN seems to use some of these protocols so do you think this may be my best way forward?

Thanks again.

First: You configured a PPTP-VPN while EzVPN uses IPSec. But PPTP is not considered secure any more, so IPSec is the way to go (or SSL-VPN with AnyConnect). On the router you can configure an EzVPN-server and use the Shrew-client to connect to this server.

Here are example for the EzVPN-server. Go directly to Example 3:

http://nat0.net/ezvpn-server-on-ios-in-three-different-flavous/

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you for your help.

I'll give that a try.

Cheers.

When I use your example 3 configuration from the link, I then use my Android mobile using VpnCilla client which is known to work, but I cannot connect.

I get these debug messages:

ISAKMP:(0):Proposed key length does not match policy

ISAKMP:(0):atts are not acceptable. Next payload is 3

ISAKMP:(0):Hash algorithm offered does not match policy!

ISAKMP:(0):atts are not acceptable. Next payload is 3

In the client I have tried entering the clear text key of cisco, the crypto keyring preshared key, and also the isakmp client configuration key, but no luck.

Any ideas?

I just realized that that was not the example I wanted to post ... But doesn't matter. First, from example 3 you dont need the keyring commands, just delete them.

crypto isakmp profile ISAKMP-PROFILE

  no keyring EZVPN-KEYRING

no crypto keyring EZVPN-KEYRING

Then, I don't know VPNcilla, but can you control the Phase1-parameters in the client? Then set them to the following:

  • AES 128
  • SHA-1
  • DH-Group2
  • Pre-Shared-Key
  • Lifetime 86400s

If you can also specify the Phase2-parameters, use

  • AES 128
  • SHA-1

The error message points to parameters that are different on both ends.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

I'm now using the Shrew Soft VPN client on my Windows PC at work. I've configured the client as recommended and the VPN connects but I cannot ping the router on its private address and I cannot connect to the console using SSH.

When I go to command line and run ipconfig, the VPN adapter has got the IP address I defined in the settings below, but it has no gateway settings assigned.

I have not configured DHCP for the VPN, but can I set the gateway details manually like I set the IP address?

Also, a while after connection, Shrew Soft VPN client reports failed security associations as shown below:

One other thing, I did not use the split tunnel access list from your config as I did not understand why it should be used and it does not appear in Cisco's documentation for configuring EZVPN.

Below is the complete Shrew Soft VPN client configuration.

Thanks for all your help so far.

General

hostname:

Port: 500

Local Host

Address Method: Use a virtual adapter and assigned address

MTU: 1380

Address:

Client

NAT Traversal: enabled

NAT Traversal Port: 4500

Keep-alive packet rate: 15 secs

IKE Fragmentation: enable

Maximum packet size: 540 Bytes

Other Options

Dead Peer Detection: enabled

ISAKMP Failure Notifications: enabled

Name Resolution

All disabled

Authetication

Method: Mutual PSK

Local Identity

Identification Type: IP Address

Use a discovered local host address: enabled

Remote Identity

Identification Type: IP Address

Use a discovered remote host address: enabled

Credentials

Pre Shared Key: cisco

Phase 1

Exchange Type: aggressive

DH Exchange: group 2

Cipher Algorithm: auto

Hash Algorithm: auto

Key Life Time limt: 86400 Secs

Phase 2

Transform Algorithm: auto

HMAC Algorithm: auto

PFS Exchange: auto

Compress Algorithm: disabled

Key Life Time limit: 3600 secs

Policy

Policy Generation Level: auto

Obtain Topology Automatically or Tunnel All: enabled

Just an update, I figured out how to get my VPN working a few weeks back....and here is the relevant config in case anyone else wants to set this up.

aaa authentication login default local

aaa authentication login authen local

aaa authorization network default none

aaa authorization network author local

aaa session-id common

!

username vpnconnect secret your_password

!

! VPN client connects using one of these policies where compatible in order of encryption strength

!

crypto isakmp policy 1

encr aes 256

hash sha256

authentication pre-share

group 2

!

crypto isakmp policy 2

encr aes

authentication pre-share

group 2

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group VPN-CONNECT

key 6 your_key

dns 8.8.8.8

pool VPNPOOL

max-users 1

crypto isakmp profile ISAKMP-PROFILE

   match identity group VPN-CONNECT

   client authentication list authen

   isakmp authorization list author

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

!

crypto ipsec profile IPSEC-PROFILE

set transform-set TSET

interface Virtual-Template1 type tunnel

ip unnumbered your_internet_gateway_interface

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-PROFILE

!

ip local pool VPNPOOL 192.168.1.54

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip nat inside source list 10 interface your_internet_gateway_interface overload

!

access-list 10 remark Stop VPN traffic from being NATed

access-list 10 deny   192.168.1.54

And you set up your VPN client software as per the following sceen grab.

The only issue I have now is how to get split tunnelling working, as when I connect my PC to the VPN, I can no longer get on the Internet from that PC.

Any ideas?