Solved: VPN is connecting without asking for a Password !!!

Didier1966 · ‎01-30-2011

Hello,

I just moved my working VPN lab configuration to my main router , everything works has expected , except that when I try to connect , with VPN , it connect directly WITHOUT asking me for a Login or Password , I do not get the popup menu !!!

Both routers a equal HW(C1841) and SW (System image file is "flash:c1841-advsecurityk9-mz.124-24.T1.bin")

Here bellow the full working script :

(I know I have to clean up , I will do it next week )

Best Regards,

Didier

ROUTER1841#sh run

Building configuration...

Current configuration : 8440 bytes

!

! Last configuration change at 10:27:45 gmt+1 Sun Jan 30 2011 by admin

! NVRAM config last updated at 00:29:33 gmt+1 Sun Jan 30 2011 by admin

!

version 12.4

service timestamps debug datetime localtime

service timestamps log datetime msec

service password-encryption

!

hostname ROUTER1841

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096 notifications

enable password 7 05080F1C2243

!

aaa new-model

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

!

aaa session-id common

clock timezone gmt+1 1

clock summer-time gmt+2 recurring last Sun Mar 2:00 last Sun Oct 3:00

dot11 syslog

no ip source-route

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.10.1

ip dhcp excluded-address 192.168.20.1

ip dhcp excluded-address 192.168.30.1

ip dhcp excluded-address 192.168.100.1

ip dhcp excluded-address 192.168.1.250 192.168.1.254

!

ip dhcp pool vlan10

import all

network 192.168.10.0 255.255.255.0

default-router 192.168.10.1

lease 5

!

ip dhcp pool vlan20

import all

network 192.168.20.0 255.255.255.0

default-router 192.168.20.1

lease 5

!

ip dhcp pool vlan30

import all

network 192.168.30.0 255.255.255.0

default-router 192.168.30.1

!

ip dhcp pool TEST

host 192.168.100.20 255.255.255.0

client-identifier 0100.2241.353f.5e

!

ip dhcp pool internal

network 192.168.100.0 255.255.255.0

dns-server 192.168.100.1

default-router 192.168.100.1

!

ip dhcp pool vlan1

network 192.168.1.0 255.255.255.0

dns-server 8.8.8.8

default-router 192.168.1.1

lease 5

!

ip dhcp pool MAC

host 192.168.10.50 255.255.255.0

client-identifier 0100.2312.1c0a.39

!

ip dhcp pool PRINTER

host 192.168.10.20 255.255.255.0

client-identifier 0100.242b.4d0c.5a

!

ip dhcp pool MLGW

host 192.168.10.10 255.255.255.0

hardware-address 0004.f301.58b3

!

ip dhcp pool pc-vero

host 192.168.10.68 255.255.255.0

client-identifier 0100.1d92.5982.24

!

ip dhcp pool vlan245

import all

network 192.168.245.0 255.255.255.0

default-router 192.168.245.1

!

ip dhcp pool VPN_ROUTER

client-identifier 0100.0f23.604d.a0

!

ip dhcp pool QNAP_NAS

host 192.168.10.100 255.255.255.0

client-identifier 0100.089b.ad17.8f

client-name QNAP_NAS

!

ip cef

no ip bootp server

ip domain name dri

ip host SW12 192.168.1.252

ip host SW24 192.168.1.251

ip host tftp 192.168.10.50

ip host Router_A 192.168.10.5

ip host Router_B 10.0.1.1

ip ddns update method DynDNS

HTTP

add http://dri66:drv@members.dyndns.org/nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=drv@members.dyndns.org/nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=<a>

interval maximum 1 0 0 0

interval minimum 1 0 0 0

!

ntp server 66.27.60.10

!

multilink bundle-name authenticated

!

flow-sampler-map mysampler1

mode random one-out-of 100

!

crypto pki trustpoint TP-self-signed-2996752687

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2996752687

revocation-check none

rsakeypair TP-self-signed-2996752687

!

crypto pki certificate chain TP-self-signed-2996752687

certificate self-signed 01

30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 32393936 37353236 3837301E 170D3130 31313330 31393036

34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39393637

35323638 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100E1D0 6D1EDC8A D7C6D4C4 FADC711E FB52B082 4F81BF1E 9B5BD3A0 DDB505E2

47168821 6E69B426 AA60E9ED C4B3F95B C0830935 F6B395BA EB6CFC82 E27B75EC

E45DE343 9D258765 4690634D 628EBF91 CBF13884 F5DA31EF 44C3D330 C9FF0D27

5F5EE55B 56429179 A4B53946 15687FFE 63A7C25C 259FA18E DB20F8C5 5F3065E1

02570203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603

551D1104 12301082 0E524F55 54455231 3834312E 64726930 1F060355 1D230418

30168014 6144EDD8 070B697B 38FC3D5E A2501396 D885B4D5 301D0603 551D0E04

16041461 44EDD807 0B697B38 FC3D5EA2 501396D8 85B4D530 0D06092A 864886F7

0D010104 05000381 810099FA B5F4D0B0 D51DA525 1AB96481 1D1732B3 CD080412

2255E8DB 84823CF5 ED9C077C 1FADFF17 A9A1D4BA B69B39B0 47A9CBA7 4A97C1E5

6A1B6FBD 511BA8AD 3E716EC3 654980DA F16A3B47 CE7BC6A4 CB1373E2 1902600E

863C6352 9074B62A 15E74894 BEDEDC14 D85753AF AD2EF852 6A4B2588 9759CABD

42AD878C 58504629 BE48

quit

!

vtp version 2

username Admin privilege 15 secret 5 $1$gAFQ$2ecAHSYEU9g7b6WYuTY9G/

username cisco password 7 02050D480809

archive

log config

hidekeys

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group 3000client

key cisco123

dns 8.8.8.8

domain cisco.com

pool VPNpool

acl 150

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

crypto map clienmap client authentication list userauthen

!

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh port 8096 rotary 1

ip ssh version 2

!

interface Loopback0

ip address 192.66.66.66 255.255.255.0

!

interface FastEthernet0/0

description DMZ

ip ddns update hostname mlgw.dyndns.info

ip ddns update DynDNS

ip address dhcp

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map clientmap

!

interface FastEthernet0/0.241

description VLAN 241

encapsulation dot1Q 241

ip address dhcp

ip access-group dri-acl-in in

ip nat outside

ip virtual-reassembly

no cdp enable

!

interface FastEthernet0/0.245

encapsulation dot1Q 245

ip address dhcp

ip access-group dri-acl-in in

ip nat outside

ip virtual-reassembly

no cdp enable

!

interface FastEthernet0/1

description INTERNAL$ETH-LAN$

ip address 192.168.100.1 255.255.255.0

no ip proxy-arp

ip nat inside

ip virtual-reassembly

shutdown

duplex auto

speed auto

!

interface FastEthernet0/0/0

switchport access vlan 10

spanning-tree portfast

!

interface FastEthernet0/0/1

switchport access vlan 245

spanning-tree portfast

!

interface FastEthernet0/0/2

switchport access vlan 30

spanning-tree portfast

!

interface FastEthernet0/0/3

switchport mode trunk

!

interface Vlan1

ip address 192.168.1.250 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan20

ip address 192.168.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan30

ip address 192.168.30.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan245

ip address 192.168.245.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip local pool VPNpool 172.16.0.1 172.16.0.200

ip forward-protocol nd

no ip http server

ip http authentication local

ip http secure-server

!

ip flow-cache timeout inactive 130

ip flow-cache timeout active 20

ip flow-aggregation cache prefix

cache timeout inactive 400

cache timeout active 25

!

ip nat inside source static tcp 192.168.10.68 5800 interface FastEthernet0/0 5800

ip nat inside source list 170 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.10.68 5900 interface FastEthernet0/0 5900

ip nat inside source list NAT1 interface FastEthernet0/0.245 overload

ip nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095

!

access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 permit ip 192.168.10.0 0.0.0.255 any

access-list 180 deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 180 permit ip 192.168.10.0 0.0.0.255 any

no cdp run

!

route-map NAT permit 10

match ip address 180

!

control-plane

!

line con 0

speed 115200

line aux 0

line vty 0 4

access-class 5 in

privilege level 15

rotary 1

transport input telnet ssh

line vty 5 15

access-class 5 in

rotary 1

!

scheduler allocate 20000 1000

end

Federico Coto Fajardo · ‎01-30-2011

Didier,

You can configure the router to accept the VPN client connection without XAUTH (extended authentication), so by just authenticating the VPN client itself and not the user.

But, according to the configuration, you should be prompted for user/pass.

Are you saying the client connects fine and the tunnel gets fully establishes without this prompt?

Federico.

View solution in original post

Federico Coto Fajardo · ‎01-30-2011

Didier,

You can configure the router to accept the VPN client connection without XAUTH (extended authentication), so by just authenticating the VPN client itself and not the user.

But, according to the configuration, you should be prompted for user/pass.

Are you saying the client connects fine and the tunnel gets fully establishes without this prompt?

Federico.

Didier1966 · ‎01-30-2011

Hi Federico,

Yes , without pop-up , I get access to the VPN , I have even try on a other computer that has never been connected to my network !!!

In one click I was in

I just have to put the GROUPNAME and GROUP PASSWORD in the PCF file.

Thank you again for your help,

Best Regards,

Didier

Federico Coto Fajardo · ‎01-30-2011

I see XAUTH enabled on the configuration so it should ask for the password.

What I could think is happening is that the password is saved on the client side.

When you open the profile (the PCF file), you get something like this:

Username=fcoto
SaveUserPassword=0
UserPassword=

If you EDIT this file (with a text editor):

Username=fcoto
SaveUserPassword=1
UserPassword=mypassword

Then, the next time I try to conenct to the router, the client will already had saved the user/password for me.

Federico.

Didier1966 · ‎01-30-2011

Hi Federico,

Here you have the PCF file.

If you have a VPN client on your computer , just try with this :

81.83.201.32

You will see , it connect directly.

When you are in try : 192.168.10.10 , it will work

Due to that I still test , if it ask you for a login and password it is both "cisco"

[main]

Description=DRI

Host=mlgw.dyndns.info

AuthType=1

GroupName=3000client

GroupPwd=cisco123

Username=

SaveUserPassword=

EnableBackup=0

EnableNat=1

TunnelingMode=0

EnableLocalLAN=1

Didier1966 · ‎01-31-2011

Hello my friends,

Just to tell you that the problem is solved

It was a spelling mistake

Look bellow in the first line , I write clienmap instead of clientmap

!

crypto map clienmap client authentication list userauthen

!

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

Best Regards,

Didier

Federico Coto Fajardo · ‎01-31-2011

Hi Didier,

I should have noticed that! :-)

Thank you for the feedback.

Federico.