07-08-2008 12:49 PM
Hi
I've been building a VPN configuration to allow Windows clients using the Windows VPN client to access our internal LAN. Well, it turns out I didn't do a good job.
The VPN connection is working perfectly fine as long as XP clients are used. As soon as a Vista client tries to connect, it doesn't even get past the "Connecting to -IP-" stage (actually it asks me for a password and username, but I guess that's right at the beginning).
I am posting the relevant parts of my configuration here. I am using PAT for translating entries and I am using a Cisco 1811.
Thank you for your help
-snip-
r#show run
Building configuration...
Current configuration : 3483 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication ppp VpdnAuth local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.200 192.168.0.240
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool XXXXXXXXX
network 192.168.0.0 255.255.255.0
default-router 129.168.0.1
dns-server 192.168.0.1
!
ip dhcp pool XXXXXXXXXX
network 192.168.9.0 255.255.255.0
default-router 192.168.9.1
dns-server 192.168.9.1
!
!
ip domain name XXXXXXXXXX
ip name-server XXXXXXXXXX
ip name-server XXXXXXXXXX
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
description VPDN Group for L2TP/IPSec Clients
accept-dialin
protocol l2tp
virtual-template 2
no l2tp tunnel authentication
!
!
!
!
username -removed-
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MsIPSec esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map MsDynMap 1
set nat demux
set transform-set MsIPSec
!
!
crypto map IPSecIsaPmpMap 6000 ipsec-isakmp dynamic MsDynMap
!
!
!
!
interface Loopback2
ip address 192.168.3.1 255.255.255.255
!
interface FastEthernet0
ip address 78.X.X.2 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPSecIsaPmpMap
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport access vlan 999
shutdown
!
interface FastEthernet6
switchport access vlan 999
shutdown
!
interface FastEthernet7
switchport access vlan 999
shutdown
!
interface FastEthernet8
switchport access vlan 999
shutdown
!
interface FastEthernet9
switchport access vlan 9
!
interface Virtual-Template2
ip unnumbered Loopback2
peer default ip address pool IPSecPool
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2 VpdnAuth
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan9
ip address 192.168.9.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip local pool IPSecPool 192.168.3.2 192.168.3.10
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXX
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.96 22 interface FastEthernet0 XXXXXXX
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.9.0 0.0.0.255
access-list 3 permit XXXXXXXXXXX
access-list 3 permit 192.168.0.0 0.0.0.255
-snip-
07-09-2008 07:57 PM
Which version of the VPN client are you using?
For Windows Vista you should have the 5.X client. Can you check in more detail or in SDM? Do you have a Client Version permit/deny rule?
Check the detailed protocol, TCP 500 or UDP 10000, it tries to connect with.
Thanks,
Dharmesh Purohit
07-09-2008 08:52 PM
Hi Dharmesh Purohit
I am sorry, I forgot to say that I am trying to use the Windows integrated VPN client (not the one from Cisco). As I said, it is working in Windows XP just fine, but Vista clients appear to have problems.
I didn't configure it using SDM. How could I best debug VPN connection attempts?
Thank you so far.
08-30-2008 03:50 AM
If it works in XP, it should not be a configuration problem in the router.
Follow this step for Vista: https://www.publicvpn.com/support/Vista.php