Windows 2K/XP -> Cisco 827 VPN?

Post by 63k05pv0 » Sun, 21 Dec 2003 04:20:25


I'm trying to use the Windows 2k/XP built-in VPN client (roaming
laptop user) to connect to a Cisco 827.

I've tried to get PPTP to work, but am not sure why I'm stranded, so
any help would be appreciated. Sorry for the length of the post, but I
thought I'd include all relevant info.

1) Are there any problems with my configuration? (I'm an IOS and VPN
newbie. The correct question may be: "How many?" ;-) )
2) Do I have a sufficient IOS version? (I think so)

As far as I can see there are two options for this: PPTP and L2TP. The
second option is called "Layer 2 Tunneling Protocol L2TP" in Windows
2K and "L2TP IPSec VPN" in Windows XP. I assume this second option is
the same for both Windows 2K and XP, even though the names differ on
IPSec. Would L2TP be a better/more secure/easier choice to get working
(would the LAC then be the VPN client program and the LNS be the 827?
All the Cisco examples have too many networks involved... :-( )? Any
good pointers to _simple_ configuration examples? Most examples at
www.cisco.com involve several pieces of Cisco equipment - maybe my
scenario is just too simple...

(The following may be obvious :-D) The 827 is running NAT and I want
the outside VPN client to end up with two addresses: the one he had
from the start and one so he can access hosts in the network inside
the NAT. I want the VPN terminated at the 827.

*********************************************
Are there any problems with my configuration?
*********************************************
I've tried to follow what looked like the best guide:
http://www.ifm.net.nz/cookbooks/827_fw_pptp_nz.html
and I've looked at:
http://www.nzdsl.co.nz/howtos/Cisco/craigcisco.html

I had to add
"aaa new-model
aaa authentication ppp default local"
to avoid a warning in the "ppp authentication ms-chap" line, and have
no idea whether that is right. Now, at least, there is no warning! :-D

(Description of behavior and packet trace and inline debug output
below config)

When I attempt to connect, the client sits around for a while
displaying "Verifying username and password", and then finally fails.
A packet sniffer trace (ethereal - available on request) shows that
the router sends numerous PPP LCP Configuration Requests, and the
client answers them all (that is what takes all the time.) Finally,
the router sends a PPTP disconnect-notify message.

Configuration (I've changed passwords in post, and for testing, my
access list is very weak):

!
! Last configuration change at 01:16:36 MET Fri Dec 19 2003
!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service dhcp
!
hostname 6x125403
!
logging buffered 8192 debugging
logging rate-limit console 10 except errors
logging console warnings
aaa new-model
!
!
aaa authentication ppp default local
aaa session-id common
enable secret 5 $1$5oy4.bb0nXP/
!
username pvm password 7 026
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
ip dhcp pool 827
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 212.54.64.170 212.54.64.171
 lease 0 1
!
ip ssh time-out 120
ip ssh authentication-retries 3
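
Added example, not part of the original post: the symptom described above (repeated PPP LCP Configure-Requests from the router, then a PPTP disconnect) is usually diagnosed by reading what each side puts in the LCP Authentication-Protocol option. The sketch below decodes that option from raw LCP bytes; the SAMPLE exchange is constructed for illustration and is not the poster's trace.

```python
import struct

LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack"}
CHAP_ALGS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}

def parse_lcp(pkt: bytes) -> dict:
    """Parse one LCP packet (the payload of PPP protocol 0xC021, RFC 1661)."""
    if len(pkt) < 4:
        raise ValueError("truncated LCP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 4 <= length <= len(pkt):
        raise ValueError("bad LCP length field")
    out = {"code": LCP_CODES.get(code, f"code-{code}"), "id": ident, "auth": None}
    body = pkt[4:length] if code in (1, 2, 3, 4) else b""
    i = 0
    while i + 2 <= len(body):                      # walk type/length/value options
        otype, olen = body[i], body[i + 1]
        if olen < 2 or i + olen > len(body):
            raise ValueError("bad LCP option length")
        data = body[i + 2:i + olen]
        if otype == 3 and len(data) >= 2:          # Authentication-Protocol option
            proto = struct.unpack("!H", data[:2])[0]
            if proto == 0xC023:
                out["auth"] = "PAP"
            elif proto == 0xC223 and len(data) >= 3:
                out["auth"] = CHAP_ALGS.get(data[2], f"CHAP-alg-{data[2]:#x}")
            else:
                out["auth"] = f"{proto:#06x}"
        i += olen
    return out

def auth_disagreements(exchange):
    """Return (sender, code, auth) for every Nak/Reject that names the auth option.
    A Nak carries the method the sender wants instead; a Reject echoes the refused one."""
    hits = []
    for sender, raw in exchange:
        p = parse_lcp(raw)
        if p["code"] in ("Configure-Nak", "Configure-Reject") and p["auth"]:
            hits.append((sender, p["code"], p["auth"]))
    return hits

# Constructed sample (not from the poster's trace): router asks for MS-CHAP,
# client Naks with MS-CHAPv2, router repeats the same request.
SAMPLE = [
    ("router", bytes.fromhex("0101000f0305c22380050611223344")),
    ("client", bytes.fromhex("030100090305c22381")),
    ("router", bytes.fromhex("0102000f0305c22380050611223344")),
    ("client", bytes.fromhex("030200090305c22381")),
]
```

If the same Nak or Reject keeps coming back for every request, the two ends do not share an authentication method, and the router's "ppp authentication" line and the client's allowed protocols are the settings to compare.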

Howto: Windows client - cisco 827 VPN? Possible?

Hi,

What I'd like to accomplish is to be able to see the inside of a NAT
created by the 827 from remote windows 2k/XP workstations.

In order of preference, I'd like to use:
1) The native VPN client on 2k/XP
2) Some 3rd party application that does not require SW installation
(Is this even possible? I'd really like to avoid having to
install software just to access my inside network to get
a file or whatever)
3) VPN client that requires software installation

For some reason, this seems terribly complicated if at all possible.
(?)

Right now, I'm using SSH (via tcp port 22 forwarded to a linux box) to
forward selected ports when I need them. What I really want is for the
host to get an IP address from the inside of the 827's NAT in addition
to the one it already has.

Isn't this a very-FAQ? I have found no solutions to this. Especially
no easy ones.... I tried with a post detailing my failed attempt,
http://www.yqcomputer.com/ %40posting.google.com
but since that didn't get any replies I'm rephrasing it:

What are my options? IPSec? VPN/SSL?? (PPTP?) How is this done?
Or: Why is this a brain-dead idea?

Sincerely + Happy New Year!

Peter
