Cisco 1721 Router

Discussion in 'Cisco' started by David, Oct 29, 2009.

  1. David

    David Guest

    I am having troubles getting my Windows computers using the Windows
    VPN to connect using data encryption from XP and Vista. If I uncheck
    the option "Require data encryption (disconnect if none)" in the
    Windows VPN client, everything works fine, I connect, authenticate,
    get the DHCP address, and everything is fine. If I check the option
    for Require data encryption, it will disconnect. Obviously I know
    that it's not encrypting the data, but I don't know how to get it to.
    Below is my configuration (IP addresses and Passwords changed):

    Current configuration : 5337 bytes
    !
    ! Last configuration change at 16:25:26 CST Wed Oct 28 2009 by david
    ! NVRAM config last updated at 16:43:08 CST Wed Oct 28 2009 by david
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    enable password 7 password
    !
    clock timezone CST -5
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    aaa new-model
    !
    !
    aaa authentication login TRAuthList group radius local
    aaa authentication login userauthen group radius local
    aaa authentication ppp default group radius local
    aaa authorization network default if-authenticated
    aaa authorization auth-proxy default group radius
    aaa session-id common
    ip subnet-zero
    !
    !
    no ip domain lookup
    !
    ip cef
    ip inspect name dialer1_out tcp
    ip inspect name dialer1_out udp
    ip inspect name dialer1_out ftp
    ip inspect name dialer1_out realaudio
    ip inspect name dialer1_out netshow
    ip inspect name dialer1_out h323
    ip inspect name dialer1_out streamworks
    ip inspect name dialer1_out vdolive
    ip inspect name dialer1_out rtsp
    ip inspect name dialer1_out cuseeme
    ip inspect name dialer1_out rcmd
    ip inspect name dialer1_out sqlnet
    ip inspect name dialer1_out fragment maximum 256 timeout 1
    ip inspect name dialer1_out rpc program-number 1
    ip audit po max-events 100
    vpdn enable
    vpdn ip udp ignore checksum
    !
    vpdn-group PPTP-Radius
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    vpdn-group pppoe
    request-dialin
    protocol pppoe
    !
    async-bootp dns-server 192.168.x.x 192.168.x.x
    async-bootp nbns-server 192.168.x.x 192.168.x.x
    !
    !
    username espadmin password 7 password
    username david privilege 15 password 7 password
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group neteng
    pool pptppool
    !
    crypto isakmp client configuration group VPN
    key 3spint
    dns 192.168.x.x 192.168.x.x
    domain esp-seals.com
    acl 111
    !
    !
    crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
    !
    crypto dynamic-map vpndyn 10
    set transform-set trans2
    !
    !
    crypto map nemap client authentication list vpnauthen
    crypto map nemap isakmp authorization list vpnauthor
    crypto map nemap client configuration address initiate
    crypto map nemap client configuration address respond
    crypto map nemap 10 ipsec-isakmp dynamic vpndyn
    !
    !
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    no atm ilmi-keepalive
    bundle-enable
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    pvc 0/32
    pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet0
    ip address 1.1.1.1 255.255.255.0
    ip helper-address 192.168.x.x
    ip nat inside
    ip policy route-map nonat
    speed 100
    full-duplex
    crypto map nemap
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet0
    ip helper-address 192.168.x.x
    ip mroute-cache
    peer default ip address dhcp
    ppp encrypt mppe auto
    ppp authentication ms-chap ms-chap-v2
    !
    interface Dialer1
    mtu 1492
    ip address [outside IP] 255.255.255.240
    ip access-group 102 in
    ip nat outside
    encapsulation ppp
    dialer pool 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname username
    ppp chap password 7 password
    ppp pap sent-username username password 7 password
    !
    router eigrp 100
    network 1.1.1.1
    no auto-summary
    !
    ip local policy route-map nonat
    ip nat pool INTERNET [outside IP] [outside IP] netmask 255.255.255.240
    ip nat inside source route-map nat pool INTERNET overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    no ip http secure-server
    !
    !
    ip radius source-interface FastEthernet0
    logging trap debugging
    logging facility local2
    access-list 101 permit ip 1.1.1.0 0.0.0.255 192.168.221.0 0.0.0.255
    access-list 101 permit ip 2.2.2.0 0.0.0.255 192.168.221.0 0.0.0.255
    access-list 101 permit ip 3.3.3.0 0.0.0.255 192.168.221.0 0.0.0.255
    access-list 101 permit ip 4.4.4.0 0.0.0.255 192.168.221.0 0.0.0.255
    access-list 101 permit ip 5.5.5.0 0.0.0.255 192.168.221.0 0.0.0.255
    access-list 101 permit ip 192.168.x.0 0.0.0.31 192.168.221.0 0.0.0.255
    access-list 102 permit esp any any
    access-list 102 permit udp any any eq isakmp
    access-list 102 permit udp any any eq ntp
    access-list 102 permit tcp any any eq 1723
    access-list 102 permit gre any any
    access-list 102 permit icmp any any
    access-list 102 permit tcp any any eq www
    access-list 111 permit ip 1.1.1.0 0.0.0.255 any
    access-list 199 remark Global_NAT_Out
    access-list 199 permit ip 1.1.1.0 0.0.0.255 any
    access-list 199 permit ip 192.168.x.0 0.0.0.31 any
    access-list 199 permit ip 2.2.2.0 0.0.0.255 any
    access-list 199 permit ip 4.4.4.0 0.0.0.255 any
    access-list 199 permit ip 6.6.0.0 0.0.255.255 any
    !
    route-map nonat permit 20
    match ip address 101
    set ip next-hop 172.31.254.1
    !
    route-map nat permit 10
    match ip address 199
    !
    snmp-server community 3spint RO
    radius-server host 192.168.x.x auth-port 1645 acct-port 1646
    radius-server key 7 [key]
    radius-server vsa send authentication
    !
    line con 0
    exec-timeout 0 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    login authentication userauthen
    transport input telnet ssh
    !
    ntp clock-period 17180033
    ntp server 192.168.x.x
    end

    Then here is the part of the debug ppp negotiation after the
    authentication is successful but the option Require data encryption is
    checked and it fails to connect:

    Oct 29 13:07:03.387: Vi2 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=
    [long number letter combo]"
    Oct 29 13:07:03.387: Vi2 PPP: Phase is UP
    Oct 29 13:07:03.387: Vi2 IPCP: O CONFREQ [Closed] id 1 len 10
    Oct 29 13:07:03.387: Vi2 IPCP: Address 1.1.1.207 (0x0306DD1515CF)
    Oct 29 13:07:03.391: Vi2 PPP: Process pending ncp packets
    Oct 29 13:07:03.391: Vi2 CCP: O CONFREQ [Closed] id 1 len 10
    Oct 29 13:07:03.395: Vi2 CCP: MS-PPC supported bits 0x01000060
    (0x120601000060)
    Oct 29 13:07:03.459: Vi2 CCP: I CONFREQ [REQsent] id 7 len 10
    Oct 29 13:07:03.459: Vi2 CCP: MS-PPC supported bits 0x01000040
    (0x120601000040)
    Oct 29 13:07:03.459: Vi2 CCP: O CONFACK [REQsent] id 7 len 10
    Oct 29 13:07:03.463: Vi2 CCP: MS-PPC supported bits 0x01000040
    (0x120601000040)
    Oct 29 13:07:03.463: Vi2 CCP: I CONFNAK [ACKsent] id 1 len 10
    Oct 29 13:07:03.463: Vi2 CCP: MS-PPC supported bits 0x01000040
    (0x120601000040)
    Oct 29 13:07:03.463: Vi2 CCP: O CONFREQ [ACKsent] id 2 len 10
    Oct 29 13:07:03.463: Vi2 CCP: MS-PPC supported bits 0x01000040
    (0x120601000040)
    Oct 29 13:07:03.463: Vi2 IPCP: I CONFREQ [REQsent] id 8 len 34
    Oct 29 13:07:03.463: Vi2 IPCP: Address 0.0.0.0 (0x030600000000)
    Oct 29 13:07:03.463: Vi2 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
    Oct 29 13:07:03.467: Vi2 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
    Oct 29 13:07:03.467: Vi2 IPCP: SecondaryDNS 0.0.0.0
    (0x830600000000)
    Oct 29 13:07:03.467: Vi2 IPCP: SecondaryWINS 0.0.0.0
    (0x840600000000)
    Oct 29 13:07:03.467: Vi2 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0,
    we want 0.0.0.0
    Oct 29 13:07:03.467: Vi2 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0,
    we want 0.0.0.0
    Oct 29 13:07:03.535: Vi2 CCP: I CONFACK [ACKsent] id 2 len 10
    Oct 29 13:07:03.535: Vi2 CCP: MS-PPC supported bits 0x01000040
    (0x120601000040)
    Oct 29 13:07:03.539: Vi2 CCP: State is Open
    Oct 29 13:07:03.539: Vi2 CCP: O TERMREQ [Open] id 3 len 4
    Oct 29 13:07:03.595: Vi2 IPCP: Pool returned 1.1.1.51
    Oct 29 13:07:03.595: Vi2 IPCP: O CONFNAK [REQsent] id 8 len 34
    Oct 29 13:07:03.595: Vi2 IPCP: Address 1.1.1.51 (0x0306DD151533)
    Oct 29 13:07:03.595: Vi2 IPCP: PrimaryDNS 192.168.x.x
    (0x8106C0A80A02)
    Oct 29 13:07:03.595: Vi2 IPCP: PrimaryWINS 192.168.x.x
    (0x8206C0A80A02)
    Oct 29 13:07:03.595: Vi2 IPCP: SecondaryDNS 192.168.x.x
    (0x8306C0A80A14)
    Oct 29 13:07:03.595: Vi2 IPCP: SecondaryWINS 192.168.x.x
    (0x8406C0A80A14)
    Oct 29 13:07:03.595: Vi2 IPCP: I CONFACK [REQsent] id 1 len 10
    Oct 29 13:07:03.599: Vi2 IPCP: Address 1.1.1.207 (0x0306DD1515CF)
    Oct 29 13:07:03.607: Vi2 CCP: I TERMACK [TERMsent] id 3 len 4
    Oct 29 13:07:03.607: Vi2 CCP: State is Closed
    Oct 29 13:07:03.611: Vi2 LCP: I TERMREQ [Open] id 9 len 16
    (0x34185FD9003CCD74000002E6)
    Oct 29 13:07:03.611: Vi2 LCP: O TERMACK [Open] id 9 len 4
    Oct 29 13:07:03.611: Vi2 PPP: Sending Acct Event[Down] id[4A]
    Oct 29 13:07:03.615: Vi2 PPP: Phase is TERMINATING
    Oct 29 13:07:03.699: Vi2 PPP: Block vaccess from being freed [0x18]
    Oct 29 13:07:03.703: %LINK-3-UPDOWN: Interface Virtual-Access2,
    changed state to down
    Oct 29 13:07:03.703: Vi2 LCP: State is Closed
    Oct 29 13:07:03.703: Vi2 PPP: Phase is DOWN
    Oct 29 13:07:03.707: Vi2 IPCP: State is Closed
    Oct 29 13:07:03.707: Vi2 PPP: Unlocked by [0x10] Still Locked by [0xA]
    Oct 29 13:07:03.707: Vi2 PPP: Send Message[Disconnect]
    Oct 29 13:07:03.707: Vi2 PPP: Unlocked by [0x8] Still Locked by [0x2]
    Oct 29 13:07:03.707: Vi2 PPP: Unlocked by [0x2] Still Locked by [0x0]
    Oct 29 13:07:03.707: Vi2 PPP: Free previously blocked vaccess

    Any help is greatly appreciated. I have been fighting this for quite
    some time now and want to put it in production.
     
    David, Oct 29, 2009
    #1
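
The CCP lines in the debug output above carry the MPPE "supported bits" option, which can be decoded with the flag values from RFC 3078. This is an added example, not part of the original post: the function names are hypothetical, and the sample is the CCP lines copied from that post.

```python
import re

# MPPE "supported bits" flags as defined in RFC 3078, section 2.1.
MPPE_FLAGS = {
    0x01000000: "stateless mode (H)",
    0x00000080: "56-bit (M)",
    0x00000040: "128-bit (S)",
    0x00000020: "40-bit (L)",
    0x00000001: "MPPC compression (C)",
}

# CCP lines from the post above; wrapped "(0x1206...)" lines left out.
SAMPLE = """\
Oct 29 13:07:03.391: Vi2 CCP: O CONFREQ [Closed] id 1 len 10
Oct 29 13:07:03.395: Vi2 CCP: MS-PPC supported bits 0x01000060
Oct 29 13:07:03.459: Vi2 CCP: I CONFREQ [REQsent] id 7 len 10
Oct 29 13:07:03.459: Vi2 CCP: MS-PPC supported bits 0x01000040
Oct 29 13:07:03.459: Vi2 CCP: O CONFACK [REQsent] id 7 len 10
Oct 29 13:07:03.463: Vi2 CCP: MS-PPC supported bits 0x01000040
Oct 29 13:07:03.463: Vi2 CCP: I CONFNAK [ACKsent] id 1 len 10
Oct 29 13:07:03.463: Vi2 CCP: MS-PPC supported bits 0x01000040
Oct 29 13:07:03.463: Vi2 CCP: O CONFREQ [ACKsent] id 2 len 10
Oct 29 13:07:03.463: Vi2 CCP: MS-PPC supported bits 0x01000040
Oct 29 13:07:03.535: Vi2 CCP: I CONFACK [ACKsent] id 2 len 10
Oct 29 13:07:03.535: Vi2 CCP: MS-PPC supported bits 0x01000040
Oct 29 13:07:03.539: Vi2 CCP: O TERMREQ [Open] id 3 len 4
"""

PACKET = re.compile(r"CCP: ([IO]) ((?:CONF|TERM)[A-Z]+)")
BITS = re.compile(r"MS-PPC supported bits 0x([0-9A-Fa-f]{8})")


def decode_bits(value):
    """Name every known MPPE flag set in a 32-bit supported-bits value."""
    return [name for flag, name in MPPE_FLAGS.items() if value & flag]


def parse_ccp(text):
    """Return (direction, packet, bits) tuples; O = sent by the router."""
    events = []
    for line in text.splitlines():
        pkt = PACKET.search(line)
        bits = BITS.search(line)
        if pkt:
            events.append((pkt.group(1), pkt.group(2), None))
        elif bits and events and events[-1][2] is None:
            events[-1] = events[-1][:2] + (int(bits.group(1), 16),)
    return events


def summarize(events):
    """Report the option set each side acknowledged and who sent TERMREQ."""
    acked = {d: b for d, kind, b in events if kind == "CONFACK"}
    term = [d for d, kind, _ in events if kind == "TERMREQ"]
    return {
        "router_acked": decode_bits(acked["O"]) if "O" in acked else None,
        "client_acked": decode_bits(acked["I"]) if "I" in acked else None,
        "ccp_termreq_from": term[0] if term else None,
    }
```

Run over the sample, `summarize(parse_ccp(SAMPLE))` shows both sides acknowledging 128-bit stateless MPPE after the client NAKs the router's 40-bit-plus-128-bit offer, and the CCP TERMREQ coming from the router side (`O`).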

  2. David

    Rob Guest

    In the interface Virtual-Template1 I use:

    compress mppc
    ppp encrypt mppe auto required
    ppp authentication ms-chap
    ppp pap refuse

    This works.
     
    Rob, Oct 29, 2009
    #2

  3. David

    David Guest

    On Oct 29, 10:50 am, Rob <> wrote:
    > In the interface Virtual-Template1 I use:
    >
    >  compress mppc
    >  ppp encrypt mppe auto required
    >  ppp authentication ms-chap
    >  ppp pap refuse
    >
    > This works.


    I tried this and it is still doing the same thing. If it helps too,
    this only happens after it authenticates, and is "Registering computer
    on the network." On the Vista machine it shows you can try and
    diagnose, try again, or choose another connection, but on the XP
    machine it says "Error 742: the remote computer does not support the
    required data encryption type." Is the data still being encrypted even
    if I have the box "require encryptions" unchecked?
     
    David, Oct 29, 2009
    #3
  4. David

    Rob Guest

    David <> wrote:
    > On Oct 29, 10:50 am, Rob <> wrote:
    >> In the interface Virtual-Template1 I use:
    >>
    >>  compress mppc
    >>  ppp encrypt mppe auto required
    >>  ppp authentication ms-chap
    >>  ppp pap refuse
    >>
    >> This works.

    >
    > I tried this and it is still doing the same thing. If it helps too,
    > this only happens after it authenticates, and is "Registering computer
    > on the network." On the Vista machine it shows you can try and
    > diagnose, try again, or choose another connection, but on the XP
    > machine it says "Error 742: the remote computer does not support the
    > required data encryption type." Is the data still being encrypted even
    > if I have the box "require encryptions" unchecked?


    I assumed you use PPTP with its associated encryption (mppe) but
    it seems you have configured network encryption on top of that?
     
    Rob, Oct 29, 2009
    #4
  5. David

    David Guest

    On Oct 29, 11:14 am, Rob <> wrote:
    > David <> wrote:
    > > On Oct 29, 10:50 am, Rob <> wrote:
    > >> In the interface Virtual-Template1 I use:

    >
    > >>  compress mppc
    > >>  ppp encrypt mppe auto required
    > >>  ppp authentication ms-chap
    > >>  ppp pap refuse

    >
    > >> This works.

    >
    > > I tried this and it is still doing the same thing.  If it helps too,
    > > this only happens after it authenticates, and is "Registering computer
    > > on the network."  On the Vista machine it shows you can try and
    > > diagnose, try again, or choose another connection, but on the XP
    > > machine it says "Error 742: the remote computer does not support the
    > > required data encryption type."  Is the data still being encrypted even
    > > if I have the box "require encryptions" unchecked?

    >
    > I assumed you use PPTP with its associated encryption (mppe) but
    > it seems you have configured network encryption on top of that?


    How would I change it to use PPTP with its associated encryption and
    not network encryption on top of it?
     
    David, Oct 29, 2009
    #5
  6. David

    Rob Guest

    David <> wrote:
    > On Oct 29, 11:14 am, Rob <> wrote:
    >> David <> wrote:
    >> > On Oct 29, 10:50 am, Rob <> wrote:
    >> >> In the interface Virtual-Template1 I use:

    >>
    >> >>  compress mppc
    >> >>  ppp encrypt mppe auto required
    >> >>  ppp authentication ms-chap
    >> >>  ppp pap refuse

    >>
    >> >> This works.

    >>
    >> > I tried this and it is still doing the same thing.  If it helps too,
    >> > this only happens after it authenticates, and is "Registering computer
    >> > on the network."  On the Vista machine it shows you can try and
    >> > diagnose, try again, or choose another connection, but on the XP
    >> > machine it says "Error 742: the remote computer does not support the
    >> > required data encryption type."  Is the data still being encrypted even
    >> > if I have the box "require encryptions" unchecked?

    >>
    >> I assumed you use PPTP with its associated encryption (mppe) but
    >> it seems you have configured network encryption on top of that?

    >
    > How would I change it to use PPTP with its associated encryption and
    > not network encryption on top of it?


    You configure only a PPTP connection on the calling PC. Not the
    whole network encryption (IPsec) stuff.
     
    Rob, Oct 29, 2009
    #6
  7. David

    David Guest

    I basically started from scratch and redid the config. Here is what
    it looks like now:

    Current configuration : 3084 bytes
    !
    ! Last configuration change at 14:50:35 CST Thu Oct 29 2009 by david
    ! NVRAM config last updated at 14:11:52 CST Thu Oct 29 2009 by david
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Inet3
    !
    boot-start-marker
    boot-end-marker
    !
    enable password 7 password
    !
    clock timezone CST -5
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    aaa new-model
    !
    !
    aaa authentication login TRAuthList group radius local
    aaa authentication login userauthen group radius local
    aaa authentication ppp default group radius local
    aaa authorization network default if-authenticated
    aaa authorization auth-proxy default group radius
    aaa session-id common
    ip subnet-zero
    !
    !
    no ip domain lookup
    ip domain name esp-seals.com
    !
    ip cef
    ip audit po max-events 100
    vpdn enable
    vpdn ip udp ignore checksum
    !
    vpdn-group PPTP-Radius
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    vpdn-group pppoe
    request-dialin
    protocol pppoe
    !
    async-bootp dns-server 192.168.x.x 192.168.x.x
    async-bootp nbns-server 192.168.x.x 192.168.x.x
    !
    !
    username espadmin password 7 password
    username david privilege 15 password 7 password
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    no atm ilmi-keepalive
    bundle-enable
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    pvc 0/32
    pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet0
    ip address 1.1.1.1 255.255.255.0
    speed 100
    full-duplex
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet0
    ip helper-address 192.168.x.x
    peer default ip address dhcp
    compress mppc
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    ppp pap refuse

    !
    interface Dialer1
    mtu 1492
    ip address [outside IP] 255.255.255.240
    encapsulation ppp
    dialer pool 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname username
    ppp chap password 7 password
    ppp pap sent-username username password 7 password
    !
    router eigrp 100
    network 1.1.1.0
    no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    logging trap debugging
    logging facility local2
    !
    snmp-server community key RO
    radius-server host 192.168.x.x auth-port 1645 acct-port 1646
    radius-server key 7 key
    radius-server vsa send authentication
    !
    line con 0
    exec-timeout 0 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    login authentication userauthen
    transport input telnet ssh
    !
    ntp clock-period 17180080
    ntp server 192.168.x.x
    end


    The same thing is happening, but now there is another line in the
    debug ppp negotiation:

    Oct 29 20:28:57.429: Vi5 MPPE: Required encryption not negotiated

    I'm assuming it is disconnecting due to no encryption, but the client
    (Windows Vista vpn) has the require encryption checked. I took off
    all NAT and ACLs just to make sure. I am really confused here.
     
    David, Oct 29, 2009
    #7
  8. David

    David Guest

    Anyone have any ideas on this one?
     
    David, Oct 30, 2009
    #8
  9. David

    mikeyb Guest

    On Oct 30, 6:06 pm, David <> wrote:
    > Anyone have any ideas on this one?

    try
    ppp encrypt mppe auto passive
    ppp authentication ms-chap-v2

    and leave Require data encryption (disconnect if none) unticked at the
    client.

    once connected look at the vpn connection details and you should see
    mppe encryption on the connection

    Mike
     
    mikeyb, Nov 10, 2009
    #9