Networking

SolutionBase: Using a Cisco IOS router as a VPN server

If you want to provide remote access to your network for traveling users, you don't have to spend a lot of money on a dedicated VPN server. If you've already got a Cisco IOS router, all you have to do is make the changes described in this article.

As Cisco routers have about 85% of the router market, most businesses today have a Cisco router connecting them to the Internet. So, why not use that router for more than just routing? What if it could be a VPN server that connects roaming users with laptops or home PCs back into your business network? This article explains how to do just that.

A router as a VPN Server?!

Your first objection to using a Cisco router as a VPN server might be that you don't want to have to install the Cisco VPN client software on all the remote PCs. Every Windows PC already comes with a VPN client, so you, like me, probably want to just use that. By using the already installed client, you save the time it would take to train users to download and configure a different VPN client. Thus, you will use the built-in Microsoft VPN client to connect to your VPN server.

Author's note

The configuration on your existing Internet router may be complex. This article can't address all the possible configurations you may already have in place.

By the way, for your IOS router to act as a VPN server at all, you will need the DES or 3DES version of the IOS. These are the versions that offer encryption, including the MPPE encryption that PPTP uses in the configurations below. The DES and 3DES versions have a k8 or k9 in the IOS filename. These features must be licensed from Cisco and are not free, unless you already own that version of the IOS.

For the purposes of this demonstration, we will use a Cisco 2610 router as a basic PPTP VPN server, authenticating users against a local username/password database. The router can also be configured to query a RADIUS server (such as a Microsoft IAS server) and authenticate against Windows Active Directory (AD) usernames and passwords. That type of configuration would be ideal for anything more than a handful of VPN users, but it is more complex than this entry-level document will cover. For more information, Cisco has published a document that covers using a Cisco IOS router with an MS IAS server for VPN.

Configuring the router

The biggest question you may have after reviewing this configuration is how it fits in with your firewall. You can also use a Cisco router as a firewall, with a feature called CBAC (context-based access control). This is also known as the Firewall Feature Set, and you need a special version of the IOS to do this.

The following configuration shows, step by step, how to configure the Cisco IOS router as an MS PPTP VPN server. The goal of this configuration is to let you keep all the defaults of the VPN client in Windows XP: all you will have to do is add a new connection, provide the name (or IP address) of the VPN server, and enter your username/password. Figure A shows what your network will look like in the end.

On the Cisco IOS router

First, you must enable VPDN (virtual private dial-up networking) on your router. VPDN is used for VPN client connectivity, as opposed to site-to-site, always-up VPN connectivity. To do so, use this command:

Router(config)# vpdn enable

Create a VPDN group configured to PPTP, just like the Microsoft VPN client will use, by default:

Router(config)# vpdn-group TEST-VPN
Router(config-vpdn)# accept-dialin
Router(config-vpdn)# protocol pptp
Router(config-vpdn)# virtual-template 1
Router(config-vpdn)# exit

Next, configure the interfaces to match the diagram. Naturally, your IP address configuration will vary:

Router(config)# interface ethernet0/0
Router(config-if)# ip address 10.253.15.19 255.255.0.0
Router(config-if)# no shutdown
Router(config)# interface ethernet0/1
Router(config-if)# ip address 10.123.123.123 255.255.255.0
Router(config-if)# no shutdown

Next, create the virtual template that will be applied to inbound VPN connections. It borrows its IP address from the e0/1 interface (ip unnumbered), references a pool of IP addresses that will be handed out to VPN clients, and configures the PPP encryption and authentication mechanisms to match the defaults of the Microsoft VPN client:

Router(config)# interface Virtual-Template1
Router(config-if)# ip unnumbered Ethernet0/1
Router(config-if)# peer default ip address pool defaultpool
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2

Now, create the pool of IP addresses. These addresses must not already be in use on the internal network you are connecting to:

Router(config)# ip local pool defaultpool 10.123.123.1 10.123.123.10

After that, create a test user:

Router(config)# username test password 0 test

Finally, configure PPP authentication to use the local database. If you had a RADIUS server, this is where you would point to it instead of the local database:

Router(config)# aaa new-model
Router(config)# aaa authentication ppp default local

The complete configuration looks like this:

username test password 0 test
aaa new-model
!
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group TEST-VPN
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Ethernet0/0
 ip address 10.253.15.19 255.255.0.0
 no shutdown
!
interface Ethernet0/1
 ip address 10.123.123.123 255.255.255.0
 no shutdown
!
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool defaultpool 10.123.123.1 10.123.123.10
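Before the configuration above goes onto a router, its cross-references can be checked offline. The following script is an added example, not code from the article or from Cisco: it parses an IOS-style config (the embedded sample is the article's configuration, re-indented the way show running-config prints it) and verifies that vpdn enable, aaa new-model and the PPP authentication method list are present, that the vpdn-group hands sessions to a Virtual-Template that exists, that MPPE is required rather than merely offered and MS-CHAP is configured, and that the address pool is defined, lies in the subnet borrowed via ip unnumbered and does not overlap the router's own address. The function names and the wording of the findings are my own.

```python
import ipaddress

# Constructed sample: the article's configuration as IOS stores it (sub-commands indented).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp default local
vpdn enable
vpdn-group TEST-VPN
 accept-dialin
  protocol pptp
  virtual-template 1
interface Ethernet0/1
 ip address 10.123.123.123 255.255.255.0
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
ip local pool defaultpool 10.123.123.1 10.123.123.10
"""

def parse_sections(text):
    """Split an IOS config into global commands and {section name: [sub-commands]}.
    A non-indented interface/vpdn-group line opens a section, the indented lines after it
    belong to it, '!' lines are comments, and section names are lower-cased."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "vpdn-group ")):
            current = raw.strip().lower()
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections

def first(subs, prefix):
    return next((s for s in subs if s.startswith(prefix)), None)  # first match, or None

def check_virtual_template(name, subs, iface_addr, pools):
    """Checks on the Virtual-Template that each PPTP session is cloned from."""
    findings = []
    enc = first(subs, "ppp encrypt mppe")
    if enc is None or "required" not in enc.split():
        findings.append(f"{name}: MPPE is not 'required', so a client may get an unencrypted session")
    auth = first(subs, "ppp authentication ")
    if auth is None or not {"ms-chap", "ms-chap-v2"} & set(auth.split()):
        findings.append(f"{name}: needs ms-chap or ms-chap-v2; MPPE derives its keys from that exchange")
    unnum = first(subs, "ip unnumbered ")
    src = iface_addr.get(unnum.split()[2].lower()) if unnum else None
    if src is None:
        findings.append(f"{name}: 'ip unnumbered' is missing or names an interface with no ip address")
    pool = first(subs, "peer default ip address pool ")
    pool_name = pool.split()[-1] if pool else None
    if pool_name not in pools:
        findings.append(f"{name}: pool '{pool_name}' has no matching 'ip local pool'")
    elif src is not None:
        lo, hi = pools[pool_name]
        if lo not in src.network or hi not in src.network:
            findings.append(f"pool {pool_name}: {lo}-{hi} is outside {src.network}; LAN hosts need a route for it via the router")
        elif lo <= src.ip <= hi:
            findings.append(f"pool {pool_name}: overlaps the router's own address {src.ip}")
    return findings

def check_pptp_config(text):
    """Return a list of findings; an empty list means the config is consistent."""
    global_cmds, sections = parse_sections(text)
    findings = [f"'{c}' is missing" for c in ("vpdn enable", "aaa new-model") if c not in global_cmds]
    if not any(g.startswith("aaa authentication ppp ") for g in global_cmds):
        findings.append("no 'aaa authentication ppp' method list, so PPP users are never checked")
    iface_addr = {}  # real interface name -> address, for the ip unnumbered and pool checks
    for name, subs in sections.items():
        cmd = first(subs, "ip address ") if name.startswith("interface ") else None
        if cmd:
            ip, mask = cmd.split()[2:4]
            iface_addr[name[len("interface "):]] = ipaddress.ip_interface(f"{ip}/{mask}")
    pools = {}
    for g in global_cmds:
        p = g.split()
        if p[:3] == ["ip", "local", "pool"] and len(p) == 6:
            pools[p[3]] = (ipaddress.ip_address(p[4]), ipaddress.ip_address(p[5]))
    for name, subs in sections.items():  # each PPTP group must hand off to a real Virtual-Template
        if not name.startswith("vpdn-group "):
            continue
        vt = first(subs, "virtual-template ")
        vt_name = f"interface virtual-template{vt.split()[1]}" if vt else None
        if "accept-dialin" not in subs or "protocol pptp" not in subs or vt is None:
            findings.append(f"{name}: needs accept-dialin, protocol pptp and a virtual-template")
        elif vt_name not in sections:
            findings.append(f"{name}: {vt_name} is not defined")
        else:
            findings += check_virtual_template(vt_name, sections[vt_name], iface_addr, pools)
    return findings

if __name__ == "__main__":
    for line in check_pptp_config(SAMPLE_CONFIG) or ["config is consistent"]:
        print(line)
```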

Windows client

To connect to the new PPTP VPN server from a Windows workstation, click Start | Control Panel | Network Connections. Click on New Connection Wizard. Click Next on the welcome screen. Select Connect to a network at my workplace as shown in Figure B.

Figure B

Next, select Virtual Private Network Connection as shown in Figure C.

Figure C

You'll then see the Connection Name screen. Type in a name for the VPN Connection in the Company Name field as shown in Figure D. Click Next to continue.

Figure D

Next, the VPN Server Selection screen appears. Type in the IP address or hostname for the VPN server (your IOS router's interface) into the Host name field. In our case, this is 10.253.15.19 as you can see in Figure E.

Figure E

Take the default on the next screen (that this is for anyone's use) and click Next. Click Finish on the next screen. When done, you will see the screen shown in Figure F below. Type in your test username (test) and test password (test).

Figure F

Click Connect.

Once connected, you should see the VPN icon in your Windows tray, at the bottom right of your screen. If you open the VPN connection and click on details, you should see that you received an IP address from the pool, as seen in Figure G.

Figure G

You should be able to ping the LAN side of the router (the inside, private network) and any host on that network.

That's it!

The configuration is complete. Hopefully, you can take this configuration and fit it to your network, blending it with your own firewall, NAT, and Active Directory configuration.

63 comments
benny108

Everything is OK but the Windows client can't get the server IP address.

chad

Everything went fine through the Cisco config; VPN via Windows connects and works, no problem. The issue is, Windows loses its Internet connection after the VPN connection is established. I believe it is trying to use the remote gateway for Internet. If I go into the VPN properties in Windows and de-select "use remote gateway" the Internet comes right back, but I can no longer access anything at the other end of the VPN link, not even the VPN gateway. Here's my config... or at least the relevant portions.

aaa new-model
!
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
!
ip cef
ip name-server 65.61.48.10
ip name-server 65.61.48.11
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.15.1 192.168.15.20
!
ip dhcp pool village
 network 192.168.15.0 255.255.255.0
 dns-server 65.61.48.10 65.61.48.11
 default-router 192.168.15.1
 lease 7
!
ip dhcp-server 192.168.15.1
vpdn enable
!
vpdn-group zaxvpn
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
username chad password 0 ******
username zax password 0 ******
username frank password 0 ******
!
class-map match-all voice
 match access-group 150
!
policy-map voip
 class voice
  priority 256
 class class-default
  fair-queue
!
interface Ethernet0/0
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
 half-duplex
 fair-queue
!
interface Virtual-Template1
 ip unnumbered Ethernet0/0
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!

k_kamlesh2005

best article can u send me @ my mail address. k_kamlesh2005@hotmail.com

aelray

I get an error message after typing that line:

xit(config-if)#peer default ip address pool defaultpool
^
% Invalid input detected at '^' marker.

Can anybody help me?

NetMan1958

Are you typing "xit(config-if)#" along with "peer default ip address pool defaultpool" ? You don't type this part: "xit(config-if)#"

NetMan1958

Here is an example of a working config:

Router-831#conf t
Router-831(config)#vpdn enable
Router-831(config)#username ***** password *****
Router-831(config)#ip local pool vpdn_pool 192.168.101.2 192.168.101.22
Router-831(config)#vpdn-group 1
Router-831(config-vpdn)#accept-dialin
Router-831(config-vpdn)#protocol pptp
Router-831(config-vpdn)#virtual-template 1
Router-831(config-vpdn)#exit
Router-831(config)#int virtual-template 1
Router-831(config-if)#ip unnumbered Ethernet1
Router-831(config-if)#peer default ip address pool vpdn_pool
Router-831(config-if)#no keepalive
Router-831(config-if)#ppp encrypt mppe auto
Router-831(config-if)#ppp authentication ms-chap ms-chap-v2
Router-831(config-if)#CTRL-Z
Router-831#

aelray

No, of course I'm not typing "xit(config-if)#", but I just copied this from the command line.

edwaa

I would love it if someone could describe, line-by-line, what each command does. I am particularly interested in the line:

ip unnumbered Ethernet1

I have a Cisco 871W and I'm not sure what my corresponding interface would be. Thanks!

aelray

Last step wasn't necessary, everything works, I'm so grateful, good that there are people like you ;)

NetMan1958

Just for testing, you could also add a temporary static route like this:

Suse#route add -net 192.168.101.0 netmask 255.255.255.0 gw 192.168.168.1

NetMan1958

(1) This line from netstat -rn:

0.0.0.0 192.168.168.221 0.0.0.0 UG 40 0 0 eth0

says that the server's default gateway is 192.168.168.221. It needs to be 192.168.168.1. I'm not a Suse man, so the following may or may not be correct, but it is for RedHat. To change the gateway:

cd /etc/sysconfig

Edit the file named network. It will look something like this:

NETWORKING=yes
HOSTNAME=name.domain.com
GATEWAY=10.1.81.9

You will need to restart networking or reboot the server. That alone may solve the problem. If not, proceed to number (2).

(2) These lines:

S01SuSEfirewall_init -> ../SuSEfirewall_init
S01personal-firewall.initial -> ../personal-firewall.initial
S21SuSEfirewall_final -> ../SuSEfirewall_final
S22personal-firewall.final -> ../personal-firewall.final

are startup scripts that run when the server boots and are at least trying to start some sort of firewall. When you tried to stop the SuSEfirewall, you got a message saying it had not been set up, so maybe you should look into the "personal-firewall.final". I'm afraid I can't be much help to you there because I've never used Suse. You may have to Google that one. I would try fixing the gateway first though, as that may solve your problem.

aelray

output #1:

slos:/etc/rc.d/rc3.d # ls -al

output #2:

slos:/etc/rc.d/rc5.d # ls -al

output #3:

slos:/ # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.168.0   0.0.0.0         255.255.255.0   U        40 0          0 eth0
0.0.0.0         192.168.168.221 0.0.0.0         UG       40 0          0 eth0
slos:/ #

NetMan1958

the pings as per the debug output. It's not receiving a reply though. Log in to that Suse box and cd to /etc/rc.d/rc3.d, then run this command:

Suse#ls -al

Post the output from that command. Then cd to /etc/rc.d/rc5.d and repeat the same. Also post the output from this command:

Suse#netstat -rn

aelray

That's the output:

xit#
000101: *Sep 1 14:26:09.617 PCTime: IP: tableid=0, s=192.168.101.3 (Virtual-Access4), d=192.168.168.222 (Vlan1), routed via FIB
000102: *Sep 1 14:26:09.617 PCTime: IP: s=192.168.101.3 (Virtual-Access4), d=192.168.168.222 (Vlan1), g=192.168.168.222, len 60, forward
000103: *Sep 1 14:26:14.225 PCTime: IP: tableid=0, s=192.168.101.3 (Virtual-Access4), d=192.168.168.222 (Vlan1), routed via FIB
000104: *Sep 1 14:26:14.225 PCTime: IP: s=192.168.101.3 (Virtual-Access4), d=192.168.168.222 (Vlan1), g=192.168.168.222, len 60, forward
000105: *Sep 1 14:26:19.201 PCTime: IP: tableid=0, s=192.168.101.3 (Virtual-Access4), d=192.168.168.222 (Vlan1), routed via FIB
000106: *Sep 1 14:26:19.201 PCTime: IP: s=192.168.101.3 (Virtual-Access4), d=192.168.168.222 (Vlan1), g=192.168.168.222, len 60, forward
000107: *Sep 1 14:26:24.201 PCTime: IP: tableid=0, s=192.168.101.3 (Virtual-Access4), d=192.168.168.222 (Vlan1), routed via FIB
000108: *Sep 1 14:26:24.201 PCTime: IP: s=192.168.101.3 (Virtual-Access4), d=192.168.168.222 (Vlan1), g=192.168.168.222, len 60, forward

NetMan1958

Well, it's time to do some debugging. Establish the VPN and telnet to the router. Enter the following commands:

Router-831#conf t
Router-831(config)#access-list 150 permit ip 192.168.101.0 0.0.0.255 host 192.168.168.222
Router-831(config)#access-list 150 permit ip host 192.168.168.222 192.168.101.0 0.0.0.255
Router-831(config)#exit
Router-831#term mon
Router-831#debug ip packet 150

Now try to ping 192.168.168.222. There should be some debugging output from the router. Copy and paste that output into a post. Then run these commands:

Router-831#undebug all
Router-831#conf t
Router-831(config)#no access-list 150

Then you can exit the router.

aelray

Seems to be disabled, this is what I got:

slos:/sbin # SuSEfirewall stop
SuSEfirewall is not activated yet. Configure /etc/rc.config.d/firewall.rc.config and set START_FW in /etc/rc.config to "yes".

NetMan1958

I found interesting about the Suse firewall feature. It appears that Suse does use iptables but has a custom "front-end" for it. See http://www.seismo.ethz.ch/linux/firewall.html

According to that article you can start and stop the firewall with the following commands:

/sbin/SuSEfirewall stop
/sbin/SuSEfirewall start

Newer versions may require:

/sbin/SuSEfirewall2 stop
/sbin/SuSEfirewall2 start

aelray

I don't know if there's a firewall running; the distro is Suse but I don't know which version.

NetMan1958

No problem there, since we are talking about a router and routers route traffic from one subnet to another. On my 831, which is my home router, I have the peer default IP pool that I posted for you (192.16.101.2 - 192.168.101.22) and my office subnet is 10.1.81.0/24.

How old is the Linux distro running on 192.168.168.222? Is it new enough to have iptables? If it is RedHat, you can temporarily kill the firewall by running:

Linux#service iptables stop

If it's another distro you may have to research it. If it is running iptables, someone has obviously entered a rule to allow traffic from its own subnet (192.168.168.0/24). If you can verify that that is the problem by temporarily stopping iptables and testing, then a rule can be added to allow traffic from 192.168.101.0/24, which will cover the addresses assigned by the VPDN setup.

aelray

a problem that I'm trying to access 192.168.168.222 from 192.168.101.2, because they have different subnets, i.e. the third part of the numbers differs? As far as I know I can access this IP from local PCs without a problem. On 192.168.168.222 an old Linux distribution is running.

NetMan1958

something running on 192.168.168.222 that is filtering the traffic to 192.168.101.2. Are you absolutely sure there is no firewall, i.e. Windows firewall or anti-virus software that includes a firewall, running on it?

NetMan1958

Is 212.114.250.113 the WAN IP address of the Cisco 851?

aelray

C:\Dokumente und Einstellungen\andi>tracert -d 192.168.168.222

Routenverfolgung zu 192.168.168.222 über maximal 30 Abschnitte

  1    64 ms    54 ms    56 ms  212.114.250.113
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     *        *        *     Zeitüberschreitung der Anforderung.
  5     *        *        *     Zeitüberschreitung der Anforderung.
  6     *        *        *     Zeitüberschreitung der Anforderung.
  7     *        *        *     Zeitüberschreitung der Anforderung.
  8     *        *        *     Zeitüberschreitung der Anforderung.
  9     *        *        *     Zeitüberschreitung der Anforderung.
 10     *        *        *     Zeitüberschreitung der Anforderung.
 11     *        *        *     Zeitüberschreitung der Anforderung.
 12     *        *        *     Zeitüberschreitung der Anforderung.
 13     *        *        *     Zeitüberschreitung der Anforderung.
 14     *        *        *     Zeitüberschreitung der Anforderung.
 15     *        *        *     Zeitüberschreitung der Anforderung.
 16     *        *        *     Zeitüberschreitung der Anforderung.
 17     *        *        *     Zeitüberschreitung der Anforderung.
 18     *        *        *     Zeitüberschreitung der Anforderung.
 19     *        *        *     Zeitüberschreitung der Anforderung.
 20     *        *        *     Zeitüberschreitung der Anforderung.
 21     *        *        *     Zeitüberschreitung der Anforderung.
 22     *        *        *     Zeitüberschreitung der Anforderung.
 23     *        *        *     Zeitüberschreitung der Anforderung.
 24     *        *        *     Zeitüberschreitung der Anforderung.
 25     *        *        *     Zeitüberschreitung der Anforderung.
 26     *        *        *     Zeitüberschreitung der Anforderung.
 27     *        *        *     Zeitüberschreitung der Anforderung.
 28     *        *        *     Zeitüberschreitung der Anforderung.
 29     *        *        *     Zeitüberschreitung der Anforderung.
 30     *        *        *     Zeitüberschreitung der Anforderung.

Ablaufverfolgung beendet.

After the first IP it says that it exceeds the time limit.

NetMan1958

Establish the VPN and run this command from a prompt:

tracert -d 192.168.168.x

where x is the address of the computer you need to ping. Post the output of that.

aelray

I did all of it now via telnet from home. The local IP address is 192.168.2.8, the outside address is 83.171.189.100. Here is what route print said (sorry, it's in German):

C:\Dokumente und Einstellungen\andi>route print
===========================================================================
Schnittstellenliste
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0e 35 ed b3 be ...... Intel(R) PRO/Wireless 2200BG Network Connection - Paketplaner-Miniport
0x3 ...44 45 53 54 42 00 ...... Nortel IPSECSHM Adapter - Paketplaner-Miniport
0x60005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle  Anzahl
          0.0.0.0          0.0.0.0      192.168.2.1      192.168.2.8      26
          0.0.0.0          0.0.0.0    192.168.101.2    192.168.101.2       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.2.0    255.255.255.0      192.168.2.8      192.168.2.8      25
      192.168.2.8  255.255.255.255        127.0.0.1        127.0.0.1      25
    192.168.2.255  255.255.255.255      192.168.2.8      192.168.2.8      25
    192.168.101.2  255.255.255.255        127.0.0.1        127.0.0.1      50
  192.168.101.255  255.255.255.255    192.168.101.2    192.168.101.2      50
  212.114.250.113  255.255.255.255      192.168.2.1      192.168.2.8      25
        224.0.0.0        240.0.0.0      192.168.2.8      192.168.2.8      25
        224.0.0.0        240.0.0.0    192.168.101.2    192.168.101.2       1
  255.255.255.255  255.255.255.255      192.168.2.8      192.168.2.8       1
  255.255.255.255  255.255.255.255      192.168.2.8                3       1
  255.255.255.255  255.255.255.255    192.168.101.2    192.168.101.2       1
Standardgateway:     192.168.101.2
===========================================================================
Ständige Routen:
  Keine

NetMan1958

of the computer you are working from? Also, establish your VPN connection, then open a command prompt, run "route print" and post the output.

aelray

Already tried that, works fine.

NetMan1958

Try this: telnet to the router and try pinging the server/computer on the LAN from there.

aelray

No, in this circuit there is only this router, which works as gateway and DHCP server.

NetMan1958

Do the computers on the network you are trying to use have this Cisco 851 (192.168.168.1) specified for their default gateway? If there is another circuit/router on the network, they may be using it.

aelray

I cannot ping the IP when I'm disconnected. But I can't ping anything inside the network, and I know that there are no firewalls running.

NetMan1958

If you can ping 192.168.168.1, you are pinging the router's inside interface and that means the VPN is working. Just for a test, you can disconnect from the VPN and try pinging that same IP; it should not work. Assuming all of the above, are there any firewalls running on the computers you are trying to ping/access shares on?

aelray

Pings successfully.

NetMan1958

When you connect, can you ping 192.168.168.1?

aelray

xit#sh run
Building configuration...

Current configuration : 5251 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xit
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$.9Ps$TcD7AKIpplEp60bjjdjnG0
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication ppp default local
aaa authorization network rtr-remote local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.168.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.168.0 255.255.255.0
   default-router 192.168.168.1
!
!
ip cef
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 212.114.152.1
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group TEST-VPN
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-367604582
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-367604582
 revocation-check none
 rsakeypair TP-self-signed-367604582
!
!
crypto pki certificate chain TP-self-signed-367604582
 certificate self-signed 01
  quit
username ***** privilege 15 secret 5 ****************
username ***** privilege 15 password 7 *********
username ******
username **** password 7 ******
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1 type serial
 ip unnumbered Dialer0
 peer default ip address pool vpdn_pool
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.168.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname a1091006
 ppp chap password 7 070E3B4A781C005007
 ppp ipcp dns request
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.255
ip local pool vpdn_pool 192.168.101.2 192.168.101.22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.168.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

aelray

I think there is still something not correct in the configuration, because I can neither ping nor access the shares. I believe the problem lies within the IP addresses assigned to the VPN in the router.

NetMan1958

I usually map a drive by right-clicking on "My Computer" and selecting "Map network drive", then enter:

\\ip address of server\share name

Example: \\10.1.81.5\downloads

It will prompt you for a username/password.

aelray

Thanks for everything. I now was able to connect to the network from my remote PC, but the next problem I'm facing is: how do I access shares in this network?

aelray

Everything worked out. Here is what it said:

xit#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
xit(config)#int virtual-template 1 type serial
xit(config-if)#ip unnumbered dialer 0
xit(config-if)#peer default ip address pool vpdn_pool
xit(config-if)#no keepalive
xit(config-if)#ppp encrypt mppe auto
xit(config-if)#ppp authentication ms-chap ms-chap-v2
AAA: Warning, authentication list "default" is not defined for PPP.
xit(config-if)#exit
xit(config)#vpdn-group 1
xit(config-vpdn)#accept-dialin
xit(config-vpdn-acc-in)#protocol pptp
xit(config-vpdn-acc-in)#virtual-template 1
xit(config-vpdn-acc-in)#^Z
xit#wr mem
Building configuration...
[OK]

Now another silly question: how do I connect to it from my remote PC? Thanks so far.

NetMan1958

I typed that in a hurry. "del" should be "no" so substitute "no" for "del" in all those commands and it should work. The virtual access interfaces won't go away until you reload the router.

aelray

Is there perhaps another command instead of "del", because in config mode del doesn't work for me? This is the result of "sh int":

Virtual-Access2 is down, line protocol is down
  Hardware is Virtual Access interface
  MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed
  Base VtMgr vaccess
  Vaccess status 0x0, loopback not set
  DTR is pulsed for 5 seconds on reset
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 8w3d
  Input queue: 0/4096/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
FastEthernet0 is up, line protocol is down
  Hardware is Fast Ethernet, address is 001e.f7d8.9bb3 (bia 001e.f7d8.9bb3)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet1 is up, line protocol is down
  Hardware is Fast Ethernet, address is 001e.f7d8.9bb4 (bia 001e.f7d8.9bb4)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet2 is up, line protocol is down
  Hardware is Fast Ethernet, address is 001e.f7d8.9bb5 (bia 001e.f7d8.9bb5)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet3 is up, line protocol is up
  Hardware is Fast Ethernet, address is 001e.f7d8.9bb6 (bia 001e.f7d8.9bb6)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 7000 bits/sec, 5 packets/sec
  5 minute output rate 5000 bits/sec, 3 packets/sec
     40076745 packets input, 1125742976 bytes, 0 no buffer
     Received 14450999 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     26322986 packets output, 3403810972 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet4 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 001e.f7d8.9bbd (bia 001e.f7d8.9bbd)
  Description: $ES_WAN$$FW_OUTSIDE$
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 7w2d, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/12/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 7000 bits/sec, 5 packets/sec
  5 minute output rate 9000 bits/sec, 6 packets/sec
     29219962 packets input, 3763823441 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 12 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     23125300 packets output, 4241848595 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 001e.f7d8.9bb3 (bia 001e.f7d8.9bb3)
  Description: $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
  Internet address is 192.168.168.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 12000 bits/sec, 5 packets/sec
  5 minute output rate 7000 bits/sec, 3 packets/sec
     35751934 packets input, 609477701 bytes, 0 no buffer
     Received 14762567 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     26323666 packets output, 3281109579 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
NVI0 is up, line protocol is up
  Hardware is NVI
  MTU 1514 bytes, BW 10000000 Kbit, DLY 0 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation UNKNOWN, loopback not set
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Dialer0 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 212.114.250.113/32
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi1
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:20:33
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     10391 packets input, 5217795 bytes
     9573 packets output, 1540307 bytes
Bound to:
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 68/255, rxload 7/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoE vaccess, cloned from Dialer0
  Vaccess status 0x44, loopback not set
  Keepalive set (10 sec)
  Interface is bound to Di0 (Encapsulation PPP)
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters 7w2d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 25000 bits/sec, 11 packets/sec
  5 minute output rate 16000 bits/sec, 11 packets/sec
     13876182 packets input, 2582320763 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     11246485 packets output, 1774774194 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 72/255, rxload 31/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoE vaccess, cloned from Dialer0
  Vaccess status 0x44, loopback not set
  Keepalive set (10 sec)
  Interface is bound to Di0 (Encapsulation PPP)
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters 7w2d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 26000 bits/sec, 12 packets/sec
  5 minute output rate 17000 bits/sec, 12 packets/sec
     13876351 packets input, 2582342187 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     11246620 packets output, 1774783543 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

BTW, after I wasn't able to delete these virtual templates from the CLI, I deleted them via SDM, but that doesn't seem to have been so successful, because the virtual access is still there.

aelray

Is there perhaps another command instead of "del", because in config mode del doesn't work for me?

NetMan1958

I have the answer. At least it worked on my 831. Never ran into this issue before, so I learned something. If you run the command:

Router-831#sh int

and scroll through the output, you will see some virtual access interfaces that are automatically created when you create a virtual-template interface. You can't change the type of the virtual-template interfaces while these "extra" interfaces are live in RAM. So you have to delete all virtual-template interfaces and then reload the router. Here are the commands:

Router-831(config)#del vpdn-group 1
Router-831(config)#del vpdn-group TEST-VPN
Router-831(config)#del interface Virtual-Template1
Router-831(config)#exit
Router-831#wr mem
Router-831#reload

Confirm the reload and when it has restarted, run these commands:

Router-831#conf t
Router-831(config)#int virtual-template 1 type serial
Router-831(config-if)#ip unnumbered dialer 0
Router-831(config-if)#peer default ip address pool vpdn_pool
Router-831(config-if)#no keepalive
Router-831(config-if)#ppp encrypt mppe auto
Router-831(config-if)#ppp authentication ms-chap ms-chap-v2
Router-831(config-if)#exit
Router-831(config)#vpdn-group 1
Router-831(config-vpdn)#accept-dialin
Router-831(config-vpdn)#protocol pptp
Router-831(config-vpdn)#virtual-template 1
Router-831(config-if)#CTRL-Z
Router-831#wr mem

Now you should be ready to go.

NetMan1958

When I try to create an interface virtual-template with type tunnel on the 831 I have here, I get the same error. I've never run into this before, so I am going to try an experiment with my 831 that will require a reload. I can't do it during the day, so I will try it tonight and post back with the results.

aelray

Here is what happened:

xit#sh run int virtual-template 2
Building configuration...

Current configuration : 94 bytes
!
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 tunnel mode ipsec ipv4
end

xit#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
xit(config)#no int virtual-template 2
xit(config)#int virtual-template 2 type serial
% Warning: cannot change vtemplate type

NetMan1958

OK, now run this command:

Router-831#sh run int virtual-template2

Did it default to type tunnel? If it did, run these commands:

Router-831#conf t
Router-831(config)#no int virtual-template2
Router-831(config)#int virtual-template 2 type serial

Let me know the outcome.

aelray

The same error message, at the p of peer.

NetMan1958

I'm glad you sent that config. Your interface virtual-template1 is configured for tunnel mode ipsec ipv4. For now, let's just create another virtual-template interface for testing.

Router-831#conf t
Router-831(config)#int virtual-template 2
Router-831(config-if)#ip unnumbered dialer0
Router-831(config-if)#peer default ip address pool vpdn_pool
Router-831(config-if)#CTRL-Z
Router-831#

Let me know if that is successful and then we will continue.

aelray

Again I get an error message, this time at setting the authentication method to CHAP:

Router(config-if)# ppp authentication chap

The marker is again at the p of ppp. Here is the config:

xit#sh run
Building configuration...

Current configuration : 5159 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xit
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$.9Ps$TcD7AKIpplEp60bjjdjnG0
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network rtr-remote local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.168.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.168.0 255.255.255.0
   default-router 192.168.168.1
!
!
ip cef
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 212.114.152.1
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group TEST-VPN
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-367604582
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-367604582
 revocation-check none
 rsakeypair TP-self-signed-367604582
!
!
crypto pki certificate chain TP-self-signed-367604582
 certificate self-signed 01
  quit
username **** privilege 15 secret 5 *********
username **** privilege 15 password 7 *******
username ********
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.168.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname a1091006
 ppp chap password 7 070E3B4A781C005007
 ppp ipcp dns request
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.255
ip local pool vpdn_pool 192.168.101.2 192.168.101.22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.168.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

NetMan1958

That is a stickler. According to this:

http://www.cisco.com/en/US/docs/ios/vpdn/configuration/guide/client_init_dial-in_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1105140

NOTE: You will need to scroll down a little ways to get to the actual config commands.

That should be a valid config on your version. The only thing I can think of that might make a difference is the interface you enter in this command:

ip unnumbered type number

Example:

Router(config-if)# ip unnumbered FastEthernet 0/0

Make sure it is the interface that connects to your cable/DSL line. If this doesn't help, you can post your entire config obtained by running the command:

Router-831#sh run

Mask or change any usernames/passwords for security. Maybe I can spot something in the rest of the config that is causing the issue.

aelray

System image file is "flash:c850-advsecurityk9-mz.124-4.T8.bin"

NetMan1958

Well, IOS commands do sometimes vary depending on which version of IOS is installed and the model of the device. Do this, run the command:

Router-831#sh ver

and look for a line similar to this:

System image file is "flash:c831-k9o3y6-mz.124-5b.bin"

and post back that image name so I can see exactly which beast we are dealing with.

aelray

I just want to simply configure a PPTP VPN connection on a Cisco 851 router. Thanks for the help so far, but when I enter "accept-dialin" I'm no longer in (config-vpdn) but in (config-vpdn-acc-in). Is it supposed to be like that, because in your post you are still in (config-vpdn)? And also this time when I enter:

peer default ip address pool vpdn_pool

I get the same error; the marker is at the p of peer.

NetMan1958

was because the error message you listed was: "% Invalid input detected at '^' marker." and the caret is pointing to the "x" in:

"xit(config-if)#peer default ip address pool defaultpool"

Perhaps if you listed the actual error message you are receiving, someone might have a clue as to what you are trying to do.