Cisco 1941 and PPTP VPN: no connection
Evening,
I'm trying to set up a Cisco 1941 as a VPN (PPTP) server, but unfortunately I can't get a connection established from my two test clients.
I'd prefer to use IPsec, but unfortunately I can't get a connection established with that either.
Clients:
AnyConnect for Windows and iPhone.
Router config
!
! Last configuration change at 21:58:50 CET Wed Dec 26 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname router_eng297
!
boot-start-marker
boot-end-marker
!
!
enable secret XXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXX
!
no aaa new-model
!
memory-size iomem 15
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip cef
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.48.53.1 10.48.53.99
ip dhcp excluded-address 10.48.53.151 10.48.53.254
!
ip dhcp pool 1941-dhcp
network 10.48.53.0 255.255.255.0
default-router 10.48.53.1
domain-name XXXXXXXXXXXXXXXXX.secure.intern
dns-server 208.67.222.222 208.67.220.220
lease 7
!
!
ip domain name XXXXXXXXXXXXXXXXX.secure.intern
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect name meinefw tcp
ip inspect name meinefw udp
ip ddns update method dyndns
!
login block-for 300 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2189981532
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2189981532
revocation-check none
rsakeypair TP-self-signed-2189981532
!
!
crypto pki certificate chain TP-self-signed-2189981532
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313839 39383135 3332301E 170D3132 31323233 32323033
32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31383939
38313533 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009EDC E1D5EEF7 F2B128A7 0473D2A1 A6F119CD 3A99F94F 11CD4A60 0016B17E
1EB094A6 EC198B92 D88C9139 5A06152B 3B4437C7 882062CB 80DEB2B5 D2F86240
A0ACFD0C 67359E39 D8106B72 D4BA859F D7604FD0 1000BC6D 155D32DF 8D6789B3
994A6606 7D5926DC 5E83AF67 73A96652 9E0FF96D 9697377B 0375CC01 31A8772C
DEEB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14213091 1216EDC8 9ABD3EA6 54940336 AFB56F50 1C301D06
03551D0E 04160414 21309112 16EDC89A BD3EA654 940336AF B56F501C 300D0609
2A864886 F70D0101 05050003 8181003B 218A47AF CD1DBF81 05E5DA54 533EE732
1AB7A313 7270C170 71CD5B76 C2520203 5C5A1219 557F6C11 2FB5AB15 C3235F78
DB333C1F 9E4DC3E1 54EDA106 158A9C7C 59FFCAC2 2E20AC86 B757F5E9 747C9774
EE2638A6 9BFE9FAD 18E89781 A7375509 19D6B70D 43CEDB96 7F009EC2 F43E5336
7514E3DB B59FC4A6 C7D23086 250070
quit
license udi pid CISCO1941/K9 sn XXXXXXXXXXXXXXXXX
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
username vpnuser01 password 0 XXXXXXXXXXXXXXXXX
!
redundancy
!
!
!
!
!
class-map match-any SOCIAL_NET
match protocol http host "www.facebook.com"
match protocol http host "www.aol.de"
!
!
policy-map DROP_SOCIAL_NET
class SOCIAL_NET
drop
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Local Ethernet LAN $ES_LAN$
ip address 10.48.53.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description Internet connection (cable TV provider)
ip address dhcp client-id GigabitEthernet0/1 hostname XXXXXXXXXXXXXXXXX
ip nat outside
ip inspect meinefw out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
service-policy output DROP_SOCIAL_NET
!
interface FastEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
peer default ip address pool pptp-Pool
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap ms-chap-v2
!
ip local pool pptp-Pool 10.18.0.10 10.18.0.40
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
access-list 1 permit 10.48.53.0 0.0.0.255
access-list 1 permit 10.48.50.0 0.0.0.255
!
!
!
!
!
snmp-server community read_me RO
snmp-server community write_me RW
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password XXXXXXXXXXXXXXXXX
login
transport input all
!
scheduler allocate 20000 1000
end
Version:
sh ver
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
XXXXXXXXXXXXXXXXX uptime is 3 hours, 31 minutes
System returned to ROM by power-on
System restarted at 18:59:55 CET Wed Dec 26 2012
System image file is "flash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco CISCO1941/K9 (revision 1.0) with 446464K/77824K bytes of memory.
Processor board ID XXXXXXXXXXXXXXXXX
1 FastEthernet interface
2 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device#   PID            SN
-------------------------------------------------
*0        CISCO1941/K9   XXXXXXXXXXXXXXXXX

Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology    Technology-package                Technology-package
              Current            Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9           Permanent      ipbasek9
security      securityk9         RightToUse     securityk9
data          datak9             RightToUse     datak9
AnyConnect Windows
[26.12.2012 20:31:09] Ready to connect.
[26.12.2012 21:45:53] Contacting 10.48.50.157.
[26.12.2012 21:45:59] Connection attempt has failed.
[26.12.2012 21:46:08] Contacting 10.48.50.157.
[26.12.2012 21:46:48] Connection attempt has failed.
[26.12.2012 21:47:19] Contacting 10.48.53.1.
[26.12.2012 21:47:23] Connection attempt has failed.
[26.12.2012 21:48:06] Contacting 10.48.50.157.
[26.12.2012 21:48:19] Connection attempt has failed.
[26.12.2012 21:48:53] Contacting 10.48.50.157.
[26.12.2012 21:48:57] Connection attempt has failed.
Thanks for your help.
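A quick way to tell whether the router's PPTP server is answering at all, as an added example that is not part of the original post: AnyConnect is an SSL/TLS and IKEv2 client and never speaks PPTP, and the config above contains no webvpn or IKEv2 section for it to connect to, so its "Connection attempt has failed" lines say nothing about the PPTP server. The script below does what a real PPTP client does first, opening TCP 1723 and exchanging a Start-Control-Connection-Request/Reply (RFC 2637). The default target address is taken from the AnyConnect log and is an assumption; `make_sccrp` builds a constructed reply for offline use, not a captured one.

```python
"""PPTP control-channel probe: the SCCRQ/SCCRP exchange of RFC 2637.

Added example, not code from the post. It does the first thing a real PPTP
client does against the router: open TCP 1723 and exchange a
Start-Control-Connection-Request/Reply. Success proves only the control
channel; the GRE (IP protocol 47) data channel is not exercised here.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP Message Type: control message
SCCRQ, SCCRP = 1, 2         # Control Message Types
PROTOCOL_VERSION = 0x0100   # PPTP version 1.0
HEADER = "!HHIHH"           # length, message type, magic cookie, control type, reserved0
MSG_LEN = 156               # SCCRQ and SCCRP are both fixed at 156 bytes

# SCCRP result codes (RFC 2637, section 2.2)
SCCRP_RESULT = {
    1: "successful channel establishment",
    2: "general error",
    3: "command channel already exists",
    4: "requester is not authorized to establish a command channel",
    5: "requested protocol version is not supported",
}


def build_sccrq(hostname=b"pptp-probe", vendor=b"added-example"):
    """Return the SCCRQ a client sends right after the TCP handshake."""
    body = struct.pack(
        "!HHIIHH64s64s",
        PROTOCOL_VERSION,
        0,          # reserved1
        1,          # framing capabilities: asynchronous framing
        1,          # bearer capabilities: analog access
        0,          # maximum channels (0: unspecified for a client)
        0,          # firmware revision
        hostname, vendor,
    )
    return struct.pack(HEADER, struct.calcsize(HEADER) + len(body),
                       CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0) + body


def parse_sccrp(data):
    """Decode an SCCRP; raise ValueError for anything that is not one (e.g. an
    HTTP banner, which is what a non-PPTP listener on 1723 would send)."""
    if len(data) < MSG_LEN:
        raise ValueError("short read: %d bytes, SCCRP is %d" % (len(data), MSG_LEN))
    _length, msg_type, cookie, ctrl_type, _reserved = struct.unpack(HEADER, data[:12])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08X: not a PPTP control message" % cookie)
    if msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("expected SCCRP, got message type %d/%d" % (msg_type, ctrl_type))
    (version, result, error, _framing, _bearer, max_channels,
     firmware, host, vendor) = struct.unpack("!HBBIIHH64s64s", data[12:MSG_LEN])
    return {
        "version": version,
        "result": result,
        "result_text": SCCRP_RESULT.get(result, "unknown result %d" % result),
        "error": error,
        "max_channels": max_channels,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Connect, send an SCCRQ and return the decoded SCCRP from the server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        data = b""
        while len(data) < MSG_LEN:
            chunk = sock.recv(MSG_LEN - len(data))
            if not chunk:
                raise ValueError("server closed the connection after %d bytes" % len(data))
            data += chunk
    return parse_sccrp(data)


def make_sccrp(result=1, error=0, hostname=b"router", vendor=b"constructed"):
    """Constructed server reply (not captured from a device) for offline tests."""
    body = struct.pack("!HBBIIHH64s64s", PROTOCOL_VERSION, result, error,
                       3, 3, 1, 1, hostname, vendor)
    return struct.pack(HEADER, 12 + len(body), CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0) + body


if __name__ == "__main__":
    import sys
    # Default target is an assumption: the WAN address the AnyConnect log was contacting
    target = sys.argv[1] if len(sys.argv) > 1 else "10.48.50.157"
    try:
        reply = probe(target)
        print("%s: SCCRP result %d (%s) from %r" % (
            target, reply["result"], reply["result_text"], reply["hostname"]))
    except (OSError, ValueError) as exc:
        print("%s: no PPTP control channel: %s" % (target, exc))
```

Run it once from the LAN against 10.48.53.1 and once from outside against the WAN address. Result code 1 means the control channel is fine and any later hang belongs to GRE (protocol 47) not getting through a NAT or filter; a timeout or a ValueError means TCP 1723 is not reaching the vpdn group at all, which is the thing to fix before touching the PPP or MPPE settings.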
Content-ID: 196261
Url: https://administrator.de/contentid/196261
1 comment
Hello,
here is a configuration of a router that establishes IPsec to an iPhone. In this example the iPhone is configured with a DynDNS name, which is updated by a DynDNS client running on a client in the LAN.
aaa new-model
!
aaa authentication enable default group tacacs+ enable
! Added: the crypto map below refers to the login list CRYPTO_ISAKMP_CLIENT for Xauth,
! so that list has to exist, otherwise user authentication of the clients cannot succeed
aaa authentication login CRYPTO_ISAKMP_CLIENT local
aaa authorization network CRYPTO_ISAKMP_CLIENT local
!
username {MyUsername} secret {MySecret}
!
crypto logging session
!
! Phase 1 (IKEv1): AES-256, pre-shared group key, DH group 2
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90
!
! Client group: the group name and key are what the iPhone enters as group name / shared secret
crypto isakmp client configuration group CRYPTO_ISAKMP_CLIENT
 key {MyVpnKey}
 dns {MyInternalDNS}
 domain {MyInternalDomainName}
 pool VPN-POOL
 save-password
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 3600
!
! Phase 2: ESP with AES-256 and SHA-1 HMAC
crypto ipsec transform-set VPN-TRANSFORMSET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CRYPTO_ISAKMP_CLIENT 1
 set transform-set VPN-TRANSFORMSET
 reverse-route
!
crypto map STATIC_CRYPTO_MAP local-address Dialer0
crypto map STATIC_CRYPTO_MAP client authentication list CRYPTO_ISAKMP_CLIENT
crypto map STATIC_CRYPTO_MAP isakmp authorization list CRYPTO_ISAKMP_CLIENT
crypto map STATIC_CRYPTO_MAP client configuration address respond
crypto map STATIC_CRYPTO_MAP 1 ipsec-isakmp dynamic CRYPTO_ISAKMP_CLIENT
!
interface Vlan{MyVlanId}
 ip address {MyInternalIpAddress} {MyInternalSubnetmask}
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 description "-> WAN"
 ip access-group 101 in
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname {MyProviderUsername}
 ppp chap password {MyProviderPassword}
 crypto map STATIC_CRYPTO_MAP
!
ip local pool VPN-POOL 10.0.0.250 10.0.0.254
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit {MyInternalNetwork} {MyInternalWildCard}
! Inbound WAN filter: IKE (UDP 500), NAT-T (UDP 4500) and a few ICMP replies get in, the rest is dropped
access-list 101 remark ---> Internet LAN
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
! Added: a client that is not behind NAT sends plain ESP (IP protocol 50) instead of UDP 4500
access-list 101 permit esp any any
access-list 101 deny icmp any any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
!
dialer-list 1 protocol ip permit
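What the commenter's inbound WAN filter actually lets through, as an added example that is not part of the comment: the script below is a small evaluator for the subset of IOS extended-ACL syntax that ACL 101 uses, fed with the ACL as the commenter posted it (i.e. without a permit for ESP) and with a handful of constructed packets. The client and WAN addresses (203.0.113.10, 198.51.100.1) are documentation addresses chosen for the example. It shows that IKE on UDP 500 and NAT-T on UDP 4500 pass, that plain ESP from a client not behind NAT is dropped by the final `deny ip any any`, and that the RFC1918 anti-spoofing denies sit below the permits and therefore never see an IKE packet with a spoofed private source.

```python
"""Evaluate sample packets against an IOS numbered extended ACL.

Added example, not from the comment. It supports only the syntax ACL 101
uses (ip/icmp/tcp/udp/gre/esp, 'any', 'host A', 'A WILDCARD', an optional
'eq PORT' on the destination, ICMP type keywords); anything else raises.
"""
import ipaddress

PROTOCOLS = ("ip", "icmp", "tcp", "udp", "gre", "esp")
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "www": 80, "pptp": 1723}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# ACL 101 as posted in the comment (applied inbound on Dialer0)
ACL_101 = """\
access-list 101 remark ---> Internet LAN
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 deny icmp any any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
"""

# Constructed sample packets (documentation addresses, assumed): an iPhone at
# 203.0.113.10 reaching the router's negotiated WAN address 198.51.100.1.
# Fields: description, protocol, src, dst, dst port, ICMP type
SAMPLE_PACKETS = [
    ("IKE phase 1 (UDP 500)", "udp", "203.0.113.10", "198.51.100.1", 500, None),
    ("NAT-T, client behind NAT (UDP 4500)", "udp", "203.0.113.10", "198.51.100.1", 4500, None),
    ("plain ESP, client not behind NAT", "esp", "203.0.113.10", "198.51.100.1", None, None),
    ("PPTP control channel (TCP 1723)", "tcp", "203.0.113.10", "198.51.100.1", 1723, None),
    ("echo-reply to our own ping", "icmp", "203.0.113.10", "198.51.100.1", None, 0),
    ("inbound echo request", "icmp", "203.0.113.10", "198.51.100.1", None, 8),
    ("IKE with spoofed RFC1918 source", "udp", "10.0.0.7", "198.51.100.1", 500, None),
]


def _addr_spec(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care (inverse netmask)
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    ones = bin(wildcard).count("1")
    if wildcard != (1 << ones) - 1:
        raise ValueError("non-contiguous wildcard %s not supported" % tok[i + 1])
    return ipaddress.ip_network((tok[i], 32 - ones), strict=False), i + 2


def parse_acl(text, number):
    """Return ordered (action, proto, src_net, dst_net, dst_port, icmp_type) rules."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError("unsupported line: " + line)
        src, i = _addr_spec(tok, 4)
        dst, i = _addr_spec(tok, i)
        dport = icmp_type = None
        if i < len(tok):
            if tok[i] == "eq" and proto in ("tcp", "udp"):
                dport = PORT_NAMES[tok[i + 1]] if tok[i + 1] in PORT_NAMES else int(tok[i + 1])
            elif proto == "icmp" and tok[i] in ICMP_TYPES:
                icmp_type = ICMP_TYPES[tok[i]]
            else:
                raise ValueError("unsupported line: " + line)
        rules.append((action, proto, src, dst, dport, icmp_type))
    return rules


def evaluate(rules, proto, src, dst, dport=None, icmp_type=None):
    """First match wins: (action, rule number), or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, rproto, rsrc, rdst, rport, rtype) in enumerate(rules, 1):
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and rport in (None, dport) and rtype in (None, icmp_type)):
            return action, n
    return "deny", None


def check_acl(acl_text=ACL_101, packets=SAMPLE_PACKETS):
    """Map each sample packet description to (action, matching rule number)."""
    rules = parse_acl(acl_text, 101)
    return {desc: evaluate(rules, *pkt) for desc, *pkt in packets}


if __name__ == "__main__":
    for desc, (action, n) in check_acl().items():
        print("%-38s %-6s %s" % (desc, action, "rule %d" % n if n else "implicit deny"))
```

The evaluator only models the encrypted packet as it arrives on Dialer0, which is what the inbound ACL filters; it says nothing about what IOS does with the decrypted payload afterwards. The two findings worth acting on are the missing `permit esp any any` (clients on a public address without NAT get no data channel) and the order of the bogon denies, which should come before the `permit udp` lines if they are meant to protect IKE.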