tomcatshs

Cisco 1941 and PPTP VPN: no connection

Evening,
I am trying to set up a Cisco 1941 as a VPN (PPTP) server, but unfortunately neither of my two test clients can establish a connection.

I would prefer to use IPsec, but unfortunately I cannot get a connection that way either.

Clients:

AnyConnect for Windows and iPhone.

Router config

!
! Last configuration change at 21:58:50 CET Wed Dec 26 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname router_eng297
!
boot-start-marker
boot-end-marker
!
!
enable secret XXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXX
!
no aaa new-model
!
memory-size iomem 15
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip cef
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.48.53.1 10.48.53.99
ip dhcp excluded-address 10.48.53.151 10.48.53.254
!
ip dhcp pool 1941-dhcp
 network 10.48.53.0 255.255.255.0
 default-router 10.48.53.1 
 domain-name XXXXXXXXXXXXXXXXX.secure.intern
 dns-server 208.67.222.222 208.67.220.220 
 lease 7
!
!
ip domain name XXXXXXXXXXXXXXXXX.secure.intern
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect name meinefw tcp
ip inspect name meinefw udp
ip ddns update method dyndns
!
login block-for 300 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2189981532
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2189981532
 revocation-check none
 rsakeypair TP-self-signed-2189981532
!
!
crypto pki certificate chain TP-self-signed-2189981532
 certificate self-signed 01
  quit
license udi pid CISCO1941/K9 sn XXXXXXXXXXXXXXXXX
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
username vpnuser01 password 0 XXXXXXXXXXXXXXXXX
!
redundancy
!
!
!
!
!
class-map match-any SOCIAL_NET
 match protocol http host "www.facebook.com"  
 match protocol http host "www.aol.de"  
!
!
policy-map DROP_SOCIAL_NET
 class SOCIAL_NET
  drop
!
! 
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Lokales Ethernet LAN $ES_LAN$
 ip address 10.48.53.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description Internet Verbindung Kabel TV 
 ip address dhcp client-id GigabitEthernet0/1 hostname XXXXXXXXXXXXXXXXX
 ip nat outside
 ip inspect meinefw out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 service-policy output DROP_SOCIAL_NET
!
interface FastEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool pptp-Pool
 no keepalive
 ppp encrypt mppe 128
 ppp authentication ms-chap ms-chap-v2
!
ip local pool pptp-Pool 10.18.0.10 10.18.0.40
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
access-list 1 permit 10.48.53.0 0.0.0.255
access-list 1 permit 10.48.50.0 0.0.0.255
!
!
!
!
!
snmp-server community read_me RO
snmp-server community write_me RW
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password XXXXXXXXXXXXXXXXX
 login
 transport input all
!
scheduler allocate 20000 1000
end

Version:

sh ver
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

XXXXXXXXXXXXXXXXX uptime is 3 hours, 31 minutes
System returned to ROM by power-on
System restarted at 18:59:55 CET Wed Dec 26 2012
System image file is "flash0:c1900-universalk9-mz.SPA.151-4.M4.bin"  
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO1941/K9 (revision 1.0) with 446464K/77824K bytes of memory.
Processor board ID XXXXXXXXXXXXXXXXX
1 FastEthernet interface
2 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1941/K9          XXXXXXXXXXXXXXXXX



Technology Package License Information for Module:'c1900'  

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    RightToUse     securityk9
data          datak9        RightToUse     datak9

AnyConnect Windows

[26.12.2012 20:31:09] Ready to connect.
[26.12.2012 21:45:53] Contacting 10.48.50.157.
[26.12.2012 21:45:59] Connection attempt has failed.
[26.12.2012 21:46:08] Contacting 10.48.50.157.
[26.12.2012 21:46:48] Connection attempt has failed.
[26.12.2012 21:47:19] Contacting 10.48.53.1.
[26.12.2012 21:47:23] Connection attempt has failed.
[26.12.2012 21:48:06] Contacting 10.48.50.157.
[26.12.2012 21:48:19] Connection attempt has failed.
[26.12.2012 21:48:53] Contacting 10.48.50.157.
[26.12.2012 21:48:57] Connection attempt has failed.


Thanks for your help.

Content-ID: 196261

Url: https://administrator.de/contentid/196261


mayjalin, 21.01.2013 at 20:20:46
Hello,

here is the configuration of a router that establishes IPsec to an iPhone. In this example the iPhone is configured with a DynDNS name, which is kept up to date by a DynDNS client running on a host in the LAN.


aaa new-model
!
aaa authentication enable default group tacacs+ enable
aaa authorization network CRYPTO_ISAKMP_CLIENT local
!
username {MyUsername} secret {MySecret}
!
crypto logging session
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group CRYPTO_ISAKMP_CLIENT
 key {MyVpnKey}
 dns {MyInternalDNS}
 domain {MyInternalDomainName}
 pool VPN-POOL
 save-password
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set VPN-TRANSFORMSET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CRYPTO_ISAKMP_CLIENT 1
 set transform-set VPN-TRANSFORMSET
 reverse-route
!
crypto map STATIC_CRYPTO_MAP local-address Dialer0
crypto map STATIC_CRYPTO_MAP client authentication list CRYPTO_ISAKMP_CLIENT
crypto map STATIC_CRYPTO_MAP isakmp authorization list CRYPTO_ISAKMP_CLIENT
crypto map STATIC_CRYPTO_MAP client configuration address respond
crypto map STATIC_CRYPTO_MAP 1 ipsec-isakmp dynamic CRYPTO_ISAKMP_CLIENT
!
interface Vlan{MyVlanId}
 ip address {MyInternalIpAddress} {MyInternalSubnetmask}
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 description "-> WAN"
 ip access-group 101 in
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname {MyProviderUsername}
 ppp chap password {MyProviderPassword}
 crypto map STATIC_CRYPTO_MAP
!
ip local pool VPN-POOL 10.0.0.250 10.0.0.254
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit {MyInternalNetwork} {MyInternalWildCard}
access-list 101 remark ---> Internet LAN
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 deny icmp any any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
!
dialer-list 1 protocol ip permit
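As an added example (not code from either post), a small Python check that reads an IOS config in the style of the two posted above and reports names that are referenced but never defined: the XAUTH login and authorization lists a crypto map names, the transform set a dynamic map uses, the address pool an ISAKMP client group or a PPTP Virtual-Template points at, and the virtual-template number in a vpdn-group. The sample config below is constructed, and the regex table is an assumption that covers only the statement types used on this page.

```python
import re

# Constructed excerpt shaped like the IPsec remote-access config in the
# reply; the "aaa authentication login" list that the crypto map names
# is deliberately omitted so the check has something to report.
SAMPLE_CONFIG = """\
aaa authorization network CRYPTO_ISAKMP_CLIENT local
crypto isakmp client configuration group CRYPTO_ISAKMP_CLIENT
 pool VPN-POOL
crypto ipsec transform-set VPN-TRANSFORMSET esp-aes 256 esp-sha-hmac
crypto dynamic-map CRYPTO_ISAKMP_CLIENT 1
 set transform-set VPN-TRANSFORMSET
crypto map STATIC_CRYPTO_MAP client authentication list CRYPTO_ISAKMP_CLIENT
crypto map STATIC_CRYPTO_MAP isakmp authorization list CRYPTO_ISAKMP_CLIENT
crypto map STATIC_CRYPTO_MAP 1 ipsec-isakmp dynamic CRYPTO_ISAKMP_CLIENT
interface Dialer0
 crypto map STATIC_CRYPTO_MAP
ip local pool VPN-POOL 10.0.0.250 10.0.0.254
"""

# (kind, regex) pairs; group 1 captures the object name. Assumed table,
# limited to the statement types that appear in the two posted configs.
DEFINES = [
    ("login-list", r"^aaa authentication login (\S+)"),
    ("authz-list", r"^aaa authorization network (\S+)"),
    ("pool", r"^ip local pool (\S+)"),
    ("transform-set", r"^crypto ipsec transform-set (\S+)"),
    ("dynamic-map", r"^crypto dynamic-map (\S+)"),
    ("crypto-map", r"^crypto map (\S+) \d+ ipsec-isakmp"),
    ("virtual-template", r"^interface Virtual-Template(\d+)"),
]
REFERENCES = [
    ("login-list", r"^crypto map \S+ client authentication list (\S+)"),
    ("authz-list", r"^crypto map \S+ isakmp authorization list (\S+)"),
    ("pool", r"^pool (\S+)"),                          # isakmp client group
    ("pool", r"^peer default ip address pool (\S+)"),  # PPTP Virtual-Template
    ("transform-set", r"^set transform-set (\S+)"),
    ("dynamic-map", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    ("crypto-map", r"^crypto map (\S+)$"),             # applied on an interface
    ("virtual-template", r"^virtual-template (\d+)"),  # inside vpdn-group
]

def _collect(lines, patterns):
    """Set of (kind, name) pairs produced by any pattern over the lines."""
    return {(kind, m.group(1)) for line in lines for kind, rx in patterns
            if (m := re.match(rx, line))}

def dangling_references(config):
    """Sorted (kind, name) pairs referenced in config but never defined."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    return sorted(_collect(lines, REFERENCES) - _collect(lines, DEFINES))
```

Run it over the first post's config and it reports nothing for the PPTP part (pool and Virtual-Template are both defined), which is one quick way to rule out a simple cross-reference mistake before looking at the client side.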