
How do you setup a local VPN?

Dec 5, 2001
I've set up the vpdn from the examples in the book, but it doesn't seem to work. I don't have any authentication servers; I just want to authenticate from the local user on the pix. The config is not set up for real-world use, it's just for evaluation on a private network. As soon as I can get the VPN to work, it's going back. So some of the config settings may be red flags.

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password QV98Fh8cjH.YiBSL encrypted
passwd QV98Fh8cjH.YiBSL encrypted
hostname pix
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq domain
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq 443
access-list acl_in permit udp any any eq 443
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any host 66.xxx.xxx.xx0 eq www
access-list acl_out permit tcp any any eq domain
access-list acl_out permit udp any any eq domain
access-list acl_dmz permit icmp any any
pager lines 24
logging on
logging trap errors
logging history errors
logging host inside 1.1.0.52
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 66.xxx.xxx.xx5 255.255.255.192
ip address inside 1.1.0.254 255.255.0.0
ip address dmz 10.254.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool my-addr-pool 1.1.2.1-1.1.2.50
pdm history enable
arp timeout 14400
global (outside) 1 66.xxx.xxx.xx6
global (dmz) 1 10.254.0.253
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 66.xxx.xxx.xx0 10.254.10.3 netmask 255.255.255.255 0 0
static (dmz,outside) 66.xxx.xxx.xx1 10.254.10.4 netmask 255.255.255.255 0 0
static (dmz,outside) 66.xxx.xxx.xx2 10.254.10.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.xx3 1
route inside 1.0.0.0 255.0.0.0 1.1.0.1 1
route inside 158.61.231.0 255.255.255.0 1.1.0.30 1
route inside 193.1.0.0 255.255.0.0 1.1.0.29 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 1.5.0.0 255.255.0.0 inside
telnet 1.1.0.0 255.255.0.0 inside
telnet timeout 60
ssh 63.xxx.xxx.xxx 255.255.255.255 outside
ssh 66.xxx.xxx.xxx 255.255.255.255 outside
ssh 1.5.0.86 255.255.255.255 inside
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client configuration dns 1.1.0.17
vpdn group 1 client configuration wins 1.1.0.25
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxxxx password xxxxxx
vpdn enable outside
terminal width 80
Cryptochecksum:65c8d6cc028e3953fb6b4b877e6f86e5
: end
 
HI.

***
ip address inside 1.1.0.254 255.255.0.0
ip local pool my-addr-pool 1.1.2.1-1.1.2.50

This seems wrong.
Use a different, non-existent subnet like 192.168.55.0 for VPN users.

You will also need something like this:
access-list nonat permit ip 1.1.0.0 255.255.0.0 192.168.55.0 255.255.255.0
nat (inside) 0 access-list nonat


***
This command is missing:

vpdn group 1 ppp authentication mschap

***
Your pix isn't configured for PPTP encryption, but your clients might require it - so add encryption or verify client settings.

Bye
Yizhar Hurwitz
 
Hmm, ok... made those changes. I'm using the VPN client that comes with Win2000, and I have all check boxes checked for encryption. PAP. What needs to be done to get PPTP working with my config? I must have missed that in the docs.

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password QV98Fh8cjH.YiBSL encrypted
passwd QV98Fh8cjH.YiBSL encrypted
hostname pix
domain-name ci.corona.ca.us
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq domain
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq 443
access-list acl_in permit udp any any eq 443
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any host 66.xxx.xxx.xx0 eq www
access-list acl_out permit tcp any any eq domain
access-list acl_out permit udp any any eq domain
access-list acl_dmz permit icmp any any
access-list vpn permit ip 1.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging trap errors
logging history errors
logging host inside 1.1.0.52
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 66.xxx.xxx.x5 255.255.255.0
ip address inside 1.1.0.254 255.255.0.0
ip address dmz 10.254.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool my-addr-pool 192.168.1.1-192.168.1.50
pdm history enable
arp timeout 14400
global (outside) 1 66.xxx.xxx.xx6
global (dmz) 1 10.254.0.253
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 66.xxx.xxx.xx0 10.254.10.3 netmask 255.255.255.255 0 0
static (dmz,outside) 66.xxx.xxx.xx1 10.254.10.4 netmask 255.255.255.255 0 0
static (dmz,outside) 66.xxx.xxx.xx2 10.254.10.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.xx3 1
route inside 1.0.0.0 255.0.0.0 1.1.0.1 1
route inside 158.61.231.0 255.255.255.0 1.1.0.30 1
route inside 193.1.0.0 255.255.0.0 1.1.0.29 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 1.5.0.0 255.255.0.0 inside
telnet 1.1.0.0 255.255.0.0 inside
telnet timeout 60
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client configuration dns 1.1.0.17
vpdn group 1 client configuration wins 1.1.0.25
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxxxx password xxxxxx
vpdn enable outside
terminal width 80

 
HI.

You still haven't mentioned anything about encryption.

First try to debug, at the pix type:

debug ppp ?
(I don't remember exact syntax).

Type "show version" at the pix.
Do you have a DES activation key?
If you have DES enabled, then add this to your configuration:
vpdn group 1 ppp encryption mppe 40 required

Now try again.

If you don't have DES, then ask your dealer to provide it!

Meanwhile, you can try configuring the client to not require data encryption.
Windows 2000 by default requires encryption.

Bye

Yizhar Hurwitz
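Added example, not part of the thread: a small Python check that reads a PIX config dump and flags the four PPTP problems raised above (VPN pool inside the inside subnet, missing or mismatched nat 0 access-list, missing mschap authentication, missing mppe encryption). The two embedded configs are constructed excerpts of the ones posted in the thread; the finding tags are my own names.

```python
import ipaddress
import re
# Constructed excerpts of the two configs posted in this thread (only checked lines kept).
FIRST_CONFIG = """
ip address inside 1.1.0.254 255.255.0.0
ip local pool my-addr-pool 1.1.2.1-1.1.2.50
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
SECOND_CONFIG = """
access-list vpn permit ip 1.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside 1.1.0.254 255.255.0.0
ip local pool my-addr-pool 192.168.1.1-192.168.1.50
nat (inside) 0 access-list vpn
vpdn group 1 ppp authentication mschap
"""
def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
def pptp_findings(config):
    """Return short tags for the PPTP problems discussed in the thread."""
    inside = pool = None
    nonat, acls, mschap, mppe = set(), {}, False, False
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside = _net(*m.groups())
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)$", line):
            pool = [ipaddress.IPv4Address(a) for a in m.groups()]
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nonat.add(m[1])
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif re.match(r"vpdn group \d+ ppp authentication mschap", line):
            mschap = True
        elif re.match(r"vpdn group \d+ ppp encryption mppe", line):
            mppe = True
    findings = []
    if inside and pool and any(a in inside for a in pool):
        findings.append("pool-overlaps-inside")        # pool must be a separate subnet
    # the nat 0 ACL must exempt inside -> pool traffic from address translation
    exempt = [pair for name in nonat for pair in acls.get(name, [])]
    if not exempt:
        findings.append("no-nat0-acl")
    elif inside and pool and not any(inside.subnet_of(src) and all(a in dst for a in pool)
                                    for src, dst in exempt):
        findings.append("nat0-acl-misses-inside-or-pool")
    if not mschap:
        findings.append("no-mschap")
    if not mppe:
        findings.append("no-mppe")                     # clients that require encryption will fail
    return findings
```

On the second config it still reports the nonat ACL mismatch (1.0.0.0/24 does not cover the 1.1.0.0/16 inside subnet) and the missing mppe line.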
 