The ranting of an IT Professional » VPN

“Error 692: Hardware Failure in the Modem” Error Message When You Dial an RAS Server

Jason Tramer — Wed, 06 Apr 2011 18:45:16 +0000

Part of troubleshooting RAS (PPTP and L2TP) VPN connections is constantly tweaking your settings (both client and server) and reconnecting. This becomes a complete pain when Windows 7 decides its sick of trying and just starts generating a error 692, forcing you to reboot before you can try connecting again.

Finally after endless reboots I found a Microsoft hotfix which addresses this:

Download here:

http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=980399&kbln=en-us

Cisco ASA: Accessing VPN networks using L2TP VPN

Jason Tramer — Tue, 08 Mar 2011 18:30:25 +0000

Troubleshooting this issue for a bit, user connects to a L2TP VPN presented by the ASA. They can connect to the inside network but not to a network connected to that ASA via IPSEC tunnel.

This is actually a simple fix and enter the command:

same-security-traffic permit intra-interface

This will allow the traffic to transverse the tunnel.

Using PAP in OSX L2TP VPN connections

Jason Tramer — Fri, 25 Feb 2011 22:25:35 +0000

I know some people go absolutely head over heels in love with Mac’s but personally I don’t see the appeal. They are a complete pain IMO to configure the simplest options.

For example, when you are setting up a L2TP VPN connection do you think it might be helpful to set the authentication protocol as something other than MSCHAP v2? Maybe you want to us PAP? Well you can’t, not in the screen any ways. Here is the convoluted MAC way of doing it.

Create the /etc/ppp/options file with the following contents:

refuse-chap

refuse-mschap

refuse-mschap-v2

Wow, that is just great.

Allowing management access to an ASA across a site to site VPN tunnel

Jason Tramer — Wed, 30 Dec 2009 14:54:20 +0000

Ok, so you want to manage your ASA from a network connected via site to site VPN tunnel. No prob. Two easy steps makes this happens.

First you have to add the network as an allowed access via the inside network. (I will use the 192.168.1.0/24 network in my example)

From CLI it’s:
http 192.168.1.0 255.255.255.0 inside

If this was a directly connected network then that is all you would have to do, however since it is connected from VPN you also need to specify the inside interface as a management interface with this command.

management-access inside

You can do all this from the ASDM as well:

Under Configuration, Device Management, Management Access:

Add the network on the inside interface in the ASDM/HTTPS/Telnet/SSH section

Then enable management access on the inside network under the Management Interface section

Security hole for SSL Clientless VPN

Jason Tramer — Tue, 01 Dec 2009 00:46:52 +0000

Check out this article:

http://www.theregister.co.uk/2009/11/30/vpn_authentication_weakness/

This is quite big news. Cisco has been pushing it’s clientless SSL VPN pretty hard.

Incompatibility on Site to site VPN tunnels between Watchguards and Cisco ASA’s

Jason Tramer — Mon, 30 Nov 2009 16:09:44 +0000

I have been working with a client with multiple sites and up until recently they have been using Watchguards at all sites. Recently we have been switching out some of the Watchguard for Cisco ASA’s but there have been a ton of site to site VPN issues. For example, a tunnel goes down, so you re-key it, it doesn’t come back up, but if you recreate then tunnel on the watchguard side with the exact same settings everything works fine. What is the point of having a Standard if companies aren’t following it. Yeesh.

Cisco ASA L2TP issues with LDAP authentication

Jason Tramer — Thu, 26 Nov 2009 22:40:55 +0000

So I configured my ASA to provide L2TP remote access VPN. I originally set it up with a local user database and it worked fine. After I decided to tie it in to LDAP so I could authenticate against Active Directory. I set up my LDAp integration and used the built-in test tool to make sure it worked, and it did. However every time I tried to log in with a AD account I got authentication failures. So I eventually gave up and placed a call with Cisco TAC and do you know what I found out? If you want to use LDAP authentication with L2TP RA vpn you have to use PAP because LDAP authentication isn’t supported with CHAP. The practical effect of this is that when your ASA sends the passwords to your DC it is in clear text.

Cisco kind of has you over the barrel when it comes to RA vpn. You could go with SSL vpn but the licences are hideously expensive. You could do IPSec vpn but they don’t have a 64 bit client nor are they planning on making one from what I heard. You could do L2TP but if you want LDAP integration you have to send passwords in clear text unless you set up LDAP over SSL. Not to mention that the ASA’s no longer even support PPTP.

It is more then a little annoying I have to say.

Configuring your Cisco ASA for L2TP Remote Access

Jason Tramer — Wed, 25 Nov 2009 19:32:39 +0000

Ok bad news, ASA’s do not support PPTP remote access VPN (though they can pass it through). However they will support L2TP with IPSEC VPN which windows is capable of doing.

Here is a great video tutorial I used for setting it up:

http://gregsowell.com/?p=805

Cisco ASA – Remote access VPN user’s can’t connect to internal resources on the same network

Jason Tramer — Wed, 27 May 2009 16:13:07 +0000

So I was working with a Cisco ASA 5510. The inside network was 10.0.0.0/24. I had created a remote access vpn policy for users and set them up to receive address’s on their inside network (10.0.0.0/24).

While the users we able to connect fine to the vpn they were not able to ping or access any resources on the internal network. The reason I found for this is that even though they are receiving address’s on the same network as the internal LAN, the ASA still considers them part of a separate network and will try to NAT the traffic using your dynamic NAT rule.

The way to resolve this is to create a NAT exemption rule from your inside network to your inside network. Sounds funny, but it works.

Hope this helps

Watchguard MUVPN not working due to Mcafee firewall

Jason Tramer — Thu, 30 Apr 2009 20:45:07 +0000

I hate personal firewall products but none so much as I hate mcafee. I was testing a MUVPN and the tunnell just wouldn’t established. I turned that thing into swiss cheese, it shouldn’t have been blocking anything but the VPN tunnel STILL wouldn’t come up until I actually turned off the service. Gah it’s frustrating.