VPN connection issues

[Blunted One]

Thanks for the help and I was now wondering what is the best/easiest way to upgrade the firmware on our cisco router? I am willing to do this, but I am not the most confident when it comes to messing around with the router. Also where can I see if there is an update for my Cisco 2600 router?

[Highlander]

Sounds Like someone needs to look into
Open VPN and www.ipcop.org as a firewall....

Cisco!!!! Sheee... To big and not customer responsive
and is very Draconia on what is in and out of warnity!!!

[sandcraft]

Originally posted here by Blunted One
Thanks for the help and I was now wondering what is the best/easiest way to upgrade the firmware on our cisco router? I am willing to do this, but I am not the most confident when it comes to messing around with the router. Also where can I see if there is an update for my Cisco 2600 router?

Log into the router and run the show version command (sh ver). Note the version and download the most compatible version from CISCO . The included doc will help you with the install. If this is your first upgrade do it after hours.

[Blunted One]

I now have run into the minor issue of not being able to download the software from the Cisco site. Is there another website I can easily download this software from for our 2600 router?

Also is there anything else I should check to see if the connection from the other company is even reaching our network. So I might be able to tell if the problem is on my side or theirs. Even though I am pretty sure it isn't on my side since I have multiple people using the VPN with there PPTP user account. Once again you guys have been quite helpful. I just wish I could get this one all figured out better.

[Morvai]

To answer a question you asked earlier...
Since you were able to setup the VPN from different wireless networks I don't think that NAT would be the problem. I wouldn't expect every open wireless network to have a routed subnet, so you had it working from a NAT environment.

I don't think you'll be able to download Cisco IOS upgrades from anywhere but Cisco (legally anyway). I'm sure I'll be told if I'm wrong about this

To upgrade the IOS on the router setup up a TFTP server on a pc you can reach from the router (you can download one from anywhere). Make sure you set up an ethernet connection to the router.
Log on to the router and go into enable mode. Type: copy TFTP Flash <enter>
The router will ask you some questions like filename and IP adres to copy from and will start copying the software from your TFTP server to the router. Reload en see it boot with the new version

Make sure the IOS version you use is supported by the router and obviosly backup the old IOS version and config before upgrading.

GL.

Morvai.

[Highlander]

Here is a real Dumb Question....
Did you try www.ipcop.org ???

I use it and it has everything in it you need....
and VPN is one of them.....

I use the OpenVPN client myself....

It also has Snort and several other utilities I like....
And best of all it is Open Source and no M$ fingers in the pie...

[Blunted One]

This is the current message our firewall is giving out when the company that cannot connect tries to connect. Not exactly sure what it means, but I seem to see their address, but on their end it hangs for about 30 seconds and then they get the 721 error message. Does anyone have any new ideas what is going on? I am still on the hunt for a solution to our VPN problem.

04/19/06 13:00 pptpd[29069]: Watchguard pptpd 2.2.0 started
04/19/06 13:00 pptpd[29069]: Using interface pptp1
04/19/06 13:00 kernel: pptp1: daemon attached.
04/19/06 13:00 pptpd[29069]: Connect: pptp1 [1] <--> **.**.**.**

04/19/06 13:04 pptpd[29311]: Terminating on signal 2.
04/19/06 13:04 pptpd[29311]: Connection terminated.
04/19/06 13:04 pptpd[29311]: Persist flag not set, so we are exiting.
04/19/06 13:04 kernel: pptp1: pptp_sock_close

Every other message on the traffic monitor is a deny this is the only one that seems to show that our firewall recieves a message for PPTP connection and then after a few minutes just closes it off. Any help is greatly appreciated.

[sandcraft]

You didn't post the whole log. So everyone will be guessing. Check here:

http://seclists.org/lists/bugtraq/2001/Feb/0123.html

If your log looks the same download the patch. If not my next educated guess is an IP address conflict.

Are you at least getting the user loged in message in the log? That would be the first thing to look for. Can you be more clear on what the denies are?

[cryptocrack]

Download Netcat or Use Telnet or Nmap

nc -v -n xx.xx.xx.xx 1723
is it open?

Telnet
open
to xx.xx.xx.xx. 1723

Use pptpping to test and see if the GRE packets are goign through the firewall.
WHat kind of firewall do you use? Does it support pptp passthrough? some dont


Do you want to use L2TP / IPSEC?

did you tes to see if

UDP port 1701, 4500, 500 are open?

Are you going to use RRAS for you VPN server?
DId you enable pptp or l2tp ports?
You using DHCP or going to create a STATIC pool?

[Blunted One]

Port 1723 is open and I have other people using the PPTP and are able to get through just fine. Only this one other company (which is much bigger and has a lot more security policies) cannot get through the VPN. I have been told it simply sits there and hangs and then after it tries to verify username/password it returns the error of 721. PPTP is enabled we have a pool of address for those who log in. Only one company out of three is having problems, but I am still unsure as to why they cannot make it through and always get the error 721 even thought I can see a connection attempt being made in the firewall's traffic monitor. Strange.