Connecting to a Cisco PIX Using PPTP and Windows Vista as the Client.

By George Davey and Matthew Vick

Background:

Windows XP was able to connect to Cisco PIX secure software version 6.3.5 by setting up a default VPN connection in Windows XP.  With Windows Vista, the default VPN connection no longer connects to the PIX.  The reason is that Windows Vista dropped MSCHAP v1 support; Windows Vista only supports MSCHAP v2.

The Cisco PIX version 6.3.5 does not support MSCHAP v2, only MSCHAP v1, so out of the box it won’t connect.  To solve this issue an L2TP VPN was created using the Windows Vista New Network Connection wizard.  VPN connection attempts were then made to a Cisco PIX version 6.3.5 running in debug mode.  After observing what the Windows Vista VPN was using for the connection criteria, a matching set of criteria for the PIX was derived.

As a basic guide the following Cisco Document was used as a reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00801727f3.html#wp1009076 hereafter referred to as the “Cisco Guide”.

This is from the Cisco PIX Firewall and VPN Configuration Guide, Version 6.3, from the Remote Access chapter.  The basic guide assumes Windows 2000, so we had to derive a couple of extra steps to account for how Windows Vista was attempting to connect.

 

Solution Requirements:

To get the Windows Vista native VPN client to connect to a Cisco PIX 6.3.5 using L2TP over IPSEC with no certificates.  Authentication and transport encryption are required.

The solution outlined will allow for a seamless migration to the Windows Vista VPN by creating a new L2TP over IPSEC tunnel for Windows Vista, while keeping the PPTP VPDN intact for Windows 2000/XP users.  Both VPDN connection types will use a common authentication source.  In this case, internal authentication, using the VPDN usernames and passwords stored in the PIX.

 

Solution:

The solution is divided into 2 parts: preparing the Cisco PIX for a Windows Vista L2TP connection, and creating an L2TP VPN connection in Windows Vista for connecting to a PIX firewall version 6.3.5.

Solution Note: A bug in Windows Vista requires you to use the username in the DOMAIN\username format if that account has ever been used for NTLM authentication, even if the PC is not joined to a domain.  So when setting up PIX usernames for Vista, always use the DOMAIN\username format, even though you are not connecting to a domain.

e.g. vpdn username DOMAIN\username password YourPassword

You will also need to allow NAT traversal for IPSec traffic.

 

 

I) Preparing the Cisco PIX for a Windows Vista L2TP connection:

Let’s go through the steps outlined in the Cisco Guide.  The step numbers are taken directly from the guide, which is why they are out of order at times.

Step 1 Specify IPSec to use transport mode rather than tunnel mode:

crypto ipsec transform-set trans_name mode transport

 

It was found that this step is incomplete and incorrect; it should be two lines:

crypto ipsec transform-set trans_name esp-3des esp-sha-hmac

crypto ipsec transform-set trans_name mode transport

 

Note that we are using 3DES for encryption with a SHA hash because this was the first PIX-compatible combination proposed by Windows (it was the third combination Windows attempted).

 

Step 2 Allow L2TP traffic to bypass conduit/access list checking:

sysopt connection permit-ipsec
sysopt connection permit-l2tp

 

Step 3 Instruct the PIX Firewall to accept L2TP dial-in requests:

vpdn group group_name accept dialin l2tp
 
The group_name can be any name or number.

 

Step 4 Specify PPP protocol and authentication protocol (PAP, CHAP, or MS-CHAP):

vpdn group group_name ppp authentication pap/chap/mschap

 

Step 4 was modified to use PAP only:

 

vpdn group group_name ppp authentication pap

 

Because IPSEC already provides both authentication and transport encryption, L2TP-level authentication protection and encryption are not needed; the PAP password only ever travels inside the IPSEC tunnel.  Remember this connection is L2TP over IPSEC.

 

Step 5 Specify the local address pool used to allocate the IP address to the client:

vpdn group group_name client configuration address local address_pool_name

 

Step 5 is incomplete, as it assumes you already have the address pool.  If you do not, replace Step 5 with these 2 steps:

ip local pool address_pool_name 172.17.1.1-172.17.1.254

vpdn group group_name client configuration address local address_pool_name
 
Most likely you can use group “2” for your group_name.
 
Next, set up DNS and WINS for this connection:

Step 6 (Optional) Instruct the PIX Firewall to send DNS server IP addresses to the client:

vpdn group group_name client configuration dns dns_server_ip1 dns_server_ip2
 

Step 7 (Optional) Instruct the PIX Firewall to send WINS server IP addresses to the client:

vpdn group group_name client configuration wins wins_server_ip1 wins_server_ip2
 
 
Set up your authentication source:

Step 8 Specify authentication using the PIX Firewall local username/password database. If set to aaa, authenticate using the AAA server.

vpdn group group_name client authentication aaa aaa_server_tag
or
vpdn group group_name client authentication local
 
In the example here we are using local authentication:
vpdn group group_name client authentication local
 
Set up at least one user:

Step 10 If local authentication is used, the following command specifies username/password entries:

vpdn username username password password
 

Step 11 (Optional) Specify the L2TP keep-alive/hello timeout value:

vpdn group group_name l2tp tunnel hello hello_timeout
 

The default timeout value is 60, and the lower and upper limits are 10 and 300, respectively.

Step 12 Enable vpdn function on a PIX Firewall interface:

vpdn enable ifname
 
 
OK, that is it, right?  No, all that has been done so far is to create the L2TP connection; now the ISAKMP policy and the IPSEC crypto map for this connection must be configured or it won’t work:
 
For IPSEC a pre-shared key will be used and NOT a certificate, to conform with our original solution constraints.
 

Step 11 Configure the IKE policy:

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
 
 

Step 12 Configure ISAKMP identity:

isakmp identity address
 

Step 13 Enable ISAKMP on the outside interface:

isakmp enable outside
 

Step 14 Create an access list that defines the PIX Firewall network(s) requiring IPSec protection:

access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
 

Step 15 Bind the access list to NAT 0:

nat (inside) 0 access-list 90
 
Steps 14 and 15 prevent the VPN client traffic from being NAT translated.
 

Step 18 Add the dynamic crypto map into a static crypto map:

crypto map partner-map 20 ipsec-isakmp dynamic cisco
 
Step 18 is incorrect and not very clear because it does not call out the user-assigned variables the way the first half of the guide did.  Here is what was entered in the test PIX unit:
 
crypto dynamic-map l2tp 30 set transform-set trans_name
crypto map name 30 ipsec-isakmp dynamic l2tp
 
trans_name is the transform set created in Step 1; name is the crypto map name you choose (it is used again in Step 19).
 
If you want to use pre-shared keys as the authentication method, configure the following:
isakmp key YourSecretKey address 0.0.0.0 netmask 0.0.0.0
isakmp policy 1 authentication pre-share
 
 

Step 19 Apply the crypto map to the outside interface:

crypto map name interface outside
 
 
Final Step: allow NAT traversal for IPSec:
isakmp nat-traversal
 
 
 
 
Here are the commands that were actually entered to get it to work on our firewall:
 
access-list nonat permit ip 192.168.0.0 255.255.240.0 172.17.130.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 172.17.130.0 255.255.255.0
access-list nonat permit ip 192.168.32.0 255.255.240.0 172.17.130.0 255.255.255.0
These are the access-list statements that match our no-NAT specification.
 
ip local pool l2tp-pool 172.17.130.1-172.17.130.254
This is the IP pool for our L2TP connection.
 
sysopt connection permit-l2tp
sysopt connection permit-ipsec
This allows L2TP and IPSEC traffic to bypass the interface access-lists.
 
crypto ipsec transform-set cisco-l2tp esp-3des esp-sha-hmac
crypto ipsec transform-set cisco-l2tp mode transport
This creates the transform set and sets it to transport mode.
 
 
crypto dynamic-map l2tp 30 set transform-set cisco-l2tp
crypto map dmu 30 ipsec-isakmp dynamic l2tp
crypto map dmu interface outside
This creates a dynamic map using the transform set, binds it into a static crypto map and applies that map to the outside interface.
 
 
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
This policy matches the IKE policy Vista proposes automatically.
 
isakmp key YourPre-SharedKeyGoesHere address 0.0.0.0 netmask 0.0.0.0
isakmp enable outside
This sets a wildcard pre-shared key (the same key is accepted from any peer address, so every L2TP client shares it) and enables ISAKMP on the outside interface.
 
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication pap
vpdn group 2 client configuration address local l2tp-pool
vpdn group 2 client configuration dns 192.168.16.3 192.168.16.14
vpdn group 2 client configuration wins 192.168.16.22
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 60
vpdn username YourUsernameGoesHere password YourPasswordGoesHere
vpdn enable outside
This sets up the VPDN group for L2TP and creates one local user in the PIX.
 
isakmp nat-traversal
This allows your L2TP connection to work from behind other firewalls, at hotels etc.
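As an added check (not from the article or from Cisco), the following Python script reads a PIX 6.3 configuration and reports which of the requirements derived above are missing: the two-line transport-mode transform set, the crypto map chain applied to outside, an IKE policy matching what Vista proposes, the L2TP VPDN group with PAP, and the sysopt/enable/nat-traversal statements.  The sample configuration is constructed from the commands listed above with the key, user, DNS/WINS and hello lines left out; the function and helper names are our own.

```python
import re

# Constructed sample: the working PIX 6.3.5 fragment from this article, minus the key, user, DNS/WINS and hello lines.
SAMPLE = """\
sysopt connection permit-l2tp
sysopt connection permit-ipsec
crypto ipsec transform-set cisco-l2tp esp-3des esp-sha-hmac
crypto ipsec transform-set cisco-l2tp mode transport
crypto dynamic-map l2tp 30 set transform-set cisco-l2tp
crypto map dmu 30 ipsec-isakmp dynamic l2tp
crypto map dmu interface outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp enable outside
isakmp nat-traversal
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication pap
vpdn enable outside
"""

def tails(lines, pattern):  # {capture 1: {capture 2, ...}} over the config lines matching pattern
    matches = [m for m in map(re.compile(pattern).fullmatch, lines) if m]
    return {m[1]: {n[2] for n in matches if n[1] == m[1]} for m in matches}

def check_l2tp_config(config):
    """Return the article's requirements that a PIX config fails (empty list = looks right)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    problems = [f"missing: {s}" for s in ("sysopt connection permit-ipsec", "sysopt connection permit-l2tp",
                "isakmp enable outside", "isakmp nat-traversal", "vpdn enable outside") if s not in lines]
    # Step 1: the 3DES/SHA transform set must ALSO carry "mode transport" under the same name
    good_ts = {n for n, s in tails(lines, r"crypto ipsec transform-set (\S+) (.+)").items()
               if {"esp-3des esp-sha-hmac", "mode transport"} <= s}
    if not good_ts:
        problems.append("no transform set with esp-3des esp-sha-hmac AND mode transport")
    # Steps 18/19: a crypto map applied to outside must pull in a dynamic map that uses that transform set
    dyn = tails(lines, r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)")
    if not any("interface outside" in s and any(dyn.get(x.split()[-1], set()) & good_ts for x in s)
               for s in tails(lines, r"crypto map (\S+) (.+)").values()):
        problems.append("no crypto map on outside reaching a dynamic map with that transform set")
    # Step 11: one IKE policy must match what Vista proposes (pre-share, 3DES, SHA, DH group 2)
    if not any({"authentication pre-share", "encryption 3des", "hash sha", "group 2"} <= s
               for s in tails(lines, r"isakmp policy (\d+) (.+)").values()):
        problems.append("no isakmp policy with pre-share / 3des / sha / group 2")
    # Steps 3-4: one vpdn group must accept L2TP dial-in with PAP (acceptable only because it rides inside IPsec)
    if not any({"accept dialin l2tp", "ppp authentication pap"} <= s
               for s in tails(lines, r"vpdn group (\S+) (.+)").values()):
        problems.append("no vpdn group with accept dialin l2tp and ppp authentication pap")
    return problems
```

Run it against the output of show running-config on the PIX; an empty list means every item this article found necessary is present.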
 
 
 
Adding L2TP has not removed or changed the original PPTP.  These are the PPTP statements that allow existing Windows 2000/XP users to continue using PPTP:
 
access-list nonat permit ip 192.168.0.0 255.255.240.0 172.17.131.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 172.17.131.0 255.255.255.0
access-list nonat permit ip 192.168.32.0 255.255.240.0 172.17.131.0 255.255.255.0
 
ip local pool pptp-pool 172.17.131.1-172.17.131.254
 
sysopt connection permit-pptp
 
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.16.3 192.168.16.14
vpdn group 1 client configuration wins 192.168.16.22
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username YourUsernameGoesHere password YourPasswordGoesHere
vpdn enable outside
 
Note the PPTP and L2TP now use the same VPDN local username and password list stored in the PIX firewall.
 
 

II) Creating an L2TP VPN connection in Windows Vista for connecting to a PIX firewall version 6.3.5

 
Now that the PIX is ready to accept L2TP over IPSEC, use the Windows Vista “Setup a New Connection or Network” wizard located in the “Network and Sharing Center” window.

Select Setup a Connection or Network.

Select the last option to connect to your workplace.

Create a new connection.

Connect over the Internet, not direct dial.

Set up the Internet connection later.  Mine was already set up; I am not sure why it asks me again.

Input the Internet IP of your PIX or its DNS name.  Give it a destination name that you can easily remember.  Select “allow other people to use this connection” only if you need to connect to it before you log into Windows.

Input your username and password, remembering the password only if it is a private PC and not a public PC such as one in a library.  Showing the password characters makes it easier to type if nobody is looking over your shoulder.  The username and password are entered exactly as they were in the PIX VPDN local user statement:
vpdn username username password password

Once the connection is created we need to edit it by selecting the “Manage network connections” option in the Network and Sharing Center in the Control Panel.

Right-click the connection that was just created and select Properties to edit it.

Navigate to the Security tab, select Advanced, then click the Settings button.

Select Optional Encryption and Unencrypted password.  Don’t worry: IPSEC, using the shared key, encrypts everything, so L2TP password or transport encryption is not needed.

Next go to the Networking tab and select “IPSec Settings.”

Put in the shared key from your Cisco PIX firewall IPSEC wildcard statement, e.g.:
isakmp key YourSecretKey address 0.0.0.0 netmask 0.0.0.0
You will be entering YourSecretKey, whatever it is.

After this click OK, OK, OK and the connection is ready to test.
 
If you need to debug the connection you can enter the following on the PIX:
 

Step 25 The following debug commands (some of which can only be used from the console) can be used for troubleshooting:

debug cry isa
debug cry ipsec
debug cry ca
debug vpdn packet
debug vpdn event
debug vpdn error
debug ppp error
debug ppp negotiation
 
and to turn debugging off use the statement:
 
undebug all