Archive for February 2009

Cisco VPN – Warning

A warning if you use Cisco IOS-based PPTP VPNs.

I’ve got a 2651XM running 12.4(15)T5. I was having terrible trouble establishing a VPN from Vista SP1: the tunnel would just not come up, and the "verifying username and password" prompt simply timed out. I was using the config I posted in another blog entry, which worked fine on a c837.

I tried everything – pulling MPPE and using PAP – to no avail.

Turns out the command "ppp lcp predictive" under the Virtual-Template was killing it, and no debug would clearly show what was going on.

So beware…


Posted February 17, 2009 by benryanau in Cisco


Free Groupware PM/Task Management Web Apps

Having a need for a small-business groupware solution (specifically project management, task management and possibly timesheeting and issue tracking), I started to poke around to see what’s available.
My preference is an ASP- and SQL-based product.
Here’s a shortlist:
*Stylite EGroupware
http://www.egroupware.org/Home
-New release Oct 2008
-PHP under IIS (XAMPP recommended) http://www.egroupware.org/index.php?page_name=dependencies&lang=&wikipage=php
-MySQL 5 (MSSQL "sort of works")
-Free – vendor sells managed, hosted services
-Windows Mobile via Synthesis client over SyncML
-Features: http://www.stylite.de/EGroupware_functions
Good task management and tracking, calendaring, contacts (not sure how well Outlook/Windows Mobile sync works), web-based file manager (not quite document management, but WebDAV enabled).
Knowledge management (articles etc.), resource bookings (cars etc.), timesheets linkable to anything on the server.

*Redmine
http://www.redmine.org/
-Under regular development
-Deployment tips here – http://fluxqubit.wordpress.com/2008/08/22/the-absolute-all-in-one-project-managment-tool-redmine-extensive-howto/
-Ruby 2.12, MySQL >4.1 (eg http://rubyinstaller.rubyforge.org/wiki/wiki.pl) http://mirrors.ntua.gr/MySQL/Downloads/MySQL-5.0/
-Not particularly Windows/IIS friendly
Gantt charts, doc and file management, feeds and email notifications, per-project wiki and forums, time tracking, custom fields for time tracking/issues/projects,
subprojects, flexible issue tracking, HTML or text view.

*Sharpforge
https://sharpforge.org/p/SharpForge.aspx
-Targeted at software development but is applicable to other uses
-Still in beta, kind of active development but slow
-FOSS, C#, .Net 2.0, SQL2005Ex+, IIS
-Aims to be a sourceforge replacement
-Not a particularly intuitive product for project management

*OpenGoo
http://www.opengoo.org/
-Seems to be more of a web based office package
Reasonable task management with time tracking

*Project.Net
http://www.project.net/
-LAMP/WiMP (PHP/MySQL)
-Moderate ongoing development – new release July 2008
-Used by deBortoli Wines
-Focused on Project Management
Email ticketing, client/company management, project listings, hierarchical task lists, file repository, calendar, forums, ACLs.

*ProjectCompanion
http://www.projectcompanion.com/products.asp
-IIS4+, .Net1.1+, SQL2000 or SQL2005Ex
-Free version, not fully featured but still very useful ($80 per user standard)
-Project management, Action management, Project diary, document management
-Licensed versions add project portfolio, time/expenses, workflow. Enterprise adds invoicing, sales/profitability reports, business trend analysis and other features
Very good, focused project management – great UI.
Enterprise features are strong; could it replace an accounting system? Price unknown, though. http://www.projectcompanion.com/enterprise/

Posted February 16, 2009 by benryanau in ICT


MS Terminal Services Client v6.1 Registry Log

I’m trying to disable the warning message when connecting to a client – "The identity of the remote computer cannot be verified".
This is still WIP; I’m over it for today :)

Thought I’d record for reference the registry values the TS client (MSTSC v6.1, as shipped with Vista) queries.
Lots of these aren’t present by default. Many of these queries are also duplicated in HKLM, but I’ve omitted those – we all know HKLM regedits are naughty :)
HKCU\Software\Microsoft\Terminal Server Client\DisablePrinterRedirection NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DisableClipboardRedirection NAME NOT FOUND
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AuthenticationLevel NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\BitmapPersistCacheSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\BitmapPersistCache16Size NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\BitmapPersistCache24Size NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\BitmapPersistCache32Size NAME NOT FOUND
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AllowUnsignedFiles NAME NOT FOUND
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AllowSignedFiles NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\PinConnectionBar NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\Default\RemoteDesktopFolder NAME NOT FOUND
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSServername NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\EnableSslWithUserAuth NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\Shadow Bitmap Enabled NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\UseShadowBitmapInFullScreen NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\MaxRdpCompressionLevel NAME NOT FOUND
RegOpenKey HKLM\SOFTWARE\Microsoft\Terminal Server Client\RedirectDevices NAME NOT FOUND
RegOpenKey HKLM\Software\Microsoft\Terminal Server Client\TransportExtensions SUCCESS
HKLM\SOFTWARE\Microsoft\Terminal Server Client\TransportExtensions\Gateway SUCCESS Type: REG_SZ, Length: 26, Data: aaclient.dll
HKCU\Software\Microsoft\Terminal Server Client\DisablePrinterRedirection NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DisableClipboardRedirection NAME NOT FOUND
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AuthenticationLevel NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride NAME NOT FOUND
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\PromptForCredsOnClient NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\RemoteDesktop_SuppressWhenMinimized NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\Min Send Interval NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\Allow Background Input NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\OffscreenSupportLevel NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\OffscreenCacheSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\OffscreenCacheEntries NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\BitmapPersistCacheLocation NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\MultiFragmentUpdateMaxSize NAME NOT FOUND
RegOpenKey HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers\<<hostname>>NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR\ThreadTimeOut NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR\DisableDeviceRedirection NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\LicensingTimeout NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusEnabled NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusSupportLevel NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusCacheLevel NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusGraphicsCacheEntries NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusBrushCacheEntries NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusPenCacheEntries NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusImageCacheEntries NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusGraphicsCacheChunkSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusBrushCacheChunkSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusPenCacheChunkSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusImageAttributesCacheChunkSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusImageCacheChunkSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusImageCacheTotalSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusImageCacheMaxSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawGdiplusImageattributesCacheEntries NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawNineGridSupportLevel NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawNineGridEmulate NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawNineGridCacheSize NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DrawNineGridCacheEntries NAME NOT FOUND
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AuthenticationLevel NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride NAME NOT FOUND

Let me know if you find any of this useful and have further info on any entries.
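As an added example (mine, not the post’s), here is a small Python parser for the ProcMon-style trace above. It pulls out the values that affect the client’s security posture rather than its rendering caches, and reports for each whether it is set by machine policy, user policy or user preference, or is absent (meaning the client runs on its built-in default). Which values count as security-relevant is my selection. The first sample trace reuses lines from the post; the second is a single constructed line showing what a Group Policy-enforced AuthenticationLevel would look like (2 is the .rdp "authentication level" meaning "do not connect if the server cannot be authenticated").

```python
import re

# One line of the ProcMon-style registry trace quoted in the post, e.g.
#   HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride NAME NOT FOUND
#   RegOpenKey HKLM\Software\Microsoft\Terminal Server Client\TransportExtensions SUCCESS
#   HKLM\...\TransportExtensions\Gateway SUCCESS Type: REG_SZ, Length: 26, Data: aaclient.dll
LINE_RE = re.compile(
    r"^(?:(?P<op>RegOpenKey|RegQueryValue)\s+)?"
    r"(?P<path>HK(?:CU|LM)\\.+?)\s*"
    r"(?P<result>NAME NOT FOUND|SUCCESS)"
    r"(?:\s+Type:\s*(?P<type>\w+),\s*Length:\s*(?P<length>\d+),\s*Data:\s*(?P<data>.*))?$"
)

# Values from the trace that change the client's security behaviour (my selection).
SECURITY_VALUES = {
    "AuthenticationLevel": "server identity check (the 'identity cannot be verified' warning)",
    "AuthenticationLevelOverride": "per-user override of the server identity check",
    "PromptForCredsOnClient": "where credentials are prompted for",
    "EnableSslWithUserAuth": "TLS with user authentication",
    "AllowUnsignedFiles": "run unsigned .rdp files",
    "AllowSignedFiles": "run signed .rdp files",
    "DisableClipboardRedirection": "clipboard redirection",
    "DisablePrinterRedirection": "printer redirection",
    "DisableDeviceRedirection": "device (RDPDR) redirection",
}


def scope_of(path):
    """Classify by who controls the setting: a Policies key is GPO-managed."""
    hive, _, rest = path.partition("\\")
    if "\\Policies\\" in "\\" + rest + "\\":
        return "machine policy" if hive == "HKLM" else "user policy"
    return "machine preference" if hive == "HKLM" else "user preference"


def parse_line(line):
    """Return a dict for one trace line, or None if it is not a registry access."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    return {
        "op": m["op"] or "RegQueryValue",  # value reads carry no op prefix in the trace
        "path": path,
        "name": path.rsplit("\\", 1)[-1],
        "scope": scope_of(path),
        "found": m["result"] == "SUCCESS",
        "data": m["data"],
    }


def audit(lines):
    """Map each security-relevant value name to {scope: status}.

    NAME NOT FOUND on a Policies path means no GPO is enforcing that setting,
    so the client is running on its built-in default for it.
    """
    report = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["name"] not in SECURITY_VALUES:
            continue
        status = f"set to {ev['data']!r}" if ev["found"] else "not set (default in effect)"
        # Keep the first observation; the trace repeats queries on reconnect.
        report.setdefault(ev["name"], {}).setdefault(ev["scope"], status)
    return report


# Sample input: lines taken from the post's trace.
POST_TRACE = r"""
HKCU\Software\Microsoft\Terminal Server Client\DisablePrinterRedirection NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\DisableClipboardRedirection NAME NOT FOUND
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AuthenticationLevel NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride NAME NOT FOUND
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AllowUnsignedFiles NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\BitmapPersistCacheSize NAME NOT FOUND
RegOpenKey HKLM\Software\Microsoft\Terminal Server Client\TransportExtensions SUCCESS
HKLM\SOFTWARE\Microsoft\Terminal Server Client\TransportExtensions\Gateway SUCCESS Type: REG_SZ, Length: 26, Data: aaclient.dll
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\PromptForCredsOnClient NAME NOT FOUND
HKCU\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR\DisableDeviceRedirection NAME NOT FOUND
""".strip().splitlines()

# Constructed (not from the post): a GPO-enforced AuthenticationLevel as it would appear.
HARDENED_TRACE = [
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AuthenticationLevel SUCCESS Type: REG_DWORD, Length: 4, Data: 2"
]

if __name__ == "__main__":
    for label, trace in (("post trace", POST_TRACE), ("constructed hardened trace", HARDENED_TRACE)):
        print(label)
        for name, scopes in sorted(audit(trace).items()):
            for scope, status in scopes.items():
                print(f"  {name} [{scope}]: {status}  ({SECURITY_VALUES[name]})")
```

On the post’s trace every policy path comes back NAME NOT FOUND, so nothing is being pushed by GPO and the "identity cannot be verified" warning is the client’s default behaviour. Note the query order in the trace: the machine policy path is read before the per-user AuthenticationLevelOverride, the usual Windows pattern of policy taking precedence over preference.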

Posted February 15, 2009 by benryanau in Microsoft


Windows Mobile 6.1 to Cisco IOS PPTP VPN

CAVEAT: ppp lcp predictive doesn’t work on all IOS releases!

Like the rest of the world, I found Windows Mobile 6.1 would not connect to a Cisco VPDN server over PPTP.

I really needed this, so I struggled with it (for days). Finally I got it working! Sadly this means every customer I need to connect to must have this config… grrr.

The issue seems to be that the WM PPTP client is limited in its capabilities: it isn’t very flexible in what it negotiates with the server.

The main trouble was MPPE/MPPC negotiation – WM only supports stateful (or maybe only stateless but not both) MPPE.

PPP negotiation debugs showed a long back-and-forth CONFREQ/CONFNAK sequence where WM just wouldn’t accept any of the offered types.

This behaviour was observed with 12.4(5b) on a c837.

Note you must use MS-CHAP-v2 only on the router. The easiest way is to use MS IAS on the server and configure that properly along with the router’s RADIUS config (another blog post later to describe how to get this working!).

In short, here’s the relevant Virtual Template config, along with some recommendations for PPTP:

vpdn-group <vpdn group>
 accept-dialin
  protocol pptp
  virtual-template 10
 pptp tunnel echo 30
 ip tos reflect
 ip tos 15
 ip precedence critical
 ip pmtu
 ip mtu adjust

interface Virtual-Template10
 mtu 1380
 ip unnumbered Ethernet0
 no ip proxy-arp
 no ip route-cache same-interface
 ip tcp header-compression
 peer default ip address pool <your IP pool>
 keepalive 20
 compress mppc
 ppp lcp predictive
 ppp encrypt mppe 128 passive
 ppp authentication ms-chap-v2 <your authentication list to RADIUS>
 ppp authorization <your authorization list to RADIUS>
 ppp ipcp mask 255.255.0.0
 ppp ipcp predictive
 ppp link reorders

Let me know how this works for you. And curse you MS and Cisco, so much for the ‘pledge to make products work together’.

Keywords: PPTP, VPN, VPDN, LCP, MPPC, MPPE, MS-CHAP-v2, IOS, CISCO, WM, WM6.1, Windows Mobile, compression, encryption

Comments
Ben Ryan – 13/02/2009 1:15:39 PM

This is a snip of a successful negotiation:
1643181: Feb 9 08:11:07.122: Vi6 PPP: Phase is UP
1643182: Feb 9 08:11:07.122: Vi6 IPCP: O CONFREQ [Closed] id 1 len 16
1643183: Feb 9 08:11:07.122: Vi6 IPCP: CompressType VJ 15 slots CompressSlot ID (0x0206002D0F01)
1643184: Feb 9 08:11:07.122: Vi6 IPCP: Address 172.17.1.1 (0x0306AC110101)
1643185: Feb 9 08:11:07.122: Vi6 CCP: O CONFREQ [Closed] id 1 len 10
1643186: Feb 9 08:11:07.122: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643187: Feb 9 08:11:07.126: Vi6 PPP: Process pending ncp packets
1643188: Feb 9 08:11:07.310: Vi6 CCP: I CONFREQ [REQsent] id 0 len 10
1643189: Feb 9 08:11:07.310: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643190: Feb 9 08:11:07.314: Vi6 CCP: O CONFACK [REQsent] id 0 len 10
1643191: Feb 9 08:11:07.314: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643192: Feb 9 08:11:07.330: Vi6 IPCP: I CONFREQ [REQsent] id 0 len 40
1643193: Feb 9 08:11:07.330: Vi6 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
1643194: Feb 9 08:11:07.330: Vi6 IPCP: Address 0.0.0.0 (0x030600000000)
1643195: Feb 9 08:11:07.334: Vi6 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
1643196: Feb 9 08:11:07.334: Vi6 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
1643197: Feb 9 08:11:07.334: Vi6 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
1643198: Feb 9 08:11:07.334: Vi6 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
1643199: Feb 9 08:11:07.334: Vi6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
1643200: Feb 9 08:11:07.334: Vi6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0
1643201: Feb 9 08:11:07.338: Vi6 IPCP: Pool returned 172.17.0.129
1643202: Feb 9 08:11:07.338: Vi6 IPCP: O CONFREJ [REQsent] id 0 len 10
1643203: Feb 9 08:11:07.338: Vi6 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
1643204: Feb 9 08:11:07.338: Vi6 IPCP: O CONFNAK [REQsent] id 1 len 28
1643205: Feb 9 08:11:07.338: Vi6 IPCP: Address 172.17.0.129 (0x0306AC110081)
1643206: Feb 9 08:11:07.342: Vi6 IPCP: PrimaryDNS 172.17.2.10 (0x8106AC11020A)
1643207: Feb 9 08:11:07.342: Vi6 IPCP: PrimaryWINS 172.17.2.10 (0x8206AC11020A)
1643208: Feb 9 08:11:07.342: Vi6 IPCP: SecondaryDNS 172.17.1.2 (0x8306AC110102)
1643209: Feb 9 08:11:07.342: Vi6 IPCP: O CONFACK [REQsent] id 2 len 34
1643210: Feb 9 08:11:07.342: Vi6 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
1643211: Feb 9 08:11:07.346: Vi6 IPCP: Address 172.17.0.129 (0x0306AC110081)
1643212: Feb 9 08:11:07.346: Vi6 IPCP: PrimaryDNS 172.17.2.10 (0x8106AC11020A)
1643213: Feb 9 08:11:07.346: Vi6 IPCP: PrimaryWINS 172.17.2.10 (0x8206AC11020A)
1643214: Feb 9 08:11:07.346: Vi6 IPCP: SecondaryDNS 172.17.1.2 (0x8306AC110102)
1643215: Feb 9 08:11:07.350: Vi6 IPV6CP: I CONFREQ [Not negotiated] id 0 len 14
1643216: Feb 9 08:11:07.350: Vi6 IPV6CP: Interface-Id 0218:41FF:FEAC:A676 (0x010A021841FFFEACA676)
1643217: Feb 9 08:11:07.354: Vi6 LCP: O PROTREJ [Open] id 3 len 20 protocol IPV6CP (0x80570100000E010A021841FFFEACA676)
1643218: Feb 9 08:11:07.354: Vi6 IPCP: I CONFACK [ACKsent] id 1 len 16
1643219: Feb 9 08:11:07.354: Vi6 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
1643220: Feb 9 08:11:07.354: Vi6 IPCP: Address 172.17.1.1 (0x0306AC110101)
1643221: Feb 9 08:11:07.354: Vi6 IPCP: State is Open
1643222: Feb 9 08:11:07.362: Vi6 IPCP: Install route to 172.17.0.129
1643223: Feb 9 08:11:07.362: Vi6 IPCP: Add link info for cef entry 172.17.0.129
1643224: Feb 9 08:11:07.370: Vi6 CCP: I CONFACK [ACKsent] id 1 len 10
1643225: Feb 9 08:11:07.370: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643226: Feb 9 08:11:07.370: Vi6 CCP: State is Open
1643227: Feb 9 08:11:07.490: Vi6 IPCP: I CONFREQ [Open] id 1 len 34
1643228: Feb 9 08:11:07.490: Vi6 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
1643229: Feb 9 08:11:07.490: Vi6 IPCP: Address 0.0.0.0 (0x030600000000)
1643230: Feb 9 08:11:07.494: Vi6 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
1643231: Feb 9 08:11:07.494: Vi6 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
1643232: Feb 9 08:11:07.494: Vi6 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
1643233: Feb 9 08:11:07.494: Vi6 IPCP: Ignoring predicted packet, state is Open
1643234: Feb 9 08:11:07.530: Vi6 IPCP: I CONFREQ [Open] id 2 len 34
1643235: Feb 9 08:11:07.530: Vi6 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
1643236: Feb 9 08:11:07.530: Vi6 IPCP: Address 172.17.0.129 (0x0306AC110081)
1643237: Feb 9 08:11:07.534: Vi6 IPCP: PrimaryDNS 172.17.2.10 (0x8106AC11020A)
1643238: Feb 9 08:11:07.534: Vi6 IPCP: PrimaryWINS 172.17.2.10 (0x8206AC11020A)
1643239: Feb 9 08:11:07.534: Vi6 IPCP: SecondaryDNS 172.17.1.2 (0x8306AC110102)
1643240: Feb 9 08:11:07.534: Vi6 IPCP: Ignoring predicted packet, state is Open
1643251: Feb 9 08:11:08.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to up
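The CONFREQ/CONFNAK ping-pong described in the post, and the "no debug would clearly show what was going on" problem from the Cisco VPN warning post at the top of this archive, are easier to spot with a script than by eye. Below is an added Python example (mine, not the post’s or Cisco’s) that parses debug ppp negotiation lines in the format quoted in the comment above, tracks each control protocol (LCP, IPCP, CCP, IPV6CP) per virtual-access interface, and reports whether it opened, was protocol-rejected, or stalled in a NAK loop. The success sample is a subset of the lines from the comment; the looping sample is constructed to show the failure mode, and the threshold of four NAK/REJ packets is an assumption of mine.

```python
import re
from collections import defaultdict

# One line of Cisco IOS "debug ppp negotiation" output, e.g.
#   1643188: Feb 9 08:11:07.310: Vi6 CCP: I CONFREQ [REQsent] id 0 len 10
LINE_RE = re.compile(
    r"^\d+: \w{3} +\d+ [\d:.]+: "
    r"(?P<intf>Vi\d+) (?P<proto>[A-Z0-9/]+): (?P<msg>.*)$"
)
# Direction (I = from peer, O = sent by router), packet code, state and id.
# PROTREJ carries the rejected protocol name after "protocol".
PKT_RE = re.compile(
    r"^(?P<dir>[IO]) (?P<code>CONFREQ|CONFACK|CONFNAK|CONFREJ|PROTREJ) "
    r"\[(?P<state>[^\]]+)\] id (?P<id>\d+)(?: len \d+)?(?: protocol (?P<rej>\w+))?"
)


def parse_line(line):
    """Return (interface, protocol, message) or None for lines that are not PPP debugs."""
    m = LINE_RE.match(line)
    return (m["intf"], m["proto"], m["msg"]) if m else None


def analyse(lines, nak_threshold=4):
    """Classify each (interface, control protocol) negotiation in the debug lines.

    Verdicts:
      "open"             - the protocol reached "State is Open"
      "rejected"         - LCP sent or received a PROTREJ for it (normal for IPV6CP here)
      "negotiation loop" - nak_threshold or more CONFNAK/CONFREJ without opening,
                           the CONFREQ/CONFNAK ping-pong the post describes
      "incomplete"       - CONFREQs seen but never opened (e.g. truncated log)
    """
    stats = defaultdict(lambda: {"confreq": 0, "nak_rej": 0, "open": False, "rejected": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        intf, proto, msg = ev
        pkt = PKT_RE.match(msg)
        if pkt:
            s = stats[(intf, proto)]
            if pkt["code"] == "CONFREQ":
                s["confreq"] += 1
            elif pkt["code"] in ("CONFNAK", "CONFREJ"):
                s["nak_rej"] += 1
            elif pkt["code"] == "PROTREJ" and pkt["rej"]:
                stats[(intf, pkt["rej"])]["rejected"] = True
        elif msg.startswith("State is Open"):
            stats[(intf, proto)]["open"] = True

    verdicts = {}
    for key, s in stats.items():
        if s["open"]:
            verdicts[key] = "open"
        elif s["rejected"]:
            verdicts[key] = "rejected"
        elif s["nak_rej"] >= nak_threshold:
            verdicts[key] = "negotiation loop"
        elif s["confreq"]:
            verdicts[key] = "incomplete"
    return verdicts


# Sample input: a subset of the successful negotiation quoted in the post's comment.
SUCCESS_LOG = """\
1643182: Feb 9 08:11:07.122: Vi6 IPCP: O CONFREQ [Closed] id 1 len 16
1643185: Feb 9 08:11:07.122: Vi6 CCP: O CONFREQ [Closed] id 1 len 10
1643188: Feb 9 08:11:07.310: Vi6 CCP: I CONFREQ [REQsent] id 0 len 10
1643190: Feb 9 08:11:07.314: Vi6 CCP: O CONFACK [REQsent] id 0 len 10
1643192: Feb 9 08:11:07.330: Vi6 IPCP: I CONFREQ [REQsent] id 0 len 40
1643199: Feb 9 08:11:07.334: Vi6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
1643202: Feb 9 08:11:07.338: Vi6 IPCP: O CONFREJ [REQsent] id 0 len 10
1643204: Feb 9 08:11:07.338: Vi6 IPCP: O CONFNAK [REQsent] id 1 len 28
1643209: Feb 9 08:11:07.342: Vi6 IPCP: O CONFACK [REQsent] id 2 len 34
1643215: Feb 9 08:11:07.350: Vi6 IPV6CP: I CONFREQ [Not negotiated] id 0 len 14
1643217: Feb 9 08:11:07.354: Vi6 LCP: O PROTREJ [Open] id 3 len 20 protocol IPV6CP (0x80570100000E010A021841FFFEACA676)
1643218: Feb 9 08:11:07.354: Vi6 IPCP: I CONFACK [ACKsent] id 1 len 16
1643221: Feb 9 08:11:07.354: Vi6 IPCP: State is Open
1643224: Feb 9 08:11:07.370: Vi6 CCP: I CONFACK [ACKsent] id 1 len 10
1643226: Feb 9 08:11:07.370: Vi6 CCP: State is Open
1643251: Feb 9 08:11:08.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to up
""".splitlines()

# Constructed (not from the post): the CCP ping-pong the post describes, where the
# peer NAKs every compression/encryption option the router offers and CCP never opens.
LOOP_LOG = []
for i in range(5):
    LOOP_LOG.append(f"2001: Feb 9 09:00:0{i}.000: Vi7 CCP: O CONFREQ [REQsent] id {i} len 10")
    LOOP_LOG.append(f"2002: Feb 9 09:00:0{i}.050: Vi7 CCP: I CONFNAK [REQsent] id {i} len 10")

if __name__ == "__main__":
    for label, log in (("successful negotiation", SUCCESS_LOG), ("constructed loop", LOOP_LOG)):
        print(label)
        for (intf, proto), verdict in sorted(analyse(log).items()):
            print(f"  {intf} {proto}: {verdict}")
```

Run against a full debug capture (with millisecond timestamps enabled), a protocol stuck at "negotiation loop" while LCP is already Open points at the CCP/IPCP option mismatch the post describes, which is where MPPE/MPPC and the predictive options deserve a look first.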

Posted February 9, 2009 by benryanau in Cisco, Microsoft


Windows Vista UAC delay (workaround)

The joys of consent.exe – User Account Control – stealing your life, one dialog box at a time.

A while ago I really started to get sick of the extended delay whenever Vista kicked up a UAC prompt. The delay was between 2 and 10 seconds depending on power management settings (e.g. a throttled CPU on the Power Saver profile took longer). So I poked around with ProcMon from Sysinternals to see what was going on.

All I could really see was a heap of registry access related to the audio subsystem, culminating in a "Beep" when the dialog box is finally presented.

So, I stopped the Windows Audio service. Lo and behold – INSTANT UAC PROMPT!

Now if you can explain this, I’m all ears. If you can reproduce this behaviour, I’m even more interested. Needless to say I’ve been running for a while now with no audio… when I get around to it I’ll try Norton’s beta UAC replacement tool: http://www.nortonlabs.com/inthelab/uac.php

BTW, don’t turn off UAC. UAC isn’t just a dialog box and a beep – it has a whole shedload of stuff happening behind the scenes (registry and folder virtualisation, process sandboxing etc.). If you turn it off, you will probably regret it at some point, as well as being less secure.

Posted February 3, 2009 by benryanau in Microsoft
