Windows Mobile 6.1 to Cisco IOS PPTP VPN

CAVEAT: ppp lcp predictive doesn’t work on all IOS versions!

Like the rest of the world, I found Windows Mobile 6.1 would not connect to a Cisco VPDN server over PPTP.

I really needed this, so I struggled with it (for days). Finally I got it working! Sadly this means every customer I need to connect to must have this config.. grrr.

The issue seems to be the WM PPTP client is limited in its capabilities – it isn’t very flexible in what it negotiates with the server.

The main trouble was MPPE/MPPC negotiation – WM only supports stateful (or maybe only stateless but not both) MPPE.

PPP negotiation debugs showed a long back and forth CONFREQ CONFNAK sequence where WM just wouldn’t accept any offered types.

This behaviour was observed with 12.4(5b) on a c837.

Note you must use MS-CHAP-v2 only on the router. The easiest way is to use MS IAS on the server and configure that properly along with the router’s RADIUS config (another blog post later to describe how to get this working!)

In short, here’s the relevant Virtual Template config, along with some recommendations for PPTP:

vpdn-group <vpdn group>
 ! Accept PPTP dial-in and clone sessions from Virtual-Template10
 accept-dialin
  protocol pptp
  virtual-template 10
 pptp tunnel echo 30
 ip tos reflect
 ip tos 15
 ip precedence critical
 ip pmtu
 ip mtu adjust
!
interface Virtual-Template10
 mtu 1380
 ip unnumbered Ethernet0
 no ip proxy-arp
 no ip route-cache same-interface
 ip tcp header-compression
 peer default ip address pool <your IP pool>
 keepalive 20
 compress mppc
 ! Not supported on all IOS versions (see the caveat at the top)
 ppp lcp predictive
 ppp encrypt mppe 128 passive
 ! MS-CHAP-v2 only, as noted above
 ppp authentication ms-chap-v2 <your authentication list to RADIUS>
 ppp authorization <your authorization list to RADIUS>
 ppp ipcp mask 255.255.0.0
 ppp ipcp predictive
 ppp link reorders

Let me know how this works for you. And curse you MS and Cisco, so much for the ‘pledge to make products work together’.

Keywords: PPTP, VPN, VPDN, LCP, MPPC, MPPE, MS-CHAP-v2, IOS, CISCO, WM, WM6.1, Windows Mobile, compression, encryption

Comments
Ben Ryan – 13/02/2009 1:15:39 PM

This is a snip of a successful negotiation:
1643181: Feb 9 08:11:07.122: Vi6 PPP: Phase is UP
1643182: Feb 9 08:11:07.122: Vi6 IPCP: O CONFREQ [Closed] id 1 len 16
1643183: Feb 9 08:11:07.122: Vi6 IPCP: CompressType VJ 15 slots CompressSlot ID (0x0206002D0F01)
1643184: Feb 9 08:11:07.122: Vi6 IPCP: Address 172.17.1.1 (0x0306AC110101)
1643185: Feb 9 08:11:07.122: Vi6 CCP: O CONFREQ [Closed] id 1 len 10
1643186: Feb 9 08:11:07.122: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643187: Feb 9 08:11:07.126: Vi6 PPP: Process pending ncp packets
1643188: Feb 9 08:11:07.310: Vi6 CCP: I CONFREQ [REQsent] id 0 len 10
1643189: Feb 9 08:11:07.310: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643190: Feb 9 08:11:07.314: Vi6 CCP: O CONFACK [REQsent] id 0 len 10
1643191: Feb 9 08:11:07.314: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643192: Feb 9 08:11:07.330: Vi6 IPCP: I CONFREQ [REQsent] id 0 len 40
1643193: Feb 9 08:11:07.330: Vi6 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
1643194: Feb 9 08:11:07.330: Vi6 IPCP: Address 0.0.0.0 (0x030600000000)
1643195: Feb 9 08:11:07.334: Vi6 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
1643196: Feb 9 08:11:07.334: Vi6 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
1643197: Feb 9 08:11:07.334: Vi6 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
1643198: Feb 9 08:11:07.334: Vi6 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
1643199: Feb 9 08:11:07.334: Vi6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
1643200: Feb 9 08:11:07.334: Vi6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0
1643201: Feb 9 08:11:07.338: Vi6 IPCP: Pool returned 172.17.0.129
1643202: Feb 9 08:11:07.338: Vi6 IPCP: O CONFREJ [REQsent] id 0 len 10
1643203: Feb 9 08:11:07.338: Vi6 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
1643204: Feb 9 08:11:07.338: Vi6 IPCP: O CONFNAK [REQsent] id 1 len 28
1643205: Feb 9 08:11:07.338: Vi6 IPCP: Address 172.17.0.129 (0x0306AC110081)
1643206: Feb 9 08:11:07.342: Vi6 IPCP: PrimaryDNS 172.17.2.10 (0x8106AC11020A)
1643207: Feb 9 08:11:07.342: Vi6 IPCP: PrimaryWINS 172.17.2.10 (0x8206AC11020A)
1643208: Feb 9 08:11:07.342: Vi6 IPCP: SecondaryDNS 172.17.1.2 (0x8306AC110102)
1643209: Feb 9 08:11:07.342: Vi6 IPCP: O CONFACK [REQsent] id 2 len 34
1643210: Feb 9 08:11:07.342: Vi6 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
1643211: Feb 9 08:11:07.346: Vi6 IPCP: Address 172.17.0.129 (0x0306AC110081)
1643212: Feb 9 08:11:07.346: Vi6 IPCP: PrimaryDNS 172.17.2.10 (0x8106AC11020A)
1643213: Feb 9 08:11:07.346: Vi6 IPCP: PrimaryWINS 172.17.2.10 (0x8206AC11020A)
1643214: Feb 9 08:11:07.346: Vi6 IPCP: SecondaryDNS 172.17.1.2 (0x8306AC110102)
1643215: Feb 9 08:11:07.350: Vi6 IPV6CP: I CONFREQ [Not negotiated] id 0 len 14
1643216: Feb 9 08:11:07.350: Vi6 IPV6CP: Interface-Id 0218:41FF:FEAC:A676 (0x010A021841FFFEACA676)
1643217: Feb 9 08:11:07.354: Vi6 LCP: O PROTREJ [Open] id 3 len 20 protocol IPV6CP (0x80570100000E010A021841FFFEACA676)
1643218: Feb 9 08:11:07.354: Vi6 IPCP: I CONFACK [ACKsent] id 1 len 16
1643219: Feb 9 08:11:07.354: Vi6 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
1643220: Feb 9 08:11:07.354: Vi6 IPCP: Address 172.17.1.1 (0x0306AC110101)
1643221: Feb 9 08:11:07.354: Vi6 IPCP: State is Open
1643222: Feb 9 08:11:07.362: Vi6 IPCP: Install route to 172.17.0.129
1643223: Feb 9 08:11:07.362: Vi6 IPCP: Add link info for cef entry 172.17.0.129
1643224: Feb 9 08:11:07.370: Vi6 CCP: I CONFACK [ACKsent] id 1 len 10
1643225: Feb 9 08:11:07.370: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643226: Feb 9 08:11:07.370: Vi6 CCP: State is Open
1643227: Feb 9 08:11:07.490: Vi6 IPCP: I CONFREQ [Open] id 1 len 34
1643228: Feb 9 08:11:07.490: Vi6 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
1643229: Feb 9 08:11:07.490: Vi6 IPCP: Address 0.0.0.0 (0x030600000000)
1643230: Feb 9 08:11:07.494: Vi6 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
1643231: Feb 9 08:11:07.494: Vi6 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
1643232: Feb 9 08:11:07.494: Vi6 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
1643233: Feb 9 08:11:07.494: Vi6 IPCP: Ignoring predicted packet, state is Open
1643234: Feb 9 08:11:07.530: Vi6 IPCP: I CONFREQ [Open] id 2 len 34
1643235: Feb 9 08:11:07.530: Vi6 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
1643236: Feb 9 08:11:07.530: Vi6 IPCP: Address 172.17.0.129 (0x0306AC110081)
1643237: Feb 9 08:11:07.534: Vi6 IPCP: PrimaryDNS 172.17.2.10 (0x8106AC11020A)
1643238: Feb 9 08:11:07.534: Vi6 IPCP: PrimaryWINS 172.17.2.10 (0x8206AC11020A)
1643239: Feb 9 08:11:07.534: Vi6 IPCP: SecondaryDNS 172.17.1.2 (0x8306AC110102)
1643240: Feb 9 08:11:07.534: Vi6 IPCP: Ignoring predicted packet, state is Open
1643251: Feb 9 08:11:08.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to up
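
The CCP lines in the debug output above carry the MS-PPC "supported bits" word, which records whether MPPE encryption was actually agreed. The following added example (not part of the original post) decodes that word using the bit layout from RFC 3078; the function name audit_ccp and the Vi7 sample lines are constructed for illustration, and the Vi6 lines are copied from the debug output above.

```python
import re

# MS-PPC "supported bits" flags, RFC 3078 section 2.1
FLAGS = {0x00000001: "MPPC compression", 0x00000020: "MPPE 40-bit",
         0x00000040: "MPPE 128-bit", 0x00000080: "MPPE 56-bit",
         0x01000000: "MPPE stateless"}
ENCRYPTION = 0x20 | 0x40 | 0x80

CCP = re.compile(r"(Vi\d+) CCP: (.*)$")
MSG = re.compile(r"([IO]) (CONF\w+) \[")
BITS = re.compile(r"MS-PPC supported bits (0x[0-9A-Fa-f]{8})")

# Vi6 lines are copied from the post's debug output; Vi7 lines are constructed.
SAMPLE = """\
1643190: Feb 9 08:11:07.314: Vi6 CCP: O CONFACK [REQsent] id 0 len 10
1643191: Feb 9 08:11:07.314: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643224: Feb 9 08:11:07.370: Vi6 CCP: I CONFACK [ACKsent] id 1 len 10
1643225: Feb 9 08:11:07.370: Vi6 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
1643226: Feb 9 08:11:07.370: Vi6 CCP: State is Open
2000001: Feb 9 09:00:00.000: Vi7 CCP: O CONFACK [REQsent] id 0 len 10
2000002: Feb 9 09:00:00.000: Vi7 CCP: MS-PPC supported bits 0x01000040 (0x120601000040)
2000003: Feb 9 09:00:00.050: Vi7 CCP: I CONFACK [ACKsent] id 1 len 10
2000004: Feb 9 09:00:00.050: Vi7 CCP: MS-PPC supported bits 0x01000040 (0x120601000040)
2000005: Feb 9 09:00:00.050: Vi7 CCP: State is Open
"""

def audit_ccp(log_text):
    """Per interface: bits ACKed in each direction and whether MPPE is active."""
    sessions, last = {}, {}
    for line in log_text.splitlines():
        m = CCP.search(line)
        if not m:
            continue
        intf, rest = m.groups()
        s = sessions.setdefault(intf, {"acked": {}, "open": False})
        if msg := MSG.match(rest):
            last[intf] = msg.groups()  # (direction, code) of the packet being dumped
        elif (b := BITS.search(rest)) and last.get(intf, ("", ""))[1] == "CONFACK":
            s["acked"][last[intf][0]] = int(b.group(1), 16)
        elif rest.startswith("State is Open"):
            s["open"] = True
    for s in sessions.values():
        both = s["acked"].get("I", 0) & s["acked"].get("O", 0)  # agreed both ways
        s["features"] = [name for bit, name in FLAGS.items() if both & bit]
        s["encrypted"] = s["open"] and bool(both & ENCRYPTION)
    return sessions

if __name__ == "__main__":
    for intf, s in audit_ccp(SAMPLE).items():
        print(intf, s["features"], "encrypted" if s["encrypted"] else "NOT encrypted")
```

For the Vi6 session above it reports MPPC compression only, with no MPPE bit ACKed in either direction, so that link came up compressed but unencrypted. IOS also accepts `required` in place of `passive` on the `ppp encrypt mppe` line, which makes the router drop a link that does not negotiate MPPE.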


Posted February 9, 2009 by benryanau in Cisco, Microsoft
