I took this from http://ubuntuforums.org/showpost.php?p=8261958&postcount=6
There are so many variations on these VPN implementations that it is extremely difficult to generalize a known-good configuration for each.
Install from the various VPN components
Reboot
PPTP VPN Configuration - This setup works for connecting to ISA 2004/2006 PPTP VPNs. It should work for connecting to MS PPTP VPN implementations in general. I can't speak for other PPTP VPN implementations.
VPNC VPN Configuration - This setup works connecting to an ASA5510 - software version 8.2(1). I didn't have any other Cisco devices to test against.
There are so many variations on these VPN implementations that it is extremely difficult to generalize a known-good configuration for each.
- PPTP (Microsoft VPN)
- pptp-linux
- network-manager-pptp
- vpnc
- network-manager-vpnc
c. OpenConnect- openconnect
- network-manager-openconnect
- Create new PPTP connection
- VPN Tab Settings
- Set Connection name
- Set Gateway
- Set username (for domain-based user accounts, use domain\username)
- DO NOT SET PASSWORD
- DO NOT SET NT DOMAIN
- PPTP Advanced Options (Advanced button)
- uncheck all auth methods EXCEPT MSCHAPv2
- check "Use Point-to-Point encryption (MPPE)"
- leave Security set at "All Available (Default)"
- trying to force encryption level causes this option to become unset
- check "Allow stateful inspection"
- uncheck "Allow BSD Data Compression"
- uncheck "Allow Deflate Data Compression"
- uncheck "Use TCP Header Compression"
- uncheck "Send PPP Echo Packets" (although connection works either checked or unchecked)
- save configuration
- enter password in login box
- DO NOT check either password save box at this time
- once connection establishes, verify remote connectivity - ping, rdp, ssh, etc.
- disconnect VPN session
- enter password in login box
- check both password save option boxes
- once again verify remote connectivity
- disconnect VPN session
- VPN session should automatically connect using saved auth credentials
- Create new VPNC connection
- set connection name
- set Gateway
- set Group Name
- set User Password to "Saved" and enter password
- set Group Password to "Saved" and enter password
- set username
- set domain (if applicable)
- leave Encryption Method at "Secure (Default)"
- set NAT traversal to "NAT-T"
- save configuration
- open VPNC connection
- if prompted, select "Always Allow" if you want connection to be automatic
- verify remote connectivity - ping, rdp, ssh, etc.
- disconnect VPN session
- open VPNC connection - session should automatically connect
OpenConnect VPN Configuration - This setup works connecting to an ASA5510 - software version 8.2(1). I didn't have any other Cisco devices to test against.
Create new OpenConnect connection- set connection name
- set Gateway
- set Authentication type to "Password/SecurID"
no need to set username, OpenConnect won't store it yet- save configuration
- open VPN connection
- check "Automatically start connecting next time"
- click Close
- you will get the "No Valid VPN Secrets" VPN failure message
- open VPN connection
- accept certificate (if prompted)
- change Group (if necessary)
- enter username (may need to be domain\username)
- enter password
- click Login
- if VPN connection fails, see note below
- verify remote connectivity - ping, rdp, ssh, etc.
- disconnect session
- open VPN connection
- enter password
- session should connect
Note: If you get the "Login Failed" message, cancel and wait 15-30 minutes before attempting to connect again. Also, I ended up having to use the NT style domain\username pair for authentication, even though a Cisco AnyConnect client connecting to the same ASA only requires username.
More Detail: OpenConnect has been brutal to get connected. I got failed attempt after failed attempt. When I checked the NPS (IAS) log and the Security Event log on the W2K8 domain controller, I could see my user account authenticating properly via RADIUS from the ASA. Yet the OpenConnect client came back with a "Login Failed" message. I'm not an ASA expert, so I have no idea what to check in the ASA configuration to troubleshoot this problem, other than the basic AAA configuration. But I believe the problem lies in the ASA configuration because when I get the OpenConnect "Login Failed" message, the AnyConnect client from my Windows laptop fails as well. I think it may be a ridiculously short timeout or max failure setting. Whatever the issue is, I have to wait for some length of time (~15-30 minutes) for whatever the problem is to reset.
However, once I finally get the OpenConnect client to successfully connect, it worked from then on. (Just don't mess with the connection configuration, or you will get to go thru this whole process again.)
Comments
Cheers.