[VPN] Help with VPN Client 4.0.3 to PIX through A vigor internet link

Onsite DeTeWe Onsite.DeTeWe at firstgroup.com
Thu Apr 29 12:18:11 EDT 2004


Hi,

I was wondering if anyone can help with this one.

Client PC running Windows XP SP 1 and Cisco VPN client 4.0.3 connected to 
the internet using ADSL with NAT, IP address 192.168.1.1, NAT address 
xxx.xxx.xxx.xxx

PIX is behind an ADSL router (Vigor 2600 v2.5), public address 
yyy.yyy.yyy.yyy, with the PIX's 'outside' interface 192.168.0.249. Open 
ports and firewall open for UDP 500 to the PIX from the Vigor.

After running the appropriate debug I got the following result.  It does this 
with NAT traversal on or off; this is with it on.  Any ideas would be 
gratefully received, as I am rapidly coming to the end of things to try.

crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.0.249 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.0.249 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx/500 not found - peers:0

ISAKMP: larval sa found
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.0.249 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.0.249 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx/500 not found - peers:0

ISAKMP: larval sa found

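An added example, not part of the original post: a small Python parser for PIX ISAKMP debug output shaped like the log above. It reports which proposed transform matched the policy, whether port floating was detected, how many phase 1 retransmits followed, and which UDP port pairs the received packets used. The sample log is constructed (shortened, with a documentation address in place of the masked peer), and the name `summarize` and the result keys are assumptions of this example.

```python
import re
# Constructed sample modelled on the debug output in the post (two transforms, not four).
SAMPLE = """\
crypto_isakmp_process_block:src:203.0.113.10, dest:192.168.0.249 spt:500 dpt:500
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      extended auth pre-share (init)
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0:0): Detected port floating
crypto_isakmp_process_block:src:203.0.113.10, dest:192.168.0.249 spt:500 dpt:500
ISAKMP (0): retransmitting phase 1 (0)...
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|extended auth|auth|keylength of)\s+(.+)$")
BLOCK = re.compile(r"crypto_isakmp_process_block:src:(\S+), dest:(\S+) spt:(\d+) dpt:(\d+)")

def summarize(log):
    """Return the proposals, the accepted transform, and phase 1 progress markers."""
    out = {"proposals": [], "accepted": None, "port_floating": False,
           "retransmits": 0, "ports_seen": set()}
    current = None  # transform whose attribute lines are being read
    for line in log.splitlines():
        line = line.strip()
        if m := CHECK.search(line):
            current = {"transform": int(m[1]), "priority": int(m[2])}
            out["proposals"].append(current)
        elif (m := ATTR.match(line)) and current is not None:
            current[m[1].removesuffix(" of")] = m[2]
        elif "atts are" in line and current is not None:
            current["acceptable"] = "not acceptable" not in line
            out["accepted"] = current["transform"] if current["acceptable"] else out["accepted"]
            current = None
        elif m := BLOCK.search(line):
            out["ports_seen"].add((int(m[3]), int(m[4])))  # (source port, dest port)
        elif "Detected port floating" in line:  # NAT-T: IKE moves from UDP 500 to UDP 4500
            out["port_floating"] = True
        elif "retransmitting phase 1" in line:
            out["retransmits"] += 1
    return out
```

A result with `port_floating` set, a non-zero `retransmits` count and only `(500, 500)` in `ports_seen` matches the pattern in the posted log: the policy match succeeded, but every packet the PIX logged still arrived on UDP 500.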