[VPN] Cisco VPN Client
Livio Zanol Puppim
livio.zanol.puppim at gmail.com
Mon Jul 3 20:41:53 EDT 2006
Hey you all!

I'm new to the VPN world, but I'm having problems connecting a PC (behind a NAT)
to my VPN server (valid IP address) using Cisco VPN Client. I've already
forwarded the following ports to my PC:

500 UDP
4500 UDP (the server negotiates this port with me)
5000 and 5001 TCP/UDP

What else must I do? The VPN works normally for directly connected PCs.
I'll post the VPN client log here so you can see the problem. Sorry for
ANOTHER Cisco VPN problem behind NAT:
------------------------------------------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 4.7.00.0533
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Arquivos de programas\Cisco Systems\VPN Client\
1 21:27:26.703 07/03/06 Sev=Info/4 CM/0x63100002
Begin connection process
2 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
3 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "*X.X.X.X*"
4 21:27:26.718 07/03/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with* X.X.X.X*.
5 21:27:26.734 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to *X.X.X.X
*
6 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = *X.X.X.X
*
7 21:27:26.921 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth),
VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from *X.X.X.X
*
8 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
9 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD
10 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
11 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
12 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
13 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
14 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D,
NAT-D, VID(?), VID(Unity)) to *X.X.X.X
*
15 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA
in the system
19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA
in the system
20 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
21 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall,
Capability= (Centralized Protection Policy).
22 21:27:26.968 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *X.X.X.X
*
23 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
24 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
25 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = *X.X.X.X
*
26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from *
X.X.X.X
*
27 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
28 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399
seconds from now
29 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = *X.X.X.X
*
30 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *X.X.X.X
*
31 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = *X.X.X.X
*
32 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
33 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000017
MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value
(-256) is not supported
34 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
35 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets),
value = 0x00000007
36 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = *X.X.X.X*
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
37 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #2
subnet = *X.X.X.X
*
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
38 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #3
subnet = *X.X.X.X
*
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
39 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #4
subnet = *X.X.X.X*
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
40 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #5
subnet = *X.X.X.X
*
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
41 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #6
subnet = *X.X.X.X*
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
42 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #7
subnet = *X.X.X.X*
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
43 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME attribute with no data
44 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS Software,
3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(7a), RELEASE SOFTWARE
(fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 25-Apr-06 02:54 by ssearch
45 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value =
0x00001194
46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019
Mode Config data received
47 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = *Y.Y.Y.Y*, GW IP = *X.X.X.X*,
Remote IP = *0.0.0.0
*
48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to *X.X.X.X
*
49 21:27:27.312 07/03/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = *X.X.X.X
*
50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from *
X.X.X.X
*
51 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to *X.X.X.X
*
52 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=9C889DF0
53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7
R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
54 21:27:27.484 07/03/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
55 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=4A3797BB0E9DACC7
R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
56 21:27:30.453 07/03/06 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by
"DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated
IKE SA in the system
57 21:27:30.453 07/03/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
58 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
59 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
60 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
61 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
62 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
--------------------------------------------------------------------------------------------------------------------------------------
Resumed log:
2 21:20:47.953 07/03/06 Sev=Warning/3 IKE/0xA3000029
No keys are available to decrypt the received ISAKMP payload
Thank you all! :)
[]'s
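A small triage script for the client log format shown in this post, added here as an example (it is not part of the original message and not Cisco code). It reports how far the IKE exchange got and which notify the peer answered with; the function names are hypothetical and the sample lines are condensed from the log above.

```python
import re

# Entry header of the log format in the post: <seq> <time> <date> Sev=<level>/<n> <module>/<id>
HEADER = re.compile(r"^(\d+)\s+[\d:.]+\s+[\d/]+\s+Sev=(\w+)/\d\s+(\w+)/(0x[0-9A-Fa-f]+)$")
PORTS = re.compile(r"Local Port = (0x[0-9A-Fa-f]+), Remote Port = (0x[0-9A-Fa-f]+)")
# Lines condensed from the log in the post (addresses were already masked there).
SAMPLE = """\
16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
This end IS behind a NAT device
18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA
in the system
26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from X.X.X.X
48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
"""

def parse_entries(text):
    """Attach each message line to the numbered header line that precedes it."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "module": m.group(3), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage(entries):
    """Report how far the IKE exchange got and which notify the peer rejected it with."""
    r = {"phase1_up": False, "client_behind_nat": False, "ike_ports": None,
         "quick_mode_sent": False, "peer_errors": [], "failed_stage": None}
    for msg in (e["msg"] for e in entries):
        r["phase1_up"] |= "Established Phase 1 SA" in msg
        r["client_behind_nat"] |= "This end IS behind a NAT device" in msg
        r["quick_mode_sent"] |= msg.startswith("SENDING") and "ISAKMP OAK QM" in msg
        if (p := PORTS.search(msg)):
            r["ike_ports"] = tuple(int(x, 16) for x in p.groups())  # hex -> decimal
        if msg.startswith("RECEIVING"):  # STATUS_* notifies are informational
            r["peer_errors"] += [n for n in re.findall(r"NOTIFY:(\w+)", msg) if not n.startswith("STATUS_")]
    if r["peer_errors"]:
        r["failed_stage"] = "phase2" if r["phase1_up"] and r["quick_mode_sent"] else "phase1"
    return r
```

Run over the lines above, `triage(parse_entries(SAMPLE))` shows Phase 1 established with both IKE ports at UDP 4500 (0x1194), and the peer answering the Quick Mode request with NO_PROPOSAL_CHOSEN.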