[VPN] Re: Cisco VPN Client
Meidinger Chris
chris.meidinger at badenIT.de
Tue Jul 4 10:51:01 EDT 2006
Hi Livio,
Are you using the Cisco VPN Client with a router?
I've never tried that, but I can't imagine it would work.
Maybe someone else on the list knows for sure?
If it's not a router, what is your VPN gateway?
Chris
> -----Original Message-----
> From: Livio Zanol Puppim [mailto:livio.zanol.puppim at gmail.com]
> Sent: Tuesday, July 04, 2006 4:49 PM
> To: Meidinger Chris
> Subject: Re: [VPN] Cisco VPN Client
>
> Hi Chris, I've tried to use the following command in my Cisco router:
>
> Router1(config)#crypto isakmp nat keepalive 10
>
> There's also a "crypto isakmp keepalive" command... What
> command should I use? And what keepalive interval must I set?
> I'll try to see if the configuration worked tonight...
>
> Thx,
> Lívio Zanol Puppim
>
> 2006/7/4, Meidinger Chris <chris.meidinger at badenit.de>:
>
> Hi Livio,
>
> the following:
>
> RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
>
> seems to be the problem.
>
> If this were an L2L VPN you'd want to check your settings to see if PFS
> is missing on one side, or the DH group is wrong. For a Cisco client
> it's less standard.
>
> Is it possible that you don't have NAT traversal enabled on the
> gateway?
>
> for pix: isakmp nat-traversal $policy_number
>
> for asa: isakmp nat-traversal $keepalive_interval
>
> for vpn3000: it's somewhere in that evil web interface. Look for the
> isakmp settings.
>
> Give that a try,
>
> Chris
>
> > -----Original Message-----
> > From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com
> > [mailto:vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com] On Behalf Of Livio Zanol Puppim
> > Sent: Tuesday, July 04, 2006 2:42 AM
> > To: vpn at lists.shmoo.com
> > Subject: [VPN] Cisco VPN Client
> >
> > Hey you all!
> >
> > I'm new to the VPN world, but I'm having problems connecting a
> > PC (behind a NAT) to my VPN server (valid IP address) using the
> > Cisco VPN Client. I've already forwarded the following ports to my PC:
> >
> > 500 UDP
> > 4500 UDP (The server negotiate this port with me)
> > 5000 and 5001 TCP/UDP
> >
> > What else must I do? The VPN works normally for directly
> > connected PCs.
> >
> > I'll post the VPN client log here so you can see the problem,
> > sorry for ANOTHER Cisco VPN problem behind NAT:
> >
> > ----------------------------------------------------------------------
> >
> > Cisco Systems VPN Client Version 4.7.00.0533
> >
> > Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
> >
> > Client Type(s): Windows, WinNT
> >
> > Running on: 5.1.2600 Service Pack 2
> >
> > Config file directory: C:\Arquivos de programas\Cisco Systems\VPN Client\
> >
> > 1 21:27:26.703 07/03/06 Sev=Info/4 CM/0x63100002
> >
> > Begin connection process
> >
> > 2 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100004
> >
> > Establish secure connection using Ethernet
> >
> > 3 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100024
> >
> > Attempt connection with server " X.X.X.X"
> >
> > 4 21:27:26.718 07/03/06 Sev=Info/6 IKE/0x6300003B
> >
> > Attempting to establish a connection with X.X.X.X.
> >
> > 5 21:27:26.734 07/03/06 Sev=Info/4 IKE/0x63000013
> >
> > SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth),
> > VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X
> >
> > 6 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x6300002F
> >
> > Received ISAKMP packet: peer = X.X.X.X
> >
> > 7 21:27:26.921 07/03/06 Sev=Info/4 IKE/0x63000014
> >
> > RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd),
> > VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D,
> > NAT-D) from X.X.X.X
> >
> > 8 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> >
> > Peer is a Cisco-Unity compliant peer
> >
> > 9 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> >
> > Peer supports DPD
> >
> > 10 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> >
> > Peer supports DWR Code and DWR Text
> >
> > 11 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> >
> > Peer supports XAUTH
> >
> > 12 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> >
> > Peer supports NAT-T
> >
> > 13 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000001
> >
> > IOS Vendor ID Contruction successful
> >
> > 14 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000013
> >
> > SENDING >>> ISAKMP OAK AG *(HASH,
> > NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?),
> > VID(Unity)) to X.X.X.X
> >
> > 15 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000055
> >
> > Sent a keepalive on the IPSec SA
> >
> > 16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
> >
> > IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
> >
> > 17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
> >
> > Automatic NAT Detection Status:
> >
> > Remote end is NOT behind a NAT device
> >
> > This end IS behind a NAT device
> >
> > 18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
> >
> > Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User
> > Authenticated IKE SA in the system
> >
> > 19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
> >
> > Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User
> > Authenticated IKE SA in the system
> >
> > 20 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005E
> >
> > Client sending a firewall request to concentrator
> >
> > 21 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005D
> >
> > Firewall Policy: Product=Cisco Systems Integrated Client
> > Firewall, Capability= (Centralized Protection Policy).
> >
> > 22 21:27:26.968 07/03/06 Sev=Info/4 IKE/0x63000013
> >
> > SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
> >
> > 23 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700008
> >
> > IPSec driver successfully started
> >
> > 24 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700014
> >
> > Deleted all keys
> >
> > 25 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x6300002F
> >
> > Received ISAKMP packet: peer = X.X.X.X
> >
> > 26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
> >
> > RECEIVING <<< ISAKMP OAK INFO *(HASH,
> > NOTIFY:STATUS_RESP_LIFETIME) from X.X.X.X
> >
> > 27 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000045
> >
> > RESPONDER-LIFETIME notify has value of 86400 seconds
> >
> > 28 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000047
> >
> > This SA has already been alive for 1 seconds, setting expiry
> > to 86399 seconds from now
> >
> > 29 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300002F
> >
> > Received ISAKMP packet: peer = X.X.X.X
> >
> > 30 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000014
> >
> > RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X
> >
> > 31 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
> >
> > MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = X.X.X.X
> >
> > 32 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
> >
> > MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value =
> > 255.255.255.0
> >
> > 33 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000017
> >
> > MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY)
> > attribute and value (-256) is not supported
> >
> > 34 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
> >
> > MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value =
> > 0x00000000
> >
> > 35 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
> >
> > MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of
> > split_nets), value = 0x00000007
> >
> > 36 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> >
> > SPLIT_NET #1
> >
> > subnet = X.X.X.X
> >
> > mask = 255.255.255.0
> >
> > protocol = 0
> >
> > src port = 0
> >
> > dest port=0
> >
> > 37 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> >
> > SPLIT_NET #2
> >
> > subnet = X.X.X.X
> >
> > mask = 255.255.0.0
> >
> > protocol = 0
> >
> > src port = 0
> >
> > dest port=0
> >
> > 38 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> >
> > SPLIT_NET #3
> >
> > subnet = X.X.X.X
> >
> > mask = 255.255.0.0
> >
> > protocol = 0
> >
> > src port = 0
> >
> > dest port=0
> >
> > 39 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> >
> > SPLIT_NET #4
> >
> > subnet = X.X.X.X
> >
> > mask = 255.255.0.0
> >
> > protocol = 0
> >
> > src port = 0
> >
> > dest port=0
> >
> > 40 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> >
> > SPLIT_NET #5
> >
> > subnet = X.X.X.X
> >
> > mask = 255.255.0.0
> >
> > protocol = 0
> >
> > src port = 0
> >
> > dest port=0
> >
> > 41 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> >
> > SPLIT_NET #6
> >
> > subnet = X.X.X.X
> >
> > mask = 255.255.0.0
> >
> > protocol = 0
> >
> > src port = 0
> >
> > dest port=0
> >
> > 42 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> >
> > SPLIT_NET #7
> >
> > subnet = X.X.X.X
> >
> > mask = 255.255.0.0
> >
> > protocol = 0
> >
> > src port = 0
> >
> > dest port=0
> >
> > 43 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000015
> >
> > MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME
> > attribute with no data
> >
> > 44 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000E
> >
> > MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value =
> > Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M),
> > Version 12.4(7a), RELEASE SOFTWARE (fc3)
> >
> > Technical Support: http://www.cisco.com/techsupport
> >
> > Copyright (c) 1986-2006 by Cisco Systems, Inc.
> >
> > Compiled Tue 25-Apr-06 02:54 by ssearch
> >
> > 45 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
> >
> > MODE_CFG_REPLY: Attribute = Received and using NAT-T port
> > number , value = 0x00001194
> >
> > 46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019
> >
> > Mode Config data received
> >
> > 47 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000056
> >
> > Received a key request from Driver: Local IP = Y.Y.Y.Y, GW IP
> > = X.X.X.X, Remote IP = 0.0.0.0
> >
> > 48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
> >
> > SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
> >
> > 49 21:27:27.312 07/03/06 Sev=Info/5 IKE/0x6300002F
> >
> > Received ISAKMP packet: peer = X.X.X.X
> >
> > 50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
> >
> > RECEIVING <<< ISAKMP OAK INFO *(HASH,
> > NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
> >
> > 51 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000013
> >
> > SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to X.X.X.X
> >
> > 52 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000049
> >
> > Discarding IPsec SA negotiation, MsgID=9C889DF0
> >
> > 53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
> >
> > Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7
> > R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
> >
> > 54 21:27:27.484 07/03/06 Sev=Info/4 IPSEC/0x63700014
> >
> > Deleted all keys
> >
> > 55 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x6300004B
> >
> > Discarding IKE SA negotiation (I_Cookie=4A3797BB0E9DACC7
> > R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
> >
> > 56 21:27:30.453 07/03/06 Sev=Info/4 CM/0x63100012
> >
> > Phase 1 SA deleted before first Phase 2 SA is up cause by
> > "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User
> > Authenticated IKE SA in the system
> >
> > 57 21:27:30.453 07/03/06 Sev=Info/5 CM/0x63100025
> >
> > Initializing CVPNDrv
> >
> > 58 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x63000001
> >
> > IKE received signal to terminate VPN connection
> >
> > 59 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
> >
> > Deleted all keys
> >
> > 60 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
> >
> > Deleted all keys
> >
> > 61 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
> >
> > Deleted all keys
> >
> > 62 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x6370000A
> >
> > IPSec driver successfully stopped
> >
> >
> >
> > ----------------------------------------------------------------------
> > Resumed log:
> >
> > 2 21:20:47.953 07/03/06 Sev=Warning/3 IKE/0xA3000029
> > No keys are available to decrypt the received ISAKMP payload
> >
> >
> >
> > Thank you all! :)
> > []'s
> >
>
More information about the VPN mailing list
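Chris reads Livio's client log by eye. As an added example (mine, not code from the thread, from Cisco or from the list), the Python script below does the same reading mechanically: it parses the client's numbered events, reports whether each end was detected behind NAT and which UDP port IKE actually ran on, and records which exchange this end had just sent when the NO_PROPOSAL_CHOSEN notify arrived. In the quoted log that is the Quick Mode proposal sent after the phase 1 SA and mode config completed, so the script separates a phase 1 ISAKMP policy mismatch from a phase 2 IPsec proposal mismatch. The event format is assumed from the log quoted above; SAMPLE_LOG and WARNING_LOG are constructed from lines quoted in the thread with the peer address left as X.X.X.X, and the wording in diagnosis() is my reading of the exchange types, not something the thread states.

```python
"""Triage a pasted Cisco VPN Client 4.x IKE log (added example, not from the thread or Cisco).
Assumed format, as in the log quoted above: a header line "<n> <time> <date>
Sev=<sev>/<lvl> <component>/<hex code>" followed by one or more message lines.
SAMPLE_LOG and WARNING_LOG are constructed from lines quoted in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = re.compile(
    r"^(?P<num>\d+)\s+\S+\s+\d\d/\d\d/\d\d\s+Sev=(?P<sev>\w+)/\d\s+\w+/0x[0-9A-Fa-f]{8}$"
)
SENDING = re.compile(r"SENDING >>> ISAKMP OAK (\w+)")  # exchange type: AG, MM, TRANS, QM, INFO
LOCAL_PORT = re.compile(r"Local Port = 0x([0-9A-Fa-f]+)")

@dataclass
class Event:
    num: int
    sev: str
    msg: str = ""

def parse_log(text: str) -> List[Event]:
    """Group header + message lines into events; leading '> ' mail quoting is tolerated."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            events.append(Event(int(m["num"]), m["sev"]))
        elif events:  # continuation of the current event's message
            events[-1].msg = (events[-1].msg + " " + line).strip()
    return events

@dataclass
class Triage:
    phase1_established: bool = False
    mode_config_received: bool = False
    local_behind_nat: Optional[bool] = None
    remote_behind_nat: Optional[bool] = None
    ike_port: Optional[int] = None           # UDP port IKE ran on; 4500 means NAT-T is in use
    rejected_exchange: Optional[str] = None  # what this end sent just before NO_PROPOSAL_CHOSEN
    warnings: List[str] = field(default_factory=list)

    def diagnosis(self) -> str:
        if self.rejected_exchange in ("AG", "MM"):
            return "phase 1 rejected: ISAKMP policy mismatch (encryption, hash, auth, DH group)"
        if self.rejected_exchange == "QM":
            return ("phase 2 rejected: IKE SA and mode config completed, peer refused the "
                    "IPsec proposal (transform set, PFS group or proxy identities)")
        return "no proposal rejection seen" if self.phase1_established else "phase 1 never completed"

def triage(events: List[Event]) -> Triage:
    """Walk the events in order and record how far the negotiation got."""
    t = Triage()
    last_sent: Optional[str] = None
    for ev in events:
        m = SENDING.search(ev.msg)
        if m:
            last_sent = m.group(1)
        if "Established Phase 1 SA" in ev.msg:
            t.phase1_established = True
        if "Mode Config data received" in ev.msg:
            t.mode_config_received = True
        if "Automatic NAT Detection Status" in ev.msg:
            t.remote_behind_nat = "Remote end is NOT behind" not in ev.msg
            t.local_behind_nat = "This end is NOT behind" not in ev.msg
        pm = LOCAL_PORT.search(ev.msg)
        if pm:
            t.ike_port = int(pm.group(1), 16)
        if ev.msg.startswith("RECEIVING") and "NOTIFY:NO_PROPOSAL_CHOSEN" in ev.msg:
            t.rejected_exchange = last_sent
        if ev.sev == "Warning":
            t.warnings.append(ev.msg)
    return t

# Constructed subset of the client log quoted in the thread (peer address masked).
SAMPLE_LOG = """\
16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019
Mode Config data received
48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7 R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
"""

WARNING_LOG = """\
2 21:20:47.953 07/03/06 Sev=Warning/3 IKE/0xA3000029
No keys are available to decrypt the received ISAKMP payload
"""
```

Run it as `triage(parse_log(text))` on the whole pasted log (the `> >` quoting is stripped, so the text can be copied straight out of the archive). On SAMPLE_LOG it reports local NAT detected, the remote not behind NAT, IKE on UDP 4500, and the NO_PROPOSAL_CHOSEN answering the QM exchange; on WARNING_LOG it reports no completed phase 1 and surfaces the "No keys are available" warning, which is the client receiving an encrypted ISAKMP packet for an IKE SA it no longer holds keys for.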