[VPN] Re: Cisco VPN Client

Meidinger Chris chris.meidinger at badenIT.de
Tue Jul 4 10:51:01 EDT 2006


Hi Livio,

Are you using the Cisco VPN Client with a router??

I've never tried that, but I can't imagine it would work.

Maybe someone else on the list knows for sure?

If it's not a router, what is your VPN gateway?

Chris

> -----Original Message-----
> From: Livio Zanol Puppim [mailto:livio.zanol.puppim at gmail.com] 
> Sent: Tuesday, July 04, 2006 4:49 PM
> To: Meidinger Chris
> Subject: Re: [VPN] Cisco VPN Client
> 
> Hi Chris, I've tried to use the following command in my cisco router:
> 
> Router1(config)#crypto isakmp nat keepalive 10
> 
> There's also a "crypto isakmp keepalive" command... What 
> command should I use? And what keepalive interval must I set? 
> I'll try to see if the configuration worked tonight... 
> 
> Thx,
> Lívio Zanol Puppim
> 
> 
> 
> 
> 
> 2006/7/4, Meidinger Chris <chris.meidinger at badenit.de>:
> 
> 	Hi Livio,
> 	
> 	the following:
> 	
> 	RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from
> 	X.X.X.X
> 	
> 	seems to be the problem.
> 	
> 	If this were a L2L-VPN you'd want to check your settings to see if pfs
> 	is missing on one side, or the dh-group is wrong. For a Cisco-client
> 	it's less standard.
> 	
> 	Is it possible that you don't have nat-traversal enabled on the
> 	gateway??
> 	
> 	for pix: isakmp nat-traversal $policy_number 
> 	
> 	for asa: isakmp nat-traversal $keepalive_interval
> 	
> 	for vpn3000: it's somewhere in that evil web-interface. look for the
> 	isakmp settings.
> 	
> 	Give that a try,
> 	
> 	Chris
> 	
> 	> -----Original Message----- 
> 	> From: vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com
> 	> [mailto:vpn-bounces+chris.meidinger=badenit.de at lists.shmoo.com]
> 	> On Behalf Of Livio Zanol Puppim
> 	> Sent: Tuesday, July 04, 2006 2:42 AM
> 	> To: vpn at lists.shmoo.com
> 	> Subject: [VPN] Cisco VPN Client
> 	>
> 	> Hey you all! 
> 	>
> 	> I'm new to the VPN world, but I'm having problems connecting a
> 	> PC (behind a NAT) to my VPN server (valid IP address) using
> 	> Cisco VPN Client. I've already forwarded the following ports to my PC:
> 	>
> 	> 500 UDP
> 	> 4500 UDP (The server negotiates this port with me)
> 	> 5000 and 5001 TCP/UDP
> 	>
> 	> What else must I do? The VPN works normally for directly
> 	> connected PCs.
> 	>
> 	> I'll post the VPN client log here so you can see the problem, 
> 	> sorry for ANOTHER cisco VPN problem behind NAT:
> 	>
> 	> ------------------------------------------------------------------------------------------------------------------------------------------------
> 	>
> 	> Cisco Systems VPN Client Version 4.7.00.0533
> 	>
> 	> Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
> 	>
> 	> Client Type(s): Windows, WinNT
> 	>
> 	> Running on: 5.1.2600 Service Pack 2
> 	>
> 	> Config file directory: C:\Arquivos de programas\Cisco
> 	> Systems\VPN Client\
> 	>
> 	> 1 21:27:26.703 07/03/06 Sev=Info/4 CM/0x63100002
> 	>
> 	> Begin connection process
> 	>
> 	> 2 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100004
> 	>
> 	> Establish secure connection using Ethernet
> 	>
> 	> 3 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100024
> 	>
> 	> Attempt connection with server " X.X.X.X"
> 	>
> 	> 4 21:27:26.718 07/03/06 Sev=Info/6 IKE/0x6300003B
> 	>
> 	> Attempting to establish a connection with X.X.X.X.
> 	>
> 	> 5 21:27:26.734 07/03/06 Sev=Info/4 IKE/0x63000013
> 	>
> 	> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth),
> 	> VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X
> 	>
> 	> 6 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x6300002F
> 	>
> 	> Received ISAKMP packet: peer = X.X.X.X
> 	>
> 	> 7 21:27:26.921 07/03/06 Sev=Info/4 IKE/0x63000014
> 	>
> 	> RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd),
> 	> VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D,
> 	> NAT-D) from X.X.X.X
> 	>
> 	> 8 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> 	>
> 	> Peer is a Cisco-Unity compliant peer
> 	>
> 	> 9 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> 	>
> 	> Peer supports DPD
> 	>
> 	> 10 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> 	>
> 	> Peer supports DWR Code and DWR Text
> 	>
> 	> 11 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> 	>
> 	> Peer supports XAUTH 
> 	>
> 	> 12 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> 	>
> 	> Peer supports NAT-T
> 	>
> 	> 13 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000001
> 	>
> 	> IOS Vendor ID Contruction successful 
> 	>
> 	> 14 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000013
> 	>
> 	> SENDING >>> ISAKMP OAK AG *(HASH,
> 	> NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?),
> 	> VID(Unity)) to X.X.X.X
> 	>
> 	> 15 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000055
> 	>
> 	> Sent a keepalive on the IPSec SA
> 	>
> 	> 16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
> 	>
> 	> IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194 
> 	>
> 	> 17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
> 	>
> 	> Automatic NAT Detection Status:
> 	>
> 	> Remote end is NOT behind a NAT device
> 	>
> 	> This end IS behind a NAT device
> 	>
> 	> 18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
> 	>
> 	> Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User
> 	> Authenticated IKE SA in the system
> 	>
> 	> 19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E 
> 	>
> 	> Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User
> 	> Authenticated IKE SA in the system
> 	>
> 	> 20 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005E
> 	>
> 	> Client sending a firewall request to concentrator 
> 	>
> 	> 21 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005D
> 	>
> 	> Firewall Policy: Product=Cisco Systems Integrated Client
> 	> Firewall, Capability= (Centralized Protection Policy).
> 	>
> 	> 22 21:27:26.968 07/03/06 Sev=Info/4 IKE/0x63000013
> 	>
> 	> SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
> 	>
> 	> 23 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700008
> 	>
> 	> IPSec driver successfully started 
> 	>
> 	> 24 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700014
> 	>
> 	> Deleted all keys
> 	>
> 	> 25 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x6300002F
> 	>
> 	> Received ISAKMP packet: peer = X.X.X.X 
> 	>
> 	> 26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
> 	>
> 	> RECEIVING <<< ISAKMP OAK INFO *(HASH,
> 	> NOTIFY:STATUS_RESP_LIFETIME) from X.X.X.X
> 	>
> 	> 27 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000045 
> 	>
> 	> RESPONDER-LIFETIME notify has value of 86400 seconds
> 	>
> 	> 28 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000047
> 	>
> 	> This SA has already been alive for 1 seconds, setting expiry
> 	> to 86399 seconds from now 
> 	>
> 	> 29 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300002F
> 	>
> 	> Received ISAKMP packet: peer = X.X.X.X
> 	>
> 	> 30 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000014
> 	>
> 	> RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X
> 	>
> 	> 31 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
> 	>
> 	> MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = X.X.X.X
> 	>
> 	> 32 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010 
> 	>
> 	> MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value =
> 	> 255.255.255.0
> 	>
> 	> 33 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000017
> 	>
> 	> MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) 
> 	> attribute and value (-256) is not supported
> 	>
> 	> 34 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
> 	>
> 	> MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value =
> 	> 0x00000000
> 	> 
> 	> 35 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
> 	>
> 	> MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of
> 	> split_nets), value = 0x00000007
> 	>
> 	> 36 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F 
> 	>
> 	> SPLIT_NET #1
> 	>
> 	> subnet = X.X.X.X
> 	>
> 	> mask = 255.255.255.0
> 	>
> 	> protocol = 0
> 	>
> 	> src port = 0
> 	>
> 	> dest port=0
> 	>
> 	> 37 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> 	>
> 	> SPLIT_NET #2
> 	>
> 	> subnet = X.X.X.X
> 	>
> 	> mask = 255.255.0.0
> 	>
> 	> protocol = 0 
> 	>
> 	> src port = 0
> 	>
> 	> dest port=0
> 	>
> 	> 38 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> 	>
> 	> SPLIT_NET #3
> 	>
> 	> subnet = X.X.X.X
> 	>
> 	> mask = 255.255.0.0
> 	>
> 	> protocol = 0
> 	>
> 	> src port = 0
> 	>
> 	> dest port=0
> 	>
> 	> 39 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> 	>
> 	> SPLIT_NET #4
> 	>
> 	> subnet = X.X.X.X
> 	>
> 	> mask = 255.255.0.0
> 	>
> 	> protocol = 0
> 	>
> 	> src port = 0
> 	>
> 	> dest port=0
> 	>
> 	> 40 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F 
> 	>
> 	> SPLIT_NET #5
> 	>
> 	> subnet = X.X.X.X
> 	>
> 	> mask = 255.255.0.0
> 	>
> 	> protocol = 0
> 	>
> 	> src port = 0
> 	>
> 	> dest port=0
> 	> 
> 	> 41 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> 	>
> 	> SPLIT_NET #6
> 	>
> 	> subnet = X.X.X.X
> 	>
> 	> mask = 255.255.0.0
> 	>
> 	> protocol = 0
> 	>
> 	> src port = 0
> 	>
> 	> dest port=0
> 	>
> 	> 42 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> 	>
> 	> SPLIT_NET #7
> 	>
> 	> subnet = X.X.X.X
> 	>
> 	> mask = 255.255.0.0
> 	>
> 	> protocol = 0
> 	>
> 	> src port = 0
> 	>
> 	> dest port=0
> 	>
> 	> 43 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000015
> 	>
> 	> MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME 
> 	> attribute with no data
> 	>
> 	> 44 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000E
> 	>
> 	> MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value =
> 	> Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), 
> 	> Version 12.4(7a), RELEASE SOFTWARE (fc3)
> 	>
> 	> Technical Support: http://www.cisco.com/techsupport
> 	>
> 	> Copyright (c) 1986-2006 by Cisco Systems, Inc. 
> 	>
> 	> Compiled Tue 25-Apr-06 02:54 by ssearch
> 	>
> 	> 45 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
> 	>
> 	> MODE_CFG_REPLY: Attribute = Received and using NAT-T port
> 	> number , value = 0x00001194 
> 	>
> 	> 46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019
> 	>
> 	> Mode Config data received
> 	>
> 	> 47 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000056
> 	>
> 	> Received a key request from Driver: Local IP = Y.Y.Y.Y, GW IP
> 	> = X.X.X.X, Remote IP = 0.0.0.0
> 	>
> 	> 48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
> 	>
> 	> SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
> 	>
> 	> 49 21:27:27.312 07/03/06 Sev=Info/5 IKE/0x6300002F
> 	>
> 	> Received ISAKMP packet: peer = X.X.X.X
> 	>
> 	> 50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
> 	>
> 	> RECEIVING <<< ISAKMP OAK INFO *(HASH, 
> 	> NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
> 	>
> 	> 51 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000013
> 	>
> 	> SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to X.X.X.X
> 	>
> 	> 52 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000049
> 	>
> 	> Discarding IPsec SA negotiation, MsgID=9C889DF0
> 	>
> 	> 53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
> 	>
> 	> Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7 
> 	> R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
> 	>
> 	> 54 21:27:27.484 07/03/06 Sev=Info/4 IPSEC/0x63700014
> 	>
> 	> Deleted all keys
> 	>
> 	> 55 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x6300004B 
> 	>
> 	> Discarding IKE SA negotiation (I_Cookie=4A3797BB0E9DACC7
> 	> R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
> 	>
> 	> 56 21:27:30.453 07/03/06 Sev=Info/4 CM/0x63100012
> 	>
> 	> Phase 1 SA deleted before first Phase 2 SA is up cause by
> 	> "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User
> 	> Authenticated IKE SA in the system
> 	>
> 	> 57 21:27:30.453 07/03/06 Sev=Info/5 CM/0x63100025 
> 	>
> 	> Initializing CVPNDrv
> 	>
> 	> 58 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x63000001
> 	>
> 	> IKE received signal to terminate VPN connection
> 	>
> 	> 59 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014 
> 	>
> 	> Deleted all keys
> 	>
> 	> 60 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
> 	>
> 	> Deleted all keys
> 	>
> 	> 61 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
> 	>
> 	> Deleted all keys 
> 	>
> 	> 62 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x6370000A
> 	>
> 	> IPSec driver successfully stopped
> 	>
> 	>
> 	>
> 	> ------------------------------------------------------------------------------------------------------------------------------------------------
> 	> Resumed log:
> 	>
> 	> 2      21:20:47.953  07/03/06  Sev=Warning/3 IKE/0xA3000029
> 	> No keys are available to decrypt the received ISAKMP payload
> 	>
> 	>
> 	>
> 	> Thank you all! :) 
> 	> []'s
> 	>
> 	
> 
> 
> 
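The thread reads the client log by eye, so here is an added example, written for this page and not code from either poster or from Cisco, that parses the Cisco VPN Client log format quoted above and classifies where the IKE negotiation broke. The quoted log already shows three things a practitioner would want pinned down before changing keepalive or nat-traversal settings: both ends ended up on IKE port 0x1194 (UDP/4500, so NAT-T was negotiated and the client detected itself behind a NAT), Phase 1 completed (entries 18 and 19), and NO_PROPOSAL_CHOSEN arrived in an informational exchange only after the client sent its Quick Mode proposal (entry 48), which places the rejection in the Phase 2 (IPsec SA) proposal exchange. The parser distinguishes that from the benign STATUS_RESP_LIFETIME notify and from a Phase 1 rejection. The embedded log is a constructed, condensed copy of the quoted entries; the header regex, the dataclasses and the classification labels are this example's own assumptions, not anything the client or IOS emits.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# IKE NAT-Traversal moves ISAKMP from UDP/500 to UDP/4500 (0x1194 in the log).
NAT_T_PORT = 4500

# Constructed sample: a condensed copy of the Cisco VPN Client 4.7 log quoted
# in the thread. Entry numbers, timestamps and message codes keep the real
# layout; X.X.X.X is the poster's own placeholder for the gateway address.
SAMPLE_LOG = """\
5 21:27:26.734 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X
7 21:27:26.921 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from X.X.X.X
12 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from X.X.X.X
48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7 R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Entry header: "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<level>/<n> <component>/<0xcode>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+/\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]{8})$"
)
EXCHANGE_RE = re.compile(r"(SENDING >>>|RECEIVING <<<) ISAKMP OAK (\w+) \*?\((.*?)\) (?:to|from) ")
PORTS_RE = re.compile(r"Local Port = (0x[0-9A-Fa-f]+), Remote Port = (0x[0-9A-Fa-f]+)")
NAT_RE = re.compile(r"(This|Remote) end (IS|is NOT) behind a NAT device")
DELETE_RE = re.compile(r"Marking IKE SA for deletion .*reason = (\w+)")


@dataclass
class Entry:
    seq: int
    time: str
    severity: str
    component: str
    code: str
    lines: List[str] = field(default_factory=list)

    @property
    def message(self) -> str:
        return " ".join(self.lines)


@dataclass
class Diagnosis:
    phase1_established: bool = False
    quick_mode_sent: bool = False
    peer_supports_nat_t: bool = False
    local_behind_nat: Optional[bool] = None
    remote_behind_nat: Optional[bool] = None
    ike_ports: Optional[tuple] = None
    notifies: list = field(default_factory=list)   # (seq, exchange, notify) received
    deletion_reason: Optional[str] = None
    failure: Optional[str] = None

    @property
    def nat_t_negotiated(self) -> bool:
        return self.ike_ports == (NAT_T_PORT, NAT_T_PORT)


def parse_entries(text: str) -> List[Entry]:
    """Group each header line with the message lines that follow it."""
    entries: List[Entry] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Entry(int(m["seq"]), m["time"], m["sev"], m["comp"], m["code"])
            entries.append(current)
        elif current is not None:
            current.lines.append(line)
    return entries


def diagnose(entries: List[Entry]) -> Diagnosis:
    """Walk the negotiation in order and place any NO_PROPOSAL_CHOSEN in Phase 1 or Phase 2."""
    d = Diagnosis()
    for e in entries:
        msg = e.message
        if "Established Phase 1 SA" in msg:
            d.phase1_established = True
        if "Peer supports NAT-T" in msg:
            d.peer_supports_nat_t = True
        if m := PORTS_RE.search(msg):
            d.ike_ports = (int(m.group(1), 16), int(m.group(2), 16))
        for m in NAT_RE.finditer(msg):
            behind = m.group(2) == "IS"
            if m.group(1) == "This":
                d.local_behind_nat = behind
            else:
                d.remote_behind_nat = behind
        if m := EXCHANGE_RE.search(msg):
            direction, exchange, payloads = m.groups()
            if direction.startswith("SENDING") and exchange == "QM":
                d.quick_mode_sent = True   # client offered its IPsec (Phase 2) proposal
            if direction.startswith("RECEIVING"):
                for notify in re.findall(r"NOTIFY:(\w+)", payloads):
                    d.notifies.append((e.seq, exchange, notify))
                    if notify == "NO_PROPOSAL_CHOSEN" and d.failure is None:
                        # Rejection after a sent QM proposal is a Phase 2 mismatch;
                        # before Phase 1 is up it is the Phase 1 (ISAKMP) policy.
                        d.failure = ("phase2_proposal_rejected"
                                     if d.phase1_established and d.quick_mode_sent
                                     else "phase1_proposal_rejected")
        if m := DELETE_RE.search(msg):
            d.deletion_reason = m.group(1)
    return d


if __name__ == "__main__":
    result = diagnose(parse_entries(SAMPLE_LOG))
    print(f"NAT-T negotiated: {result.nat_t_negotiated} (ports {result.ike_ports})")
    print(f"Local behind NAT: {result.local_behind_nat}, remote: {result.remote_behind_nat}")
    print(f"Phase 1 established: {result.phase1_established}")
    print(f"Notifies received: {result.notifies}")
    print(f"Failure: {result.failure}, reason: {result.deletion_reason}")
```

To triage a real client log, read the file's contents into `parse_entries` instead of `SAMPLE_LOG`; the wrapped and quoted copy in the thread would first need its `> ` prefixes stripped, which is why the sample here is the unwrapped form.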


