[VPN] Re: Cisco VPN Client

Aida Lumbreras aidamx at gmx.net
Tue Jul 4 20:52:27 EDT 2006


Hi Livio,
It seems you are connecting to a Cisco router; routers by default
already have NAT-T enabled (after version 12.3(13)T). So I do not
think this might be the problem unless you have this command in your
configuration:

no crypto ipsec nat-t udp encapsulation

which might disable NAT-T.

Have you tried rebooting the router you are connecting to?  I have
seen those errors many times, and if all the proper ports are opened
and the config is fine, a simple reboot may take care of the problem.

If the problem persists, can I get a copy of your configuration?

Thanks!

Aida Lumbreras

---------------------------------------
>Hey you all!
> 
>I'm new to the VPN world, but I'm having problems connecting a PC (behind
>a NAT) to my VPN server (valid IP address) using the Cisco VPN Client.
>I've already forwarded the following ports to my PC:
> 
>500 UDP
>4500 UDP (The server negotiates this port with me)
>5000 and 5001 TCP/UDP
> 
>What else must I do? The VPN works normally for directly connected
>PCs.
> 
>I'll post the VPN client log here so you can see the problem, sorry
>for ANOTHER cisco VPN problem behind NAT:
> 
>---------------------------------------------------------------------
> 
>Cisco Systems VPN Client Version 4.7.00.0533
>Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
>Client Type(s): Windows, WinNT
>Running on: 5.1.2600 Service Pack 2
>Config file directory: C:\Arquivos de programas\Cisco Systems\VPN
>Client\
>1 21:27:26.703 07/03/06 Sev=Info/4 CM/0x63100002
>Begin connection process
>2 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100004
>Establish secure connection using Ethernet
>3 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100024
>Attempt connection with server "X.X.X.X"
>4 21:27:26.718 07/03/06 Sev=Info/6 IKE/0x6300003B
>Attempting to establish a connection with X.X.X.X.
>5 21:27:26.734 07/03/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
>VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X
>6 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x6300002F
>Received ISAKMP packet: peer = X.X.X.X
>7 21:27:26.921 07/03/06 Sev=Info/4 IKE/0x63000014
>RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?),
>VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from X.X.X.X
>8 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>Peer is a Cisco-Unity compliant peer
>9 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>Peer supports DPD
>10 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>Peer supports DWR Code and DWR Text
>11 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>Peer supports XAUTH
>12 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>Peer supports NAT-T
>13 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000001
>IOS Vendor ID Contruction successful
>14 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT,
>NAT-D, NAT-D, VID(?), VID(Unity)) to X.X.X.X
>15 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000055
>Sent a keepalive on the IPSec SA
>16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
>IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
>17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
>Automatic NAT Detection Status:
>Remote end is NOT behind a NAT device
>This end IS behind a NAT device
>18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
>Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated
>IKE SA in the system
>19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
>Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated
>IKE SA in the system
>20 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005E
>Client sending a firewall request to concentrator
>21 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005D
>Firewall Policy: Product=Cisco Systems Integrated Client Firewall,
>Capability= (Centralized Protection Policy).
>22 21:27:26.968 07/03/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
>23 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700008
>IPSec driver successfully started
>24 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700014
>Deleted all keys
>25 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x6300002F
>Received ISAKMP packet: peer = X.X.X.X
>26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
>RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME)
>from X.X.X.X
>27 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000045
>RESPONDER-LIFETIME notify has value of 86400 seconds
>28 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000047
>This SA has already been alive for 1 seconds, setting expiry to
>86399 seconds from now
>29 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300002F
>Received ISAKMP packet: peer = X.X.X.X
>30 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000014
>RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X
>31 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
>MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = X.X.X.X
>32 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
>MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value =
>255.255.255.0
>33 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000017
>MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and
>value (-256) is not supported
>34 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
>MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value =
>0x00000000
>35 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
>MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of
>split_nets), value = 0x00000007
>36 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>SPLIT_NET #1
>subnet = X.X.X.X 
>mask = 255.255.255.0
>protocol = 0
>src port = 0
>dest port=0
>37 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>SPLIT_NET #2
>subnet = X.X.X.X
>mask = 255.255.0.0
>protocol = 0
>src port = 0
>dest port=0
>38 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>SPLIT_NET #3
>subnet = X.X.X.X
>mask = 255.255.0.0
>protocol = 0
>src port = 0
>dest port=0
>39 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>SPLIT_NET #4
>subnet = X.X.X.X 
>mask = 255.255.0.0
>protocol = 0
>src port = 0
>dest port=0
>40 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>SPLIT_NET #5
>subnet = X.X.X.X
>mask = 255.255.0.0
>protocol = 0
>src port = 0
>dest port=0
>41 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>SPLIT_NET #6
>subnet = X.X.X.X 
>mask = 255.255.0.0
>protocol = 0
>src port = 0
>dest port=0
>42 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>SPLIT_NET #7
>subnet = X.X.X.X 
>mask = 255.255.0.0
>protocol = 0
>src port = 0
>dest port=0
>43 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000015
>MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME attribute with
>no data
>44 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000E
>MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS
>Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(7a),
>RELEASE SOFTWARE (fc3)
>Technical Support: http://www.cisco.com/techsupport
>Copyright (c) 1986-2006 by Cisco Systems, Inc.
>Compiled Tue 25-Apr-06 02:54 by ssearch
>45 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
>MODE_CFG_REPLY: Attribute = Received and using NAT-T port number ,
>value = 0x00001194
>46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019
>Mode Config data received
>47 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000056
>Received a key request from Driver: Local IP = Y.Y.Y.Y, GW IP =
>X.X.X.X, Remote IP = 0.0.0.0
>48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
>49 21:27:27.312 07/03/06 Sev=Info/5 IKE/0x6300002F
>Received ISAKMP packet: peer = X.X.X.X
>50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
>RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
>from X.X.X.X
>51 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to X.X.X.X
>52 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000049
>Discarding IPsec SA negotiation, MsgID=9C889DF0
>53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
>Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7
>R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
>54 21:27:27.484 07/03/06 Sev=Info/4 IPSEC/0x63700014
>Deleted all keys
>55 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x6300004B
>Discarding IKE SA negotiation (I_Cookie=4A3797BB0E9DACC7
>R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
>56 21:27:30.453 07/03/06 Sev=Info/4 CM/0x63100012
>Phase 1 SA deleted before first Phase 2 SA is up cause by
>"DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User
>Authenticated IKE SA in the system
>57 21:27:30.453 07/03/06 Sev=Info/5 CM/0x63100025
>Initializing CVPNDrv
>58 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x63000001
>IKE received signal to terminate VPN connection
>59 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
>Deleted all keys
>60 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
>Deleted all keys
>61 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
>Deleted all keys
>62 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x6370000A
>IPSec driver successfully stopped
> 
>  
>---------------------------------------------------------------------
>Resumed log:
> 
>2 21:20:47.953 07/03/06 Sev=Warning/3 IKE/0xA3000029
>No keys are available to decrypt the received ISAKMP payload
> 
> 
> 
>Thank you all! :)
>[]'s
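The posted client log answers the "which port is missing" question by itself if it is read stage by stage: NAT-T is negotiated on UDP 4500 (port 0x1194), NAT-D shows only the client side is behind NAT, Phase 1 completes with XAUTH, mode-config is delivered, and the failure is the responder's NO_PROPOSAL_CHOSEN to the Quick Mode (IPsec SA) proposal. The script below is an added example, not code from the thread, that pulls those facts out of a Cisco VPN Client 4.x log and names the stage at which negotiation died. The embedded log is an abridged copy of the one posted above (addresses already masked); the field names in the result dict and the stage labels are this example's own choices, not Cisco terminology.

```python
"""Triage a Cisco VPN Client 4.x IKE log: at which stage did the negotiation fail?"""
import re

# Abridged copy of the log posted in the thread (constructed sample; X.X.X.X as posted).
SAMPLE_LOG = """\
5 21:27:26.734 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X
12 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from X.X.X.X
44 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(7a), RELEASE SOFTWARE (fc3)
46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019
Mode Config data received
48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7 R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Record header: "<seq> <time> <date> Sev=<level>/<n> <module>/0x<8 hex digits>".
# The fixed 8-digit code also lets us split a header that got fused with its
# message text ("IKE/0xA3000029No keys ..."), as in the resumed log in the post.
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/\d\s+(?P<mod>\w+)/(?P<code>0x[0-9A-Fa-f]{8})\s*(?P<rest>.*)$"
)


def parse_records(text):
    """Group the log into (module, code, message) tuples; continuation lines are joined."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m["mod"], m["code"], m["rest"].strip()])
        elif records:
            records[-1][2] = (records[-1][2] + "\n" + line).strip()
    return [tuple(r) for r in records]


def triage(text):
    """Extract the NAT-T / Phase 1 / mode-config / Quick Mode facts and name the failed stage."""
    r = {"peer_supports_nat_t": False, "nat_t_port": None, "local_behind_nat": None,
         "remote_behind_nat": None, "phase1_authenticated": False,
         "mode_config_received": False, "ios_version": None, "quick_mode_sent": False,
         "failure_notify": None, "del_reason": None, "failed_stage": "none"}
    for _mod, _code, msg in parse_records(text):
        if "Peer supports NAT-T" in msg:
            r["peer_supports_nat_t"] = True
        if m := re.search(r"Local Port = (0x[0-9A-Fa-f]+)", msg):
            r["nat_t_port"] = int(m.group(1), 16)        # 0x1194 -> 4500 (NAT-T)
        if m := re.search(r"This end (IS|is NOT) behind a NAT", msg):
            r["local_behind_nat"] = m.group(1) == "IS"
        if m := re.search(r"Remote end (IS|is NOT) behind a NAT", msg):
            r["remote_behind_nat"] = m.group(1) == "IS"
        if "Established Phase 1 SA" in msg and "1 User Authenticated" in msg:
            r["phase1_authenticated"] = True            # XAUTH succeeded
        if msg.startswith("Mode Config data received"):
            r["mode_config_received"] = True
        if m := re.search(r"APPLICATION_VERSION.*?Version ([^,]+),", msg, re.S):
            r["ios_version"] = m.group(1)
        if msg.startswith("SENDING >>> ISAKMP OAK QM"):
            r["quick_mode_sent"] = True
        # Error notifies only: IKEv1 STATUS_* notifies (lifetime, initial contact) are benign.
        if (m := re.search(r"RECEIVING <<<.*NOTIFY:([A-Z_]+)", msg)) and not m.group(1).startswith("STATUS_"):
            r["failure_notify"] = m.group(1)
        if m := re.search(r"reason = (DEL_REASON_\w+)", msg):
            r["del_reason"] = m.group(1)
    if r["failure_notify"] or r["del_reason"]:
        if r["quick_mode_sent"]:
            r["failed_stage"] = "phase2_quick_mode"      # IPsec SA proposal rejected
        elif r["phase1_authenticated"]:
            r["failed_stage"] = "mode_config"
        else:
            r["failed_stage"] = "phase1_aggressive_mode"  # never got past IKE SA / XAUTH
    return r


def explain(r):
    """One-line reading of a triage() result."""
    if r["failed_stage"] == "phase2_quick_mode":
        return ("NAT-T on UDP %s and Phase 1 (with XAUTH and mode-config) completed; the responder "
                "answered the Quick Mode proposal with %s, so compare the client's IPsec proposal "
                "with the responder's phase 2 transform set(s), not the NAT/port setup."
                % (r["nat_t_port"], r["failure_notify"]))
    return "negotiation failed at stage %s (%s)" % (r["failed_stage"], r["del_reason"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print(explain(result))
```

Running it on the posted log reports `failed_stage == "phase2_quick_mode"` with `NO_PROPOSAL_CHOSEN`, NAT-T already in use on 4500 and Phase 1 authenticated. Since the client initiates every packet of this exchange, the NAT device's own state carries the return traffic; the check worth doing next is on the responder's phase 2 configuration for the client group. The same parser reads any 4.x client log, including the fused `IKE/0xA3000029No keys ...` form, because the eight-digit message code delimits the header.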