<HTML>
<HEAD>
</HEAD>
<BODY>
<P>Hi Livio,</P>
<P>It seems you are connecting to a Cisco router; the routers by default already have NAT-T enabled (after 12.3(13)T version). So I do not think this might be the problem unless you have this command in your configuration:</P>
<P><BR></P>
<P>no crypto ipsec nat-t udp encapsulation</P>
<P><BR></P>
<P>which might disable nat-t</P>
<P><BR></P>
<P>Have you tried rebooting the router you are connecting to? I have seen those errors many times, and if all the proper ports are opened and the config is fine, a simple reboot may take care of the problem.</P>
<P><BR></P>
<P>If the problem persists, can I get a copy of your configuration?</P>
<P><BR></P>
<P>Thanks!</P>
<P><BR></P>
<P>Aida Lumbreras</P>
<P><BR></P>
<P>---------------------------------------</P>
<BLOCKQUOTE>
<P>>Hey you all!</P>
<P>> </P>
<P>>I'm new in VPN world, but I'm having problems to connect a PC(behind</P>
<P>>a NAT), to my VPN server(valid IP address) using Cisco VPN Client.</P>
<P>>I've already forwarded the following ports to my PC:</P>
<P>> </P>
<P>>500 UDP</P>
<P>>4500 UDP (The server negotiates this port with me)</P>
<P>>5000 and 5001 TCP/UDP</P>
<P>> </P>
<P>>What else must I do? The VPN works normally for directly connected</P>
<P>>PCs.</P>
<P>> </P>
<P>>I'll post the VPN client log here so you can see the problem, sorry</P>
<P>>for ANOTHER cisco VPN problem behind NAT:</P>
<P>> </P>
<P>>---------------------------------------------------------------------</P>
<P>>---------------------------------------------------------------------</P>
<P>>------</P>
<P>> </P>
<P>>Cisco Systems VPN Client Version 4.7.00.0533</P>
<P>>Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.</P>
<P>>Client Type(s): Windows, WinNT</P>
<P>>Running on: 5.1.2600 Service Pack 2</P>
<P>>Config file directory: C:\Arquivos de programas\Cisco Systems\VPN</P>
<P>>Client\</P>
<P>>1 21:27:26.703 07/03/06 Sev=Info/4 CM/0x63100002</P>
<P>>Begin connection process</P>
<P>>2 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100004</P>
<P>>Establish secure connection using Ethernet</P>
<P>>3 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100024</P>
<P>>Attempt connection with server "X.X.X.X"</P>
<P>>4 21:27:26.718 07/03/06 Sev=Info/6 IKE/0x6300003B</P>
<P>>Attempting to establish a connection with X.X.X.X.</P>
<P>>5 21:27:26.734 07/03/06 Sev=Info/4 IKE/0x63000013</P>
<P>>SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),</P>
<P>>VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X</P>
<P>>6 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x6300002F</P>
<P>>Received ISAKMP packet: peer = X.X.X.X</P>
<P>>7 21:27:26.921 07/03/06 Sev=Info/4 IKE/0x63000014</P>
<P>>RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?),</P>
<P>>VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from X.X.X.X</P>
<P>>8 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001</P>
<P>>Peer is a Cisco-Unity compliant peer</P>
<P>>9 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001</P>
<P>>Peer supports DPD</P>
<P>>10 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001</P>
<P>>Peer supports DWR Code and DWR Text</P>
<P>>11 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001</P>
<P>>Peer supports XAUTH</P>
<P>>12 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001</P>
<P>>Peer supports NAT-T</P>
<P>>13 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000001</P>
<P>>IOS Vendor ID Contruction successful</P>
<P>>14 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000013</P>
<P>>SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT,</P>
<P>>NAT-D, NAT-D, VID(?), VID(Unity)) to X.X.X.X</P>
<P>>15 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000055</P>
<P>>Sent a keepalive on the IPSec SA</P>
<P>>16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083</P>
<P>>IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194</P>
<P>>17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072</P>
<P>>Automatic NAT Detection Status:</P>
<P>>Remote end is NOT behind a NAT device</P>
<P>>This end IS behind a NAT device</P>
<P>>18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E</P>
<P>>Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated</P>
<P>>IKE SA in the system</P>
<P>>19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E</P>
<P>>Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated</P>
<P>>IKE SA in the system</P>
<P>>20 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005E</P>
<P>>Client sending a firewall request to concentrator</P>
<P>>21 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005D</P>
<P>>Firewall Policy: Product=Cisco Systems Integrated Client Firewall,</P>
<P>>Capability= (Centralized Protection Policy).</P>
<P>>22 21:27:26.968 07/03/06 Sev=Info/4 IKE/0x63000013</P>
<P>>SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X</P>
<P>>23 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700008</P>
<P>>IPSec driver successfully started</P>
<P>>24 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700014</P>
<P>>Deleted all keys</P>
<P>>25 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x6300002F</P>
<P>>Received ISAKMP packet: peer = X.X.X.X</P>
<P>>26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014</P>
<P>>RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME)</P>
<P>>from X.X.X.X</P>
<P>>27 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000045</P>
<P>>RESPONDER-LIFETIME notify has value of 86400 seconds</P>
<P>>28 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000047</P>
<P>>This SA has already been alive for 1 seconds, setting expiry to</P>
<P>>86399 seconds from now</P>
<P>>29 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300002F</P>
<P>>Received ISAKMP packet: peer = X.X.X.X</P>
<P>>30 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000014</P>
<P>>RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X</P>
<P>>31 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010</P>
<P>>MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = X.X.X.X</P>
<P>>32 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010</P>
<P>>MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value =</P>
<P>>255.255.255.0</P>
<P>>33 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000017</P>
<P>>MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and</P>
<P>>value (-256) is not supported</P>
<P>>34 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D</P>
<P>>MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value =</P>
<P>>0x00000000</P>
<P>>35 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D</P>
<P>>MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of</P>
<P>>split_nets), value = 0x00000007</P>
<P>>36 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F</P>
<P>>SPLIT_NET #1</P>
<P>>subnet = X.X.X.X </P>
<P>>mask = 255.255.255.0</P>
<P>>protocol = 0</P>
<P>>src port = 0</P>
<P>>dest port=0</P>
<P>>37 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F</P>
<P>>SPLIT_NET #2</P>
<P>>subnet = X.X.X.X</P>
<P>>mask = 255.255.0.0</P>
<P>>protocol = 0</P>
<P>>src port = 0</P>
<P>>dest port=0</P>
<P>>38 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F</P>
<P>>SPLIT_NET #3</P>
<P>>subnet = X.X.X.X</P>
<P>>mask = 255.255.0.0</P>
<P>>protocol = 0</P>
<P>>src port = 0</P>
<P>>dest port=0</P>
<P>>39 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F</P>
<P>>SPLIT_NET #4</P>
<P>>subnet = X.X.X.X </P>
<P>>mask = 255.255.0.0</P>
<P>>protocol = 0</P>
<P>>src port = 0</P>
<P>>dest port=0</P>
<P>>40 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F</P>
<P>>SPLIT_NET #5</P>
<P>>subnet = X.X.X.X</P>
<P>>mask = 255.255.0.0</P>
<P>>protocol = 0</P>
<P>>src port = 0</P>
<P>>dest port=0</P>
<P>>41 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F</P>
<P>>SPLIT_NET #6</P>
<P>>subnet = X.X.X.X </P>
<P>>mask = 255.255.0.0</P>
<P>>protocol = 0</P>
<P>>src port = 0</P>
<P>>dest port=0</P>
<P>>42 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F</P>
<P>>SPLIT_NET #7</P>
<P>>subnet = X.X.X.X </P>
<P>>mask = 255.255.0.0</P>
<P>>protocol = 0</P>
<P>>src port = 0</P>
<P>>dest port=0</P>
<P>>43 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000015</P>
<P>>MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME attribute with</P>
<P>>no data</P>
<P>>44 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000E</P>
<P>>MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS</P>
<P>>Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(7a),</P>
<P>>RELEASE SOFTWARE (fc3)</P>
<P>>Technical Support: http://www.cisco.com/techsupport</P>
<P>>Copyright (c) 1986-2006 by Cisco Systems, Inc.</P>
<P>>Compiled Tue 25-Apr-06 02:54 by ssearch</P>
<P>>45 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D</P>
<P>>MODE_CFG_REPLY: Attribute = Received and using NAT-T port number ,</P>
<P>>value = 0x00001194</P>
<P>>46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019</P>
<P>>Mode Config data received</P>
<P>>47 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000056</P>
<P>>Received a key request from Driver: Local IP = Y.Y.Y.Y, GW IP =</P>
<P>>X.X.X.X, Remote IP = 0.0.0.0</P>
<P>>48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013</P>
<P>>SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X</P>
<P>>49 21:27:27.312 07/03/06 Sev=Info/5 IKE/0x6300002F</P>
<P>>Received ISAKMP packet: peer = X.X.X.X</P>
<P>>50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014</P>
<P>>RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)</P>
<P>>from X.X.X.X</P>
<P>>51 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000013</P>
<P>>SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to X.X.X.X</P>
<P>>52 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000049</P>
<P>>Discarding IPsec SA negotiation, MsgID=9C889DF0</P>
<P>>53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017</P>
<P>>Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7</P>
<P>>R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED</P>
<P>>54 21:27:27.484 07/03/06 Sev=Info/4 IPSEC/0x63700014</P>
<P>>Deleted all keys</P>
<P>>55 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x6300004B</P>
<P>>Discarding IKE SA negotiation (I_Cookie=4A3797BB0E9DACC7</P>
<P>>R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED</P>
<P>>56 21:27:30.453 07/03/06 Sev=Info/4 CM/0x63100012</P>
<P>>Phase 1 SA deleted before first Phase 2 SA is up cause by</P>
<P>>"DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User</P>
<P>>Authenticated IKE SA in the system</P>
<P>>57 21:27:30.453 07/03/06 Sev=Info/5 CM/0x63100025</P>
<P>>Initializing CVPNDrv</P>
<P>>58 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x63000001</P>
<P>>IKE received signal to terminate VPN connection</P>
<P>>59 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014</P>
<P>>Deleted all keys</P>
<P>>60 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014</P>
<P>>Deleted all keys</P>
<P>>61 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014</P>
<P>>Deleted all keys</P>
<P>>62 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x6370000A</P>
<P>>IPSec driver successfully stopped</P>
<P>> </P>
<P>> </P>
<P>>---------------------------------------------------------------------</P>
<P>>-----------------------------------------------------------------</P>
<P>>Resumed log:</P>
<P>> </P>
<P>>2 21:20:47.953 07/03/06 Sev=Warning/3 IKE/0xA3000029</P>
<P>>No keys are available to decrypt the received ISAKMP payload</P>
<P>> </P>
<P>> </P>
<P>> </P>
<P>>Thank you all! :)</P>
<P>>[]'s</P>
</BLOCKQUOTE>
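<P>Added example, not part of the original thread: a Python triage of the quoted client log that reports the negotiated NAT-T port, the NAT detection result, and the exchange that drew an error notify from the peer. The sample lines are constructed from entries 16-18, 48 and 50 of the log above, and the function names are illustrative.</P>

```python
import re

# Constructed sample: entries 16-18, 48 and 50 of the quoted log, lines rejoined.
SAMPLE_LOG = """\
16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated
48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
"""

# Entry header: sequence number, time, date, Sev=<name>/<level>, <module>/<code>
HEADER = re.compile(r"^(\d+)\s+[\d:.]+\s+\S+\s+Sev=(\w+)/\d+\s+(\w+)/0x[0-9A-Fa-f]+$")

def parse_entries(text):
    """Attach each run of message lines to the header line that precedes it."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()   # tolerate mail-quote prefixes
        m = HEADER.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "sev": m.group(2),
                            "module": m.group(3), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage(text):
    """Report NAT-T port, NAT detection, and the exchange that drew an error notify."""
    out = {"nat_t_port": None, "client_behind_nat": False,
           "phase1_up": False, "failure": None}
    last_sent = None
    for e in parse_entries(text):
        msg = e["msg"]
        if m := re.search(r"Local Port = (0x[0-9A-Fa-f]+)", msg):
            out["nat_t_port"] = int(m.group(1), 16)   # 0x1194 is UDP 4500
        out["client_behind_nat"] |= "This end IS behind a NAT device" in msg
        out["phase1_up"] |= msg.startswith("Established Phase 1 SA")
        if m := re.match(r"SENDING >>> ISAKMP OAK (\w+)", msg):
            last_sent = m.group(1)             # AG, TRANS, QM, INFO
        m = re.search(r"RECEIVING <<< .*NOTIFY:(\w+)", msg)
        if m and not m.group(1).startswith("STATUS_") and out["failure"] is None:
            out["failure"] = (e["seq"], m.group(1), last_sent)
    return out
```

<P>In IKEv1, QM (Quick Mode) is the Phase 2 exchange, so a failure tuple naming QM places the peer's rejection after Phase 1 and the NAT-T port negotiation had already completed.</P>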
</BODY>
</HTML>