Hi Livio,

The following:

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from
X.X.X.X

seems to be the problem.

If this were an L2L-VPN you'd want to check your settings to see if PFS
is missing on one side, or the dh-group is wrong. For a Cisco client
it's less standard.

Is it possible that you don't have nat-traversal enabled on the
gateway?

For PIX: isakmp nat-traversal $policy_number

For ASA: isakmp nat-traversal $keepalive_interval

For VPN3000: it's somewhere in that evil web interface. Look for the
ISAKMP settings.

Give that a try,

Chris

> -----Original Message-----
> From: vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com
> [mailto:vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com
> ] On Behalf Of Livio Zanol Puppim
> Sent: Tuesday, July 04, 2006 2:42 AM
> To: vpn@lists.shmoo.com
> Subject: [VPN] Cisco VPN Client
>
> Hey you all!
>
> I'm new to the VPN world, but I'm having problems connecting a
> PC (behind a NAT) to my VPN server (valid IP address) using
> Cisco VPN Client. I've already forwarded the following ports to my PC:
>
> 500 UDP
> 4500 UDP (The server negotiates this port with me)
> 5000 and 5001 TCP/UDP
>
> What else must I do? The VPN works normally for directly
> connected PCs.
>
> I'll post the VPN client log here so you can see the problem,
> sorry for ANOTHER cisco VPN problem behind NAT:
>
> ----------------------------------------------------------------------
>
> Cisco Systems VPN Client Version 4.7.00.0533
>
> Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
>
> Client Type(s): Windows, WinNT
>
> Running on: 5.1.2600 Service Pack 2
>
> Config file directory: C:\Arquivos de programas\Cisco
> Systems\VPN Client\
>
> 1 21:27:26.703 07/03/06 Sev=Info/4 CM/0x63100002
>
> Begin connection process
>
> 2 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100004
>
> Establish secure connection using Ethernet
>
> 3 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100024
>
> Attempt connection with server "X.X.X.X"
>
> 4 21:27:26.718 07/03/06 Sev=Info/6 IKE/0x6300003B
>
> Attempting to establish a connection with X.X.X.X.
>
> 5 21:27:26.734 07/03/06 Sev=Info/4 IKE/0x63000013
>
> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth),
> VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X
>
> 6 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x6300002F
>
> Received ISAKMP packet: peer = X.X.X.X
>
> 7 21:27:26.921 07/03/06 Sev=Info/4 IKE/0x63000014
>
> RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd),
> VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D,
> NAT-D) from X.X.X.X
>
> 8 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>
> Peer is a Cisco-Unity compliant peer
>
> 9 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>
> Peer supports DPD
>
> 10 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>
> Peer supports DWR Code and DWR Text
>
> 11 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>
> Peer supports XAUTH
>
> 12 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
>
> Peer supports NAT-T
>
> 13 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000001
>
> IOS Vendor ID Contruction successful
>
> 14 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000013
>
> SENDING >>> ISAKMP OAK AG *(HASH,
> NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?),
> VID(Unity)) to X.X.X.X
>
> 15 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000055
>
> Sent a keepalive on the IPSec SA
>
> 16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
>
> IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
>
> 17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
>
> Automatic NAT Detection Status:
>
> Remote end is NOT behind a NAT device
>
> This end IS behind a NAT device
>
> 18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
>
> Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User
> Authenticated IKE SA in the system
>
> 19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
>
> Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User
> Authenticated IKE SA in the system
>
> 20 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005E
>
> Client sending a firewall request to concentrator
>
> 21 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005D
>
> Firewall Policy: Product=Cisco Systems Integrated Client
> Firewall, Capability= (Centralized Protection Policy).
>
> 22 21:27:26.968 07/03/06 Sev=Info/4 IKE/0x63000013
>
> SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
>
> 23 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700008
>
> IPSec driver successfully started
>
> 24 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700014
>
> Deleted all keys
>
> 25 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x6300002F
>
> Received ISAKMP packet: peer = X.X.X.X
>
> 26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
>
> RECEIVING <<< ISAKMP OAK INFO *(HASH,
> NOTIFY:STATUS_RESP_LIFETIME) from X.X.X.X
>
> 27 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000045
>
> RESPONDER-LIFETIME notify has value of 86400 seconds
>
> 28 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000047
>
> This SA has already been alive for 1 seconds, setting expiry
> to 86399 seconds from now
>
> 29 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300002F
>
> Received ISAKMP packet: peer = X.X.X.X
>
> 30 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000014
>
> RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X
>
> 31 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
>
> MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = X.X.X.X
>
> 32 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
>
> MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value =
> 255.255.255.0
>
> 33 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000017
>
> MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY)
> attribute and value (-256) is not supported
>
> 34 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
>
> MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value =
> 0x00000000
>
> 35 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
>
> MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of
> split_nets), value = 0x00000007
>
> 36 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>
> SPLIT_NET #1
>
> subnet = X.X.X.X
>
> mask = 255.255.255.0
>
> protocol = 0
>
> src port = 0
>
> dest port=0
>
> 37 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>
> SPLIT_NET #2
>
> subnet = X.X.X.X
>
> mask = 255.255.0.0
>
> protocol = 0
>
> src port = 0
>
> dest port=0
>
> 38 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>
> SPLIT_NET #3
>
> subnet = X.X.X.X
>
> mask = 255.255.0.0
>
> protocol = 0
>
> src port = 0
>
> dest port=0
>
> 39 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>
> SPLIT_NET #4
>
> subnet = X.X.X.X
>
> mask = 255.255.0.0
>
> protocol = 0
>
> src port = 0
>
> dest port=0
>
> 40 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>
> SPLIT_NET #5
>
> subnet = X.X.X.X
>
> mask = 255.255.0.0
>
> protocol = 0
>
> src port = 0
>
> dest port=0
>
> 41 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>
> SPLIT_NET #6
>
> subnet = X.X.X.X
>
> mask = 255.255.0.0
>
> protocol = 0
>
> src port = 0
>
> dest port=0
>
> 42 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
>
> SPLIT_NET #7
>
> subnet = X.X.X.X
>
> mask = 255.255.0.0
>
> protocol = 0
>
> src port = 0
>
> dest port=0
>
> 43 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000015
>
> MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME
> attribute with no data
>
> 44 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000E
>
> MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value =
> Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M),
> Version 12.4(7a), RELEASE SOFTWARE (fc3)
>
> Technical Support: http://www.cisco.com/techsupport
>
> Copyright (c) 1986-2006 by Cisco Systems, Inc.
>
> Compiled Tue 25-Apr-06 02:54 by ssearch
>
> 45 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
>
> MODE_CFG_REPLY: Attribute = Received and using NAT-T port
> number , value = 0x00001194
>
> 46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019
>
> Mode Config data received
>
> 47 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000056
>
> Received a key request from Driver: Local IP = Y.Y.Y.Y, GW IP
> = X.X.X.X, Remote IP = 0.0.0.0
>
> 48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
>
> SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
>
> 49 21:27:27.312 07/03/06 Sev=Info/5 IKE/0x6300002F
>
> Received ISAKMP packet: peer = X.X.X.X
>
> 50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
>
> RECEIVING <<< ISAKMP OAK INFO *(HASH,
> NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
>
> 51 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000013
>
> SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to X.X.X.X
>
> 52 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000049
>
> Discarding IPsec SA negotiation, MsgID=9C889DF0
>
> 53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
>
> Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7
> R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
>
> 54 21:27:27.484 07/03/06 Sev=Info/4 IPSEC/0x63700014
>
> Deleted all keys
>
> 55 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x6300004B
>
> Discarding IKE SA negotiation (I_Cookie=4A3797BB0E9DACC7
> R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
>
> 56 21:27:30.453 07/03/06 Sev=Info/4 CM/0x63100012
>
> Phase 1 SA deleted before first Phase 2 SA is up cause by
> "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User
> Authenticated IKE SA in the system
>
> 57 21:27:30.453 07/03/06 Sev=Info/5 CM/0x63100025
>
> Initializing CVPNDrv
>
> 58 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x63000001
>
> IKE received signal to terminate VPN connection
>
> 59 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
>
> Deleted all keys
>
> 60 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
>
> Deleted all keys
>
> 61 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
>
> Deleted all keys
>
> 62 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x6370000A
>
> IPSec driver successfully stopped
>
>
>
> ----------------------------------------------------------------------
> Resumed log:
>
> 2 21:20:47.953 07/03/06 Sev=Warning/3 IKE/0xA3000029
> No keys are available to decrypt the received ISAKMP payload
>
>
>
> Thank you all!
> []'s
>

_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
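
Added example, not part of the original thread: a small Python parser for client logs in the layout quoted above that ties each error NOTIFY the client receives (such as NO_PROPOSAL_CHOSEN) to the last exchange the client sent, showing which negotiation stage the gateway answered with a refusal. The function names, the treatment of `STATUS_*` notifies as informational, and the sample log (constructed, using documentation address 192.0.2.1) are assumptions made for this example.

```python
import re

# Record header line, then the exchange line (direction, exchange type, payload list)
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+\S+\s+Sev=\w+/\d+\s+\w+/0x[0-9A-Fa-f]+$")
EXCHANGE = re.compile(r"(SENDING >>>|RECEIVING <<<) ISAKMP OAK (\w+) \*?\((.*?)\)\s+(?:to|from)\b")
PHASE = {"MM": "Phase 1 (main mode)", "AG": "Phase 1 (aggressive mode)",
         "TRANS": "Xauth/mode config", "QM": "Phase 2 (quick mode, IPsec SA)"}

def parse_records(text):
    """Return [seq, time, message] records; wrapped lines joined, '>' quoting dropped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        m = HEADER.match(line)
        if m:
            records.append([int(m.group(1)), m.group(2), ""])
        elif line and records:
            records[-1][2] = (records[-1][2] + " " + line).strip()
    return records

def find_rejections(text):
    """List error NOTIFYs received, each tied to the last exchange the client sent."""
    last_sent, found = None, []
    for seq, time, msg in parse_records(text):
        m = EXCHANGE.search(msg)
        if not m:
            continue
        direction, xchg, payloads = m.groups()
        if direction.startswith("SENDING"):
            last_sent = xchg if xchg != "INFO" else last_sent
            continue
        for notify in re.findall(r"NOTIFY:\s*(\w+)", payloads):
            if not notify.startswith("STATUS_"):  # assumption: STATUS_* is informational
                found.append({"record": seq, "time": time, "notify": notify,
                              "rejected": PHASE.get(last_sent, "unknown")})
    return found

# Constructed sample in the client's log layout (192.0.2.1 is a documentation address)
SAMPLE = """\
> 26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 192.0.2.1
> 48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.0.2.1
> 50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK INFO *(HASH,
> NOTIFY:NO_PROPOSAL_CHOSEN) from 192.0.2.1
"""
if __name__ == "__main__":
    print(find_rejections(SAMPLE))
```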