Hi Livio,

Are you using the Cisco VPN Client with a router??

I've never tried that, but I can't imagine it would work.

Maybe someone else on the list knows for sure?

If it's not a router, what is your VPN gateway?

Chris

> -----Original Message-----
> From: Livio Zanol Puppim [mailto:livio.zanol.puppim@gmail.com]
> Sent: Tuesday, July 04, 2006 4:49 PM
> To: Meidinger Chris
> Subject: Re: [VPN] Cisco VPN Client
>
> Hi Chris, I've tried to use the following command in my Cisco router:
>
> Router1(config)#crypto isakmp nat keepalive 10
>
> There's also a "crypto isakmp keepalive" command... What command should I use? And what keepalive interval must I set? I'll try to see if the configuration worked tonight...
>
> Thx,
> Lívio Zanol Puppim
>
> 2006/7/4, Meidinger Chris :
>
> Hi Livio,
>
> the following:
>
> RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
>
> seems to be the problem.
>
> If this were a L2L-VPN you'd want to check your settings to see if pfs is missing on one side, or the dh-group is wrong. For a Cisco-client it's less standard.
>
> Is it possible that you don't have nat-traversal enabled on the gateway??
>
> for pix: isakmp nat-traversal $policy_number
>
> for asa: isakmp nat-traversal $keepalive_interval
>
> for vpn3000: it's somewhere in that evil web-interface. look for the isakmp settings.
>
> Give that a try,
>
> Chris
>
> > -----Original Message-----
> > From: vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com
> > [mailto:vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com] On Behalf Of Livio Zanol Puppim
> > Sent: Tuesday, July 04, 2006 2:42 AM
> > To: vpn@lists.shmoo.com
> > Subject: [VPN] Cisco VPN Client
> >
> > Hey you all!
> >
> > I'm new in VPN world, but I'm having problems to connect a PC (behind a NAT) to my VPN server (valid IP address) using Cisco VPN Client. I've already forwarded the following ports to my PC:
> >
> > 500 UDP
> > 4500 UDP (The server negotiates this port with me)
> > 5000 and 5001 TCP/UDP
> >
> > What else must I do? The VPN works normally for directly connected PCs.
> >
> > I'll post the VPN client log here so you can see the problem, sorry for ANOTHER cisco VPN problem behind NAT:
> >
> > --------------------------------------------------------------
> >
> > Cisco Systems VPN Client Version 4.7.00.0533
> > Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
> > Client Type(s): Windows, WinNT
> > Running on: 5.1.2600 Service Pack 2
> > Config file directory: C:\Arquivos de programas\Cisco Systems\VPN Client\
> >
> > 1 21:27:26.703 07/03/06 Sev=Info/4 CM/0x63100002
> > Begin connection process
> >
> > 2 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100004
> > Establish secure connection using Ethernet
> >
> > 3 21:27:26.718 07/03/06 Sev=Info/4 CM/0x63100024
> > Attempt connection with server " X.X.X.X"
> >
> > 4 21:27:26.718 07/03/06 Sev=Info/6 IKE/0x6300003B
> > Attempting to establish a connection with X.X.X.X.
> >
> > 5 21:27:26.734 07/03/06 Sev=Info/4 IKE/0x63000013
> > SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X
> >
> > 6 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x6300002F
> > Received ISAKMP packet: peer = X.X.X.X
> >
> > 7 21:27:26.921 07/03/06 Sev=Info/4 IKE/0x63000014
> > RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from X.X.X.X
> >
> > 8 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> > Peer is a Cisco-Unity compliant peer
> >
> > 9 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> > Peer supports DPD
> >
> > 10 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> > Peer supports DWR Code and DWR Text
> >
> > 11 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> > Peer supports XAUTH
> >
> > 12 21:27:26.921 07/03/06 Sev=Info/5 IKE/0x63000001
> > Peer supports NAT-T
> >
> > 13 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000001
> > IOS Vendor ID Contruction successful
> >
> > 14 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000013
> > SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to X.X.X.X
> >
> > 15 21:27:26.937 07/03/06 Sev=Info/6 IKE/0x63000055
> > Sent a keepalive on the IPSec SA
> >
> > 16 21:27:26.937 07/03/06 Sev=Info/4 IKE/0x63000083
> > IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
> >
> > 17 21:27:26.937 07/03/06 Sev=Info/5 IKE/0x63000072
> > Automatic NAT Detection Status:
> > Remote end is NOT behind a NAT device
> > This end IS behind a NAT device
> >
> > 18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
> > Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
> >
> > 19 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
> > Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
> >
> > 20 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005E
> > Client sending a firewall request to concentrator
> >
> > 21 21:27:26.968 07/03/06 Sev=Info/5 IKE/0x6300005D
> > Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
> >
> > 22 21:27:26.968 07/03/06 Sev=Info/4 IKE/0x63000013
> > SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
> >
> > 23 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700008
> > IPSec driver successfully started
> >
> > 24 21:27:26.968 07/03/06 Sev=Info/4 IPSEC/0x63700014
> > Deleted all keys
> >
> > 25 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x6300002F
> > Received ISAKMP packet: peer = X.X.X.X
> >
> > 26 21:27:27.046 07/03/06 Sev=Info/4 IKE/0x63000014
> > RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from X.X.X.X
> >
> > 27 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000045
> > RESPONDER-LIFETIME notify has value of 86400 seconds
> >
> > 28 21:27:27.046 07/03/06 Sev=Info/5 IKE/0x63000047
> > This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
> >
> > 29 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300002F
> > Received ISAKMP packet: peer = X.X.X.X
> >
> > 30 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000014
> > RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X
> >
> > 31 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
> > MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = X.X.X.X
> >
> > 32 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x63000010
> > MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
> >
> > 33 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000017
> > MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value (-256) is not supported
> >
> > 34 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
> > MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
> >
> > 35 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
> > MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000007
> >
> > 36 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> > SPLIT_NET #1
> > subnet = X.X.X.X
> > mask = 255.255.255.0
> > protocol = 0
> > src port = 0
> > dest port=0
> >
> > 37 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> > SPLIT_NET #2
> > subnet = X.X.X.X
> > mask = 255.255.0.0
> > protocol = 0
> > src port = 0
> > dest port=0
> >
> > 38 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> > SPLIT_NET #3
> > subnet = X.X.X.X
> > mask = 255.255.0.0
> > protocol = 0
> > src port = 0
> > dest port=0
> >
> > 39 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> > SPLIT_NET #4
> > subnet = X.X.X.X
> > mask = 255.255.0.0
> > protocol = 0
> > src port = 0
> > dest port=0
> >
> > 40 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> > SPLIT_NET #5
> > subnet = X.X.X.X
> > mask = 255.255.0.0
> > protocol = 0
> > src port = 0
> > dest port=0
> >
> > 41 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> > SPLIT_NET #6
> > subnet = X.X.X.X
> > mask = 255.255.0.0
> > protocol = 0
> > src port = 0
> > dest port=0
> >
> > 42 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000F
> > SPLIT_NET #7
> > subnet = X.X.X.X
> > mask = 255.255.0.0
> > protocol = 0
> > src port = 0
> > dest port=0
> >
> > 43 21:27:27.109 07/03/06 Sev=Info/5 IKE/0xA3000015
> > MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME attribute with no data
> >
> > 44 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000E
> > MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(7a), RELEASE SOFTWARE (fc3)
> > Technical Support: http://www.cisco.com/techsupport
> > Copyright (c) 1986-2006 by Cisco Systems, Inc.
> > Compiled Tue 25-Apr-06 02:54 by ssearch
> >
> > 45 21:27:27.109 07/03/06 Sev=Info/5 IKE/0x6300000D
> > MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
> >
> > 46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019
> > Mode Config data received
> >
> > 47 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000056
> > Received a key request from Driver: Local IP = Y.Y.Y.Y, GW IP = X.X.X.X, Remote IP = 0.0.0.0
> >
> > 48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
> > SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
> >
> > 49 21:27:27.312 07/03/06 Sev=Info/5 IKE/0x6300002F
> > Received ISAKMP packet: peer = X.X.X.X
> >
> > 50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
> > RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
> >
> > 51 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000013
> > SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to X.X.X.X
> >
> > 52 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000049
> > Discarding IPsec SA negotiation, MsgID=9C889DF0
> >
> > 53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
> > Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7 R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
> >
> > 54 21:27:27.484 07/03/06 Sev=Info/4 IPSEC/0x63700014
> > Deleted all keys
> >
> > 55 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x6300004B
> > Discarding IKE SA negotiation (I_Cookie=4A3797BB0E9DACC7 R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
> >
> > 56 21:27:30.453 07/03/06 Sev=Info/4 CM/0x63100012
> > Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
> >
> > 57 21:27:30.453 07/03/06 Sev=Info/5 CM/0x63100025
> > Initializing CVPNDrv
> >
> > 58 21:27:30.453 07/03/06 Sev=Info/4 IKE/0x63000001
> > IKE received signal to terminate VPN connection
> >
> > 59 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
> > Deleted all keys
> >
> > 60 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
> > Deleted all keys
> >
> > 61 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x63700014
> > Deleted all keys
> >
> > 62 21:27:30.468 07/03/06 Sev=Info/4 IPSEC/0x6370000A
> > IPSec driver successfully stopped
> >
> > --------------------------------------------------------------
> > Resumed log:
> >
> > 2 21:20:47.953 07/03/06 Sev=Warning/3 IKE/0xA3000029
> > No keys are available to decrypt the received ISAKMP payload
> >
> > Thank you all!
> > []'s
_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
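
Added example (not part of the thread and not Cisco tooling): a small Python parser for the VPN Client log format quoted above that reports at which stage of the negotiation the gateway's error notify arrived. The function names and stage labels are assumptions made for this illustration; the sample lines are copied from the log in the thread with the mail encoding removed.

```python
import re

# Excerpt of the client log quoted in the thread (entries 18, 46, 48, 50, 53).
SAMPLE_LOG = """\
> > 18 21:27:26.937 07/03/06 Sev=Info/4 CM/0x6310000E
> > Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
> > 46 21:27:27.109 07/03/06 Sev=Info/4 CM/0x63100019
> > Mode Config data received
> > 48 21:27:27.109 07/03/06 Sev=Info/4 IKE/0x63000013
> > SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to X.X.X.X
> > 50 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000014
> > RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from X.X.X.X
> > 53 21:27:27.312 07/03/06 Sev=Info/4 IKE/0x63000017
> > Marking IKE SA for deletion (I_Cookie=4A3797BB0E9DACC7 R_Cookie=67C4C5E4CD6CD6AD) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Entry header: sequence number, time, date, severity, component/event code.
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+\d\d/\d\d/\d\d\s+"
                    r"Sev=(\w+)/(\d)\s+(\w+)/0x[0-9A-Fa-f]+$")
EXCHANGE = re.compile(r"(SENDING >>>|RECEIVING <<<) ISAKMP OAK (\w+)")
NOTIFY = re.compile(r"NOTIFY:(\w+)")

def parse_entries(text):
    """Strip mail quote markers and group lines into one dict per log entry."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        m = HEADER.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "time": m.group(2),
                            "component": m.group(5), "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def locate_failure(entries):
    """Return (stage, notify, seq) for the first non-status notify received."""
    stage = "phase1"
    for e in entries:
        if "Established Phase 1 SA" in e["msg"]:
            stage = "phase1-done"
        ex = EXCHANGE.search(e["msg"])
        if ex and ex.group(1).startswith("SENDING") and ex.group(2) == "QM":
            stage = "phase2-quick-mode"   # client has sent its IPsec proposal
        n = NOTIFY.search(e["msg"])
        if ex and ex.group(1).startswith("RECEIVING") and n \
                and not n.group(1).startswith("STATUS_"):
            return stage, n.group(1), e["seq"]
    return stage, None, None

if __name__ == "__main__":
    print(locate_failure(parse_entries(SAMPLE_LOG)))
```

On this log the notify arrives after Phase 1 is established and the Quick Mode proposal has been sent, so the settings to compare are the gateway's Phase 2 (IPsec) proposal settings rather than the Phase 1 ISAKMP policy.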