06-07-2007 05:39 AM
Hi there,
I am having some difficulties configuring two things:
1. After a couple of hours struggling to create a tunnel (lan to lan) I finally got it to work. When I try to do the same for remote users using the Cisco vpn client I only get an error 412: the remote peer is no longer responding.
Client log:
Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 15:30:11.745 06/07/07 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 15:30:14.116 06/07/07 Sev=Info/4 CM/0x63100002
Begin connection process
3 15:30:14.120 06/07/07 Sev=Info/4 CM/0x63100004
Establish secure connection
4 15:30:14.122 06/07/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "82.94.31.134"
5 15:30:14.128 06/07/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 82.94.31.134.
6 15:30:14.144 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 82.94.31.134
7 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
11 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
12 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
13 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
14 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
15 15:30:34.565 06/07/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
16 15:30:35.077 06/07/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 15:30:35.078 06/07/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"
18 15:30:35.078 06/07/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
19 15:30:35.120 06/07/07 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
20 15:30:35.121 06/07/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
21 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
22 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
23 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
24 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Attached is the config file from the Pix 515e.
2. I need to access RDP with port redirection. So when I access 82.x.x.x:4000 it would translate to 192.168.1.50:3389. So far I'm not able to get this to work.
Any help would be greatly appreciated.
Regards,
Jeroen
06-07-2007 10:45 AM
Does this do the trick?
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
06-07-2007 06:23 AM
#1. Start by changing your vpn client pool to a different subnet, it should not be the same as your inside subnet.
ip local pool vpnclient 192.168.5.150-192.168.5.200
access-list 222 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
#2. If 82.x.x.x is your outside interface address then...
static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 82.x.x.x eq 4000
If it is another address then...
static (inside,outside) tcp 82.x.x.x 4000 192.168.1.50 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 82.x.x.x eq 4000
06-07-2007 06:36 AM
Thank you for the reply. I gave the commands as you told me, but still I cannot reach the terminal server on the other side. I know the terminal server is responding because I can access it across the working VPN tunnel.
Do you know why I have to enter a pre-shared key when I run the VPN wizard (client access) from ASDM when I cannot set one up in the Cisco client?
My config file:
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
access-list Internet_nat0_inbound extended permit ip any 192.168.0.0 255.255.255.0
access-list Internet_cryptomap_20 extended permit ip any 192.168.0.0 255.255.255.0
access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.39.5.0 255.255.255.0
access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 222 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 222 extended permit ip any 192.168.1.128 255.255.255.128
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.128 255.255.255.128
access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000
pager lines 24
logging trap emergencies
logging asdm informational
logging class auth trap emergencies
mtu outside 1500
mtu inside 1500
ip local pool VPNclientpool 192.168.1.175-192.168.1.225 mask 255.255.255.0
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 2 192.168.1.50
nat (outside) 0 access-list Internet_nat0_inbound outside
nat (inside) 0 access-list 222
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255
static (inside,outside) tcp 82.94.31.134 4000 192.168.1.50 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 82.94.31.129 1
06-07-2007 06:51 AM
"Do you know why I have to enter a pre-shared key when I run the VPN wizard (client access) from ASDM when I cannot set one up in the Cisco client?"
-Sure you can, under group authentication, you need the group name and password (password = pre-shared key)
"I gave the commands as you told me, but still I cannot reach the terminal server on the other side"
no static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255
no static (inside,outside) tcp 82.94.31.134 4000 192.168.1.50 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255
06-07-2007 07:12 AM
1: Oops, that's a dumb mistake. I keep getting the same error connecting though, even after changing the VPN client pool to 192.168.5.x.
I have done a reset to factory defaults so I could not get errors from earlier mistakes. Still I cannot access the terminal server on port 4000 from another location.
My config file as for now:
asdm image flash:/asdm-501.bin
asdm history enable
: Saved
:
PIX Version 7.0(1)
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 82.94.x.x.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
enable password xxx
passwd xxx
hostname sabrapix
domain-name asp.local
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
access-list VPNclient_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool clientpool 192.168.5.10-192.168.5.200 mask 255.255.255.0
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 82.94.31.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPNclient internal
group-policy VPNclient attributes
dns-server value 194.109.6.66 194.109.9.99
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNclient_splitTunnelAcl
username sabra password 9zpQIMMxEQ2QXgFd encrypted privilege 15
username jeroen password Q.HHDJ8rYk7zK0/K encrypted privilege 0
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host outside 192.168.1.50 community public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.250 inside
dhcpd dns 194.109.6.66 194.109.9.99
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
tunnel-group VPNclient type ipsec-ra
tunnel-group VPNclient general-attributes
address-pool clientpool
default-group-policy VPNclient
tunnel-group VPNclient ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
06-07-2007 07:19 AM
"Still I cannot access the terminal server on port 4000 from another location."
-Your ACL is not applied.
access-group outside_access_in in interface outside
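As an added illustration (not code from the thread or from Cisco), here is a small Python linter for the three PIX config mistakes the replies corrected: the client pool overlapping the inside subnet, the outside ACL never applied with access-group, and a static whose global port no ACL permits. It runs over constructed excerpts of the poster's config before and after the fixes; the function name lint_pix is hypothetical.

```python
import ipaddress

# Constructed excerpts of config lines quoted in the thread: as first posted (BEFORE) and after the replies' fixes (AFTER).
PIX_BEFORE = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000
ip local pool VPNclientpool 192.168.1.175-192.168.1.225 mask 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255
static (inside,outside) tcp 82.94.31.134 4000 192.168.1.50 3389 netmask 255.255.255.255
"""
PIX_AFTER = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000
access-group outside_access_in in interface outside
ip local pool clientpool 192.168.5.10-192.168.5.200 mask 255.255.255.0
static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255
"""

def lint_pix(config):
    """Report the three misconfigurations the thread hit: pool overlap, unapplied ACL, static not permitted."""
    inside_net = pool = None
    in_inside = False
    acl_ports, applied, statics = {}, set(), []
    for t in (line.split() for line in config.splitlines()):
        if not t:
            continue
        if t[0] == "nameif":                       # which interface block we are in
            in_inside = t[1] == "inside"
        elif t[:2] == ["ip", "address"] and in_inside:
            inside_net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:     # first-last of the client pool
            pool = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[0] == "access-list" and "eq" in t:  # tcp ports an ACL permits
            acl_ports.setdefault(t[1], set()).add(int(t[t.index("eq") + 1]))
        elif t[0] == "access-group":
            applied.add(t[1])
        elif t[0] == "static" and t[2] == "tcp":   # (global port, local host, local port)
            statics.append((int(t[4]), t[5], int(t[6])))
    findings = []
    if inside_net and pool and any(a in inside_net for a in pool):
        findings.append("vpn pool overlaps the inside subnet")
    findings += [f"acl {n} is never applied with access-group" for n in acl_ports if n not in applied]
    permitted = set().union(*acl_ports.values())
    findings += [f"static exposes tcp/{g} -> {h}:{l} but no acl permits tcp/{g}"
                 for g, h, l in statics if g not in permitted]
    return findings
```

Running it over PIX_BEFORE reports all three problems; over PIX_AFTER it reports none.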
06-07-2007 07:25 AM
Great, that solved my redirect problem! Great!
VPN client software is still not responding though.
Client log is different:
16 17:23:17.952 06/07/07 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
17 17:23:17.952 06/07/07 Sev=Info/4 IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
18 17:23:17.952 06/07/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
19 17:23:23.017 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
20 17:23:23.017 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
21 17:23:23.043 06/07/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 82.94.31.134
22 17:23:23.043 06/07/07 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
23 17:23:23.046 06/07/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 82.94.31.134
24 17:23:23.046 06/07/07 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
25 17:23:28.018 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
26 17:23:28.018 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
27 17:23:28.043 06/07/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 82.94.31.134
28 17:23:28.043 06/07/07 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
29 17:23:28.046 06/07/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 82.94.31.134
30 17:23:28.046 06/07/07 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
31 17:23:33.024 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
32 17:23:33.024 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
33 17:23:33.072 06/07/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 82.94.31.134
34 17:23:33.072 06/07/07 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
35 17:23:33.075 06/07/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 82.94.31.134
36 17:23:33.075 06/07/07 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
37 17:23:38.038 06/07/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=D862884C20A335FF R_Cookie=55083D7233A62738) reason = DEL_REASON_PEER_NOT_RESPONDING
38 17:23:39.035 06/07/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=D862884C20A335FF R_Cookie=55083D7233A62738) reason = DEL_REASON_PEER_NOT_RESPONDING
39 17:23:39.035 06/07/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"
40 17:23:39.035 06/07/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
41 17:23:39.040 06/07/07 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
42 17:23:39.040 06/07/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
43 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
44 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
45 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
46 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
06-07-2007 07:28 AM
Can you log on the pix? Are you getting prompted for username/password?
06-07-2007 07:35 AM
I don't have an ASA, I have a Pix 515E. I thought I did not need an ASA to use the VPN client?
I don't get a message prompting me for a username and password. I just get the message: Reason 412: the remote peer is no longer responding.
(edit: you changed it already... I was getting worried there :))
06-07-2007 07:43 AM
Ya, my mistake. So can you log on to the pix?
debug crypto isakmp
06-07-2007 07:49 AM
I can exec the command but it gave no output, just the prompt again.
06-07-2007 07:54 AM
Are you on console or telnet/ssh? Try this then try the client, you should receive isakmp debugging info.
logging monitor debugging
or
logging console debugging
06-07-2007 08:05 AM
Thanks for your patience.
I entered the commands successfully, but the debugging command still gives no output.
Not in HyperTerminal and not through telnet.
Does this mean there is no communication going from here to the pix? I'll try again at home in a couple of minutes.
Thanks again.
06-07-2007 08:07 AM
"Does this mean there is no communication going from here to the pix?"
That's what it sounds like. You are coming from the outside of pix right?
06-07-2007 09:04 AM
Yes, I'm connecting from another place, and using the same IP address to connect to. Now I tried it from another connection with different hardware, but still I get no debugging information.
I should mention that I am using Vista to connect, but I am using version 5 to connect, which should be compatible. Also I disabled the firewall. Everything else seems to be working just fine.
When i tried again it gave me this:
sabrapix(config)# Jun 07 17:04:48 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!
Jun 07 17:04:54 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!
Jun 07 17:04:59 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!
Jun 07 17:05:04 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!