VPN Client not connected error

Unanswered Question

I set up a Cisco PIX 515 in my lab to test IPSec VPN. The PIX is behind a Linksys WRTP54G router and UDP port 500 is open. I can establish the VPN in the LAN, but I get a "not connected" error if I test it from a remote office that is behind another PIX 515E. I am not sure whether the problem is the Linksys router or the PIX in the office. Any suggestions?


The lab PIX configuration can be found here: http://www.howtonetworking.com/cisco/pixvpnsample.htm





Vikas Saxena Sun, 05/28/2006 - 23:13
User Badges:
  • Cisco Employee,

Hello,


I hope you will not mind if I tell you something about the Client logs.

From line 1 to 5 this is the initial connection to find the peer and establish a connection for further phase 1 negotiations.

From line 6 to 8 is internal processing of the VPN Client.

Line 9 is confirmation from the peer (gateway) that it received the packet and is ready for further negotiations. (Since we are the initiator, the peer will never propose; we have to propose the policies.)


From 10 to ... negotiation of the packets (Phase 1 policies).

Some things of interest:

DPD = Dead Peer Detection. To find out if the peer (any) is alive or not (something like keepalives).

xauth = extended authentication (the peer is telling us that it can support xauth, e.g. RADIUS, AD or LDAP).

Line 14 is telling you that it also has something which it did not understand and will ignore. (The IPSec RFC permits a peer to send what it is capable of, and the other peer can accept or reject it.)


Line 15 is very important as it tells you that the peer supports NAT Traversal (encapsulation of the IPSec packet in UDP on port 4500).

Line 16: Now I know whom I am talking to.

Line 17: Confirmation that the initial contact succeeded.

Line 19 is very important because this is the problem:

19 09:58:40.997 05/26/06 Sev=Info/4 IKE/0x63000083

IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194


Convert 0x1194 to decimal. It is 4500 (not 500). Why?

Line 20 tells you the reason:

Automatic NAT Detection Status:

Remote end IS behind a NAT device

This end IS behind a NAT device

It says that the peers are behind a NAT device. Somewhere in between, a NAT-D packet was sent automatically by the peers (because you have the isa nat-trav 20 command in the PIX). The NAT-D packet is nothing but the hashed IP address of the peer. If the peer is behind a NAT device the hash will break, which means the device is behind a NAT; otherwise it is not.

So, in short, the problem is that you need to open up UDP/500 as well as UDP/4500 in the device in front of the PIX so that phase 2 can complete.

As soon as the peers find out that they are behind a NAT device they start encapsulating the IPSec packets, both negotiation and traffic, in UDP (the source port is a random high-numbered port and the destination will be 4500; the negotiation phase will use both source and destination port 4500).


Let me know if you are interested in other highlighted elements in the logs.


Vikas
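As an added example that is not part of this thread, the following Python script applies the diagnosis in the reply above to a constructed log sample modelled on the quoted lines: it converts the hex IKE port, reads the NAT detection status, lists the UDP ports the device in front of the PIX must permit, and shows why a NAT-D hash "breaks" when an address is translated in the path. The NAT-D construction follows RFC 3947 (HASH over cookies, address and port, with SHA-1 assumed); the cookies, addresses and log text are constructed.

```python
import hashlib
import ipaddress
import re
import struct

# Constructed sample log, modelled on the Cisco VPN Client lines quoted in the reply above.
SAMPLE_LOG = """\
19 09:58:40.997 05/26/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end IS behind a NAT device
"""

PORT_RE = re.compile(r"Local Port = (0x[0-9a-fA-F]+), Remote Port = (0x[0-9a-fA-F]+)")
NAT_RE = re.compile(r"^(Remote end|This end) (IS|is NOT) behind a NAT device", re.M)


def analyze_ike_log(text):
    """Decode the hex IKE ports, read the NAT detection status and list the UDP
    ports the device in front of the gateway must permit."""
    m = PORT_RE.search(text)
    local, remote = (int(m.group(1), 16), int(m.group(2), 16)) if m else (500, 500)
    nat = {side: state == "IS" for side, state in NAT_RE.findall(text)}
    # UDP/500 carries the first IKE messages; after NAT-T is agreed the peers
    # float to UDP/4500 for the rest of phase 1, phase 2 and the ESP data.
    ports = [500, 4500] if (any(nat.values()) or remote == 4500) else [500]
    return {"local_port": local, "remote_port": remote, "nat": nat, "udp_ports": ports}


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload per RFC 3947: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def address_was_translated(cky_i, cky_r, received_hash, seen_ip, seen_port):
    """Recompute NAT-D over the address/port actually seen on the wire. A mismatch
    is how a peer learns that the other side sits behind a NAT device."""
    return nat_d_hash(cky_i, cky_r, seen_ip, seen_port) != received_hash


if __name__ == "__main__":
    print(analyze_ike_log(SAMPLE_LOG))
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8            # constructed ISAKMP cookies
    h = nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)  # computed over the private address
    print(address_was_translated(cky_i, cky_r, h, "203.0.113.5", 500))  # NAT in the path
```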


