IOS VPN, VPN client IKE problem

Unanswered Question
Jan 6th, 2007

Hi,

I am trying to set up a VPN connection between a 1812 router and a software VPN client, but although the IKE atts are accepted, the router disconnects the client.


"debug crypto isakmp" results:

...

002458: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy

002459: *Jan 6 22:04:55.751 UTC: ISAKMP: encryption DES-CBC

002460: *Jan 6 22:04:55.751 UTC: ISAKMP: hash MD5

002461: *Jan 6 22:04:55.751 UTC: ISAKMP: default group 2

002462: *Jan 6 22:04:55.751 UTC: ISAKMP: auth XAUTHInitPreShared

002463: *Jan 6 22:04:55.751 UTC: ISAKMP: life type in seconds

002464: *Jan 6 22:04:55.751 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

002465: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3

002466: *Jan 6 22:04:55.751 UTC: ISAKMP:(0): processing KE payload. message ID = 0

002467: *Jan 6 22:04:55.755 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0

002468: *Jan 6 22:04:55.755 UTC: ISAKMP:(0): vendor ID is NAT-T v2

002469: *Jan 6 22:04:55.755 UTC: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY

002470: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

002471: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY

....


Client Logs:

...

Attempting to establish a connection with xx.xx.xx.xx

206 23:19:41.890 01/06/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.xx.xx

207 23:19:41.890 01/06/07 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

8 23:19:41.890 01/06/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

209 23:19:47.234 01/06/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!


210 23:19:47.234 01/06/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to xx.xx.xx.xx


215 23:20:02.234 01/06/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=9C90B0C5922BD327 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING



217 23:20:02.734 01/06/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "xx.xx.xx.xx" because of "DEL_REASON_PEER_NOT_RESPONDING"

...


"sh crypto isakmp sa"

STATE=AG_NO_STATE status ACTIVE


ISR IOS = Version 12.4(6)T3

VPN client version = I tried with different versions of the 4.8 and 4.0 clients


Any help would be appreciated.


Thanks,

Oszkar
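
A small triage parser for the router's "debug crypto isakmp" output quoted in the question above, as an added example that is not part of the original thread. It collects the transform the router accepted, decodes the VPI lifetime bytes, flags DES-CBC, MD5 and DH group 2 as weak by current standards, and records that the state machine stayed in IKE_READY. The function name and the WEAK table are assumptions of this example; the sample lines are copied from the post.

```python
import re

# Sample input: lines copied from the router debug output quoted in the post.
SAMPLE = """\
002458: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy
002459: *Jan 6 22:04:55.751 UTC: ISAKMP: encryption DES-CBC
002460: *Jan 6 22:04:55.751 UTC: ISAKMP: hash MD5
002461: *Jan 6 22:04:55.751 UTC: ISAKMP: default group 2
002462: *Jan 6 22:04:55.751 UTC: ISAKMP: auth XAUTHInitPreShared
002463: *Jan 6 22:04:55.751 UTC: ISAKMP: life type in seconds
002464: *Jan 6 22:04:55.751 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
002465: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
002469: *Jan 6 22:04:55.755 UTC: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
002471: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
"""

# Assumption of this example: values treated as weak (single DES, MD5, MODP groups 1 and 2).
WEAK = {"encryption": {"DES-CBC"}, "hash": {"MD5"}, "group": {"1", "2"}}
MSG = re.compile(r"ISAKMP[\s:]*(?:\([\d:]+\))?[\s:]*(.*)$")

def parse_isakmp_debug(text):
    """Return the last checked transform, weak-attribute findings and state notes."""
    transform, notes = {}, []
    for line in text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if (t := re.match(r"Checking ISAKMP transform (\d+) against priority (\d+)", msg)):
            transform = {"transform": int(t[1]), "policy": int(t[2])}
        elif (a := re.match(r"(encryption|hash|auth) (\S+)", msg)):
            transform[a[1]] = a[2]
        elif (g := re.match(r"default group (\d+)", msg)):
            transform["group"] = g[1]
        elif msg.startswith("life duration (VPI) of"):
            # The VPI value is a big-endian integer printed one byte at a time.
            octets = bytes(int(b, 16) for b in re.findall(r"0x[0-9A-Fa-f]+", msg))
            transform["lifetime_s"] = int.from_bytes(octets, "big")
        elif msg.startswith("atts are acceptable"):
            transform["accepted"] = True
        elif msg.startswith("Unknown Input"):
            notes.append(msg)
        elif (s := re.match(r"Old State = (\S+)\s+New State = (\S+)", msg)) and s[1] == s[2]:
            notes.append(f"no state transition: stayed in {s[1]}")
    weak = sorted(f"{k}={transform[k]}" for k in WEAK if transform.get(k) in WEAK[k])
    return transform, weak, notes
```

On the quoted lines this reports transform 13 accepted against policy 3 with a lifetime of 2147483 seconds, three weak attributes, and no state change after the aggressive-mode message.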

Daniel Voicu Sun, 01/07/2007 - 01:58

IKE is done on UDP 500; you will then try NAT-T, which is UDP 4500. Make sure you have this port open.


Please rate if this helped.


Regards,

Daniel

oszkari Sun, 01/07/2007 - 06:13

Hi Daniel,


No UDP ports are filtered, either on the router or on the client side.


Any hint?


Regards,

Oszkar

Daniel Voicu Sun, 01/07/2007 - 09:37

Hi Oszkar,


Can you check http://cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bdf.pdf ?


Also some useful links on:


http://cisco.com/en/US/products/ps6659/products_ios_protocol_option_home.html


Studying the configuration there you might find what is wrong in your config.


Please rate if this helped.


Regards,

Daniel
