Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
336
Views
2
Helpful
3
Replies

ios vpn, vpn client IKE problem

oszkari
Level 1
Level 1

‎01-06-2007 02:27 PM

Hi,

I try to set up a vpn connection between a 1812 router and software vpn client but despite the ike atts are accepted the router disconnects the client.

"debug crypto isakmp" results:

...

002458: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy

002459: *Jan 6 22:04:55.751 UTC: ISAKMP: encryption DES-CBC

002460: *Jan 6 22:04:55.751 UTC: ISAKMP: hash MD5

002461: *Jan 6 22:04:55.751 UTC: ISAKMP: default group 2

002462: *Jan 6 22:04:55.751 UTC: ISAKMP: auth XAUTHInitPreShared

002463: *Jan 6 22:04:55.751 UTC: ISAKMP: life type in seconds

002464: *Jan 6 22:04:55.751 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

002465: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3

002466: *Jan 6 22:04:55.751 UTC: ISAKMP:(0): processing KE payload. message ID = 0

002467: *Jan 6 22:04:55.755 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0

002468: *Jan 6 22:04:55.755 UTC: ISAKMP:(0): vendor ID is NAT-T v2

002469: *Jan 6 22:04:55.755 UTC: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY

002470: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

002471: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY

....

Client Logs:

...

Attempting to establish a connection with xx.xx.xx.xx

206 23:19:41.890 01/06/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.xx.xx

207 23:19:41.890 01/06/07 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

8 23:19:41.890 01/06/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

209 23:19:47.234 01/06/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

210 23:19:47.234 01/06/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to xx.xx.xx.xx

215 23:20:02.234 01/06/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=9C90B0C5922BD327 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

217 23:20:02.734 01/06/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "xx.xx.xx.xx" because of "DEL_REASON_PEER_NOT_RESPONDING"

...

"sh crypto isakmp sa"

STATE=AG_NO_STATE status ACTIVE

ISR IOS = Version 12.4(6)T3

vpn client version= I tried with different versions of 4.8 and 4.0 clients

Any help would be appreciated.

Thanks,

Oszkar

Labels:
0 Helpful
3 Replies 3

5220
Level 4
Level 4

‎01-07-2007 01:58 AM

The IKE is sone on UDP 500, you will try then NAT-T, that is UDP 4500. Make sure you have this port opened.

Please rate if this helped.

Regards,

Daniel

0 Helpful

oszkari
Level 1
Level 1
In response to 5220

‎01-07-2007 06:13 AM

Hi Daniel,

No UDP ports are filtered neither in the router nor in the client side.

Any hint?

Regards,

Oszkar

0 Helpful

5220
Level 4
Level 4
In response to oszkari

‎01-07-2007 09:37 AM

Hi Oszkar,

Can you check http://cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bdf.pdf

Also some useful links on:

http://cisco.com/en/US/products/ps6659/products_ios_protocol_option_home.html

Studying the configuration there you might find what is wrong in your config.

Please rate if this helped.

Regards,

Daniel

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents