01-06-2007 02:27 PM
Hi,
I try to set up a vpn connection between a 1812 router and software vpn client but despite the ike atts are accepted the router disconnects the client.
"debug crypto isakmp" results:
...
002458: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy
002459: *Jan 6 22:04:55.751 UTC: ISAKMP: encryption DES-CBC
002460: *Jan 6 22:04:55.751 UTC: ISAKMP: hash MD5
002461: *Jan 6 22:04:55.751 UTC: ISAKMP: default group 2
002462: *Jan 6 22:04:55.751 UTC: ISAKMP: auth XAUTHInitPreShared
002463: *Jan 6 22:04:55.751 UTC: ISAKMP: life type in seconds
002464: *Jan 6 22:04:55.751 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
002465: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
002466: *Jan 6 22:04:55.751 UTC: ISAKMP:(0): processing KE payload. message ID = 0
002467: *Jan 6 22:04:55.755 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
002468: *Jan 6 22:04:55.755 UTC: ISAKMP:(0): vendor ID is NAT-T v2
002469: *Jan 6 22:04:55.755 UTC: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
002470: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
002471: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
....
Client Logs:
...
Attempting to establish a connection with xx.xx.xx.xx
206 23:19:41.890 01/06/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.xx.xx
207 23:19:41.890 01/06/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 23:19:41.890 01/06/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
209 23:19:47.234 01/06/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
210 23:19:47.234 01/06/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xx.xx.xx.xx
215 23:20:02.234 01/06/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=9C90B0C5922BD327 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
217 23:20:02.734 01/06/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "xx.xx.xx.xx" because of "DEL_REASON_PEER_NOT_RESPONDING"
...
"sh crypto isakmp sa"
STATE=AG_NO_STATE status ACTIVE
ISR IOS = Version 12.4(6)T3
vpn client version= I tried with different versions of 4.8 and 4.0 clients
Any help would be appreciated.
Thanks,
Oszkar
01-07-2007 01:58 AM
The IKE is sone on UDP 500, you will try then NAT-T, that is UDP 4500. Make sure you have this port opened.
Please rate if this helped.
Regards,
Daniel
01-07-2007 06:13 AM
Hi Daniel,
No UDP ports are filtered neither in the router nor in the client side.
Any hint?
Regards,
Oszkar
01-07-2007 09:37 AM
Hi Oszkar,
Can you check http://cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bdf.pdf
Also some useful links on:
http://cisco.com/en/US/products/ps6659/products_ios_protocol_option_home.html
Studying the configuration there you might find what is wrong in your config.
Please rate if this helped.
Regards,
Daniel
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: