Hi Afaq

Thanks for your reply, between the VPN client and the pix, there is only a pat router, which are sitting on the same segment with the pix. so, udp4500 should be open.

The other thing is, if i use client 3.6.3, it seems like i'm running into that AES bug, when i look at the log, it just keep saying "atts not acceptable". Anyway, i can still connect, but none of the traffic able to pass through it.

All i can see is encrypt packet at client side, no decrypt at all over PIX side.

any idea?

look forward for your reply.

NAT-T is disabled by default in 6.3 code. To enable it, use the command:

> isakmp nat-traversal

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#1057446 for further details.

Thank you so much for your reply.

I just finished test it with my PIX, it runs perfectly, I really appreciate your help.

If you don't mind, can i just ask one more question, same issue, but on Router instead of PIX.

Does a router needs the same command inorder for this NAT-T to work? i have look for it, but can't find anything close. And this router is running IOS ver 12.2(13)T. Which should work according cisco documentation. I have already set this up and test, but not any luck with the connection. Any clue?

NAT-T was supposedly implemented in 12.2(13)T, can't say I've tested it specifically, but I haven't heard that it doesn't work either :-)

Here's the command reference, doesn't seem to be anything you need to do:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm

The NAT keepalive command is probably needed, since most other devices will send them by default I believe.

I am having the same problem. I have isakmp nat-traversal in the configuration and it still does not work for me.

Any help would be appreciated.

-Paul