Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Trouble accessing VPN using vpn client 3.0.3

Hello everyone,

I am using Windows XP professional,and modified local security policy using MMC,I forgot where I modified,and having trouble accessing VPN using CISCO system VPN client,below is the VPN client log when I try to access our VPN server,now I want to reset local security policy ,is it possible,if so,how to?

BTW,if anyone here is familiar with CISCO VPN client,could you tell me where can I modify local security policy to make client work?

Thanks

Victor

Here is the CISCO VPN client log:

1 20:27:14.479 04/17/03 Sev=Info/6 DIALER/0x63300002

Initiating connection.

2 20:27:14.479 04/17/03 Sev=Info/4 CM/0x63100002

Begin connection process

3 20:27:14.629 04/17/03 Sev=Info/4 CM/0x63100003

Establish secure connection using dialup services

4 20:27:14.829 04/17/03 Sev=Info/4 PPP/0x63200015

Establish connection with client application

5 20:27:14.869 04/17/03 Sev=Info/4 PPP/0x6320001B

Processing dial command. Dialing "DUN:95700"

6 20:27:14.979 04/17/03 Sev=Info/4 PPP/0x63200002

PPP session is already up

7 20:27:14.979 04/17/03 Sev=Info/4 PPP/0x63200017

Terminate connection with client application

8 20:27:14.999 04/17/03 Sev=Info/4 CM/0x6310000B

PPP session established

9 20:27:14.999 04/17/03 Sev=Info/4 CM/0x63100025

Attempt connection with server "210.176.234.186"

10 20:27:14.999 04/17/03 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 210.176.234.186.

11 20:27:15.060 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to 210.176.234.186

12 20:27:15.490 04/17/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

13 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

14 20:27:15.741 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, VID, VID, VID, VID) from 210.176.234.186

15 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100

16 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer

17 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = 09002689DFD6B712

18 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100

19 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000001

Peer supports DPD

20 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000

21 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = 1F07F70EAA6514D3B0FA96542A500306

22 20:27:15.751 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) to 210.176.234.186

23 20:27:15.971 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

24 20:27:15.971 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.176.234.186

25 20:27:15.971 04/17/03 Sev=Info/4 CM/0x63100015

Launch xAuth application

26 20:27:20.608 04/17/03 Sev=Info/4 CM/0x63100016

xAuth application returned

27 20:27:20.608 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.176.234.186

28 20:27:21.038 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

29 20:27:21.038 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.176.234.186

30 20:27:21.038 04/17/03 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Phase 1 SA in the system

31 20:27:21.048 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.176.234.186

32 20:27:21.048 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.176.234.186

33 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

34 20:27:22.340 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.176.234.186

35 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 129.191.227.150

36 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK , value = 255.255.255.128

37 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 129.191.235.34

38 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 129.191.237.20

39 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 129.191.235.34

40 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_BANNER, value = Authorized Users Only

Welcome to Storagetek Private Network

Connected via Hongkong

41 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

42 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = stortek.com

43 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710

44 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

45 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc./VPN 3000 Concentrator Version 3.6.1.Rel built by vmurphy on Aug 29 2002 18:34:44

46 20:27:22.340 04/17/03 Sev=Info/4 CM/0x63100018

Mode Config data received

47 20:27:22.360 04/17/03 Sev=Info/5 IKE/0x63000055

Received a key request from Driver for IP address 210.176.234.186, GW IP = 210.176.234.186

48 20:27:22.360 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 210.176.234.186

49 20:27:22.360 04/17/03 Sev=Info/5 IKE/0x63000055

Received a key request from Driver for IP address 10.10.10.255, GW IP = 210.176.234.186

50 20:27:22.360 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 210.176.234.186

51 20:27:22.500 04/17/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

52 20:27:23.051 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

53 20:27:23.051 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO (NOTIFY:INVALID_COOKIE) from 210.176.234.186

54 20:27:23.051 04/17/03 Sev=Warning/3 IKE/0xA300004A

Received a NOTIFY message with an invalid protocol id (0)

55 20:27:23.051 04/17/03 Sev=Info/5 IKE/0x63000049

Discarding IPsec SA negotiation, message id = C8AFE4

56 20:27:23.051 04/17/03 Sev=Info/5 IKE/0x63000017

Marking IKE SA for deletion (COOKIES = D06AC14DF515DC57 9FF65A8802F89BE6) reason = DEL_REASON_IKE_NEG_FAILED

57 20:27:23.502 04/17/03 Sev=Info/4 IPSEC/0x63700012

Delete all keys associated with peer 210.176.234.186

58 20:27:23.502 04/17/03 Sev=Info/4 IPSEC/0x63700012

Delete all keys associated with peer 210.176.234.186

59 20:27:26.506 04/17/03 Sev=Info/4 CM/0x63100012

Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Phase 1 SA currently in the system

60 20:27:26.506 04/17/03 Sev=Info/5 CM/0x63100028

Initializing CVPNDrv

61 20:27:26.516 04/17/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

62 20:27:26.556 04/17/03 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_IKE_ESTABLISH_FAIL" (3h).

1 REPLY
Bronze

Re: Trouble accessing VPN using vpn client 3.0.3

Hi,

Cisco's vpn client is pre-configured with all the valid proposals for IKE phase I and II, so you dont have to tweak anything.

Just make that you are vpn server supports IKE phase II atts, as u can see:

54 20:27:23.051 04/17/03 Sev=Warning/3 IKE/0xA300004A

Received a NOTIFY message with an invalid protocol id (0)

seems like that your IPSec SA failed to negotiate.

if its a router or pix, check transformset for ipsec.

thx

Afaq

133
Views
0
Helpful
1
Replies
CreatePlease login to create content