I have a lot of editing to do before I post my PIX config here - I will post an edited version when I get a chance - but I wanted to post the debug as quick as I could. I did take the configuration from the article, which I listed in the original post. I'm using group 2 on the isakmp. It makes a connection but I can't transfer any data between my laptop and the network via VPN. My PIX already does PIX to PIX VPN with a vendor that had a consultant help set it up so I am working around that one. That one is using group 1isakmp policy.

The article shows in bold "atts are acceptable" at one point. I never see that in the following debug.

My debug listing is as follows:

pixfirewall(config)#

crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34

OAK_AG exchange

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACT

ISAKMP (0): SA has been authenticated

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 66.42.71.241. message ID = 0

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

ISAKMP: attribute IP4_ADDRESS (1)

ISAKMP: attribute IP4_NETMASK (2)

ISAKMP: attribute IP4_DNS (3)

ISAKMP: attribute IP4_NBNS (4)

ISAKMP: attribute ADDRESS_EXPIRY (5)

Unsupported Attr: 5

ISAKMP: attribute APPLICATION_VERSION (7)

Unsupported Attr: 7

ISAKMP: attribute UNKNOWN (28672)

Unsupported Attr: 28672

ISAKMP: attribute UNKNOWN (28673)

Unsupported Attr: 28673

ISAKMP: attribute UNKNOWN (28674)

ISAKMP: attribute UNKNOWN (28676)

ISAKMP: attribute UNKNOWN (28675)

Unsupported Attr: 28675

ISAKMP: attribute UNKNOWN (28679)

Unsupported Attr: 28679

ISAKMP: attribute UNKNOWN (28680)

Unsupported Attr: 28680

ISAKMP: attribute UNKNOWN (28681)

Unsupported Attr: 28681

ISAKMP: attribute UNKNOWN (28682)

Unsupported Attr: 28682

ISAKMP: attribute UNKNOWN (28677)

Unsupported Attr: 28677

ISAKMP: attribute UNKNOWN (28678)

Unsupported Attr: 28678

ISAKMP (0:0): responding to peer config from 66.42.71.241. ID = 1141969392

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1251100752

ISAKMP : Checking IPSec proposal 1

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: key length is 256

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (1)

ISAKMP : Checking IPSec proposal 2

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: key length is 256

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (2)

ISAKMP : Checking IPSec proposal 3

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: key length is 128

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (3)

ISAKMP : Checking IPSec proposal 4

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: key length is 128

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (4)

ISAKMP : Checking IPSec proposal 5

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: key length is 256

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 6

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: key length is 256

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 7

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: key length is 128

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 8

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: key length is 128

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 9

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (9)

ISAKMP : Checking IPSec proposal 10

crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3388384967

ISAKMP : Checking IPSec proposal 1

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: key length is 256

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (1)

ISAKMP : Checking IPSec proposal 2

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: key length is 256

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (2)

ISAKMP : Checking IPSec proposal 3

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: key length is 128

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (3)

ISAKMP : Checking IPSec proposal 4

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: key length is 128

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (4)

ISAKMP : Checking IPSec proposal 5

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: key length is 256

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 6

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: key length is 256

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 7

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: key length is 128

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 8

ISAKMP: unknown ESP transform!

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: key length is 128

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 9

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (9)

ISAKMP : Checking IPSec proposal 10

crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 66.42.71.241 to 206.155.96.34 (proxy 10.1.2.

1 to 206.155.96.34)

has spi 97776760 and conn_id 15 and flags 4

lifetime of 2147483 seconds

outbound SA from 206.155.96.34 to 66.42.71.241 (proxy 204.155.47.

34 to 10.1.2.1)

has spi 4086616109 and conn_id 16 and flags 4

lifetime of 2147483 seconds

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 66.42.71.241 to 206.155.96.34 (proxy 10.1.2.

1 to 0.0.0.0)

has spi 1792043488 and conn_id 13 and flags 4

lifetime of 2147483 seconds

outbound SA from 206.155.96.34 to 66.42.71.241 (proxy 0.0.0

.0 to 10.1.2.1)

has spi 559308994 and conn_id 14 and flags 4

lifetime of 2147483 seconds

return status is IKMP_NO_ERROR

pixfirewall(config)#

pixfirewall(config)#

Hi,

I did see you mentioning that you are able to connect but not able to pass traffic.

1. How is the client connected to the internet. If the client is sitting behind a PAT device, then you wont be able to send any data eventhough you make a connection.

2. VPN Client to Pix uses UDP Port 500 and Protocol 50 (ESP). Since ESP is a protocol, this will not work if the client is sitting behind a PAT device and this is true only if you terminate the VPN connection on a Pix.

3. If you were to terminate the tunnel on a VPN3000, then you can use the feature IPSec Over UDP or TCP, which will overcome the PAT and ESP Issue.

4. What is the ip address that you are trying to ping, make sure that you are not pinging the inside ip address of the Pix through the tunnel.

5. Once your tunnel is up and you try sending some traffic through the tunnel , what do you see under the client session, does the counter under the packets encrypted increases or not.

6. If it increases, then what do you see on the Pix, do you see decrypts.

7. If you see decrypts, do you also see encrypts for that SA.

8. If you were behind a PAT device while doing the testing, is it possible to use a dial up connection and do the testing.

Regards,

Arul

Thanks for your reply.

I did have UDP port 500 blocked and opened it up on the PIX. I am now getting "atts are acceptable" message. I have not been able to pass any information between the client and the network though.

When I PING from the PIX, the packets decrypted on the client increase by 3.

When I PING from the client, the packets encrypted increase by 4 and the following is displayed on the PIX:

crypto_isakmp_process_block: src 66.42.71.21, dest xxx.155.xxx.xxx

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 528152713

ISAMKP (0): received DPD_R_U_THERE from peer 66.42.71.21

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 66.42.71.21, dest xxx.155.xxx.xxx

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 1700279068

ISAMKP (0): received DPD_R_U_THERE from peer 66.42.71.21

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

Neither PING get a response. I have enabled ICMP on the PIX temporarily to test. I am trying to PING a server on the inside of the PIX and I get no response.

We do not have a DNS Server so that statement on the PIX for the VPNGROUP has been left out.

The Client is a laptop with Cisco VPN Client loaded. I am connected to my personnal ISP with no communications restricted on that side. On my work side I have a Cisco 2600 router followed by a PIX 520 running ver6.0(1) IOS.

The client connects to the PIX, but I am unable to connect to servers on the inside.

I have added the following statements to the PIX (looking at number 2 item you address above).

conduit permit udp any range 500 500 any

conduit permit esp any any

I'm new to the VPN world and am thankful for your help and time.

Thank you.

Brian

Hi Brian,

Thanks for the update!!

1. If you are connecting using your ISP and not going through a PAT device, then you client should be good.

2. Once the client is connected, try to ping an ip address on the internal network other than the inside ip address of the Pix. If you see encrypts on the client, do a sh crypto ipsec sa and look for decrypts on the Pix.

3. If you see decryts and no encrypts, then looks like the Pix is not sending the packets back to the Client.

4. Make sure that you have NAT 0 command to bypass NAT for the ipsec traffic.

5. And make sure that the ip address that you are trying to ping knows that it has to send the traffic back to the Pix for the remote clients.

Let me know how the testing goes.

Regards,

Arul

I did a ping from the client to an inside address and this is the results of the sh crypto ipsec sa command - no encrypts.

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)

current_peer: 66.42.71.254

dynamic allocated peer ip: 10.1.2.1

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 204.155.47.34, remote crypto endpt.: 66.42.71.254

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: b8fd9273

inbound esp sas:

spi: 0x2049d1c9(541708745)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: customer

sa timing: remaining key lifetime (k/sec): (4607998/28070)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xb8fd9273(3103625843)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: customer

sa timing: remaining key lifetime (k/sec): (4608000/28061)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Here is the nats I have on the PIX:

nat (inside) 0 access-list bypass_nat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (wwwdmz) 0 0.0.0.0 0.0.0.0 0 0

nat (otherdmz) 0 0.0.0.0 0.0.0.0 0 0

Here are the pertinent route statements:

route outside 0.0.0.0 0.0.0.0 xxx.155.xx.xx 1 (PIX outside address)

route inside xxx.155.xx.0 255.255.255.0 xxx.155.xx.xxx 1 (one of the valid C class networks to router in PIX network)

I am using 10.1.2.0 network for my vpn pool of addresses.

It appears then that the client is talking correctly with the PIX but the inside network can't get back to the client?

Brian

Hi Brian,

You are right, looks like the Pix is not sending the packets back to the client.

1. Try to ping the ip address from the pix and make sure that it is alive.

2. And also your access-list bypass_nat should be something like:

access-list bypass_nat permit ip xxx.155.xx.0 255.255.255.0 10.1.2.0 255.255.255.0

3. Like I mentioned to you earlier, make sure that your internal routes know that it has send the packets back to the Pix for the clients 10.1.2.0

4. Make sure that you do not have any other lan to lan tunnels that includes that 10.1.2.0 subnet.

5. And also do a clear xlate and then do the testing.

Regards,

Arul

Hi Arul,

Our network has 16 valid Class "C" networks. We also have our cisco hardware on a private network (192...). I created an arbitrary pool (10.1.2.0) and my network knows nothing of it - only the pix. From my MSFC i did a trace ip on 10.1.2.1 (my laptop vpn connected) and I finally get encrypts (see below) but no replys.

The network has the following statement in it that I thought would send all ip's unknown to the network out to my PIX:

ip route 0.0.0.0 0.0.0.0 xxx.155.xx.xx (my inside ip to the PIX)

Having been a while since I have configured the Cisco network, do I need to create a static route for the 10.1.2.0 network to my inside IP of the PIX? What would the statements be?

I will probably not be working on this until after the new year. I appreciate your help to this point. If you want details of my configs, please contact me @ bkootstra@ci.visalia.ca.us - Don't want to post it out on the web.

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)

current_peer: 66.42.71.27

dynamic allocated peer ip: 10.1.2.1

PERMIT, flags={}

#pkts encaps: 45, #pkts encrypt: 45, #pkts digest 45

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: xxx.155.xx.xx, remote crypto endpt.: 66.42.71.27

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 54660594

inbound esp sas:

spi: 0x84abe32e(2225857326)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 15, crypto map: customer

sa timing: remaining key lifetime (k/sec): (4607999/28022)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x54660594(1415972244)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 16, crypto map: customer

sa timing: remaining key lifetime (k/sec): (4607998/28022)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Hi,

just wondering whether you have the outcome...i am encountering this problem ?? should I use VPN Client 3.0 I am using VP Client 3.6

thanks

I never got it to work. Had some big projects that took precedence and gave up on it. I will get back to VPN, but we will be using different equipment to allow VPN at that time.

Sorry.

Brian

ok

thanks

-santo-