Cisco Support Community
Community Member

ios vpn, vpn client IKE problem

Hi,

I am trying to set up a VPN connection between a 1812 router and a software VPN client, but although the IKE atts are accepted, the router disconnects the client.

"debug crypto isakmp" results:

...

002458: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy

002459: *Jan 6 22:04:55.751 UTC: ISAKMP: encryption DES-CBC

002460: *Jan 6 22:04:55.751 UTC: ISAKMP: hash MD5

002461: *Jan 6 22:04:55.751 UTC: ISAKMP: default group 2

002462: *Jan 6 22:04:55.751 UTC: ISAKMP: auth XAUTHInitPreShared

002463: *Jan 6 22:04:55.751 UTC: ISAKMP: life type in seconds

002464: *Jan 6 22:04:55.751 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

002465: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3

002466: *Jan 6 22:04:55.751 UTC: ISAKMP:(0): processing KE payload. message ID = 0

002467: *Jan 6 22:04:55.755 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0

002468: *Jan 6 22:04:55.755 UTC: ISAKMP:(0): vendor ID is NAT-T v2

002469: *Jan 6 22:04:55.755 UTC: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY

002470: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

002471: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY

....

Client Logs:

...

Attempting to establish a connection with xx.xx.xx.xx

206 23:19:41.890 01/06/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.xx.xx

207 23:19:41.890 01/06/07 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

8 23:19:41.890 01/06/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

209 23:19:47.234 01/06/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

210 23:19:47.234 01/06/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to xx.xx.xx.xx

215 23:20:02.234 01/06/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=9C90B0C5922BD327 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

217 23:20:02.734 01/06/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "xx.xx.xx.xx" because of "DEL_REASON_PEER_NOT_RESPONDING"

...

"sh crypto isakmp sa"

STATE=AG_NO_STATE status ACTIVE

ISR IOS = Version 12.4(6)T3

vpn client version= I tried with different versions of 4.8 and 4.0 clients

Any help would be appreciated.

Thanks,

Oszkar
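An added example, not part of the original post and not Cisco tooling: a small Python parser for the `debug crypto isakmp` lines quoted above, which pulls out the transform the router accepted, decodes the VPI lifetime bytes, and reports whether the Phase 1 state machine moved. The names `summarize`, `MSG` and `WEAK` are hypothetical, and the `WEAK` set is an assumption added here to flag deprecated algorithms.

```python
import re

# Router debug lines taken from the post above (subset).
SAMPLE = """\
002458: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy
002459: *Jan 6 22:04:55.751 UTC: ISAKMP: encryption DES-CBC
002460: *Jan 6 22:04:55.751 UTC: ISAKMP: hash MD5
002461: *Jan 6 22:04:55.751 UTC: ISAKMP: default group 2
002462: *Jan 6 22:04:55.751 UTC: ISAKMP: auth XAUTHInitPreShared
002463: *Jan 6 22:04:55.751 UTC: ISAKMP: life type in seconds
002464: *Jan 6 22:04:55.751 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
002465: *Jan 6 22:04:55.751 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
002469: *Jan 6 22:04:55.755 UTC: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
002471: *Jan 6 22:04:55.755 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
"""

# Strip the sequence number, timestamp and "ISAKMP:(n):" style prefix.
MSG = re.compile(r"ISAKMP\s*(?:\(\d+:\d+\))?:(?:\(\d+\):)?\s*(.*)$")
WEAK = {"DES-CBC", "MD5"}  # assumption: values to flag as deprecated

def summarize(log):
    out = {"transform": None, "policy": None, "attrs": {}, "accepted": False,
           "unknown_input": False, "state_advanced": None}
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if t := re.match(r"Checking ISAKMP transform (\d+) against priority (\d+)", msg):
            # A new transform is being compared: start a fresh attribute set.
            out["transform"], out["policy"] = int(t[1]), int(t[2])
            out["attrs"], out["accepted"] = {}, False
        elif a := re.match(r"(encryption|hash|default group|auth) (\S+)", msg):
            out["attrs"][a[1]] = a[2]
        elif msg.startswith("life duration (VPI) of"):
            # The VPI value is printed as big-endian octets.
            octets = bytes(int(b, 16) for b in re.findall(r"0x[0-9A-Fa-f]+", msg))
            out["attrs"]["lifetime_s"] = int.from_bytes(octets, "big")
        elif msg.startswith("atts are acceptable"):
            out["accepted"] = True
        elif msg.startswith("Unknown Input"):
            out["unknown_input"] = True
        elif s := re.match(r"Old State = (\S+)\s+New State = (\S+)", msg):
            out["state_advanced"] = s[1] != s[2]
    out["weak"] = sorted(v for v in out["attrs"].values() if v in WEAK)
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the quoted lines this reports transform 13 accepted against priority 3 with a lifetime of 2147483 seconds, followed by an unknown-input event and a state that stays at IKE_READY.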

3 REPLIES

Re: ios vpn, vpn client IKE problem

The IKE is done on UDP 500; you will then try NAT-T, that is UDP 4500. Make sure you have this port open.

Please rate if this helped.

Regards,

Daniel

Community Member

Re: ios vpn, vpn client IKE problem

Hi Daniel,

No UDP ports are filtered, either on the router or on the client side.

Any hint?

Regards,

Oszkar

Re: ios vpn, vpn client IKE problem

Hi Oszkar,

Can you check http://cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bdf.pdf

Also some useful links on:

http://cisco.com/en/US/products/ps6659/products_ios_protocol_option_home.html

Studying the configuration there you might find what is wrong in your config.

Please rate if this helped.

Regards,

Daniel
