06-07-2007 05:39 AM
Hi there,
I am having some difficulties configuring two things:
1. After a couple of hours struggling to create a tunnel (lan to lan) I finally got it to work. When I try to do the same for remote users using the Cisco vpn client I only get an error 412: the remote peer is no longer responding.
Client log:
Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 15:30:11.745 06/07/07 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 15:30:14.116 06/07/07 Sev=Info/4 CM/0x63100002
Begin connection process
3 15:30:14.120 06/07/07 Sev=Info/4 CM/0x63100004
Establish secure connection
4 15:30:14.122 06/07/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "82.94.31.134"
5 15:30:14.128 06/07/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 82.94.31.134.
6 15:30:14.144 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 82.94.31.134
7 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
11 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
12 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
13 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
14 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
15 15:30:34.565 06/07/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
16 15:30:35.077 06/07/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 15:30:35.078 06/07/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"
18 15:30:35.078 06/07/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
19 15:30:35.120 06/07/07 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
20 15:30:35.121 06/07/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
21 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
22 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
23 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
24 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Attached is the config file from the Pix 515e
2. I need to access RDP with port redirection. So when I access 82.x.x.x:4000 it would translate to 192.168.1.50:3389. So far I'm not able to get this to work.
Any help would be greatly appreciated.
Regards,
Jeroen
06-07-2007 09:10 AM
The group should be "VPNclient"
06-07-2007 09:19 AM
I noticed, I recreated the profile to check if that had any effect. It only gives me that output when I typed in a wrong group name. When I use the correct group name there is just no output.
At least the software is communicating with the pix :) but still nothing.
06-07-2007 09:24 AM
Try "debug crypto isakmp 7"
06-07-2007 09:30 AM
That gives me some information:
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing SA payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing ke payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing ISA_KE
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing nonce payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Processing ID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received xauth V6 VID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received DPD VID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received Fragmentation VID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received NAT-Traversal ver 02 VID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received Cisco Unity client VID
Jun 07 17:28:55 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!
Jun 07 17:28:55 [IKEv1 DEBUG]: Group = 86.82.7.191, IP = 86.82.7.191, IKE AM Responder FSM error history (struct &0x1bd62b8)
OR-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR
Jun 07 17:28:55 [IKEv1 DEBUG]: Group = 86.82.7.191, IP = 86.82.7.191, IKE SA AM:7c720620 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Jun 07 17:28:55 [IKEv1 DEBUG]: sending delete/delete with reason message
06-07-2007 09:39 AM
Your client is set up with the correct group name? Add this to the pix...
isakmp nat-traversal
06-07-2007 09:45 AM
I think we're getting somewhere. Now I get another response:
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, Connection landed on tunnel_group VPNclient
Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, processing IKE SA
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, All SA proposals found unacceptable
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, All IKE SA proposals found unacceptable!
Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, IKE AM Responder FSM error history (struct &0x183af38)
-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG
Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, IKE SA AM:b3981b4d terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Jun 07 17:43:35 [IKEv1 DEBUG]: sending delete/delete with reason message
Something in the security proposal
06-07-2007 10:01 AM
Mine looks like this...
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp policy 10
isakmp authentication pre-share
isakmp encryption 3des
isakmp hash md5
isakmp group 2
isakmp lifetime 86400
isakmp policy 30
isakmp authentication pre-share
isakmp encryption 3des
isakmp hash sha
isakmp group 2
isakmp lifetime 86400
06-07-2007 10:30 AM
But I don't have the 3DES license, it will only do DES encryption. Could I just replace 3DES with DES?
06-07-2007 10:45 AM
Does this do the trick?
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
06-07-2007 11:17 PM
It did, thanks! But only after updating my license to 3des/aes.
After inserting:
isakmp policy 65535 encryption 3des
The VPN client prompted me for a username and password and connected. Now the only thing is I'm not receiving anything. I cannot ping a local address on the other side of the pix? Do I have to add something to permit the traffic to the local lan?
After this thing I'm enrolling myself for some kind of cisco training :)
Thanks again for your help.
06-08-2007 01:03 AM
I could not edit my previous post, but I found the answer in another discussion you had about some vpn troubles (acl).
Everything is working like a charm now! Thanks so much for taking the time to help me out here.
Jeroen
06-08-2007 04:53 AM
Good deal, glad it worked out....thought I lost you there.
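Added example, not part of any post in this thread: a Python sketch that rejoins the 80-column-wrapped "debug crypto isakmp 7" output pasted above and flags the Phase 1 stages the thread worked through. The function names and the SIGNATURES table are assumptions made for illustration; the sample records are copied from the posts.

```python
import re

# Constructed sample: records copied from the two debug outputs in this thread,
# still wrapped at 80 columns the way the PIX console printed them.
SAMPLE = """\
Jun 07 17:28:55 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a val
id tunnel group, aborting...!
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, Connection landed on tunnel_group VPN
client
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, IKE DECODE SENDING Message (msgid=0)
with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, All IKE SA proposals found unacceptab
le!
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} \d{2} [\d:]{8} \[IKEv1")
FIELDS = re.compile(
    r"^(\w{3} \d{2} [\d:]{8}) \[IKEv1[^\]]*\]: (?:Group = (\S+), )?IP = ([\d.]+), (.*)$")

# Hypothetical table: message substring -> (stage, check taken from the thread)
SIGNATURES = {
    "Can't find a valid tunnel group":
        ("group-lookup", "client profile group name vs. PIX tunnel-group"),
    "Connection landed on tunnel_group":
        ("group-matched", "none, group lookup succeeded"),
    "All IKE SA proposals found unacceptable":
        ("phase1-proposal", "isakmp policy encryption/hash/group vs. client offer"),
}

def unwrap(text, width=80):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records, last_len = [], 0
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            # A full-width line was cut mid-text; a shorter one lost its trailing space.
            records[-1] += ("" if last_len == width else " ") + line
        last_len = len(line)
    return records

def triage(text):
    """Return one finding per record that matches a known Phase 1 signature."""
    findings = []
    for m in filter(None, map(FIELDS.match, unwrap(text))):
        when, group, ip, msg = m.groups()
        for needle, (stage, check) in SIGNATURES.items():
            if needle in msg:
                findings.append({"time": when, "peer": ip, "group": group, "stage": stage,
                                 "check": check, "group_is_peer_ip": group == ip})
    return findings
```

In the first record the Group field carries the peer address rather than a configured name, which the group_is_peer_ip flag surfaces next to the group-lookup finding.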