Trouble accessing VPN using vpn client 3.0.3

victor_cisco · ‎04-17-2003

Hello everyone,

I am using Windows XP professional,and modified local security policy using MMC,I forgot where I modified,and having trouble accessing VPN using CISCO system VPN client,below is the VPN client log when I try to access our VPN server,now I want to reset local security policy ,is it possible,if so,how to?

BTW,if anyone here is familiar with CISCO VPN client,could you tell me where can I modify local security policy to make client work?

Thanks

Victor

Here is the CISCO VPN client log:

1 20:27:14.479 04/17/03 Sev=Info/6 DIALER/0x63300002

Initiating connection.

2 20:27:14.479 04/17/03 Sev=Info/4 CM/0x63100002

Begin connection process

3 20:27:14.629 04/17/03 Sev=Info/4 CM/0x63100003

Establish secure connection using dialup services

4 20:27:14.829 04/17/03 Sev=Info/4 PPP/0x63200015

Establish connection with client application

5 20:27:14.869 04/17/03 Sev=Info/4 PPP/0x6320001B

Processing dial command. Dialing "DUN:95700"

6 20:27:14.979 04/17/03 Sev=Info/4 PPP/0x63200002

PPP session is already up

7 20:27:14.979 04/17/03 Sev=Info/4 PPP/0x63200017

Terminate connection with client application

8 20:27:14.999 04/17/03 Sev=Info/4 CM/0x6310000B

PPP session established

9 20:27:14.999 04/17/03 Sev=Info/4 CM/0x63100025

Attempt connection with server "210.176.234.186"

10 20:27:14.999 04/17/03 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 210.176.234.186.

11 20:27:15.060 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to 210.176.234.186

12 20:27:15.490 04/17/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

13 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

14 20:27:15.741 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, VID, VID, VID, VID) from 210.176.234.186

15 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100

16 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer

17 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = 09002689DFD6B712

18 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100

19 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000001

Peer supports DPD

20 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000

21 20:27:15.741 04/17/03 Sev=Info/5 IKE/0x63000059

Vendor ID payload = 1F07F70EAA6514D3B0FA96542A500306

22 20:27:15.751 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) to 210.176.234.186

23 20:27:15.971 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

24 20:27:15.971 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.176.234.186

25 20:27:15.971 04/17/03 Sev=Info/4 CM/0x63100015

Launch xAuth application

26 20:27:20.608 04/17/03 Sev=Info/4 CM/0x63100016

xAuth application returned

27 20:27:20.608 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.176.234.186

28 20:27:21.038 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

29 20:27:21.038 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.176.234.186

30 20:27:21.038 04/17/03 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Phase 1 SA in the system

31 20:27:21.048 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.176.234.186

32 20:27:21.048 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.176.234.186

33 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

34 20:27:22.340 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.176.234.186

35 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 129.191.227.150

36 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK , value = 255.255.255.128

37 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 129.191.235.34

38 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 129.191.237.20

39 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 129.191.235.34

40 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_BANNER, value = Authorized Users Only

Welcome to Storagetek Private Network

Connected via Hongkong

41 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

42 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = stortek.com

43 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710

44 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

45 20:27:22.340 04/17/03 Sev=Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc./VPN 3000 Concentrator Version 3.6.1.Rel built by vmurphy on Aug 29 2002 18:34:44

46 20:27:22.340 04/17/03 Sev=Info/4 CM/0x63100018

Mode Config data received

47 20:27:22.360 04/17/03 Sev=Info/5 IKE/0x63000055

Received a key request from Driver for IP address 210.176.234.186, GW IP = 210.176.234.186

48 20:27:22.360 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 210.176.234.186

49 20:27:22.360 04/17/03 Sev=Info/5 IKE/0x63000055

Received a key request from Driver for IP address 10.10.10.255, GW IP = 210.176.234.186

50 20:27:22.360 04/17/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 210.176.234.186

51 20:27:22.500 04/17/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

52 20:27:23.051 04/17/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 210.176.234.186

53 20:27:23.051 04/17/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO (NOTIFY:INVALID_COOKIE) from 210.176.234.186

54 20:27:23.051 04/17/03 Sev=Warning/3 IKE/0xA300004A

Received a NOTIFY message with an invalid protocol id (0)

55 20:27:23.051 04/17/03 Sev=Info/5 IKE/0x63000049

Discarding IPsec SA negotiation, message id = C8AFE4

56 20:27:23.051 04/17/03 Sev=Info/5 IKE/0x63000017

Marking IKE SA for deletion (COOKIES = D06AC14DF515DC57 9FF65A8802F89BE6) reason = DEL_REASON_IKE_NEG_FAILED

57 20:27:23.502 04/17/03 Sev=Info/4 IPSEC/0x63700012

Delete all keys associated with peer 210.176.234.186

58 20:27:23.502 04/17/03 Sev=Info/4 IPSEC/0x63700012

Delete all keys associated with peer 210.176.234.186

59 20:27:26.506 04/17/03 Sev=Info/4 CM/0x63100012

Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Phase 1 SA currently in the system

60 20:27:26.506 04/17/03 Sev=Info/5 CM/0x63100028

Initializing CVPNDrv

61 20:27:26.516 04/17/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

62 20:27:26.556 04/17/03 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_IKE_ESTABLISH_FAIL" (3h).

afakhan · ‎04-20-2003

Hi,

Cisco's vpn client is pre-configured with all the valid proposals for IKE phase I and II, so you dont have to tweak anything.

Just make that you are vpn server supports IKE phase II atts, as u can see:

54 20:27:23.051 04/17/03 Sev=Warning/3 IKE/0xA300004A

Received a NOTIFY message with an invalid protocol id (0)

seems like that your IPSec SA failed to negotiate.

if its a router or pix, check transformset for ipsec.

thx

Afaq