Reason 412: The remote peer is no longer responding.
James
getting error on client of:
Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.
What areas should I be looking at please? I've set the VPN Easy Server
up and made it Initiate as well as Respond. I'm using a key phrase to
connect with. I've tested the VPN server in the SDM software and its
says its ok.
Short of an entire dump please let me know what more info you need?
Merv
Did you add the Cisco VPN client as an exception ?
Firewall must be configured to permit UDP ports 500 and 62515 whcih are
required for cisco vpn client.
James
client - I will check. As for the network there is no software
firewall on the server, just the Cisco box. I assume that the wizard
setup the correct rules to allow clients in but how do I check this
port config?
Thanks for responding - you are the first one in over a month and I was
going slowly mad!
Walter Roberson
Merv <merv....@rogers.com> wrote:
>Firewall must be configured to permit UDP ports 500 and 62515 whcih are
>required for cisco vpn client.
I'd never heard of 62515 being required before. I see it listed in
the VPN 3000 concentrator FAQ,
http://www.cisco.com/warp/public/471/vpn_3000_faq.shtml
along with 62514 thru 62524.
The description of the port use given in the FAQ does not suggest
to me that the firewall would need to be opened to permit any of those
ports: they appear to me to only to be talking from the local machine
to itself?
Merv
besides disabling your firewall, verify that you PC is actually
transmitting packets.
Start a cmd windows and run the command "netstat -s -p ip 60" to see IP
sned and receive packet counts
Merv
UDP port 62515 - Cisco Systems IPSec Driver to Cisco Systems, Inc. VPN
Service
Perhaps depends on where a firewall inserts itself in the dataflow
Phillip Remaker
"James" <jpi...@ntlworld.com> wrote in message
news:1139573586.3...@o13g2000cwo.googlegroups.com...
>I just can't get this to work out of the box/running wizard. I'm
> getting error on client of:
>
> Secure VPN Connection terminated locally by the Client.
> Reason 412: The remote peer is no longer responding.
>
Are you using IP/ESP, NAT-T, or TCP as your connect (Are you using NAT?)
Make sure you use a NAT-friendly VPN scheme. I think the default is IP/ESP
which fails with a lot of NAT devices.
Merv
Also try the following commands to see a summary of what is or is not
happening:
C:\Program Files\Cisco Systems \ VPN Client\vpnclient stat traffic
C:\Program Files\Cisco Systems \ VPN Client\vpnclient stat tunnel
James
James
Sorry for late reply - have been to France to try and chill from this
mess!!
I have NAT on the firewall. What am I using as my connect? Good
question!
Do I search for this on the firewall or is it configured on the client
end -
or both?
Thanks,
James
Merv
James
in the same building and "dial in". So progress is slow. However I
will add your command prompts tonight and let you know the outcome. I
am still very confused by the whole thing as the webhelp that comes
with the SDM package is quite frankly - bloody useless!
Phillip has suggested IP/ESP as something to explore - but I am
awaiting where I look for this. Also it makes me wonder what the
"wizard" is doing in setting up a complex system that basically then
fails to work.
Having had to reboot the box due to a total freeze I realise that I
have lost some previous settings - c'est la vie! In wandering round
the maze again I see I don't have any IPSec Rules (ACL). Do I need
some? should not the "wizard" have produced the ones it needs? Does
this "wizard" only work on Sundays!?
Thanks
James
James
leave and then come back to establish a link. I now get an error:
Secure VPN Connection terminated locally by the Client.
Reason 401: An unrecognized error occurred while establishing the VPN
connection.
This happens after I log in:
Negotiating security policies...
Securing communications channel...
Can I assume that my security policies are at least set up ok?
James
1 11:58:32.550 02/14/06 Sev=Warning/3 GUI/0xE3B00003
GI EnumPPP callback timed out.
2 12:00:43.688 02/14/06 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 80.177.223.54. Inbound connections
are not allowed.
3 12:08:04.452 02/14/06 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 80.177.223.54. Inbound connections
are not allowed.
Merv
Have you always been getting as far as getting the messages:
Negotiating security policies...
Securing communications channel...
post the firewall config and the contents of the client VPN profile for
the connection
post the contents of the PIX firewall log - use command "show log"
is the IP address 80.177.223.54. for your firewall ?
Merv
BTW is this a new VPN server setup or are there other users that are
able to connect to the VPN server sucessfully?
James
Building configuration...
Current configuration : 8568 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$LR.f$pB8.ZdKhW3GXtV8S4gj3J.
!
username James privilege 15 secret 5 $1$lURO$tewOxEtKEAqZxNz7Zdbd4.
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default if-authenticated local
aaa authorization network default local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name XXX
ip name-server 158.152.1.58
ip name-server 158.152.1.43
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
hash md5
authentication pre-share
group 2
crypto isakmp key pwd address 82.0.98.178
!
crypto isakmp client configuration group groupname
key key
dns 158.152.1.58 158.152.1.43
wins xxx.xxx.xxx.200
domain XXX
pool SDM_POOL_1
include-local-lan
max-users 1
max-logins 3
!
!
crypto ipsec transform-set TransformSet1 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSecProfile1
set transform-set TransformSet1
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set TransformSet1
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Dot11Radio0
no ip address
!
ssid SSIDname
authentication open
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0
channel 2462
no cdp enable
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address 80.177.223.54 255.0.0.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname pigot...@lon1-aj1e.demonadsl.co.uk
ppp chap password 7 05082E1D2042405A0A
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address xxx.xxx.xxx.100 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 xxx.xxx.xxx.50 xxx.xxx.xxx.55
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
logging xxx.xxx.xxx.100
logging 80.177.223.54
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit xxx.xxx.xxx.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit xxx.xxx.xxx.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by Cisco SDM Express firewall
configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip host xxx.xxx.xxx.50 any
access-list 100 permit ip host xxx.xxx.xxx.51 any
access-list 100 permit ip host xxx.xxx.xxx.52 any
access-list 100 permit ip host xxx.xxx.xxx.53 any
access-list 100 permit ip host xxx.xxx.xxx.54 any
access-list 100 permit ip host xxx.xxx.xxx.55 any
access-list 100 permit udp any host xxx.xxx.xxx.100 eq non500-isakmp
access-list 100 permit udp any host xxx.xxx.xxx.100 eq isakmp
access-list 100 permit esp any host xxx.xxx.xxx.100
access-list 100 permit ahp any host xxx.xxx.xxx.100
access-list 100 deny ip 80.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall
configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host xxx.xxx.xxx.50 any
access-list 101 permit ip host xxx.xxx.xxx.51 any
access-list 101 permit ip host xxx.xxx.xxx.52 any
access-list 101 permit ip host xxx.xxx.xxx.53 any
access-list 101 permit ip host xxx.xxx.xxx.54 any
access-list 101 permit ip host xxx.xxx.xxx.55 any
access-list 101 permit udp any host 80.177.223.54 eq non500-isakmp
access-list 101 permit udp any host 80.177.223.54 eq isakmp
access-list 101 permit esp any host 80.177.223.54
access-list 101 permit ahp any host 80.177.223.54
access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq
non500-isakmp
access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq
isakmp
access-list 101 permit esp host 82.0.98.178 host 80.177.223.54
access-list 101 permit ahp host 82.0.98.178 host 80.177.223.54
access-list 101 permit udp host 158.152.1.43 eq domain host
80.177.223.54
access-list 101 permit udp host 158.152.1.58 eq domain host
80.177.223.54
access-list 101 deny ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 101 permit icmp any host 80.177.223.54 echo-reply
access-list 101 permit icmp any host 80.177.223.54 time-exceeded
access-list 101 permit icmp any host 80.177.223.54 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 101 remark IPSec Rule
access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 xxx.xxx.xxx.0
0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip any host xxx.xxx.xxx.50
access-list 103 deny ip any host xxx.xxx.xxx.51
access-list 103 deny ip any host xxx.xxx.xxx.52
access-list 103 deny ip any host xxx.xxx.xxx.53
access-list 103 deny ip any host xxx.xxx.xxx.54
access-list 103 deny ip any host xxx.xxx.xxx.55
access-list 103 permit ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 105 remark VTY Access-class list
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 105 deny ip any any
access-list 700 permit 0001.e694.aa0a 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport preferred all
transport output telnet
line aux 0
transport preferred all
transport output telnet
line vty 0 4
access-class 105 in
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 130.88.203.12 prefer
end
I'm a bit unclear about the PIX bit - the client has a log but it is
only populated on attempted connection. At the moment it only contains
this:
Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client
I can increase the logging of such things like IPSec, IKE, PPP, GUI
etc.
Thanks for all your help.
And yes 80.177.223.54 is the external NAT'd address of the firewall
(Cisco 857W).
James
Also forgot to say that the Negotiating security etc is new to me!!
Must be getting somewhere, right. Trouble is that was from within the
site and all previous tests have been from outside. Not sure what diff
that makes...
Merv
On your VPN client profile setup, please confirm that the groupname is
set to"groupname" and the password is set to "key"
BTW I would suggest for clarity during testing that you change these
settings on both the 837W and your PC.
For example use a captilized groupname and password
clear the logging buffer ("clear log") , attempt a connection, and then
post the contents of the 857's logging buffer (" show log')
James
I can only see the 857 log, I have no text equivalent to copy and
paste. It only has 5 info records the last being:
Processing of Quick mode failed with peer at "my pc's ip"
But here is the log of the client with IKE set to medium. I changed
the group key on both.
Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
1 16:12:21.348 02/14/06 Sev=Warning/3 GUI/0xE3B00003
GI EnumPPP callback timed out.
Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client
1 16:14:50.652 02/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 80.177.223.54
2 16:14:50.732 02/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?),
VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from
80.177.223.54
3 16:14:50.742 02/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D,
NAT-D, VID(?), VID(Unity)) to 80.177.223.54
4 16:14:50.742 02/14/06 Sev=Info/4 IKE/0x63000082
IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4
5 16:14:50.752 02/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from
80.177.223.54
6 16:14:50.752 02/14/06 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 80.177.223.54. Inbound connections
are not allowed.
7 16:14:50.762 02/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54
8 16:14:55.750 02/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 80.177.223.54
9 16:14:57.172 02/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 80.177.223.54
10 16:14:57.182 02/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54
11 16:14:57.192 02/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 80.177.223.54
12 16:14:57.212 02/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 80.177.223.54
13 16:14:57.222 02/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54
14 16:14:57.532 02/14/06 Sev=Info/4 IKE/0x63000055
Received a key request from Driver: Local IP = 192.168.36.55, GW IP =
80.177.223.54, Remote IP = 0.0.0.0
15 16:14:57.532 02/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 80.177.223.54
16 16:14:57.542 02/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from
80.177.223.54
17 16:14:57.552 02/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 80.177.223.54
18 16:14:57.552 02/14/06 Sev=Info/4 IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=CABD5A7C
19 16:14:57.552 02/14/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=5ED0E3343207D013
R_Cookie=E82601E7412816C6) reason = DEL_REASON_IKE_NEG_FAILED
20 16:15:00.957 02/14/06 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=5ED0E3343207D013
R_Cookie=E82601E7412816C6) reason = DEL_REASON_IKE_NEG_FAILED
21 16:15:01.037 02/14/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
Merv
Try deleting crypto policy 1 and changing the hash on policy 2 from MD5
to sha so that it matches with the transform set.
Do this with the command line interface from the console not any Cisco
GUI.
James
If you could point to the prog that would be great.
To save time I did use the GUI and it seems that DES3 will work because
if using DES I get Peer not reponding - don't even get log on option.
Changing 2 to sha and DES3 has not changed the error which I think is
related to one of the log entries:
NOTIFY:NO_PROPOSAL_CHOSEN
whatever that means! Thanks for perservering.
James
to take place that fails? It seems that we have established the
security policy as we then move on to establishing the "Securing
communications channel" bit - or is this like coding where to fix an
error it can often be in the line above?!
Will let you know how I get on tonight... thanks again.
James
& pwd...
