Cisco VPN client connects but no data

daniel
Level 1

Hi,

I have been busy for days now trying to get the Cisco VPN client to work. I administer a network with 8 PIXes: 7 501s and one 506E. They are all connected by site-to-site VPNs. For a few people I want the ability to access the 506E from home. I used to do this with PPTP but found that it was not secure enough and decided to switch to the Cisco VPN client. I set up the VPN client on the PIX 506E using the PDM, installed the client on my laptop and made a connection. The connection is fine, only I cannot get any data through the tunnel. No ping, no RDP.

I tried about every option I could find; switching back to PPTP gave a connection again with data. Does somebody have any tips?

Thanks in advance

Daniel

18 Replies

Collin Clark
VIP Alumni

Turn on logging in the VPN client; it's pretty good about telling you what is wrong. Post the log file if it isn't obvious.

Hi,

This is what my VPN log says, it's not obvious to me.

Cisco Systems VPN Client Version 4.6.00.0049
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 17:31:05.188 10/17/06 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

2 17:32:11.957 10/17/06 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

3 17:32:51.689 10/17/06 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

Thank you!

Please set all logging to high and post results. Thanks,

Hi,

I found out half of the problem; the problem is not at the PIX I am trying to reach but at the PIX in my house here. When pasting the VPN log into Google I found 2 other people with the same problem; the answer was to fixup protocol ESP-IKE. I can't fixup this protocol because then it gives me the warning that ISAKMP is active, and when ISAKMP is active ESP can't be active. I think ISAKMP is active due to my site-to-site tunnels. So I hooked up my laptop directly to the modem and had a perfect VPN tunnel with the other PIX through the VPN client. Do you have any ideas how I could configure my PIX to use both ISAKMP and ESP? Here I attach the log file on high; this is from behind the PIX.

Thanks

And here is the attachment

Hello Daniel,

Can you post the configuration of the PIX to which you are trying to connect with your VPN client?

Regards,

GNT

Here is the config of the PIX I am connecting with. Again, if I don't connect from behind the PIX here, the connection is fine.

Hello,

Thanks for the config. I am not sure what addresses you are using for your local pool 'Mardan', but make sure these addresses are not part of the network configured on your inside interface. Let's assume your inside interface has IP address 10.10.10.1/24, and your local pool Mardan is giving out addresses in the range 192.168.1.1-192.168.1.254. The configuration needs to look like this:

nat (inside) 0 access-list inside_outbound_nat0_acl
ip address inside 10.10.10.1 255.255.255.0
ip local pool Mardan 192.168.1.1-192.168.1.254
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

Since your IP addresses are not fully visible, can you check and see if your PIX is configured like the above?

Regards,

GNT

Hi,

Yes, for security reasons I cannot post my full IP addresses. But yes, I configured them differently: my normal pool starts with 192 and my VPN pool with 172. Again, switching to PPTP with the same pool active, I have no trouble entering the network.

Thank you!

Daniel

Try enabling NAT-T on the PIX.

isakmp nat-traversal [natkeepalive]

Still no luck. Behind a zywall there was no problem.

Have you configured your nat 0 statements to disable translation to the IP pool being assigned to your VPN clients?

Something like this:

ip local pool vpndhcp 172.16.1.15-172.16.1.20 mask 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

I experienced a similar issue when I first configured my firewall to host client vpn connections.

Yes, I have those. They should also be in the config file I posted. Again, the problem is not in the firewall I am trying to reach, but in the PIX I am behind, which for some reason cannot use ISAKMP and ESP at the same time.

Thanks

Hello Daniel,

Try and configure split tunneling for your PIX as follows:

access-list splitTunnelAcl_1 permit ip 10.10.10.0 255.255.255.0 any
vpngroup Mardan split-tunnel splitTunnelAcl_1

where 10.10.10.0 is the network your inside interface is configured on (you probably need to change this to reflect what you have actually configured on your inside interface)...

Regards,

GNT
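The replies above boil down to four things a PIX hosting remote-access clients needs to get right: the client pool must not overlap the inside subnet (GNT's first reply), the nat (inside) 0 ACL must exempt inside-to-pool traffic (GNT and the nat 0 snippet), split tunneling should name the inside network (GNT's last reply), and NAT-T should be on for clients behind NAT (the isakmp nat-traversal suggestion). The script below is an added example, not code from the thread or from Cisco: a small offline linter that parses those PIX config lines and reports which of the four conditions a config fails. The two config texts are constructed for the example, assembled from the fragments posted above (GOOD_CONFIG uses a single consistent nat 0 ACL name; BAD_CONFIG deliberately carves the pool out of the inside subnet and points nat 0 at the wrong range). The function and variable names are the example's own.

```python
import ipaddress

# Constructed sample config, assembled from the fragments posted in this thread.
# It is not any real device's running-config.
GOOD_CONFIG = """\
ip address inside 10.10.10.1 255.255.255.0
ip local pool Mardan 192.168.1.1-192.168.1.254
access-list inside_outbound_nat0_acl permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
access-list splitTunnelAcl_1 permit ip 10.10.10.0 255.255.255.0 any
vpngroup Mardan split-tunnel splitTunnelAcl_1
isakmp nat-traversal 20
"""

# Constructed counter-example: pool inside the inside subnet, nat 0 ACL
# exempting a different range, and no NAT-T.
BAD_CONFIG = """\
ip address inside 10.10.10.1 255.255.255.0
ip local pool Mardan 10.10.10.200-10.10.10.250
access-list inside_outbound_nat0_acl permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
"""


def _take_endpoint(tokens, i):
    """Consume one ACL endpoint (any | host X | X MASK) at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Extract the handful of PIX 6.x statements the checks below need."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0": {}, "split": {}, "nat_t": False}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _take_endpoint(t, 4)
            dst, _ = _take_endpoint(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg["split"][t[1]] = t[3]
        elif t[:2] == ["isakmp", "nat-traversal"]:
            cfg["nat_t"] = True
    return cfg


def pool_overlaps_inside(cfg, pool_name):
    """True if any address of the client pool falls inside the inside-interface subnet."""
    first, last = cfg["pools"][pool_name]
    net = cfg["inside"]
    return first <= net.broadcast_address and last >= net.network_address


def nat0_exempts_pool(cfg, pool_name):
    """True if the nat (inside) 0 ACL has an entry from the inside net to a range covering the pool."""
    acl = cfg["acls"].get(cfg["nat0"].get("inside", ""), [])
    first, last = cfg["pools"][pool_name]
    return any(cfg["inside"].overlaps(src) and first in dst and last in dst for src, dst in acl)


def split_tunnel_networks(cfg, group):
    """Networks that the group's split-tunnel ACL sends through the tunnel (ACL sources)."""
    acl = cfg["acls"].get(cfg["split"].get(group, ""), [])
    return [str(src) for src, _ in acl]


def lint(text):
    """Return a list of human-readable findings; empty means all four checks pass."""
    cfg = parse_pix(text)
    if cfg["inside"] is None:
        return ["no 'ip address inside' line found"]
    findings = []
    for name in cfg["pools"]:
        if pool_overlaps_inside(cfg, name):
            findings.append(f"pool {name} overlaps inside network {cfg['inside']}")
        if not nat0_exempts_pool(cfg, name):
            findings.append(f"nat (inside) 0 ACL does not exempt inside -> pool {name}")
    if not cfg["nat_t"]:
        findings.append("isakmp nat-traversal not enabled (clients behind NAT may complete IKE but lose ESP)")
    return findings


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD_CONFIG), ("BAD", BAD_CONFIG)):
        print(label, lint(text) or "OK")
```

Run it against a pasted running-config (the `show run` output from the PIX hosting the clients). A clean result does not prove data will flow, but it rules out the three misconfigurations the thread points at on the terminating PIX; Daniel's remaining symptom, IKE completing while ESP is dropped by the PIX he sits behind, is the case the NAT-T finding is meant to flag.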