
Problem with VPN client on Cisco 1801

c.console
Level 1

Hi,

I have configured a new router for a customer.

All works fine but I have a strange issue with the VPN client.

When I start the VPN, the client doesn't close the connection, asks for the password, starts to negotiate the security policy, then shows the not connected status.

This is the log from the VPN client:

Cisco Systems VPN Client Version 5.0.07.0290

Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.1.7601 Service Pack 1

Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1      14:37:59.133  04/08/13  Sev=Info/6          GUI/0x63B00011

Reloaded the Certificates in all Certificate Stores successfully.

2      14:38:01.321  04/08/13  Sev=Info/4          CM/0x63100002

Begin connection process

3      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100004

Establish secure connection

4      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100024

Attempt connection with server "asgardvpn.dyndns.info"

5      14:38:02.380  04/08/13  Sev=Info/6          IKE/0x6300003B

Attempting to establish a connection with 79.52.36.120.

6      14:38:02.384  04/08/13  Sev=Info/4          IKE/0x63000001

Starting IKE Phase 1 Negotiation

7      14:38:02.388  04/08/13  Sev=Info/4          IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120

8      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700008

IPSec driver successfully started

9      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700014

Deleted all keys

10     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x6300002F

Received ISAKMP packet: peer = 79.52.36.120

11     14:38:02.460  04/08/13  Sev=Info/4          IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120

12     14:38:02.506  04/08/13  Sev=Info/6          GUI/0x63B00012

Authentication request attributes is 6h.

13     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001

Peer is a Cisco-Unity compliant peer

14     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001

Peer supports DPD

15     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001

Peer supports DWR Code and DWR Text

16     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001

Peer supports XAUTH

17     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001

Peer supports NAT-T

18     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000001

IOS Vendor ID Contruction successful

19     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000013

SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120

20     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

21     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000083

IKE Port in use - Local Port =  0xCEFD, Remote Port = 0x1194

22     14:38:02.465  04/08/13  Sev=Info/5          IKE/0x63000072

Automatic NAT Detection Status:

   Remote end is NOT behind a NAT device

   This   end IS behind a NAT device

23     14:38:02.465  04/08/13  Sev=Info/4          CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

24     14:38:02.502  04/08/13  Sev=Info/5          IKE/0x6300002F

Received ISAKMP packet: peer = 79.52.36.120

25     14:38:02.502  04/08/13  Sev=Info/4          IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120

26     14:38:02.502  04/08/13  Sev=Info/4          CM/0x63100015

Launch xAuth application

27     14:38:07.623  04/08/13  Sev=Info/4          CM/0x63100017

xAuth application returned

28     14:38:07.623  04/08/13  Sev=Info/4          IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120

29     14:38:12.656  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

30     14:38:22.808  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

31     14:38:32.949  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

32     14:38:43.089  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

33     14:38:53.230  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

34     14:39:03.371  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

35     14:39:13.514  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

36     14:39:23.652  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

37     14:39:33.807  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

38     14:39:43.948  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

39     14:39:54.088  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

40     14:40:04.233  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

41     14:40:14.384  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

42     14:40:24.510  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

43     14:40:34.666  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

44     14:40:44.807  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

45     14:40:54.947  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

46     14:41:05.090  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

47     14:41:15.230  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

48     14:41:25.370  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

49     14:41:35.524  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

50     14:41:45.665  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

51     14:41:55.805  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

52     14:42:05.951  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

53     14:42:16.089  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

54     14:42:26.228  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

55     14:42:36.383  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

56     14:42:46.523  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

57     14:42:56.664  04/08/13  Sev=Info/6          IKE/0x63000055

Sent a keepalive on the IPSec SA

58     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000017

Marking IKE SA for deletion  (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH

59     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120

60     14:43:03.248  04/08/13  Sev=Info/4          IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH

61     14:43:03.248  04/08/13  Sev=Info/4          CM/0x63100014

Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"

62     14:43:03.248  04/08/13  Sev=Info/5          CM/0x63100025

Initializing CVPNDrv

63     14:43:03.262  04/08/13  Sev=Info/6          CM/0x63100046

Set tunnel established flag in registry to 0.

64     14:43:03.262  04/08/13  Sev=Info/4          IKE/0x63000001

IKE received signal to terminate VPN connection

65     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014

Deleted all keys

66     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014

Deleted all keys

67     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014

Deleted all keys

68     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x6370000A

IPSec driver successfully stopped

And this is the conf from the 1801:

!

hostname xxx

!

boot-start-marker

boot-end-marker

!

enable secret 5 xxx

!

aaa new-model

!

!

aaa authentication login xauthlist local

aaa authorization network groupauthor local

!

!

aaa session-id common

!

!

dot11 syslog

no ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.0.1.1 10.0.1.10

ip dhcp excluded-address 10.0.1.60 10.0.1.200

ip dhcp excluded-address 10.0.1.225

ip dhcp excluded-address 10.0.1.250

!

ip dhcp pool LAN

   network 10.0.1.0 255.255.255.0

   default-router 10.0.1.10

   dns-server 10.0.1.200 8.8.8.8

   domain-name xxx

   lease infinite

!

!

ip name-server 10.0.1.200

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip inspect log drop-pkt

ip inspect name Firewall cuseeme

ip inspect name Firewall dns

ip inspect name Firewall ftp

ip inspect name Firewall h323

ip inspect name Firewall icmp

ip inspect name Firewall imap

ip inspect name Firewall pop3

ip inspect name Firewall rcmd

ip inspect name Firewall realaudio

ip inspect name Firewall rtsp

ip inspect name Firewall esmtp

ip inspect name Firewall sqlnet

ip inspect name Firewall streamworks

ip inspect name Firewall tftp

ip inspect name Firewall vdolive

ip inspect name Firewall udp

ip inspect name Firewall tcp

ip inspect name Firewall https

ip inspect name Firewall http

!

multilink bundle-name authenticated

!

!        

username xxx password 0 xxxx

!        

!        

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2 

!        

crypto isakmp client configuration group xxx

key xxx

dns 10.0.1.200

wins 10.0.1.200

domain xxx

pool ippool

acl 101 

!        

!        

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac

!        

crypto dynamic-map dynmap 10

set transform-set myset

!        

!        

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!        

archive  

log config

  hidekeys

!        

!        

!        

!        

!        

interface ATM0

no ip address

no atm ilmi-keepalive

pvc 8/35

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!       

dsl operating-mode adsl2+

hold-queue 224 in

!        

interface FastEthernet0

!        

interface FastEthernet1

!        

interface FastEthernet2

!        

interface FastEthernet3

!        

interface Vlan1

ip address 10.0.1.10 255.255.255.0

ip nat inside

ip virtual-reassembly

!        

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp pap sent-username aliceadsl password 0 aliceadsl

crypto map clientmap

!        

ip local pool ippool 10.16.20.1 10.16.20.200

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 10.0.1.2

!        

!        

ip http server

no ip http secure-server

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056

ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056

ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111

ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111

ip nat inside source list 101 interface Dialer0 overload

!        

access-list 101 remark *** ACL nonat ***

access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255

access-list 101 permit ip 10.0.1.0 0.0.0.255 any

access-list 150 remark *** ACL split tunnel ***

access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255

!        

!        

!        

!        

control-plane

!        

!        

line con 0

no modem enable

line aux 0

line vty 0 4

password xxx

!        

scheduler max-task-time 5000

end 

Can anyone help me?

Sometimes the VPN can be created using the iPhone or iPad VPN client...
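
Added example, not part of the original post: a small Python check that cross-references the AAA method lists named by `crypto map ... list` lines against the `aaa` lines that define them, run on a constructed excerpt of the configuration above. The function name and `SAMPLE_CONFIG` are assumptions of this example; on the excerpt it reports `userauthen`, which the crypto map references while the only login list defined is `xauthlist`.

```python
import re

# Constructed excerpt: only the AAA and crypto-map lines from the posted config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
"""

# Lines that define a named AAA method list.
DEFINE = re.compile(r"^aaa (authentication login|authorization network) (\S+)")
# Crypto-map lines that point at a named AAA method list.
REFERENCE = re.compile(
    r"^crypto map (\S+) (client authentication|isakmp authorization) list (\S+)"
)
# Which kind of AAA list each crypto-map reference needs.
NEEDS = {
    "client authentication": "authentication login",
    "isakmp authorization": "authorization network",
}


def find_undefined_aaa_lists(config_text):
    """Return (crypto_map, reference_kind, list_name) for every crypto-map
    AAA reference that has no matching 'aaa ...' definition (hypothetical helper)."""
    defined = set()
    references = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = DEFINE.match(line)
        if m:
            defined.add((m.group(1), m.group(2)))
            continue
        m = REFERENCE.match(line)
        if m:
            references.append((m.group(1), m.group(2), m.group(3)))
    return [r for r in references if (NEEDS[r[1]], r[2]) not in defined]


if __name__ == "__main__":
    for cmap, kind, name in find_undefined_aaa_lists(SAMPLE_CONFIG):
        print(f"crypto map {cmap}: '{kind} list {name}' has no matching "
              f"'aaa {NEEDS[kind]} {name}' definition")
```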
