06-07-2010 08:20 AM
Hi Everyone,
First some background...
We're running a 3015 series concentrator running VPN 3000 Concentrator Version 4.7.2.D. Our Windows 7 clients are 64Bit and are running the Cisco VPN client version 5.0.07.0290.
As I understand it the latest VPN client no longer has the firewall component...so I created a new VPN group and selected "no firewall" required. What I'm seeing in the log files says:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
Any suggestions would be greatly appreciated.
~Steve
06-07-2010 08:27 AM
Hi,
The message:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
is just normal negotiation when choosing whether or not to use NAT-T.
So, it does not represent a problem.
What is the problem with the VPN client? It won't connect or it does connect but it does not pass traffic?
Could you check the complete output from the logs and post it here?
Federico.
06-07-2010 09:02 AM
Federico,
The client side gives the following error:
Secure VPN Connection terminated by Peer
Reason 427: Unknown Error Occurred at Peer.
The logs on the VPN concentrator show:
33508 06/07/2010 10:04:29.520 SEV=5 IKEDBG/64 RPT=6558 129.19.6.125
IKE Peer included IKE fragmentation capability flags:
Main Mode: True
Aggressive Mode: False
33510 06/07/2010 10:04:29.780 SEV=5 IKE/172 RPT=6438 129.19.6.125
Group [PRPA_W7]
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end is NOT behind a NAT device
33514 06/07/2010 10:04:33.270 SEV=4 IKE/52 RPT=5695 129.19.6.125
Group [PRPA_W7] User [smiths]
User (smiths) authenticated.
33515 06/07/2010 10:04:33.290 SEV=4 IKE/131 RPT=2814 129.19.6.125
Group [PRPA_W7] User [smiths]
Received unknown transaction mode attribute: 28684
33516 06/07/2010 10:04:33.290 SEV=5 IKE/184 RPT=5674 129.19.6.125
Group [PRPA_W7] User [smiths]
Client Type: WinNT
Client Application Version: 5.0.07.0290
33518 06/07/2010 10:04:33.290 SEV=5 IKE/132 RPT=181 129.19.6.125
Group [PRPA_W7] User [smiths]
Cannot obtain an IP address for remote peer - FAILED
33520 06/07/2010 10:04:33.300 SEV=5 IKE/194 RPT=6171 129.19.6.125
Group [PRPA_W7] User [smiths]
Sending IKE Delete With Reason message: No Reason Provided.
06-07-2010 09:06 AM
Hi,
According to the logs, the user gets authenticated but cannot receive an IP address.
33518 06/07/2010 10:04:33.290 SEV=5 IKE/132 RPT=181 129.19.6.125
Group [PRPA_W7] User [smiths]
Cannot obtain an IP address for remote peer - FAILED
The concentrator should assign an IP to the client either via a local pool or a DHCP server or even an authentication server.
Normally, you create a local pool of addresses to assign to the client (this is what you're missing).
Federico.
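The failure signature Federico points to (user authenticated, then "Cannot obtain an IP address for remote peer") can be checked for mechanically. The following is an added example, not code from this thread or from Cisco; it assumes the VPN 3000 event layout visible in Steve's post (a header line with sequence number, timestamp, SEV, class/id, RPT and peer address, followed by continuation lines), and the sample log and the 192.0.2.10 peer address are constructed.

```python
import re

# Header of a VPN 3000 event, e.g. "33518 06/07/2010 10:04:33.290 SEV=5 IKE/132 RPT=181 192.0.2.10"
HEADER = re.compile(r"^(\d+) (\S+ \S+) SEV=(\d) ([A-Z]+)/(\d+) RPT=\d+ (\S+)$")
GROUP_USER = re.compile(r"Group \[([^\]]+)\](?: User \[([^\]]+)\])?")

def parse_events(text):
    """Split a concentrator log into events: one header line plus its continuation lines."""
    events = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HEADER.match(line)
        if m:
            seq, when, sev, cls, evid, peer = m.groups()
            events.append({"seq": int(seq), "when": when, "sev": int(sev),
                           "cls": cls, "id": int(evid), "peer": peer,
                           "group": None, "user": None, "body": []})
        elif events:  # continuation line belongs to the most recent header
            ev = events[-1]
            ev["body"].append(line)
            gm = GROUP_USER.search(line)
            if gm:
                ev["group"], ev["user"] = gm.groups()
    return events

def find_address_failures(text):
    """Return (peer, group, user) for sessions that authenticated (IKE/52) and then
    failed address assignment (IKE/132): the pattern that points at a missing pool."""
    authed, failures = set(), []
    for ev in parse_events(text):
        key = (ev["peer"], ev["group"], ev["user"])
        if ev["cls"] == "IKE" and ev["id"] == 52:
            authed.add(key)
        elif ev["cls"] == "IKE" and ev["id"] == 132 and key in authed:
            failures.append(key)
    return failures

# Constructed sample modelled on the lines posted above (not a real capture).
SAMPLE = """
33514 06/07/2010 10:04:33.270 SEV=4 IKE/52 RPT=5695 192.0.2.10
Group [PRPA_W7] User [smiths]
User (smiths) authenticated.
33518 06/07/2010 10:04:33.290 SEV=5 IKE/132 RPT=181 192.0.2.10
Group [PRPA_W7] User [smiths]
Cannot obtain an IP address for remote peer - FAILED
33520 06/07/2010 10:04:33.300 SEV=5 IKE/194 RPT=6171 192.0.2.10
Group [PRPA_W7] User [smiths]
Sending IKE Delete With Reason message: No Reason Provided.
"""
```

Each reported tuple names the group whose "Address Pools" assignment is worth checking first.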
06-07-2010 09:11 AM
Federico,
I thought that portion of the configuration would be inherited from the base group values? Where in the GUI would I find the setting for the DHCP/IPs?
~Steve
06-07-2010 09:18 AM
Steve,
Under
Configuration | System | Address Management | |
Make sure you have the correct option.
Also, create the pool under
Configuration | System | Address Management | Pools |
Federico.
06-07-2010 09:24 AM
Federico,
Forgive my ignorance on the system configs - I've inherited this system and am not in it much....
Well, I have only "User Address Pools" checked, but no pools configured, yet we've been running this way for several years.
~Steve
06-07-2010 09:42 AM
Check the following:
Configuration | User Management | Groups |
When you select a group, on the right side you have "Address Pools".
Check if each group has Address Pool assigned.
Federico.
06-07-2010 09:47 AM
Ah ha!
Thank you...I think that will solve the problem. If I need to change an IP range on another group does that disconnect users currently on the concentrator?
Many thanks,
~Steve
06-07-2010 09:54 AM
If you change the current pool being used by a group on the concentrator, that most likely will disconnect the users yes.
Federico.
06-07-2010 09:57 AM
Federico,
My new Windows 7 group did not have an address pool, as you suggested. I added one and was able to connect just fine. However, the address range for our primary group spans the entire last octet X.X.1.1 through X.X.1.254, so I need to reduce this range and then add the left over range to my Windows 7 group. Or figure out how the routing works and simply add something like X.X.2.1 through X.X.2.254, for example.
Thank you for your help!
~Steve