>
> No Port numbers? Give us:
> a) raw log from m0n0wall (both, accepted and denied packets)
> b) an output of tcpdump from your client
>
Here are the logs of a failed connection from my Cisco VPN client (I'll
work on getting the raw log from my m0n0wall):
Cisco Systems VPN Client Version 4.7.00.0533
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client
1 19:17:14.218 11/24/05 Sev=Info/4 CM/0x63100002
Begin connection process
2 19:17:14.234 11/24/05 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
3 19:17:14.234 11/24/05 Sev=Info/4 CM/0x63100024
Attempt connection with server "66.133.170.14"
4 19:17:14.234 11/24/05 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 66.133.170.14.
5 19:17:14.234 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag),
VID(Unity)) to 66.133.170.14
6 19:17:14.718 11/24/05 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
7 19:17:14.718 11/24/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
8 19:17:14.718 11/24/05 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 66.133.170.14
9 19:17:14.718 11/24/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity),
VID(Xauth), VID(dpd),
VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 66.133.170.14
10 19:17:14.718 11/24/05 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
11 19:17:14.718 11/24/05 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
12 19:17:14.718 11/24/05 Sev=Info/5 IKE/0x63000001
Peer supports DPD
13 19:17:14.718 11/24/05 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
14 19:17:14.718 11/24/05 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
15 19:17:14.718 11/24/05 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
16 19:17:14.734 11/24/05 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
17 19:17:14.734 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D,
NAT-D, VID(?),
VID(Unity)) to 66.133.170.14
18 19:17:14.734 11/24/05 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
19 19:17:14.734 11/24/05 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
20 19:17:14.734 11/24/05 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
21 19:17:14.734 11/24/05 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE
SA in the system
22 19:17:14.796 11/24/05 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 66.133.170.14
23 19:17:14.796 11/24/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 66.133.170.14
24 19:17:14.796 11/24/05 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 19:17:20.421 11/24/05 Sev=Info/4 CM/0x63100017
xAuth application returned
26 19:17:20.421 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 66.133.170.14
27 19:17:20.796 11/24/05 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 66.133.170.14
28 19:17:20.796 11/24/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 66.133.170.14
29 19:17:20.796 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 66.133.170.14
30 19:17:20.796 11/24/05 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE
SA in the system
31 19:17:20.796 11/24/05 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
32 19:17:20.796 11/24/05 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall,
Capability= (Centralized
Protection Policy).
33 19:17:20.812 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 66.133.170.14
34 19:17:21.218 11/24/05 Sev=Info/4 IPSEC/0x6370001A
Receive: Purging stale cached fragment(s). (Peer=66.133.170.14 FragId=58819)
35 19:17:25.218 11/24/05 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
36 19:17:26.218 11/24/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
37 19:17:26.218 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 66.133.170.14
38 19:17:29.218 11/24/05 Sev=Info/4 IPSEC/0x6370001A
Receive: Purging stale cached fragment(s). (Peer=66.133.170.14 FragId=60355)
39 19:17:31.218 11/24/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
40 19:17:31.218 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 66.133.170.14
41 19:17:31.718 11/24/05 Sev=Info/4 IPSEC/0x6370001A
Receive: Purging stale cached fragment(s). (Peer=66.133.170.14 FragId=61379)
42 19:17:35.218 11/24/05 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
43 19:17:36.218 11/24/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
44 19:17:36.218 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 66.133.170.14
45 19:17:36.718 11/24/05 Sev=Info/4 IPSEC/0x6370001A
Receive: Purging stale cached fragment(s). (Peer=66.133.170.14 FragId=196)
46 19:17:41.218 11/24/05 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=B3DD6E5F
47 19:17:41.218 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 66.133.170.14
48 19:17:41.218 11/24/05 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 66.133.170.14, our seq# = 1863967986
49 19:17:41.218 11/24/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6F82E41DA7028363
R_Cookie=C185E67D211699FA) reason =
DEL_REASON_IKE_NEG_FAILED
50 19:17:41.218 11/24/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 66.133.170.14
51 19:17:44.218 11/24/05 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=6F82E41DA7028363
R_Cookie=C185E67D211699FA) reason =
DEL_REASON_IKE_NEG_FAILED
52 19:17:44.218 11/24/05 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by
"DEL_REASON_IKE_NEG_FAILED". 0
Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
53 19:17:44.218 11/24/05 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
54 19:17:44.218 11/24/05 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
55 19:17:44.718 11/24/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
56 19:17:44.718 11/24/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
57 19:17:44.718 11/24/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
58 19:17:44.718 11/24/05 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped