ISR 1941W VPN capability
Hi,
I am trying to setup a good network in our small company. Need a router that can give us both Gb performance, security and mobility. I then found there is ISR 1941W. Reading the specs and datasheet it is not clear whether the VPN capability comes free with it or I have to activate it with a license. Basically I want to know, if I just buy 1941W from a seller, whether I can just plug it between my ISP and internal switch (say, 3750G) and expect it (after some config commands, of course) to provide VPN access to some 20 remote employees?
Thanks,
raj
For vpn services you will need the security license.
Sent from Cisco Technical Support Android App
Similar Messages
-
Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.
I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
14EF37EA 15E57AD0 3C5D01F3 EF
quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
endWhy do you have following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transfor set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map
101 ? -
Setting up 10.4.5 to use the built in VPN with Cisco
I see from the update that it now supports Cisco VPN servers. How do I go about enabling the VPN capability, I don't see anything in the network system preferences that show how to enable the VPN functionality.
In the Mac Help application, I found the following for a query on VPN.
To connect to a VPN:
Open Internet Connect, located in the Applications folder.
Click the VPN icon in the toolbar.
Choose the type of VPN connection, either "L2TP over IPSec" or PPTP.
Choose a configuration from the Connect pop-up menu, then click Connect.
To create a second VPN configuration, choose File > New VPN Connection.
Good luck, hope it helps. -
2008 R2 NPS wont connect to Cisco 1841 via Cisco VPN 5.0.03.0560
I am migrating our IAS server from 2003 R2 to 2008 R2 NPS that we use to authenticate VPN conenctions through AD. Currently works without issue on 2003 R2 server. Does not want to work on 2008 R2 NPS server.
We are using Cisco VPN client 5.0.03.0560 as the VPN client. Below is the log file when I try to connect. Can someone tell me what needs to be done on NPS to get this working? If more info is needed please ask and will supply.
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 10:55:10.906 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
2 10:55:10.921 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
3 10:55:10.921 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server ".com"
4 10:55:10.921 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
5 10:55:10.937 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
6 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
7 10:55:11.140 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
8 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
9 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
10 10:55:11.203 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
11 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
12 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
13 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
14 10:55:11.140 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
15 10:55:11.140 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
16 10:55:11.140 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
17 10:55:11.140 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x078F, Remote Port = 0x1194
18 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
19 10:55:11.140 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
20 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
21 10:55:11.203 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
22 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
23 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
24 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
25 10:55:11.203 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
26 10:55:11.203 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
27 10:55:11.250 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
28 10:55:11.250 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
29 10:55:15.484 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
30 10:55:15.484 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
31 10:55:21.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 10:55:31.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 10:55:41.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 10:55:51.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
35 10:55:52.593 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
36 10:55:52.593 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
37 10:55:52.609 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
38 10:55:52.593 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
39 10:56:01.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
40 10:56:07.656 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
41 10:56:07.656 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
42 10:56:11.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
43 10:56:21.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
44 10:56:22.656 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
45 10:56:22.656 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
46 10:56:31.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
47 10:56:37.765 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
48 10:56:37.765 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
49 10:56:41.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
50 10:56:51.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
51 10:56:52.812 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
52 10:56:52.812 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
53 10:57:01.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
54 10:57:07.562 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
55 10:57:07.562 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
56 10:57:11.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
57 10:57:21.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
58 10:57:31.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
59 10:57:33.046 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
60 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
61 10:57:33.046 06/05/14 Sev=Info/4 CM/0x63100018
User does not provide any authentication data
62 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
63 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A5D0259F68268513 R_Cookie=D90058DAEBC5310F) reason = DEL_REASON_RESET_SADB
64 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
65 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A5D0259F68268513 R_Cookie=D90058DAEBC5310F) reason = DEL_REASON_RESET_SADB
66 10:57:33.046 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
67 10:57:33.062 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
68 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
69 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
70 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
71 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
72 11:00:54.656 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
73 11:00:54.671 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
74 11:00:54.671 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server ".com"
75 11:00:54.687 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
76 11:00:54.703 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
77 11:00:54.750 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
78 11:00:54.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
79 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
80 11:00:54.953 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
81 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
82 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
83 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
84 11:00:55.015 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
85 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
86 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
87 11:00:54.953 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
88 11:00:54.968 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
89 11:00:54.968 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
90 11:00:54.968 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0798, Remote Port = 0x1194
91 11:00:54.968 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
92 11:00:54.968 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
93 11:00:55.000 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
94 11:00:55.000 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
95 11:00:55.000 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
96 11:00:55.000 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
97 11:00:55.015 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
98 11:00:55.015 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
99 11:00:55.015 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
100 11:00:58.765 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
101 11:00:58.765 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
102 11:01:05.250 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
103 11:01:15.250 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
104 11:01:25.250 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
105 11:01:30.312 06/05/14 Sev=Info/6 GUI/0x63B0000D
Disconnecting VPN connection.
106 11:01:30.312 06/05/14 Sev=Info/4 CM/0x63100006
Abort connection attempt before Phase 1 SA up
107 11:01:30.312 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
108 11:01:30.312 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=B172E43640D94E73 R_Cookie=D90058DA499474F6) reason = DEL_REASON_RESET_SADB
109 11:01:30.328 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
110 11:01:30.328 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=B172E43640D94E73 R_Cookie=D90058DA499474F6) reason = DEL_REASON_RESET_SADB
111 11:01:30.328 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
112 11:01:30.328 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
113 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
114 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
115 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
116 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
117 11:01:44.875 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
118 11:01:44.890 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
119 11:01:44.890 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server ".com"
120 11:01:44.906 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
121 11:01:44.921 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
122 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
123 11:01:45.234 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
124 11:01:45.296 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
125 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
126 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
127 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
128 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
129 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
130 11:01:45.234 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
131 11:01:45.234 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
132 11:01:45.234 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
133 11:01:45.234 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x079B, Remote Port = 0x1194
134 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
135 11:01:45.234 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
136 11:01:45.250 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
137 11:01:45.250 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
138 11:01:45.281 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
139 11:01:45.281 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
140 11:01:45.281 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
141 11:01:45.281 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
142 11:01:45.296 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
143 11:01:45.296 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
144 11:01:45.296 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
145 11:01:53.625 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
146 11:01:53.625 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
147 11:01:53.640 06/05/14 Sev=Info/4 CM/0x63100018
User does not provide any authentication data
148 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
149 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=07A59EB947FF6880 R_Cookie=D90058DA7E39EE62) reason = DEL_REASON_RESET_SADB
150 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
151 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=07A59EB947FF6880 R_Cookie=D90058DA7E39EE62) reason = DEL_REASON_RESET_SADB
152 11:01:53.640 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
153 11:01:53.640 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
154 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
155 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
156 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
157 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
158 11:02:00.406 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
159 11:02:00.421 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
160 11:02:00.421 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server "com"
161 11:02:00.421 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
162 11:02:00.437 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
163 11:02:00.750 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
164 11:02:00.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
165 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
166 11:02:01.015 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
167 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
168 11:02:01.109 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
169 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
170 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
171 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
172 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
173 11:02:01.031 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
174 11:02:01.031 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
175 11:02:01.031 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
176 11:02:01.031 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x079E, Remote Port = 0x1194
177 11:02:01.031 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
178 11:02:01.031 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
179 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
180 11:02:01.078 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
181 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
182 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
183 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
184 11:02:01.078 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
185 11:02:01.078 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
186 11:02:06.406 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
187 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
188 11:02:06.406 06/05/14 Sev=Info/4 CM/0x63100018
User does not provide any authentication data
189 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
190 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=E9F0E2EDD6D85F48 R_Cookie=D90058DA2BBDFC93) reason = DEL_REASON_RESET_SADB
191 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
192 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E9F0E2EDD6D85F48 R_Cookie=D90058DA2BBDFC93) reason = DEL_REASON_RESET_SADB
193 11:02:06.406 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
194 11:02:06.421 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
195 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
196 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
197 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
198 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stoppedI am using 2008 R2 NPS as radius server. 1841 ISR as VPN device. Here are debug loghs from Cisco 1841
1430434: .Jun 9 2014 12:06:59.187 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430435: .Jun 9 2014 12:06:59.187 PDT: RADIUS: Retransmit to (10.1.x.x:1645,1646) for id 1645/140
1430436: .Jun 9 2014 12:06:59.191 PDT: RADIUS: Received from id 1645/140 10.1.4.7:1645, Access-Reject, len 20
1430437: .Jun 9 2014 12:06:59.191 PDT: RADIUS: authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
1430438: .Jun 9 2014 12:06:59.191 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430439: .Jun 9 2014 12:06:59.191 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
1430440: .Jun 9 2014 12:06:59.191 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
1430441: .Jun 9 2014 12:06:59.191 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
1430442: .Jun 9 2014 12:06:59.191 PDT: RADIUS: request authen: 2669BD0BEF3749C79C551EABB4B4D105
1430443: .Jun 9 2014 12:06:59.191 PDT: RADIUS: Response (140) failed decrypt
1430444: .Jun 9 2014 12:07:05.246 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430445: .Jun 9 2014 12:07:05.246 PDT: RADIUS: Retransmit to (10.1.4.7:1645,1646) for id 1645/140
1430446: .Jun 9 2014 12:07:05.250 PDT: RADIUS: Received from id 1645/140 10.1.4.7:1645, Access-Reject, len 20
1430447: .Jun 9 2014 12:07:05.250 PDT: RADIUS: authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
1430448: .Jun 9 2014 12:07:05.250 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430449: .Jun 9 2014 12:07:05.250 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
1430450: .Jun 9 2014 12:07:05.250 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
1430451: .Jun 9 2014 12:07:05.250 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
1430452: .Jun 9 2014 12:07:05.250 PDT: RADIUS: request authen: 2669BD0BEF3749C79C551EABB4B4D105
1430453: .Jun 9 2014 12:07:05.254 PDT: RADIUS: Response (140) failed decrypt
1430454: .Jun 9 2014 12:07:08.574 PDT: %SEC-6-IPACCESSLOGP: list 102 denied tcp x.x.9.47(21303) -> x.x.109.122(5038), 1 packet
1430455: .Jun 9 2014 12:07:09.826 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430456: .Jun 9 2014 12:07:09.826 PDT: RADIUS: Retransmit to (10.1.4.7:1645,1646) for id 1645/140
1430457: .Jun 9 2014 12:07:09.830 PDT: RADIUS: Received from id 1645/140 10.1.x.x:1645, Access-Reject, len 20
1430458: .Jun 9 2014 12:07:09.830 PDT: RADIUS: authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
1430459: .Jun 9 2014 12:07:09.830 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430460: .Jun 9 2014 12:07:09.830 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
1430461: .Jun 9 2014 12:07:09.830 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
1430462: .Jun 9 2014 12:07:09.830 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
1430463: .Jun 9 2014 12:07:09.830 PDT: RADIUS: request authen: 2669BD0BEF3749C79C551EABB4B4D105
1430464: .Jun 9 2014 12:07:09.830 PDT: RADIUS: Response (140) failed decrypt
1430465: .Jun 9 2014 12:07:14.210 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430466: .Jun 9 2014 12:07:14.210 PDT: RADIUS: No response from (10.1.4.7:1645,1646) for id 1645/140
Log Buffer (4096 bytes):
6E7C
1430534: .Jun 9 2014 12:09:50.586 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430535: .Jun 9 2014 12:09:50.586 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430536: .Jun 9 2014 12:09:50.590 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430537: .Jun 9 2014 12:09:50.590 PDT: RADIUS: Response (141) failed decrypt
1430538: .Jun 9 2014 12:09:51.902 PDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
1430539: .Jun 9 2014 12:09:55.638 PDT: %SEC-6-IPACCESSLOGP: list 112 denied tcp x.x.245.x(1602) -> x.32.x.x(445), 1 packet
1430540: .Jun 9 2014 12:09:55.974 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
1430541: .Jun 9 2014 12:09:55.974 PDT: RADIUS: Retransmit to (10.x.x.x:1645,1646) for id 1645/141
1430542: .Jun 9 2014 12:09:55.978 PDT: RADIUS: Received from id 1645/141 10.1.4.7:1645, Access-Reject, len 20
1430543: .Jun 9 2014 12:09:55.978 PDT: RADIUS: authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
1430544: .Jun 9 2014 12:09:55.978 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430545: .Jun 9 2014 12:09:55.978 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
1430546: .Jun 9 2014 12:09:55.978 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430547: .Jun 9 2014 12:09:55.978 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430548: .Jun 9 2014 12:09:55.978 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430549: .Jun 9 2014 12:09:55.978 PDT: RADIUS: Response (141) failed decrypt
1430550: .Jun 9 2014 12:09:58.070 PDT: %SEC-6-IPACCESSLOGP: list 102 denied tcp 27.x.x.x(33281) -> 12.x.x.x(80), 1 packet
1430551: .Jun 9 2014 12:10:00.326 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
1430552: .Jun 9 2014 12:10:00.326 PDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.x.x:1645,1646 is not responding.
1430553: .Jun 9 2014 12:10:00.326 PDT: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.x.x:1645,1646 is being marked alive.
1430554: .Jun 9 2014 12:10:00.326 PDT: RADIUS: Retransmit to (10.1.x.x:1645,1646) for id 1645/141
1430555: .Jun 9 2014 12:10:00.330 PDT: RADIUS: Received from id 1645/141 10.1.x.x:1645, Access-Reject, len 20
1430556: .Jun 9 2014 12:10:00.330 PDT: RADIUS: authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
1430557: .Jun 9 2014 12:10:00.330 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430558: .Jun 9 2014 12:10:00.330 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
1430559: .Jun 9 2014 12:10:00.330 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430560: .Jun 9 2014 12:10:00.330 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430561: .Jun 9 2014 12:10:00.330 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430562: .Jun 9 2014 12:10:00.334 PDT: RADIUS: Response (141) failed decrypt
1430563: .Jun 9 2014 12:10:01.713 PDT: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 175.x.x.x -> x.x.x.104 (3/3), 1 packet
1430564: .Jun 9 2014 12:10:05.841 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
1430565: .Jun 9 2014 12:10:05.841 PDT: RADIUS: Retransmit to (10.x.x.x:1645,1646) for id 1645/141
1430566: .Jun 9 2014 12:10:05.845 PDT: RADIUS: Received from id 1645/141 10.x.x.x:1645, Access-Reject, len 20
1430567: .Jun 9 2014 12:10:05.845 PDT: RADIUS: authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
1430568: .Jun 9 2014 12:10:05.845 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430569: .Jun 9 2014 12:10:05.845 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
1430570: .Jun 9 2014 12:10:05.845 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430571: .Jun 9 2014 12:10:05.845 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430572: .Jun 9 2014 12:10:05.849 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430573: .Jun 9 2014 12:10:05.849 PDT: RADIUS: Response (141) failed decrypt -
How to setup WRTSL54GS VPN?
I'm fairly network literate but I need a walk through for setting up a VPN on WRTSL54GS router and how to confirm settings are working.
I talked with Support (in the Phillipines)and advised me to set my DSL modem to bridge mode, done that and Internet connectivity is OK. But the documentation on configuring the VPN is very weak. For testing I am dropping the wireless on this router and connecting to a neighbors open wireless router and unable to connect to the VPN I setup. My router does have the latest version of the firmware.
I plan on using the VPN to connect to the network storage connected to the router when offsite.
Thank you for your help.
Dave K.That was the point of buying this router. I really don't want to leave my workstation on 24/7 but, prefer to have a low cost storage online dedicated to the purpose.
Is there a home based router with firewall, wireless, wired capability, with attached storage accessable from both inside and outside securely that does not do pass-through VPN but instead can act as a termination for the VPN?
I have configured the FTP server and have connected that way but that leaves the password and username transmitted in clear text. Any sniffer could pick up on that. I want to make this a secure connection even better if I could restrict the MAC address to my laptop only connecting.
I'm open to ideas. What have others done low cost?
What if I purchased low cost network storage with its own IP and placed it inside my home network, of course it would have a NAT'd non public IP. I suspect since the router is pass through VPN the storage would have to have VPN capability?
And I think I read something in the forum that if the VPN is setup only the VPN is allowed through and I would not be able to surf the net? Not quite sure of the details how this works. Might be another road block to using this router.
Thanks in advance.
Dave K. -
Problems with Cisco VPN & UMTS
Hello!
Just got a new MacBook Pro 2,0 and am busy setting it up for mobile access to our corporate network.
I´m using Cisco VPN Client 4.9.00 (0050).
When I am using my wireless router at home (over a DSL line) everything works fine, but when I am connected over a SonyEricsson K608 UMTS/3G phone, the client does not seem to be able to connect:
Error log is as follows:
1 16:30:34.115 05/28/2006 Sev=Info/4 CM/0x43100002
Begin connection process
2 16:30:34.116 05/28/2006 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet
3 16:30:34.116 05/28/2006 Sev=Info/4 CM/0x43100024
Attempt connection with server "xxx.xxx.xxx.xxx"
4 16:30:34.117 05/28/2006 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).
5 16:30:34.117 05/28/2006 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (4500).
6 16:30:34.117 05/28/2006 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.
7 16:30:34.618 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
8 16:30:35.219 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
9 16:30:35.820 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
10 16:30:36.422 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
11 16:30:37.023 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
12 16:30:37.624 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
13 16:30:37.624 05/28/2006 Sev=Info/4 IKE/0x43000075
Unable to acquire local IP address after 5 attempts (over 5 seconds), probably due to network socket failure.
14 16:30:37.624 05/28/2006 Sev=Warning/2 IKE/0xC300009A
Failed to set up connection data
Has anybody heard of something like that?
I tried the same on a G4 iBook with the same configuration, and everything works fine there.
Bye, Frido.If you have a data plan on your phone, make sure it is VPN capable. T-mobile has this option. There is something with the routing and proxies that they use.
Most cell providers will also block most ports other than say 80 and other ports they specifically use. -
Hi. I just bought a Mac Mini Server and want to use the VPN service to access files on the host. I am not sure how this works and so far have been unable to find a tutorial that walks through the steps to do so. If anyone here can help me out I would appreciate it. I have my VPN server turned on with a shared secret and everything, but other than that I am clueless. All help will be greatly appreciated
There are mid-grade firewalls that have built-in VPN servers that can download clients into your Mac OS X box, and you can either have a system that works like this firewall.
Or you can have a firewall with an L2TP or SSL or another end-point server built in; where you use the existing Mac client, or where you can work with (for instance) IPsecuritas or another client.
Or you can set up port forwarding as Camelot mentions and connect from your client (and its VPN client) through to Mac OS X Server and its VPN server capabilities. (One caveat here: there were some L2TP bugs around Airport and Time Capsule that have been discussed; where these devices were not correctly passing a VPN through. Check around for forums for previous discussions.)
Within the margin for error and variability among the VPN implementations, VPNs are roughly equivalent. Yes; there are some differences in the degree of security provided by PPTP and L2TP and SSL, but they're all better than running open ports or clear-text protocols. The key question being "does it work", as is usual.
My preference is for a VPN-capable firewall which uses one of the Mac OS X clients, and that doesn't require a specific VPN client from the vendor; with a "standard" VPN, Apple maintains the clients for you. -
Importing Cisco VPN information into Finder VPN
Hello,
I have recently upgraded to OSX Lion and the Cisco VPN Client used by my university no longer works. They suggest another client (Shrew Soft), which also doesn't work. What I'd like to be able to do is use the VPN configuration information provided by my institute with the Finder's own VPN capability, bypassing the need for a buggy client programm.
I've already read this thread, however it hasn't helped:
https://discussions.apple.com/thread/2274119?start=0&tstart=0
My problem seems to be that I need TWO files to configure Cisco correctly, a root certificate (which appears to be in .pem format) and a .pcf file. If I follow the "standard procedure" for importing the .pcf details -- that is, without using the root certificate somehow -- I get the message "The VPN server did not respond. Verify the server address and try reconnecting." Clearly I need somehow to be using BOTH files in order to establish a connection.
I have messed around with adding the root certificate to my System keychain, but the Finder doesn't display it when I go to "authentification settings". Instead I have only two certificates with "apple" in the name.
Even if I could add the root certificate successfully, this would surely be fruitless, as I would then no longer be using the shared secret.
SO, my query is: How can I combine both of these files into a single certificate that I can then add to my keychain and use for machine identification? Please bear in mind that I am not a computer specialist and am not au fait with Open SSL, and so forth. I'm prepared to grapple with it if it's the only way to get my VPN working again, but I will really need a very clear explanation of each step!
Many thanks in advance!No ideas?
-
At the moment the touch does not have VPN support like the iphone does. I searched throughout the device and the manual. I've seen around that apple said that they were going to have the VPN client. If anyone else knows more info on the subject it would be appreciated.
Advertised or not. VPN is yet another feature that is found on the iPhone, but not found on the iPod Touch.
It annoys me, but I can deal with not having notes or the ability to add/edit calendar events.
I can kind of understand why Google Maps isn't included (though if YouTube is, I imagine they can make Google Maps work also).
But not having VPN capability renders this device useless as a wi-fi device. A significant number of universities (not to mention virtually all corporations) now require some kind of VPN connection. Not having VPN on an iPod Touch means one can't use it to browse the web from those locations.
I just got my iPod Touch. I've tried calling Apple this morning. I got routed back and forth. No one seemed to have an answer.
Apple: better correct these problems soon. Otherwise you'd have lots of very unhappy customers on your hands... -
Hi all,
I was wondering if someone could provide me with some advice, I often work on the road and need to use public Wifi in all sorts of places in London and was considering the use of VPN to make things more secure,
can some one point me in the right direction of a " Basic How to Guide " in regards to VNP setups, using Virgin Media,
I understand that to use a VPN your require a Static ip address, which with virgin media does not use,
However there are online services which can provide one, I was wondering if anyone could help or recommend a existing service ?
thanks
yI disagree to a point; you can definitely connect a VPN over Wi-Fi, then route your traffic over the already encrypted VPN to protect your traffic.
It's not only used to access your employer's network.
I have VPN set up on a server at my house, and use it to connect to my home network for file access or if I'm using public Wi-Fi on occasion.
You'd either need a server to provide VPN services and address assignments, or a router at home that's capable of creating the VPN tunnel and authenticating users. Cisco has some small business routers that are VPN capable. I'd imagine you could get a Linux VPN server running at home for a small amount of money.
As far as the static IP goes, you don't need one, but it's nice to have. You can always use a service like dyndns.com (free!) to automatically keep your DNS records up-to-date, even as your ISP changes your IP at home. That's how I've got mine configured and it works wonderfully.
Just keep in mind it will probably be slooooow. -
Hi There
I have a 1841 Router running C1841-ADVIPSERVICESK9-M ver 12.4(12), is this IOS VPN capable, if not what IOS whould I need to run a VPN?
thanksThanks
Not sure yet, waiting to hear back from our partner to see what they support. -
I am looking to Cisco to pehaps add the following to the entire line of RV series VPN capable firewalls. (at least the RV110w)
Add EZ_VPN, with ability to store remote usename password for tunnel auth.
Add option 150 in the LAN DHCP config
Supporting multiple subnets across a site to site vlans
Voice vlan support?
It seems to me the RV series VPN capable devices would be great for teleworkers that use a Cisco UC phone system such as the UC500 series that support EZ_VPN, as the SSL vpn on the SPA525 is buggy and unusable in a lot of my installations. and installing the SA/SR endpoints (most of with are end of life) devices are costly. Also allows one to use lower cost SPA phones for remote users.
Since Cisco spent the time to add all the advanced IPSec options to allow one to connect to most any IPsec device, and are marketing this for teleworkers haveing the features listed above would really help.Hi mlemmo, you should call the small business support center to make a feature request.
Traditionally, the small business routers have not supported the Cisco VPN clients. The latest exceptions have been the SA500 and SRP500 series supporting the Cisco VPN client and the ISA supporting AnyConnect. Currently, the bigger brothers of the RV110 also do not support the Cisco VPN clients except for QVPN.
-Tom
Please mark answered for helpful posts -
OSX Server 10.4 + VPN Tracker
I am having problems setting up a vpn connection. I have VPN Tracker but the machine I want to get to on my LAN (behind the router - which is another set of problems!) is running OSX Server. Do I ignore the vpn settings since they are references to IPSec/L2TP, or do I have to switch off the server firewall? I find this very unclear. Also, is there an aternative to using Tracker? Can't I simply use the built-in vpn capability of OSX?
I am having problems setting up a vpn connection.
VPN is a screaming bag of cats. What one vendor calls VPN
may not be what another vendor calls it.
I have VPN Tracker but the machine I want to get to on
my LAN (behind the router - which is another set of
problems!) is running OSX Server.
If you are trying to connect from a Mac to OS X server,
VPN Tracker is not needed to establish a VPN tunnel. The
existing software that comes with the system can be used.
In the Finder's Help menu ("Mac Help"), open the Help Viewer
and search for VPN. Look at the entry entitled "Setting up
a connection to a Virtual Private Network".
The main reason to use VPN Tracker is if you have a
perimeter hardware firewall / VPN appliance. For example,
our users connect to our SonicWALL using VPN Tracker, and it
works great. We terminate the tunnel on the LAN side of the
SonicWALL so that the remote client computers sit through
the tunnel on the LAN The advantage that Equinux brings is
that they keep it up to date as Apple and SonicWALL (and
other VPN firewall vendors) make changes, and they provide
good setup guides. For the interoperability list, see
http://equinux.com/us/products/vpntracker/interoperability.html
Do I ignore the vpn settings since they are references
to IPSec/L2TP, or do I have to switch off the server
firewall?
Well, you will have to open up appropriate ports depending
on the flavor of VPN you choose. Again, it's a screaming
bag of cats. Of course, you will have to configure VPN
on the Xserve.
I find this very unclear.
Yep. It's a screaming bag of cats.
Also, is there an aternative to using Tracker? Can't I
simply use the built-in vpn capability of OSX?
To connect to an Xserve, yes. See the Help viewer article
above. You don't mention the router you are using or whether
it is using NAT. You may have NAT traversal issues.
Hope this helps,
Russ
Xserve G5 2.0 GHz 2 GB RAM Mac OS X (10.4.8) Apple Hardware RAID, ATTO UL4D, Exabyte VXA-2 1x10 1u -
Troubleshooting VPN drops between 871 client and 2811
My small company uses a 2811 ISR for VPN services (among other tasks such as internet access, p2p circuits to a second site, etc). I have a couple of remote users that have 871 routers that have occasional problems with their routers dropping their VPN tunnels to the 2811. I'm not really sure where to start with the troubleshooting. There are other clients (such as my own 871W) that seem to maintain a connection for weeks. These remote routers that do drop the connection usually reconnect at their next schedule attempt (180 seconds or so.)
Most of the previous questions I've seen similar to this involve software clients but these are hardware routers as the clients and as such I'm not sure how to enable or retrieve logs for the VPN sessions.As expected, the isakmp lifetime is 86400, but for ipsec it merely reports how much time is left in the current sa.
For example:
router#show crypto isakmp policy
Global IKE policy
Protection suite of priority 3
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
router#show crypto ipsec sa
interface: Virtual-Access4
Crypto map tag: Virtual-Access4-head-0, local addr 209.XXX.XXX.82
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 75.XXX.XXX.179 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 681527, #pkts encrypt: 681527, #pkts digest: 681527
#pkts decaps: 670316, #pkts decrypt: 670316, #pkts verify: 670316
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 209.XXX.XXX.82, remote crypto endpt.: 75.XXX.XXX.179
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xF0C2D65C(4039300700)
inbound esp sas:
spi: 0x2A7171E4(712077796)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4093, flow_id: NETGX:2093, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4577435/1047)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF0C2D65C(4039300700)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4094, flow_id: NETGX:2094, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4572865/1027)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas: -
C892FSP-K9 VPN? - SOLVED
Hello,
I bought a few weeks ago two C892FSP-K9.
When I bought it, I said it was to link 2 to 3 sites all together throught VPN site-to-Site. Those devices can have up to 50 VPN tunnel. I am not shure yet how to implement the ipsec tunnel vpn capability, but I am not sure that I have all the settings available.
Here is what I mean and the result of the "crypto ?" command:
(config)#crypto ?
key Long term key operations
pki Public Key components
provisioning Secure Device Provisioning
wui Crypto HTTP configuration interfaces
In this list of available commande, I do not have
isakmp
In all the exemple I found in Internet to make a tunnel, they use isakmp. So if it is not avalable, How can I do?
By the way, do I have to do, activate something somewhere to have access to isakmp?
Thanks?Hi,
I have found the solution. It seems that my devices were shiped with this IOS:
c800-universalk9_npe-mz.SPA.153-2.T.bin
I did not have the equivalent of advsecurity feature in it.
So Someone from Cisco send me this IOS:
c800-universalk9-mz.SPA.152-4.M6.bin
And all came back to normal... Now I have this:
(config)#crypto ?
batch Crypto Batch Processing
call Configure Crypto Call Admission Control
ctcp Configure cTCP encapsulation
dynamic-map Specify a dynamic crypto map template
engine Enter a crypto engine configurable menu
gdoi Configure GDOI policy
identity Enter a crypto identity list
ikev2 Configure IKEv2 Options
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
key Long term key operations
keyring Key ring commands
logging logging messages
map Enter a crypto map
mib Configure Crypto-related MIB Parameters
pki Public Key components
provisioning Secure Device Provisioning
vpn Configure crypto vpn commands
wui Crypto HTTP configuration interfaces
xauth X-Auth parameters
Thanks For those who tried to help me.
Vandman
Maybe you are looking for
-
POS-DM, BIW & R/3 posting issue after BIW patch updation
Landscape details: SAP IS-Retail (ECC 6.0), SAP POS (Triversity GM 9.5.10), PI 7.0, BIW/POS-DM 7.0 Issue Detail We have upgraded the patch level of Support package BI_CONT in BIW from 5 to 11 in production server and after that following issues have
-
Central 5.4 stops printing, a reboot of the server is the only way to fix the problem
Hi, We are running central 5.4 on windows 2000 SP4, this has worked for ages but has just started with an intermittent fault. When we send some output it suddenly stops printing, and no forms sent to central will be printed, the only way to get them
-
I am puzzled by a feature in InDesign CS2 version 4.0.5 that I have never seen before. I am using a Mac that is is another department at my workplace and when you are creating a new document in the File>New dialog box, this is what you get: Width, He
-
Reformatted Mac HD but it no longer has a Logical Volume Group
Hi Guys, I've reformatted my Mac Pro's main HD, prior to doing a completely new install of Yosemite. Having reformatted it, I noticed that in the Disk Utility, there is no longer a main hard drive at the top of the list called Macintosh HD, with a Lo
-
Ever since updating to Mountain Lion, I cannot watch live streams.
Hey, since updating to ML, something seems to be interrupting how Flash is working. I am unable to see live video streams in the browser. When I try to use VOKLE, for example, it seems to load fine and then I get an error from Vokle telling me to mak