[SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
Hi,
Have just started with Archlinux and trying to set up a VPN tunnel using pptp.
I have been following the guide at:
https://wiki.archlinux.org/index.php/Mi … pptpclient
I want to connect to a service from www.ipredator.se
Info from them when connection to Windows XP are:
Enter company name "Ipredator". Click Next.
Enter "vpn.ipredator.se" as "Host name or IP address".
I have been given a <USERNAME> and <PASSWORD> from them.
I got the VPN tunnel up and running in Ubuntu with the settings.
Only enabled MSCHAPv2
use MPPE 128 bit
and allow data compression, BSD, Deflate and TCP header.
My configuration files:
options.pptp
# $Id: options.pptp,v 1.3 2006/03/26 23:11:05 quozl Exp $
# Sample PPTP PPP options file /etc/ppp/options.pptp
# Options used by PPP when a connection is made by a PPTP client.
# This file can be referred to by an /etc/ppp/peers file for the tunnel.
# Changes are effective on the next connection. See "man pppd".
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
# and the kernel MPPE module available from the CVS repository also on
# http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
# Lock the port
lock
# Authentication
# We don't need the tunnel server to authenticate itself
noauth
# We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
# Compression
# Turn off compression protocols we know won't be used
nobsdcomp
nodeflate
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use. Note that MPPE
# requires the use of MSCHAP-V2 during authentication)
# http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
# ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
# Require MPPE 128-bit encryption
# require-mppe-128
# http://polbox.com/h/hs001/ fork from PPP project by Jan Dubiec
# ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
# Require MPPE 128-bit encryption
# mppe required,stateless
chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
<USERNAME> pptpd <PASSWORD> *
I named my tunnel "ipredator"
/etc/ppp/peers/ipredator
pty "pptp vpn.ipredator.se --nolaunchpppd"
name <USERNAME>
remotename Ipredator
require-mppe-128
file /etc/ppp/options.pptp
ipparam ipredator
When I try to connect I get following:
[root@archlinux ppp]# pon $TUNNEL ipredator dump logfd 2 nodetach
pppd options in effect:
nodetach # (from command line)
logfd 2 # (from command line)
dump # (from command line)
noauth # (from /etc/ppp/options.pptp)
refuse-pap # (from /etc/ppp/options.pptp)
refuse-chap # (from /etc/ppp/options.pptp)
refuse-mschap # (from /etc/ppp/options.pptp)
refuse-eap # (from /etc/ppp/options.pptp)
name <USERNAME> # (from /etc/ppp/peers/ipredator)
remotename Ipredator # (from /etc/ppp/peers/ipredator)
# (from /etc/ppp/options.pptp)
pty pptp vpn.ipredator.se --nolaunchpppd # (from /etc/ppp/peers/ipredator)
crtscts # (from /etc/ppp/options)
# (from /etc/ppp/options)
asyncmap 0 # (from /etc/ppp/options)
lcp-echo-failure 4 # (from /etc/ppp/options)
lcp-echo-interval 30 # (from /etc/ppp/options)
hide-password # (from /etc/ppp/options)
ipparam ipredator # (from /etc/ppp/peers/ipredator)
proxyarp # (from /etc/ppp/options)
nobsdcomp # (from /etc/ppp/options.pptp)
nodeflate # (from /etc/ppp/options.pptp)
require-mppe-128 # (from /etc/ppp/peers/ipredator)
noipx # (from /etc/ppp/options)
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
MPPE required, but MS-CHAP[v2] auth not performed.
Connection terminated.
[root@archlinux ppp]#
I have not managed to understand why MS-CHAP[v2] auth is not performed.
Any ideas on what I have missed during my configuration would be most appreciated!
use code tags instead of quote since they provide scrollers and keep the thread from becoming a mile long -- Inxsible
Thank you!
Regards,
/Christer
Last edited by agkbill (2011-06-14 15:23:15)
The problem was that <PASSWORD> was never found.
What is written after "remotename" in the peers file, in the guide "PPTP", is used to find the password in chap-secrets.
But in the guide chap-secrets looks like "<USERNAME> pptpd <PASSWORD> *".
Consequently <PASSWORD> will never be found. It should have been "<USERNAME> PPTP <PASSWORD> *"; then it would have worked OK.
The solution was to understand how the password was found.
require-mppe-128 works fine as well.
Now it looks like this.
# Secrets for authentication using CHAP
# client server secret IP addresses
<USERNAME> PPTP <PASSWORD> *
pty "pptp vpn.ipredator.se --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name <USERNAME>
remotename PPTP
require-mppe-128
#file /etc/ppp/options.pptp
ipparam ipredator
Output:
[root@archlinux ppp]# pon ipredator debug logfd 2 nodetach
using channel 14
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x7540313b]
rcvd [LCP EchoReq id=0x0 magic=0xc615076a]
sent [LCP EchoRep id=0x0 magic=0x7540313b]
rcvd [CHAP Challenge id=0x46 <be769cd654150cc3dc0fd20bc73c03>, name = "pptpd"]
sent [CHAP Response id=0x46 <6ce74a85ab09e4ae223bc85f679395f0000000000000000dbb8dc66e8950ab46831b62f5815e015b1e72de1e01a4d00>, name = "<USERNAME>"]
rcvd [LCP EchoRep id=0x0 magic=0xc616076a]
rcvd [CHAP Success id=0x46 "S=2694D1D727F2B8C8E402125EA401750011F24F20"]
CHAP authentication succeeded
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
sent [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
rcvd [IPCP ConfNak id=0x1 <addr 93.182.150.56>]
sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
Cannot determine ethernet address for proxy ARP
local IP address
remote IP address x.x.x.x
Script /etc/ppp/ip-up started (pid 1778)
Script /etc/ppp/ip-up finished (pid 1778), status = 0x0
All the best!
/Christer
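The lookup described in the answer above, as an added example that is not part of the original thread: it checks whether the `name`/`remotename` pair from a peers file selects an entry in chap-secrets, without ever printing the secret. It uses a simplified model of pppd's matching (exact names preferred over `*`; when `remotename` is absent, the name from the peer's CHAP challenge is used); the function names, `exampleuser` and `EXAMPLE-PASSWORD` are constructed for illustration.

```python
import shlex

WILDCARD = "*"


def _words(line):
    """Split one config line, honouring quotes and '#' comments."""
    try:
        return shlex.split(line, comments=True)
    except ValueError:              # unbalanced quote, e.g. inside a password
        return line.split()


def parse_secrets(text):
    """Return (line_no, client, server) per chap-secrets entry.

    The secret column is dropped on purpose so it cannot leak into output.
    """
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        words = _words(line)
        if len(words) >= 3:         # client server secret [IP addresses]
            entries.append((line_no, words[0], words[1]))
    return entries


def parse_peer(text):
    """Return the 'name' and 'remotename' options found in a peers file."""
    opts = {}
    for line in text.splitlines():
        words = _words(line)
        if len(words) >= 2 and words[0] in ("name", "remotename"):
            opts[words[0]] = words[1]
    return opts


def find_entry(entries, client, server):
    """Line number of the best matching entry, or None if nothing matches."""
    best, best_score = None, -1
    for line_no, e_client, e_server in entries:
        if e_client not in (client, WILDCARD):
            continue
        if e_server not in (server, WILDCARD):
            continue
        # Assumption: an exact name outranks a wildcard in either column.
        score = (e_client != WILDCARD) + (e_server != WILDCARD)
        if score > best_score:
            best, best_score = line_no, score
    return best


def diagnose(peer_text, secrets_text, challenge_name=None):
    """Explain whether a secret would be found for this peer definition."""
    opts = parse_peer(peer_text)
    client = opts.get("name")
    # An explicit remotename wins over the name announced in the challenge.
    server = opts.get("remotename", challenge_name)
    entries = parse_secrets(secrets_text)
    line_no = find_entry(entries, client, server)
    if line_no is not None:
        return (f"OK: chap-secrets line {line_no} matches "
                f"client={client!r} server={server!r}")
    present = sorted({s for _, c, s in entries if c in (client, WILDCARD)})
    return (f"NO SECRET for client={client!r} server={server!r}; "
            f"server names present for this client: {present}")


# Constructed sample input modelled on the two configurations in the thread.
SECRETS_HEADER = ("# Secrets for authentication using CHAP\n"
                  "# client server secret IP addresses\n")
SECRETS_BEFORE = SECRETS_HEADER + "exampleuser pptpd EXAMPLE-PASSWORD *\n"
SECRETS_AFTER = SECRETS_HEADER + "exampleuser PPTP EXAMPLE-PASSWORD *\n"
PEER_BEFORE = ('pty "pptp vpn.ipredator.se --nolaunchpppd"\n'
               "name exampleuser\nremotename Ipredator\nrequire-mppe-128\n")
PEER_AFTER = PEER_BEFORE.replace("remotename Ipredator", "remotename PPTP")
PEER_NO_REMOTENAME = "name exampleuser\nrequire-mppe-128\n"

if __name__ == "__main__":
    print(diagnose(PEER_BEFORE, SECRETS_BEFORE))
    print(diagnose(PEER_AFTER, SECRETS_AFTER))
    print(diagnose(PEER_NO_REMOTENAME, SECRETS_BEFORE, challenge_name="pptpd"))
```

Run it against copies of the real files; the output names only the line number and the two name columns, so it is safe to paste into a forum post.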
Similar Messages
-
VPN Site-to-Site or VPN Client Server with Cisco IP Phone 8941 and 8945
Hi everyone,
I decided to deploy a CUCM (BE6K platform), SX20, and IP Phone 8941/8945 at the head office, and Cisco SX10 and IP Phone 8941/8945 at the branch offices (actually 9 branch offices).
The connection will use an internet connection for the HO and each branch office.
And the IT guy wants to use some kind of VPN client-server or VPN site-to-site for the connection through the internet.
What kind of VPN client-server or VPN site-to-site is recommended for this deployment?
And what type of Cisco router supports that kind of VPN (the cheapest one will be great)?
So that the SX10 and IP Phone 8941/8945 in the branch offices can work properly through the internet connection?
Please advise.
Regards,
Ovindo
Hi Leo,
technically, the ipsec users will not use up any premium license seats, so if you have 10 ipsec users connecting first, the premium seats are still free and so you can then still have 10 phones/anyconnect users connect.
However, the 250 you mention is the global platform limit, so it refers to the sum of premium and non-premium connections. Or in other words, you can have 240 ipsec users and 10 phones, but not 250 ipsec users and 10 phones.
If 250 ipsec users and 10 phones would try to connect, it would be first-in, first-served, e.g. you could have 248 ipsec users and 2 phones connected.
Note: since you have Essentials disabled I'm assuming you are referring to the legacy "Cisco vpnclient" (IKEv1 client) which does not require any license on the ASA. But for the benefit of others reading this thread: if you do have Anyconnect clients (using SSL or IPsec/IKEv2) for which you currently have an Essentials license, then note that the Essentials and Premium license cannot co-exist. So for e.g. 240 Anyconnect users and no phones, you can use Essentials. For 240 Anyconnect users and 10 phones, you need a 250-seat Premium license (and a vpn phone license).
hth
Herbert -
Cisco VPN client crashes with Error 51 on Intel Mac Mini
I am in the process of migrating from XP to Tiger on a brand-new Mac Mini (Intel Duo). Now I am stuck:
I use v 4.8.00 of the Cisco VPN client supplied by my university's IT dept. to connect to the Campus intranet. I have been unable to successfully use this software, as it crashes upon initializing with "Error 51: Cannot connect to the VPN subsystem." Re-installing the software does not change the state of affairs.
After some research, I used a hack found here (http://www.versiontracker.com/php/feedback/article.php?story=20060107011305622 and http://www.versiontracker.com/php/feedback/article.php?story=20060107011305622) to manually restart the VPN daemon. The Terminal result looks like this:
kld(): warning /System/Library/Extensions/CiscoVPN.kext/Contents/MacOS/CiscoVPN cputype (18, architecture ppc) does not match cputype (7 architecture i386) of objects files previously loaded (file not loaded)
kextload: kldlookup("_kmodinfo") failed for module /System/Library/Extensions/CiscoVPN.kext/Contents/MacOS/CiscoVPN
kextload: a link/load error occured for kernel extension /System/Library/Extensions/CiscoVPN.kext
load failed for extension /System/Library/Extensions/CiscoVPN.kext
(run kextload with -t for diagnostic output)
Not being fluent in Darwin, I can only interpret this to mean that the VPN client is incompatible with the Intel chip in the Mac mini... Is this correct? Is the only way for me to use VPN to wait for a 4.8.x version to be made available?
Hopeful still,
felixx
Also - the Mac VPN system will work with most Cisco networking devices. You can open up the PCF profile that your IT group wants you to use and figure out most of the questions Internet Connect will ask you to set up the VPN connection. For the rest, you have to ask the IT group or try some things and see what works...
cheers,
Mike -
Will Nortel's Contivity VPN Client work with Cisco's VPN 3000 concentrator?
Hi, need help. We have VPN 3000 concentrator and a number of VPN clients (these are using Cisco VPN client).
We have one user that wants to use Nortel's Contivity VPN Client. Will this work with the Cisco Concentrator 3000?
Tricky question - in theory yes, if the Nortel client follows all the IPsec RFCs.
I did try to get the Cisco VPN client working on a Nortel Contivity once - did not get it working - but didn't have that much time to test and get it working.
My advice - Configure, TEST DEBUG TEST DEBUG! -
OEL ldap client setup with SSL against OID using either ldaps or starttls
Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
Here's my /etc/ldap.conf file on OEL 5.3.
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
URI ldaps://FQDN:3132/
port 3132
ssl yes
host FQDN
base dc=DOMAIN,dc=com
pam_password clear
tls_cacertdir /etc/oracle-certs
tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
tls_ciphers SSLv3
# filter to AND with uid=%s
pam_filter objectclass=posixaccount
#The search scope
scope sub
I have /etc/nsswitch.conf set to check for files first, then ldap
passwd: files ldap
shadow: files ldap
group: files ldap
Here's my /etc/openldap/ldap.conf file
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
TLS_CIPHERS SSLv3
The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
4224de9f.0 -> oid-test-ca.pem
I can run ldapsearch using ldaps and it works fine.
ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!
Hello again...
after some research and work together with Oracle Support I found out how to get it to work:
1. You have to create your own ConfigSet in OID using
SSL-Server-Authentication
(OpenSSL seems not to support SSL-encryption-only).
The following link shows on how to do that:
http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
2. Add the following lines to your $HOME/ldaprc
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
oid-caroot.pem is the CA-Root Certificate you got
during step 1
3. you should now be able to use ldapsearch using SSL
If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by a security fix which may not be compliant with the SSL implementation of Oracle.
I opened a bug for that problem with RedHat. This bug description also includes a proposal for a patch which solves the problem (but may introduce some security risks). See the bug at RedHat:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
Bye
Frank Berger -
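An added check, not part of the posts above and not Oracle's or OpenLDAP's code: it audits an ldap.conf or ldaprc for the step 2 settings that leave the server certificate unenforced (`TLS_REQCERT allow`, `tls_checkpeer no`), next to a constructed stricter variant. The function names and the stricter values are assumptions for illustration.

```python
def parse_ldap_conf(text):
    """Return {lowercased option: value}; the last occurrence of a key is kept."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # key, then the rest of the line
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_tls(text):
    """List settings under which an untrusted server certificate is accepted."""
    opts = parse_ldap_conf(text)
    findings = []

    # OpenLDAP client library: 'never' and 'allow' both continue the session
    # when the certificate is missing or fails validation.
    reqcert = opts.get("tls_reqcert", "").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: session proceeds even if "
                        "the server certificate is bad or absent")

    # nss_ldap / pam_ldap: 'tls_checkpeer no' disables peer verification.
    if opts.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: server certificate is not verified")

    # A plain ldap:// URI without StartTLS sends binds in clear text.
    uri = opts.get("uri", "").lower()
    if uri.startswith("ldap://") and opts.get("ssl", "").lower() != "start_tls":
        findings.append("URI ldap:// without 'ssl start_tls': no encryption")

    return findings


# The ldaprc lines from step 2 above, copied as posted.
POSTED_LDAPRC = """\
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
"""

# Constructed stricter variant: same CA file, verification enforced.
STRICT_LDAPRC = """\
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT demand
ssl on
tls_checkpeer yes
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_LDAPRC), ("strict", STRICT_LDAPRC)):
        print(label, audit_tls(conf) or "no findings")
```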
Solaris 8 client setup with solaris 9 ldap
I have managed to install iplanet directory server 5.1 that comes with solaris 9 using the utility idsconfig. As far as i can tell, all went well. Now i'm trying to initialize a solaris 8 client to authenticate to the iDS 5.1 on my solaris 9 box. What do i have to do on the solaris 8 client to "initialize it"? I've tried using ldapclient on the solaris 8 client as follows:
# ldapclient -v -P default x.x.x.x
but i keep getting the following errors:
findDN rename(/var/ldap/ldap_client_file.orig, /var/ldap/ldap_client_file) failed!
findDN rename(/var/ldap/ldap_client_cred.orig, /var/ldap/ldap_client_cred) failed!
There are no files in /var/ldap. I thought that one uses ldapclient to create them. Am i wrong?
Also, the output from idsconfig says that a 'NisDomainObject' was added to my domain but looking at the object classes in iDS5.1, there is no nisdomainobject.
I also noticed that when i run the command domain on my solaris 8 box, there's no output. Do i need to set the domain on my solaris 8 client? I have the domain defined in /etc/resolv.conf.
Stewart
hi Stewart,
You may find what you are looking for in the following technical note: http://knowledgebase.iplanet.com/ikb/kb/articles/7966.html
It is called: "Cookbook for Solaris 8 client with Directory Server 5.1/Solaris 9" :-)
Hope this will help you.
Cheers / Damien. -
New SAP R/3 Client setup with SRM
Hi Guys,
Can anyone guide me if I am deleting my SAP R/3 backend client and setting up a new client then do I need to delete all the current material groups and do an Initial upload by setting up the middleware settings in new R/3 client.
Also is it necessary to delete the settings of Old middleware settings?
Please clarify me.
Thanks !!!!
Regards,
Srujank
Hi Nagarjun,
If you look at the exporting and importing parameters of your Method EXECUTE_SYNC...
You would find the ABAP equivalent of your Message Type. Hence you know all the fields.
No, it depends on the business logic, or rather what the RFC is supposed to be requested for is filled in as an input parameter to the Method.
This can be an IDOC too; in that case your MT should be similar. Fill in the transmission IDOC values.
OR you can actually hardcode the values, make your Itab, and send it across (as this is just for test purposes)
Hope this helps.
Regards
Abhishek -
Ical client setup with 10.6 server
I have iCal server up and running on my 10.6 server and everything seems to be working right. however I have set the server side up to use ssl and have opened those ports on my firewall which works. My problem is that after setting up a user I send out the welcome email and that has the configure my mac link. Which was done before I change the iCal server settings to use ssl. And now every time I go in and manually set the server settings to use ssl on the client side and quit and reopen ical another account is added without the ssl settings. How do i get it to stop automatically adding an account to iCal?
This looks like a bug in the iCal client. I, too, have had problems with delegated calendars and end users mistaking events for being missing, not updated or incorrect only because their local copy was not synced with the true copy on the server. The refresh rate on delegated calendars can be changed with the "Refresh calendars: [ Every 1 minute ]" preference. You can verify this by right-clicking or control-clicking on the delegated calendar and choosing "Show CalDAV Queue." This brings up a queue of activity with the iCal Server. You'll note at the top that it mentions "Refresh every 1 minute."
The problem, of course, is if you quit iCal and recheck the "Show CalDAV Queue" on the delegated calendar, the refresh interval has reverted to some long interval like 300 or 900 minutes. This is a bug, for sure. For now, you can tell your clients not to quit iCal or to refresh manually or reset the refresh interval whenever they restart iCal/their computer, etc. -
Asa 5505 vpn from internet native vpn client, tcp discarted 1723
Hello to all,
I'm configuring this ASA to connect home users to my network using the native Microsoft VPN clients with Windows XP over the internet.
This ASA has one public internet IP on the outside interface, and the inside interface is configured in the network 192.168.0.x; I want to access this network from internet users using native VPN clients.
I tested with one PC connected directly to the outside interface and it works well, but when I connect this interface to the internet and try to connect a user to the VPN, I can see this in the logs, and it can't connect, with error 800.
TCP request discarded from "public_ip_client/61648" to outside:publicip_outside_interface/1723"
Can you help me please? Many thanks in advance!
(running configuration)
: Saved
ASA Version 8.4(3)
hostname ciscoasa
enable password *** encrypted
passwd *** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address publicinternetaddress 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network gatewayono
host gatewayofinternetprovideraccess
description salida gateway ono
object service remotointerno
service tcp destination eq 3389
description remoto
object network pb_clienteing_2
host 192.168.0.15
description Pebble cliente ingesta 2
object service remotoexternopebble
service tcp destination eq 5353
description remotoexterno
object network actusmon
host 192.168.0.174
description Actus monitor web
object service Web
service tcp destination eq www
description 80
object network irdeto
host 192.168.0.31
description Irdeto
object network nmx_mc_p
host 192.168.0.60
description NMX Multicanal Principal
object network nmx_mc_r
host 192.168.0.61
description NMX multicanal reserva
object network tarsys
host 192.168.0.10
description Tarsys
object network nmx_teuve
host 192.168.0.30
description nmx cabecera teuve
object network tektronix
host 192.168.0.20
description tektronix vnc
object service vnc
service tcp destination eq 5900
description Acceso vnc
object service exvncnmxmcr
service tcp destination eq 5757
description Acceso vnc externo nmx mc ppal
object service exvncirdeto
service tcp destination eq 6531
description Acceso vnc externo irdeto
object service exvncnmxmcp
service tcp destination eq 5656
object service exvnctektronix
service tcp destination eq 6565
object service exvncnmxteuve
service tcp destination eq 6530
object service ssh
service tcp destination eq ssh
object service sshtedialexterno
service tcp destination eq 5454
object-group service puertosabiertos tcp
description remotedesktop
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object irdeto
network-object object nmx_mc_p
network-object object nmx_mc_r
network-object object nmx_teuve
network-object object tektronix
object-group service vpn udp
port-object eq 1723
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq pptp
object-group network DM_INLINE_NETWORK_2
network-object object actusmon
network-object object tarsys
access-list inside_access_in extended permit object remotointerno any any
access-list inside_access_in extended permit object ssh any any
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object vnc any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object remotointerno any object pb_clienteing_2
access-list outside_access_in extended permit object-group TCPUDP any object actusmon eq www
access-list outside_access_in remark Acceso tedial ssh
access-list outside_access_in extended permit tcp any object tarsys eq ssh
access-list outside_access_in extended permit object vnc any object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended deny icmp any any
access-list corporativa standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging asdm debugging
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool clientesvpn 192.168.0.100-192.168.0.110 mask 255.255.255.0
ip local pool clientesvpn2 192.168.1.120-192.168.1.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any interface destination static interface actusmon service Web Web unidirectional
nat (outside,inside) source static any interface destination static interface tarsys service sshtedialexterno ssh unidirectional
nat (outside,inside) source static any interface destination static interface pb_clienteing_2 service remotoexternopebble remotointerno unidirectional
nat (outside,inside) source static any interface destination static interface irdeto service exvncirdeto vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_p service exvncnmxmcp vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_r service exvncnmxmcr vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_teuve service exvncnmxteuve vnc unidirectional
nat (outside,inside) source static any interface destination static interface tektronix service exvnctektronix vnc unidirectional
nat (any,outside) source dynamic DM_INLINE_NETWORK_2 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside per-user-override
route outside 0.0.0.0 0.0.0.0 gatewayinternetprovideracces 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
aaa local authentication attempts max-fail 10
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp mode transport
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set clientewindowsxp
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TP-VPN-MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint Ingenieria
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd address 192.168.0.5-192.168.0.36 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point Ingenieria outside
webvpn
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server none
dns-server value 192.168.0.1
vpn-tunnel-protocol l2tp-ipsec
default-domain none
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy ingenieria internal
group-policy ingenieria attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain none
group-policy L2TP-Policy internal
group-policy L2TP-Policy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
intercept-dhcp enable
username ingenieria password 4fD/5xY/6BwlkjGqMZbnKw== nt-encrypted privilege 0
username ingenieria attributes
vpn-group-policy ingenieria
username rjuve password SjBNOLNgSkUi5KWk/TUsTQ== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool clientesvpn
address-pool clientesvpn2
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
default-group-policy L2TP-Policy
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
class-map inspection_default
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
prompt hostname context
call-home reporting anonymous
Cryptochecksum:59b54f1d10fe829aeb47bafee57ba95e
: end
no asdm history enable
Yes, this command creates this:
policy-map global_policy
class inspection_default
inspect pptp
But it doesn't work. I also tried to add PPTP and GRE to the outside access rules, but nothing...
I don't understand why it works well if I connect directly to the outside interface from the same outside network.
E.g.: the PC has the IP 89.120.145.14 and the outside ASA has 89.120.145.140; if I create a VPN on this PC to the outside IP 89.120.145.140 with the correct parameters, the ASA doesn't discard 1723 and it connects OK, but if the IP is not in this range it discards 1723... -
We NEED L2TP support on the Playbook VPN client!
The Playbook will never be useful for our company if it doesn't support a VPN client that uses "Layer Two Tunneling Protocol(L2TP)".
We use a standard Microsoft VPN server, configured with "MS-CHAP V2", but we like to use L2TP because it is more secure than PPTP.
When will RIM support this on the Playbook?
I love it when things don't work the way they are supposed to, because then I get to fix them.
I would add a request for L2TP over IPSec. Our institution has over 25000 users and VPN access is important. Android 3.x supports it. Would expect the same from OS v2.0.
Thanks
Cisco VPN client x64 for win7 - will not install
Hello guys,
I have a fresh Windows 7 x64 installation and I am trying to install the Cisco VPN client (vpnclient-winx64-msi-5.0.07.0290-k9.exe). The installation ends with the fatal error "Installation ended prematurely of an error". I have read a lot of 'step-by-step' guides on how to solve this problem (run as administrator, even though I'm an administrator; UAC disabled; run in WinXP mode; etc.), without success.
I tried running the installation process from cmd with verbose logging, "msiexec /i vpnclient_setup.msi /lv log.txt" (and other 'recommended' optional parameters). The same result - fatal error.
Can anybody tell me where the problem is? (The installation file is not corrupted.)
Verbose log ends with this (whole log is attached):
<cut>
Action ended 22:35:25: WiseNextDlg. Return value 3.
DEBUG: Error 2896: Executing action WiseNextDlg failed.
Internal Error 2896. WiseNextDlg
Action ended 22:35:25: Welcome_Dialog. Return value 3.
MSI (c) (70:2C) [22:35:25:997]: Doing action: Fatal_Error
Action start 22:35:25: Fatal_Error.
MSI (c) (70:2C) [22:35:25:998]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'Fatal_Error'
MSI (c) (70:18) [22:35:26:725]: Doing action: WiseCleanup
Action start 22:35:26: WiseCleanup.
MSI (c) (70:1C) [22:35:26:736]: Invoking remote custom action. DLL: C:\Users\kyrcm\AppData\Local\Temp\MSI2023.tmp, Entrypoint: Cleanup
Action ended 22:35:26: WiseCleanup. Return value 1.
Action ended 22:35:26: Fatal_Error. Return value 2.
Action ended 22:35:26: INSTALL. Return value 3.
MSI (c) (70:2C) [22:35:26:791]: Destroying RemoteAPI object.
MSI (c) (70:4C) [22:35:26:792]: Custom Action Manager thread ending.
=== Logging stopped: 4. 10. 2010 22:35:26 ===
MSI (c) (70:2C) [22:35:26:794]: Note: 1: 1708
MSI (c) (70:2C) [22:35:26:794]: Product: Cisco Systems VPN Client 5.0.07.0290 -- Installation operation failed.
</cut>
thanks,
martin
LOG:
=== Verbose logging started: 13.10.2010 14:58:45 Build type: SHIP UNICODE 5.00.7600.00 Calling process: C:\Windows\SysWOW64\msiexec.exe ===
MSI (c) (48:6C) [14:58:45:636]: Font created. Charset: Req=0, Ret=0, Font: Req=, Ret=Arial
MSI (c) (48:6C) [14:58:45:636]: Font created. Charset: Req=0, Ret=0, Font: Req=, Ret=Arial
MSI (c) (48:AC) [14:58:45:657]: Resetting cached policy values
MSI (c) (48:AC) [14:58:45:657]: Machine policy value 'Debug' is 0
MSI (c) (48:AC) [14:58:45:657]: ******* RunEngine:
******* Product: vpnclient_setup.msi
******* Action:
******* CommandLine: **********
MSI (c) (48:AC) [14:58:45:666]: Machine policy value 'DisableUserInstalls' is 0
MSI (c) (48:AC) [14:58:45:683]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\vpnclient_setup.msi' against software restriction policy
MSI (c) (48:AC) [14:58:45:683]: Note: 1: 2262 2: DigitalSignature 3: -2147287038
MSI (c) (48:AC) [14:58:45:683]: SOFTWARE RESTRICTION POLICY: C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\vpnclient_setup.msi is not digitally signed
MSI (c) (48:AC) [14:58:45:685]: SOFTWARE RESTRICTION POLICY: C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\vpnclient_setup.msi is permitted to run at the 'unrestricted' authorization level.
MSI (c) (48:AC) [14:58:45:738]: Cloaking enabled.
MSI (c) (48:AC) [14:58:45:738]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (48:AC) [14:58:45:744]: End dialog not enabled
MSI (c) (48:AC) [14:58:45:744]: Original package ==> C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\vpnclient_setup.msi
MSI (c) (48:AC) [14:58:45:744]: Package we're running from ==> C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\vpnclient_setup.msi
MSI (c) (48:AC) [14:58:45:749]: APPCOMPAT: Compatibility mode property overrides found.
MSI (c) (48:AC) [14:58:45:749]: APPCOMPAT: looking for appcompat database entry with ProductCode '{467D5E81-8349-4892-9E81-C3674ED8E451}'.
MSI (c) (48:AC) [14:58:45:749]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (48:AC) [14:58:45:753]: MSCOREE not loaded loading copy from system32
MSI (c) (48:AC) [14:58:45:755]: Machine policy value 'TransformsSecure' is 0
MSI (c) (48:AC) [14:58:45:755]: User policy value 'TransformsAtSource' is 0
MSI (c) (48:AC) [14:58:45:756]: Machine policy value 'DisablePatch' is 0
MSI (c) (48:AC) [14:58:45:756]: Machine policy value 'AllowLockdownPatch' is 0
MSI (c) (48:AC) [14:58:45:756]: Machine policy value 'DisableLUAPatching' is 0
MSI (c) (48:AC) [14:58:45:756]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (c) (48:AC) [14:58:45:756]: APPCOMPAT: looking for appcompat database entry with ProductCode '{467D5E81-8349-4892-9E81-C3674ED8E451}'.
MSI (c) (48:AC) [14:58:45:756]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (48:AC) [14:58:45:757]: Transforms are not secure.
MSI (c) (48:AC) [14:58:45:757]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\log.txt'.
MSI (c) (48:AC) [14:58:45:757]: Command Line: CURRENTDIRECTORY=C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9 CLIENTUILEVEL=0 CLIENTPROCESSID=7496
MSI (c) (48:AC) [14:58:45:757]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{A8E53AA2-297F-4262-9996-753440EF4AB0}'.
MSI (c) (48:AC) [14:58:45:757]: Product Code passed to Engine.Initialize: ''
MSI (c) (48:AC) [14:58:45:757]: Product Code from property table before transforms: '{467D5E81-8349-4892-9E81-C3674ED8E451}'
MSI (c) (48:AC) [14:58:45:757]: Product Code from property table after transforms: '{467D5E81-8349-4892-9E81-C3674ED8E451}'
MSI (c) (48:AC) [14:58:45:757]: Product not registered: beginning first-time install
MSI (c) (48:AC) [14:58:45:757]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (c) (48:AC) [14:58:45:757]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (c) (48:AC) [14:58:45:757]: User policy value 'SearchOrder' is 'nmu'
MSI (c) (48:AC) [14:58:45:757]: Adding new sources is allowed.
MSI (c) (48:AC) [14:58:45:757]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (c) (48:AC) [14:58:45:757]: Package name extracted from package path: 'vpnclient_setup.msi'
MSI (c) (48:AC) [14:58:45:757]: Package to be registered: 'vpnclient_setup.msi'
MSI (c) (48:AC) [14:58:45:758]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (c) (48:AC) [14:58:45:758]: Machine policy value 'DisableMsi' is 0
MSI (c) (48:AC) [14:58:45:758]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (c) (48:AC) [14:58:45:758]: User policy value 'AlwaysInstallElevated' is 0
MSI (c) (48:AC) [14:58:45:758]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (c) (48:AC) [14:58:45:758]: Running product '{467D5E81-8349-4892-9E81-C3674ED8E451}' with elevated privileges: Product is assigned.
MSI (c) (48:AC) [14:58:45:758]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9'.
MSI (c) (48:AC) [14:58:45:758]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '0'.
MSI (c) (48:AC) [14:58:45:758]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '7496'.
MSI (c) (48:AC) [14:58:45:758]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (c) (48:AC) [14:58:45:758]: TRANSFORMS property is now:
MSI (c) (48:AC) [14:58:45:758]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (c) (48:AC) [14:58:45:758]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming
MSI (c) (48:AC) [14:58:45:759]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\Favorites
MSI (c) (48:AC) [14:58:45:759]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (c) (48:AC) [14:58:45:759]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\Documents
MSI (c) (48:AC) [14:58:45:759]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (c) (48:AC) [14:58:45:760]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Recent
MSI (c) (48:AC) [14:58:45:760]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\SendTo
MSI (c) (48:AC) [14:58:45:760]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Templates
MSI (c) (48:AC) [14:58:45:760]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (c) (48:AC) [14:58:45:761]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Local
MSI (c) (48:AC) [14:58:45:761]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\Pictures
MSI (c) (48:AC) [14:58:45:761]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (48:AC) [14:58:45:761]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (48:AC) [14:58:45:761]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (c) (48:AC) [14:58:45:762]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (c) (48:AC) [14:58:45:762]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (c) (48:AC) [14:58:45:762]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (c) (48:AC) [14:58:45:763]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (c) (48:AC) [14:58:45:763]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (c) (48:AC) [14:58:45:763]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (c) (48:AC) [14:58:45:763]: SHELL32::SHGetFolderPath returned: C:\Users\andrea\Desktop
MSI (c) (48:AC) [14:58:45:764]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (c) (48:AC) [14:58:45:764]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (c) (48:AC) [14:58:45:765]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (c) (48:AC) [14:58:45:769]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation
MSI (c) (48:AC) [14:58:45:769]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (c) (48:AC) [14:58:45:769]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (c) (48:AC) [14:58:45:769]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (c) (48:AC) [14:58:45:769]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (48:AC) [14:58:45:769]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'CIO'.
MSI (c) (48:AC) [14:58:45:769]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (c) (48:AC) [14:58:45:769]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is 'Accenture'.
MSI (c) (48:AC) [14:58:45:769]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\vpnclient_setup.msi'.
MSI (c) (48:AC) [14:58:45:769]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\vpnclient_setup.msi'.
MSI (c) (48:AC) [14:58:45:769]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (c) (48:AC) [14:58:45:769]: PROPERTY CHANGE: Adding SourceDir property. Its value is 'C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\'.
MSI (c) (48:AC) [14:58:45:769]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\Users\andrea\Downloads\Cisco VPN client\NEW\vpnclient-winx64-msi-5.0.07.0290-k9\'.
MSI (c) (48:6C) [14:58:45:770]: PROPERTY CHANGE: Adding VersionHandler property. Its value is '5.00'.
=== Logging started: 13.10.2010 14:58:45 ===
MSI (c) (48:AC) [14:58:45:776]: Note: 1: 2205 2: 3: PatchPackage
MSI (c) (48:AC) [14:58:45:776]: Machine policy value 'DisableRollback' is 0
MSI (c) (48:AC) [14:58:45:776]: User policy value 'DisableRollback' is 0
MSI (c) (48:AC) [14:58:45:776]: PROPERTY CHANGE: Adding UILevel property. Its value is '5'.
MSI (c) (48:AC) [14:58:45:776]: Note: 1: 2262 2: Font 3: -2147287038
MSI (c) (48:AC) [14:58:45:777]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
MSI (c) (48:AC) [14:58:45:777]: PROPERTY CHANGE: Adding SHIMFLAGS property. Its value is '512'.
MSI (c) (48:AC) [14:58:45:777]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (c) (48:AC) [14:58:45:777]: Doing action: INSTALL
Action start 14:58:45: INSTALL.
MSI (c) (48:AC) [14:58:45:777]: UI Sequence table 'InstallUISequence' is present and populated.
MSI (c) (48:AC) [14:58:45:777]: Running UISequence
MSI (c) (48:AC) [14:58:45:777]: PROPERTY CHANGE: Adding EXECUTEACTION property. Its value is 'INSTALL'.
MSI (c) (48:AC) [14:58:45:778]: Doing action: WiseStartup
Action start 14:58:45: WiseStartup.
MSI (c) (48:AC) [14:58:45:778]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'WiseStartup'
MSI (c) (48:8C) [14:58:45:791]: Invoking remote custom action. DLL: C:\Users\ANDREA\AppData\Local\Temp\MSI8E45.tmp, Entrypoint: Startup
MSI (c) (48:B0) [14:58:45:793]: Cloaking enabled.
MSI (c) (48:B0) [14:58:45:793]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (48:B0) [14:58:45:793]: Connected to service for CA interface.
Action ended 14:58:45: WiseStartup. Return value 1.
MSI (c) (48:AC) [14:58:45:926]: Doing action: LaunchConditions
Action start 14:58:45: LaunchConditions.
Action ended 14:58:45: LaunchConditions. Return value 1.
MSI (c) (48:AC) [14:58:45:927]: Doing action: SetDLLDIR
Action start 14:58:45: SetDLLDIR.
MSI (c) (48:AC) [14:58:45:927]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'SetDLLDIR'
MSI (c) (48:AC) [14:58:45:927]: PROPERTY CHANGE: Adding DLLDIR property. Its value is '{467D5E81-8349-4892-9E81-C3674ED8E451}'.
Action ended 14:58:45: SetDLLDIR. Return value 1.
MSI (c) (48:AC) [14:58:45:927]: Doing action: SetDLLLOC
Action start 14:58:45: SetDLLLOC.
MSI (c) (48:AC) [14:58:45:927]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'SetDLLLOC'
MSI (c) (48:AC) [14:58:45:927]: PROPERTY CHANGE: Adding DLLLOC property. Its value is 'C:\Users\ANDREA\AppData\Local\Temp\{467D5E81-8349-4892-9E81-C3674ED8E451}\'.
Action ended 14:58:45: SetDLLLOC. Return value 1.
MSI (c) (48:AC) [14:58:45:927]: Doing action: CsCa_CopyInstHelperDll
Action start 14:58:45: CsCa_CopyInstHelperDll.
MSI (c) (48:AC) [14:58:45:928]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'CsCa_CopyInstHelperDll'
MSI (c) (48:DC) [14:58:45:939]: Invoking remote custom action. DLL: C:\Users\ANDREA\AppData\Local\Temp\MSI8EE2.tmp, Entrypoint: f0
MSI (c) (48!40) [14:58:45:960]: PROPERTY CHANGE: Adding CsProp_CopyInstHelperDll property. Its value is '1'.
Action ended 14:58:45: CsCa_CopyInstHelperDll. Return value 1.
MSI (c) (48:AC) [14:58:45:961]: Skipping action: ClearDisableUAP (condition is false)
MSI (c) (48:AC) [14:58:45:961]: Skipping action: CsCaErr_NTNotSupported1 (condition is false)
MSI (c) (48:AC) [14:58:45:961]: Skipping action: CsCaErr_Win64BitNotSupported2 (condition is false)
MSI (c) (48:AC) [14:58:45:961]: Skipping action: SetPatchMode (condition is false)
MSI (c) (48:AC) [14:58:45:961]: Skipping action: SetPatchReinstallMode (condition is false)
MSI (c) (48:AC) [14:58:45:961]: Doing action: CsCaDll_AreWeInstalled1
Action start 14:58:45: CsCaDll_AreWeInstalled1.
MSI (c) (48:AC) [14:58:45:961]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'CsCaDll_AreWeInstalled1'
MSI (c) (48:04) [14:58:45:972]: Invoking remote custom action. DLL: C:\Users\ANDREA\AppData\Local\Temp\MSI8F02.tmp, Entrypoint: f2
MSI (c) (48!C0) [14:58:45:997]: PROPERTY CHANGE: Adding CLIENT_INSTALLED property. Its value is '0'.
Action ended 14:58:45: CsCaDll_AreWeInstalled1. Return value 1.
MSI (c) (48:AC) [14:58:45:998]: Skipping action: CsCaDll_AreWeInstalled (condition is false)
MSI (c) (48:AC) [14:58:45:998]: Skipping action: CsCaProp_SetLegacyClient2Unity (condition is false)
MSI (c) (48:AC) [14:58:45:998]: Skipping action: CsCaDll_ClientAlreadyInstalledOnVista (condition is false)
MSI (c) (48:AC) [14:58:45:998]: Doing action: Setup_Dialog
Action start 14:58:45: Setup_Dialog.
MSI (c) (48:AC) [14:58:45:999]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'Setup_Dialog'
Info 2898. For MSSansSerif8 textstyle, the system created a 'MS Sans Serif' font, in 1 character set, of 13 pixels height.
Info 2898. For Arial10 textstyle, the system created a 'Arial' font, in 1 character set, of 16 pixels height.
Info 2898. For Arial14 textstyle, the system created a 'Arial' font, in 1 character set, of 22 pixels height.
Action ended 14:58:46: Setup_Dialog. Return value 1.
MSI (c) (48:AC) [14:58:46:030]: Doing action: FindRelatedProducts
Action start 14:58:46: FindRelatedProducts.
MSI (c) (48:AC) [14:58:46:031]: Note: 1: 2262 2: Upgrade 3: -2147287038
Action ended 14:58:46: FindRelatedProducts. Return value 1.
MSI (c) (48:AC) [14:58:46:031]: Doing action: AppSearch
Action start 14:58:46: AppSearch.
MSI (c) (48:AC) [14:58:46:032]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (c) (48:AC) [14:58:46:032]: Note: 1: 2262 2: CompLocator 3: -2147287038
MSI (c) (48:AC) [14:58:46:033]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNE\Parameters\Order 3: 2
MSI (c) (48:AC) [14:58:46:033]: Note: 1: 2262 2: IniLocator 3: -2147287038
MSI (c) (48:AC) [14:58:46:033]: Note: 1: 2262 2: DrLocator 3: -2147287038
Action ended 14:58:46: AppSearch. Return value 1.
MSI (c) (48:AC) [14:58:46:033]: Skipping action: CCPSearch (condition is false)
MSI (c) (48:AC) [14:58:46:033]: Skipping action: CCPDialog (condition is false)
MSI (c) (48:AC) [14:58:46:033]: Skipping action: RMCCPSearch (condition is false)
MSI (c) (48:AC) [14:58:46:033]: Doing action: ValidateProductID
Action start 14:58:46: ValidateProductID.
Action ended 14:58:46: ValidateProductID. Return value 1.
MSI (c) (48:AC) [14:58:46:033]: Doing action: CostInitialize
Action start 14:58:46: CostInitialize.
MSI (c) (48:AC) [14:58:46:034]: Machine policy value 'MaxPatchCacheSize' is 10
MSI (c) (48:AC) [14:58:46:035]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'.
MSI (c) (48:AC) [14:58:46:036]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
Action ended 14:58:46: CostInitialize. Return value 1.
MSI (c) (48:AC) [14:58:46:036]: Doing action: FileCost
Action start 14:58:46: FileCost.
MSI (c) (48:AC) [14:58:46:037]: Note: 1: 2262 2: MsiAssembly 3: -2147287038
MSI (c) (48:AC) [14:58:46:037]: Note: 1: 2262 2: RemoveFile 3: -2147287038
MSI (c) (48:AC) [14:58:46:037]: Note: 1: 2262 2: MoveFile 3: -2147287038
MSI (c) (48:AC) [14:58:46:037]: Note: 1: 2262 2: DuplicateFile 3: -2147287038
MSI (c) (48:AC) [14:58:46:037]: Note: 1: 2262 2: Class 3: -2147287038
MSI (c) (48:AC) [14:58:46:037]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (c) (48:AC) [14:58:46:037]: Note: 1: 2262 2: TypeLib 3: -2147287038
MSI (c) (48:AC) [14:58:46:037]: Note: 1: 2262 2: IniFile 3: -2147287038
MSI (c) (48:AC) [14:58:46:037]: Note: 1: 2262 2: ReserveCost 3: -2147287038
Action ended 14:58:46: FileCost. Return value 1.
MSI (c) (48:AC) [14:58:46:038]: Doing action: IsolateComponents
Action start 14:58:46: IsolateComponents.
MSI (c) (48:AC) [14:58:46:040]: Note: 1: 2262 2: BindImage 3: -2147287038
MSI (c) (48:AC) [14:58:46:041]: Note: 1: 2262 2: IsolatedComponent 3: -2147287038
MSI (c) (48:AC) [14:58:46:041]: Note: 1: 2205 2: 3: Patch
Action ended 14:58:46: IsolateComponents. Return value 1.
MSI (c) (48:AC) [14:58:46:041]: Doing action: CostFinalize
Action start 14:58:46: CostFinalize.
MSI (c) (48:AC) [14:58:46:041]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (c) (48:AC) [14:58:46:042]: Note: 1: 2205 2: 3: Patch
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding WWWROOT property. Its value is 'C:\'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding GAC property. Its value is 'C:\'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding System16Folder property. Its value is 'C:\Windows\'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding Drivers property. Its value is 'C:\Windows\system32\Drivers\'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding WinSxS property. Its value is 'C:\Windows\'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding ProfilesFolder property. Its value is 'C:\Windows\'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding Cisco_Systems_VPN_Client property. Its value is 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco Systems VPN Client\'.
MSI (c) (48:AC) [14:58:46:042]: PROPERTY CHANGE: Adding Cisco_Systems property. Its value is 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco Systems\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding CommonFiles64Folder.BEE04CD6_610D_4F5B_AC11_6AD2E290CC1D property. Its value is 'C:\Program Files\Common Files\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding D64_CFDetNet.BEE04CD6_610D_4F5B_AC11_6AD2E290CC1D property. Its value is 'C:\Program Files\Common Files\Deterministic Networks\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding D64_DNCF.BEE04CD6_610D_4F5B_AC11_6AD2E290CC1D property. Its value is 'C:\Program Files\Common Files\Deterministic Networks\Common Files\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding D64_DNE.BEE04CD6_610D_4F5B_AC11_6AD2E290CC1D property. Its value is 'C:\Program Files\Common Files\Deterministic Networks\DNE\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding CommonFiles64Folder.0525718E_E263_4E57_A46E_C584C25A7F93 property. Its value is 'C:\Program Files\Common Files\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding INSTALLDIR2 property. Its value is 'C:\Program Files (x86)\VPN Client\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding INSTALLDIR1 property. Its value is 'C:\Program Files (x86)\Cisco Systems\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding INSTALLDIR property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding updates property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\updates\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding TempInstall property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\TempInstall\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding Resources property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\Resources\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding Profiles property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding Logs property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\Logs\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding include property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\include\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding Certificates property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\Certificates\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding accessible property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\accessible\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding Setup property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\Setup\'.
MSI (c) (48:AC) [14:58:46:043]: PROPERTY CHANGE: Adding Languages property. Its value is 'C:\Program Files (x86)\Cisco Systems\VPN Client\Languages\'.
MSI (c) (48:AC) [14:58:46:043]: Target path resolution complete. Dumping Directory table...
MSI (c) (48:AC) [14:58:46:043]: Note: target paths subject to change (via custom actions or browsing)
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: TARGETDIR , Object: C:\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: WWWROOT , Object: C:\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: GAC , Object: C:\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: MyPicturesFolder , Object: C:\Users\andrea\Pictures\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: CommonAppDataFolder , Object: C:\ProgramData\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: WindowsFolder , Object: C:\Windows\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: System16Folder , Object: C:\Windows\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: TemplateFolder , Object: C:\ProgramData\Microsoft\Windows\Templates\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: AdminToolsFolder , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: System64Folder , Object: C:\Windows\system32\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: Drivers , Object: C:\Windows\system32\Drivers\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: WinSxS , Object: C:\Windows\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: SystemFolder , Object: C:\Windows\SysWOW64\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: FontsFolder , Object: C:\Windows\Fonts\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: TempFolder , Object: C:\Users\ANDREA\AppData\Local\Temp\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: ProfilesFolder , Object: C:\Windows\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: AppDataFolder , Object: C:\Users\andrea\AppData\Roaming\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: FavoritesFolder , Object: C:\Users\andrea\Favorites\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: NetHoodFolder , Object: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: DesktopFolder , Object: C:\Users\Public\Desktop\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: RecentFolder , Object: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Recent\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: StartMenuFolder , Object: C:\ProgramData\Microsoft\Windows\Start Menu\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: ProgramMenuFolder , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: Cisco_Systems_VPN_Client , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco Systems VPN Client\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: StartupFolder , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: Cisco_Systems , Object: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco Systems\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: PersonalFolder , Object: C:\Users\andrea\Documents\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: SendToFolder , Object: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\SendTo\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: PrintHoodFolder , Object: C:\Users\andrea\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: LocalAppDataFolder , Object: C:\Users\andrea\AppData\Local\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: ProgramFiles64Folder , Object: C:\Program Files\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: CommonFiles64Folder , Object: C:\Program Files\Common Files\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: CommonFiles64Folder.BEE04CD6_610D_4F5B_AC11_6AD2E290CC1D , Object: C:\Program Files\Common Files\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: D64_CFDetNet.BEE04CD6_610D_4F5B_AC11_6AD2E290CC1D , Object: C:\Program Files\Common Files\Deterministic Networks\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: D64_DNCF.BEE04CD6_610D_4F5B_AC11_6AD2E290CC1D , Object: C:\Program Files\Common Files\Deterministic Networks\Common Files\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: D64_DNE.BEE04CD6_610D_4F5B_AC11_6AD2E290CC1D , Object: C:\Program Files\Common Files\Deterministic Networks\DNE\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: CommonFiles64Folder.0525718E_E263_4E57_A46E_C584C25A7F93 , Object: C:\Program Files\Common Files\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: ProgramFilesFolder , Object: C:\Program Files (x86)\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: CommonFilesFolder , Object: C:\Program Files (x86)\Common Files\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: INSTALLDIR2 , Object: C:\Program Files (x86)\VPN Client\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: INSTALLDIR1 , Object: C:\Program Files (x86)\Cisco Systems\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: INSTALLDIR , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: updates , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\updates\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: TempInstall , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\TempInstall\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: Resources , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\Resources\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: Profiles , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: Logs , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\Logs\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: include , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\include\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: Certificates , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\Certificates\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: accessible , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\accessible\
MSI (c) (48:AC) [14:58:46:043]: Dir (target): Key: Setup , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\Setup\
MSI (c) (48:AC) [14:58:46:044]: Dir (target): Key: Languages , Object: C:\Program Files (x86)\Cisco Systems\VPN Client\Languages\
MSI (c) (48:AC) [14:58:46:045]: Note: 1: 2262 2: RemoveFile 3: -2147287038
Action ended 14:58:46: CostFinalize. Return value 1.
MSI (c) (48:AC) [14:58:46:045]: Doing action: MigrateFeatureStates
Action start 14:58:46: MigrateFeatureStates.
Action ended 14:58:46: MigrateFeatureStates. Return value 0.
MSI (c) (48:AC) [14:58:46:047]: Doing action: SetWizardProperty1
Action start 14:58:46: SetWizardProperty1.
MSI (c) (48:AC) [14:58:46:048]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'SetWizardProperty1'
MSI (c) (48:AC) [14:58:46:048]: PROPERTY CHANGE: Adding WiseCurrentWizard property. Its value is 'Welcome_Dialog'.
Action ended 14:58:46: SetWizardProperty1. Return value 1.
MSI (c) (48:AC) [14:58:46:048]: Doing action: Welcome_Dialog
Action start 14:58:46: Welcome_Dialog.
MSI (c) (48:AC) [14:58:46:049]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'Welcome_Dialog'
MSI (c) (48:2C) [14:58:46:068]: Note: 1: 2262 2: DuplicateFile 3: -2147287038
MSI (c) (48:2C) [14:58:46:068]: Note: 1: 2262 2: ReserveCost 3: -2147287038
MSI (c) (48:2C) [14:58:46:068]: Note: 1: 2205 2: 3: _RemoveFilePath
MSI (c) (48:2C) [14:58:46:075]: Note: 1: 2262 2: TypeLib 3: -2147287038
MSI (c) (48:2C) [14:58:46:075]: Note: 1: 2262 2: Class 3: -2147287038
MSI (c) (48:2C) [14:58:46:075]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (c) (48:2C) [14:58:46:075]: Note: 1: 2262 2: Class 3: -2147287038
MSI (c) (48:2C) [14:58:46:075]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (c) (48:2C) [14:58:46:075]: Note: 1: 2262 2: Class 3: -2147287038
MSI (c) (48:2C) [14:58:46:075]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (c) (48:2C) [14:58:46:075]: Note: 1: 2262 2: Class 3: -2147287038
MSI (c) (48:2C) [14:58:46:075]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: Class 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: Class 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: Class 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: BindImage 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: ProgId 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: PublishComponent 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: SelfReg 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: Extension 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: Font 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: Note: 1: 2262 2: Class 3: -2147287038
MSI (c) (48:2C) [14:58:46:076]: PROPERTY CHANGE: Modifying PrimaryVolumeSpaceAvailable property. Its current value is '0'. Its new value: '60293640'.
MSI (c) (48:2C) [14:58:46:077]: PROPERTY CHANGE: Modifying PrimaryVolumeSpaceRequired property. Its current value is '0'. Its new value: '50274'.
MSI (c) (48:2C) [14:58:46:077]: PROPERTY CHANGE: Modifying PrimaryVolumeSpaceRemaining property. Its current value is '0'. Its new value: '60243366'.
MSI (c) (48:2C) [14:58:46:077]: PROPERTY CHANGE: Adding PrimaryVolumePath property. Its value is 'C:'.
MSI (c) (48:6C) [14:58:46:746]: Doing action: WiseNextDlg
Action start 14:58:46: WiseNextDlg.
MSI (c) (48:6C) [14:58:46:746]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'WiseNextDlg'
Action ended 14:58:46: WiseNextDlg. Return value 3.
DEBUG: Error 2896: Executing action WiseNextDlg failed.
Internal Error 2896. WiseNextDlg
Action ended 14:58:46: Welcome_Dialog. Return value 3.
MSI (c) (48:AC) [14:58:46:753]: Doing action: Fatal_Error
Action start 14:58:46: Fatal_Error.
MSI (c) (48:AC) [14:58:46:754]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'Fatal_Error'
MSI (c) (48:6C) [14:58:47:418]: Doing action: WiseCleanup
Action start 14:58:47: WiseCleanup.
MSI (c) (48:6C) [14:58:47:418]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'WiseCleanup'
MSI (c) (48:40) [14:58:47:445]: Invoking remote custom action. DLL: C:\Users\ANDREA\AppData\Local\Temp\MSI94AE.tmp, Entrypoint: Cleanup
Action ended 14:58:47: WiseCleanup. Return value 1.
Action ended 14:58:47: Fatal_Error. Return value 2.
Action ended 14:58:47: INSTALL. Return value 3.
MSI (c) (48:AC) [14:58:47:467]: Destroying RemoteAPI object.
MSI (c) (48:B0) [14:58:47:487]: Custom Action Manager thread ending.
=== Logging stopped: 13.10.2010 14:58:47 ===
MSI (c) (48:AC) [14:58:47:488]: Note: 1: 1708
MSI (c) (48:AC) [14:58:47:488]: Product: Cisco Systems VPN Client 5.0.07.0290 -- Installation operation failed.
MSI (c) (48:AC) [14:58:47:489]: Windows Installer installed the product. Product Name: Cisco Systems VPN Client 5.0.07.0290. Product Version: 5.0.7. Product Language: 1033. Manufacturer: Cisco Systems, Inc.. Installation success or error status: 1603.
MSI (c) (48:AC) [14:58:47:491]: Grabbed execution mutex.
MSI (c) (48:AC) [14:58:47:491]: Cleaning up uninstalled install packages, if any exist
MSI (c) (48:AC) [14:58:47:493]: MainEngineThread is returning 1603
=== Verbose logging stopped: 13.10.2010 14:58:47 ===
VPN Clients cannot access remote site
Hey there,
I am pretty new in configuring Cisco devices and now I need some help.
I have 2 sites here:
site A
Cisco 891
external IP: 195.xxx.yyy.zzz
VPN Gateway for Remote users
local IP: VLAN10 10.133.10.0 /23
site B
Cisco 891
external IP: 62.xxx.yyy.zzz
local IP VLAN10 10.133.34.0 /23
Those two sites are linked together with a Site-to-Site VPN. Accessing files or resources from one site to the other is working fine while connected to the local LAN.
I configured a VPN connection with Radius auth. VPN clients can connect to Site A, get an IP address from the VPN pool (172.16.100.2-100) and can access files and servers on site A. But for some reason they cannot access resources on site B. I already added the site B network to the ACL, and when connecting with VPN it shows secured routes to 10.133.10.0 and 10.133.34.0 in the statistics. Same thing for other VPN tunnels to the ERP system.
What is missing here to make it possible to reach remote sites when connected through VPN? I had a look at the logs but could not find anything important.
Here is the config of site A
Building configuration...
Current configuration : 24257 bytes
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Englerstrasse
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
aaa new-model
aaa group server radius Radius-AD
server 10.133.10.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_2 group Radius-AD local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
clock timezone Berlin 1 0
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki trustpoint TP-self-signed-27361994
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-27361994
revocation-check none
rsakeypair TP-self-signed-27361994
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-27361994
certificate self-signed 01
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM smtp
ip cef
no ipv6 cef
appfw policy-name CCP_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
parameter-map type inspect global
log dropped-packets enable
multilink bundle-name authenticated
redundancy
ip tcp synwait-time 10
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any CCP-Management-1
match dscp cs2
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
policy-map sdm-qos-test-123
class class-default
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
policy-map CCP-QoS-Policy-1
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
class CCP-Voice-1
priority percent 33
class CCP-Signaling-1
bandwidth percent 5
class CCP-Routing-1
bandwidth percent 5
class CCP-Management-1
bandwidth percent 5
class CCP-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key REMOVED address 62.20.xxx.yyy
crypto isakmp key REMOVED address 195.243.xxx.yyy
crypto isakmp key REMOVED address 195.243.xxx.yyy
crypto isakmp key REMOVED address 83.140.xxx.yyy
crypto isakmp client configuration group VPN_local
key REMOVED
dns 10.133.10.5 10.133.10.7
wins 10.133.10.7
domain domain.de
pool SDM_POOL_2
acl 115
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPN_local
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA11
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to62.20.xxx.xxx
set peer 62.20.xxx.xxx
set transform-set ESP-3DES-SHA
match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to195.243.xxx.xxx
set peer 195.243.xxx.xxx
set transform-set ESP-3DES-SHA4
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to83.140.xxx.xxx
set peer 83.140.xxx.xxx
set transform-set ESP-DES-SHA1
match address 118
interface Loopback2
ip address 192.168.10.1 255.255.254.0
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
spanning-tree portfast
interface FastEthernet4
description Internal LAN
switchport access vlan 10
switchport trunk native vlan 10
no ip address
spanning-tree portfast
interface FastEthernet5
no ip address
spanning-tree portfast
interface FastEthernet6
no ip address
spanning-tree portfast
interface FastEthernet7
no ip address
spanning-tree portfast
interface FastEthernet8
description $FW_OUTSIDE$$ETH-WAN$
ip address 62.153.xxx.xxx 255.255.255.248
ip access-group 113 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CCP_MEDIUM out
no ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_CCP_MEDIUM
service-policy output CCP-QoS-Policy-1
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet8
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
no ip address
interface Vlan10
description $FW_INSIDE$
ip address 10.133.10.1 255.255.254.0
ip access-group 112 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
ip local pool SDM_POOL_1 192.168.10.101 192.168.10.200
ip local pool VPN_Pool 192.168.20.2 192.168.20.100
ip local pool SDM_POOL_2 172.16.100.2 172.16.100.100
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip forward-protocol nd
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 62.153.xxx.xxx
ip access-list extended VPN1
remark VPN_Haberstrasse
remark CCP_ACL Category=4
permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
ip radius source-interface Vlan10
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 195.243.xxx.xxx
access-list 23 permit 10.133.10.0 0.0.1.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.133.10.0 0.0.1.255 any
access-list 101 remark CCP_ACL Category=16
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 deny ip 10.10.10.0 0.0.0.7 any
access-list 102 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 102 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 102 permit icmp any host 62.153.xxx.xxx unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit udp any host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp any host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp any host 62.153.xxx.xxx
access-list 103 permit ahp any host 62.153.xxx.xxx
access-list 103 permit udp host 194.25.0.60 eq domain any
access-list 103 permit udp host 194.25.0.68 eq domain any
access-list 103 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
access-list 103 deny ip 10.10.10.0 0.0.0.7 any
access-list 103 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 103 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 103 permit icmp any host 62.153.xxx.xxx unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark CCP_ACL Category=4
access-list 104 permit ip 10.133.10.0 0.0.1.255 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
access-list 106 permit ip 10.10.10.0 0.0.0.7 any
access-list 106 permit ip 10.133.10.0 0.0.1.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 remark CCP_ACL Category=1
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq telnet
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 22
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq www
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 443
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq cmd
access-list 108 deny tcp any host 10.133.10.1 eq telnet
access-list 108 deny tcp any host 10.133.10.1 eq 22
access-list 108 deny tcp any host 10.133.10.1 eq www
access-list 108 deny tcp any host 10.133.10.1 eq 443
access-list 108 deny tcp any host 10.133.10.1 eq cmd
access-list 108 deny udp any host 10.133.10.1 eq snmp
access-list 108 permit ip any any
access-list 109 remark CCP_ACL Category=1
access-list 109 permit ip 10.133.10.0 0.0.1.255 any
access-list 109 permit ip 10.10.10.0 0.0.0.7 any
access-list 109 permit ip 192.168.10.0 0.0.1.255 any
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip host 195.243.xxx.xxx any
access-list 110 permit ip host 84.44.xxx.xxx any
access-list 110 permit ip 10.133.10.0 0.0.1.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.7 any
access-list 110 permit ip 192.168.10.0 0.0.1.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.133.10.0 0.0.1.255 any
access-list 112 remark CCP_ACL Category=1
access-list 112 permit udp host 10.133.10.5 eq 1812 any
access-list 112 permit udp host 10.133.10.5 eq 1813 any
access-list 112 permit udp any host 10.133.10.1 eq non500-isakmp
access-list 112 permit udp any host 10.133.10.1 eq isakmp
access-list 112 permit esp any host 10.133.10.1
access-list 112 permit ahp any host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1645 host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1646 host 10.133.10.1
access-list 112 remark auto generated by CCP firewall configuration
access-list 112 permit udp host 10.133.10.5 eq 1812 host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1813 host 10.133.10.1
access-list 112 permit udp host 10.133.10.7 eq domain any
access-list 112 permit udp host 10.133.10.5 eq domain any
access-list 112 deny ip 62.153.xxx.xxx 0.0.0.7 any
access-list 112 deny ip 10.10.10.0 0.0.0.7 any
access-list 112 deny ip host 255.255.255.255 any
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 permit ip any any
access-list 113 remark CCP_ACL Category=1
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.60.16.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.60.16.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq non500-isakmp
access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq isakmp
access-list 113 permit esp host 83.140.100.4 host 62.153.xxx.xxx
access-list 113 permit ahp host 83.140.100.4 host 62.153.xxx.xxx
access-list 113 permit ip host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit ip host 84.44.xxx.xxx host 62.153.xxx.xxx
access-list 113 remark auto generated by CCP firewall configuration
access-list 113 permit udp host 194.25.0.60 eq domain any
access-list 113 permit udp host 194.25.0.68 eq domain any
access-list 113 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
access-list 113 permit udp host 194.25.0.60 eq domain host 62.153.xxx.xxx
access-list 113 permit udp any host 62.153.xxx.xxx eq non500-isakmp
access-list 113 permit udp any host 62.153.xxx.xxx eq isakmp
access-list 113 permit esp any host 62.153.xxx.xxx
access-list 113 permit ahp any host 62.153.xxx.xxx
access-list 113 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 113 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 113 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 113 remark Pop3
access-list 113 permit tcp host 82.127.xxx.xxx eq 8080 host 62.153.xxx.xxx
access-list 113 remark Pop3
access-list 113 permit tcp any eq pop3 host 62.153.xxx.xxx
access-list 113 remark SMTP
access-list 113 permit tcp any eq 465 host 62.153.xxx.xxx
access-list 113 remark IMAP
access-list 113 permit tcp any eq 587 host 62.153.xxx.xxx
access-list 113 deny ip 10.133.10.0 0.0.1.255 any
access-list 113 deny ip 10.10.10.0 0.0.0.7 any
access-list 113 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 113 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 113 permit icmp any host 62.153.xxx.xxx unreachable
access-list 113 deny ip 10.0.0.0 0.255.255.255 any
access-list 113 deny ip 172.16.0.0 0.15.255.255 any
access-list 113 deny ip 192.168.0.0 0.0.255.255 any
access-list 113 deny ip 127.0.0.0 0.255.255.255 any
access-list 113 deny ip host 255.255.255.255 any
access-list 113 deny ip host 0.0.0.0 any
access-list 113 deny ip any any log
access-list 114 remark auto generated by CCP firewall configuration
access-list 114 remark CCP_ACL Category=1
access-list 114 deny ip 10.133.10.0 0.0.1.255 any
access-list 114 deny ip 10.10.10.0 0.0.0.7 any
access-list 114 permit icmp any any echo-reply
access-list 114 permit icmp any any time-exceeded
access-list 114 permit icmp any any unreachable
access-list 114 deny ip 10.0.0.0 0.255.255.255 any
access-list 114 deny ip 172.16.0.0 0.15.255.255 any
access-list 114 deny ip 192.168.0.0 0.0.255.255 any
access-list 114 deny ip 127.0.0.0 0.255.255.255 any
access-list 114 deny ip host 255.255.255.255 any
access-list 114 deny ip host 0.0.0.0 any
access-list 114 deny ip any any log
access-list 115 remark VPN_Sub
access-list 115 remark CCP_ACL Category=5
access-list 115 permit ip 10.133.10.0 0.0.1.255 172.16.0.0 0.0.255.255
access-list 115 permit ip 10.133.34.0 0.0.1.255 172.16.0.0 0.0.255.255
access-list 115 permit ip 10.133.20.0 0.0.0.255 any
access-list 116 remark CCP_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 117 remark CCP_ACL Category=4
access-list 117 remark IPSec Rule
access-list 117 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 118 remark CCP_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 106
control-plane
mgcp profile default
line con 0
transport output telnet
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
session-timeout 45
access-class 110 in
transport input telnet ssh
line vty 5 15
access-class 109 in
transport input telnet ssh
scheduler interval 500
end
The crypto ACL for the site-to-site VPN should also include the VPN client pool; otherwise, traffic from the VPN client does not match the interesting traffic for the site-to-site VPN.
On Site A:
should include "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"
You should also remove the following line as the pool is incorrect:
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
On Site B:
should include: "permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"
NAT exemption on site B should also be configured with deny on the above ACL.
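The check described in the reply above, as an added example that is not part of the original thread or of any Cisco tool: it evaluates IOS-style crypto ACL entries (first match wins, implicit deny) against a flow to show why traffic from the 172.16.100.x client pool is not "interesting" for the Site A to Site B tunnel until ACL 107 is changed, and derives the mirrored entries the peer needs. The function names and the host addresses 172.16.100.2 and 10.133.34.10 are assumptions chosen for illustration; only `permit|deny ip` entries are parsed, which is all the crypto ACLs on this page use.

```python
import ipaddress

# ACL 107 as posted in the Site A configuration above.
ACL_107_POSTED = """\
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
"""

# ACL 107 after the two changes suggested in the reply
# (client pool added, 192.168.10.0 entry removed).
ACL_107_FIXED = """\
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255
"""

ALL_BITS = 0xFFFFFFFF


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def take_addr(tokens):
    """Consume one IOS address spec and return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, ALL_BITS), tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]


def parse_acl(text):
    """Return [(action, src_spec, dst_spec)] for 'permit|deny ip' entries."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        if t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # remarks and non-ip entries are skipped
        src, rest = take_addr(t[4:])
        dst, _ = take_addr(rest)
        entries.append((t[2], src, dst))
    return entries


def spec_matches(spec, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    return ((addr ^ base) & ~wild & ALL_BITS) == 0


def is_interesting(acl_text, src_ip, dst_ip):
    """True if the flow would be selected for encryption by this crypto ACL."""
    s, d = to_int(src_ip), to_int(dst_ip)
    for action, src, dst in parse_acl(acl_text):
        if spec_matches(src, s) and spec_matches(dst, d):
            return action == "permit"  # first match wins
    return False  # implicit deny at the end of every ACL


def fmt_spec(spec):
    base, wild = spec
    if wild == ALL_BITS:
        return "any"
    if wild == 0:
        return "host %s" % ipaddress.IPv4Address(base)
    return "%s %s" % (ipaddress.IPv4Address(base), ipaddress.IPv4Address(wild))


def mirrored_permits(acl_text):
    """Entries the peer's crypto ACL needs: same pairs, source and destination swapped."""
    return ["permit ip %s %s" % (fmt_spec(dst), fmt_spec(src))
            for action, src, dst in parse_acl(acl_text) if action == "permit"]


if __name__ == "__main__":
    flow = ("172.16.100.2", "10.133.34.10")  # VPN client -> constructed Site B host
    print("posted ACL 107:", is_interesting(ACL_107_POSTED, *flow))
    print("fixed  ACL 107:", is_interesting(ACL_107_FIXED, *flow))
    for line in mirrored_permits(ACL_107_FIXED):
        print("site B needs:", line)
```
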
Anybody have any success connecting to a BM 3.8.5 VPN server (C2S) using this client?
I've set up a SLED 10 box patched to the hilt and installed the latest Novell Client for Linux as well as the VPN client (installed and configured as per the documentation...http://www.novell.com/documentation/.../bookinfo.html) that comes with the BM 3.9 Trial and I'm unable to get connected. I'm still able to connect with my Windows and MAC boxes so I don't think my VPN server is the issue.
On the SLED box I get one of the following errors after it tries to connect to our VPN:
Error #1:
VPN Connect Failure
Could not start the VPN connection "XXXX" due to a connection error.
The VPN login failed because the VPN program could not connect to the VPN server.
Error #2:
VPN Connect Error
Could not start the VPN connection "XXXX" due to a connection error.
VPNCLIENT-UI-4611:Failed to connect to the Gateway.
Here is a snippet from the IKE.LOG file:
6-27-2007 2:04:26 pm ***Receive Main Mode message from <LINUX_CLIENT_IP>
6-27-2007 2:04:26 pm I-COOKIE=80441C99D658EC20,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1640542708
6-27-2007 2:04:26 pm The client 200.13.38.18 removed from vpninf
6-27-2007 2:04:26 pm Freeing IKE SA
6-27-2007 2:04:26 pm Start IKE-SA ABD1CDC0 - Responder,src=<BM_VPN_EXT_IP>,dst=<LINUX_CLIENT_IP >,TotSA=5
6-27-2007 2:04:26 pm AUTH ALG IS 1
6-27-2007 2:04:26 pm Negotiating for an NMAS user <LINUX_CLIENT_IP>
6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000004
6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000004
6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
6-27-2007 2:04:26 pm ****DH private exponent size is 1016****
6-27-2007 2:04:26 pm Local server's interfaces : <BM_VPN_EXT_IP>
6-27-2007 2:04:26 pm Local server's interfaces : <BM_VPN_INT_IP>
6-27-2007 2:04:26 pm Recieved Supported Vendor id Novell Linux Client from <LINUX_CLIENT_IP>
6-27-2007 2:04:26 pm Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from <LINUX_CLIENT_IP>
6-27-2007 2:04:26 pm Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-02 from <LINUX_CLIENT_IP>
6-27-2007 2:04:26 pm ***Send Main Mode message to <LINUX_CLIENT_IP>
6-27-2007 2:04:26 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=SA-PAYLOAD,state=-1640542708
6-27-2007 2:04:26 pm ***Receive Main Mode message from <LINUX_CLIENT_IP>
6-27-2007 2:04:26 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=KEY-PAYLOAD,state=-1640542656
6-27-2007 2:04:26 pm No NAT detected
6-27-2007 2:04:26 pm ***Send Main Mode message to <LINUX_CLIENT_IP>
6-27-2007 2:04:26 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=KEY-PAYLOAD,state=-1640542656
6-27-2007 2:04:27 pm ***Receive Main Mode message from <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=ID-PAYLOAD,state=-1640542644
6-27-2007 2:04:27 pm Recieved MM ID payload type 1 protocol 17 portnum 500 length 8
6-27-2007 2:04:27 pm *Received MM ID ID_IPV4_ADDR <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm IKE : Nmas user check authentication and traffic rule
6-27-2007 2:04:27 pm Adding user :original address is <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm
Client 200.13.38.18 is added successfully
6-27-2007 2:04:27 pm *Sending MM id payload IPSEC_ID_IPV4_ADDR <BM_VPN_EXT_IP>
6-27-2007 2:04:27 pm *protocol 0 portnum 0 length 8
6-27-2007 2:04:27 pm ***Send Main Mode message to <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=ID-PAYLOAD,state=-1640542644
6-27-2007 2:04:27 pm ***Receive Unacknowledge Informational message from <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=E212BBAB,1stPL=HASH-PAYLOAD,state=-1640542596
6-27-2007 2:04:27 pm Recieved notify message type 24578 from <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm Recieved INITIAL_CONTACT notify deleting all old SA's with <LINUX_CLIENT_IP> address
6-27-2007 2:04:27 pm ***Receive Quick Mode message from <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=F99A0483,1stPL=HASH-PAYLOAD,state=-1640542596
6-27-2007 2:04:27 pm Start IPSEC SA 9191F5A0 - Responder****totSA=1
6-27-2007 2:04:27 pm ****DH private exponent size is 1016****
6-27-2007 2:04:27 pm Final IKE (phase 1) SA lifetime is 28800 secs
6-27-2007 2:04:27 pm IKE-SA is created. rekey time = 21600 encr=1,hash=1,auth=1,lifesec=28800
6-27-2007 2:04:27 pm dst=<LINUX_CLIENT_IP>,time=144349413
6-27-2007 2:04:27 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm IPSE SA NEGOTIATION: Peer lifetime = 1800 My lifetime=1000
6-27-2007 2:04:27 pm Warn :Proposal mismatch Quick Mode : ESP - esp desHASH Algorithm mismatch mine : SHA his : MD5 dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000020
6-27-2007 2:04:27 pm IPSE SA NEGOTIATION: Peer lifetime = 1800 My lifetime=1000
6-27-2007 2:04:27 pm IKE peer requesting PFS - Accepted
6-27-2007 2:04:27 pm ****DH private exponent size is 760****
6-27-2007 2:04:27 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm Sending DH params in QM - PFS Configured or Requested by Peer
6-27-2007 2:04:27 pm *Sending proxy ID type 4 0.0.0.0/0.0.0.0
6-27-2007 2:04:27 pm *Sending proxy ID type 1 <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm ***Send Quick Mode message to <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=F99A0483,1stPL=HASH-PAYLOAD,state=-1640542596
6-27-2007 2:04:27 pm ***Receive Quick Mode message from <LINUX_CLIENT_IP>
6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=F99A0483,1stPL=HASH-PAYLOAD,state=-1640542596
6-27-2007 2:04:27 pm ESP-SA is created:algorID=esp des,mySPI=42A06A25,peerSPI=640F580D,time=8019411 ,dst=<LINUX_CLIENT_IP>
Any ideas?
Thanks,
John Hunter
>>> Craig Johnson<[email protected]> 27/06/2007 10:29 pm >>>
>>>Do you have anything to go on in the VPN audit logs? (Check using NRM).
You bet...here is what's in the VPN Audit logs from NRM (from last entry to first) at the same time as my snippet from the IKE.log:
06/27/2007 02:04:30 PM IKE ESP SA was created successfully with <LINUX_CLIENT_IP>
06/27/2007 02:04:30 PM IKE Sending proxy id: Type 1 <LINUX_CLIENT_IP>
06/27/2007 02:04:30 PM IKE Sending proxy id :Type 4 0.0.0.0/0.0.0.0
06/27/2007 02:04:30 PM IKE Received proxy id ID_IPV4_ADDR <LINUX_CLIENT_IP>
06/27/2007 02:04:30 PM IKE Received proxy Id : IPV4 SUBNET 0.0.0.0/0.0.0.0
06/27/2007 02:04:30 PM IKE IPSEC SA NEGOTIATION - Peer lifetime is: 1800 My lifetime is: 1000
06/27/2007 02:04:30 PM IKE Proposal Mismatch - Quick Mode : ESP - esp desHASH Algorithm mismatch mine : SHA his : MD5 dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
06/27/2007 02:04:30 PM IKE IPSEC SA NEGOTIATION - Peer lifetime is: 1800 My lifetime is: 1000
06/27/2007 02:04:30 PM IKE Received proxy id ID_IPV4_ADDR <LINUX_CLIENT_IP>
06/27/2007 02:04:28 PM IKE Received proxy Id : IPV4 SUBNET 0.0.0.0/0.0.0.0
06/27/2007 02:04:28 PM IKE IKE SA was created successfully with <LINUX_CLIENT_IP>, encr = DES, SA lifetime = 28800 sec
06/27/2007 02:04:28 PM IKE Final IKE SA (phase 1) lifetime is 28800 secs
06/27/2007 02:04:28 PM IKE Recieved INITIAL_CONTACT notify from <LINUX_CLIENT_IP> deleting all old sa's to <LINUX_CLIENT_IP>
06/27/2007 02:04:28 PM IKE Received notify message of type IPSEC_CONTACT : 24578 from <LINUX_CLIENT_IP>
06/27/2007 02:04:28 PM IKE Nmas user check authentication and traffic rule
06/27/2007 02:04:28 PM IKE Received MM ID type: 1 protocol : 17 portnum: 500 length 8
06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
06/27/2007 02:04:28 PM VPN Control Client JohnHu.SPCSS added to IPSEC.
06/27/2007 02:04:26 PM IKE Negotiating for an NMAS user <LINUX_CLIENT_IP>
06/27/2007 02:04:26 PM AUTH Gateway Connection closed for the VPN client at address <LINUX_CLIENT_IP>.
06/27/2007 02:04:26 PM AUTH Gateway VPN client NMAS user <USER.CONTEXT> at address <LINUX_CLIENT_IP> has been authenticated.
06/27/2007 02:04:26 PM AUTH Gateway Process NMAS request: NMAS authentication successful.
06/27/2007 02:04:24 PM AUTH Gateway A connection was opened for a VPN client at address <LINUX_CLIENT_IP>.
>>>By any chance do you have an IP address on the linux client that is in the same subnet as the VPN tunnel address?
Nope. The Linux box is using a public IP address...we've got a separate connection that seems to come in handy for issues like this. =)
Thanks for your response, Craig.
JH -
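An added example (not part of the original posts and not Novell code): a small parser for the IKE.LOG lines quoted above that tallies the proposal-mismatch warnings and reports which algorithms the IKE and ESP SAs were finally created with, flagging DES and MD5. The sample lines are constructed in the format from the post with documentation placeholder addresses, and decoding the numeric encr=/hash= values with the RFC 2409 attribute numbers is an assumption, consistent with the audit log's "encr = DES".

```python
import re
from collections import Counter

# Constructed sample in the IKE.LOG format quoted in the post above;
# 192.0.2.10 and 198.51.100.1 are documentation placeholder addresses.
SAMPLE_LOG = """\
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : 192.0.2.10 src : 198.51.100.1
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : 192.0.2.10 src : 198.51.100.1
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst : 192.0.2.10 src : 198.51.100.1
6-27-2007 2:04:27 pm IKE-SA is created. rekey time = 21600 encr=1,hash=1,auth=1,lifesec=28800
6-27-2007 2:04:27 pm Warn :Proposal mismatch Quick Mode : ESP - esp desHASH Algorithm mismatch mine : SHA his : MD5 dst : 192.0.2.10 src : 198.51.100.1
6-27-2007 2:04:27 pm ESP-SA is created:algorID=esp des,mySPI=42A06A25,peerSPI=640F580D,time=8019411 ,dst=192.0.2.10
"""

MISMATCH = re.compile(
    r"Proposal mismatch\s+(?P<phase>PHASE 1|Quick Mode).*?"
    r"(?P<kind>Encryption|HASH) Algorithm mismatch\s+"
    r"mine\s*:\s*(?P<mine>\S+)\s+his\s*:\s*(?P<his>\S+)", re.I)
IKE_SA = re.compile(r"IKE-SA is created\..*?encr=(\d+),hash=(\d+)")
ESP_SA = re.compile(r"ESP-SA is created:algorID=esp (\w+)")

# Assumption: numeric values follow the IKEv1 attribute numbers (RFC 2409, appendix A).
ENCR = {1: "DES", 2: "IDEA", 3: "Blowfish", 4: "RC5", 5: "3DES", 6: "CAST"}
HASH = {1: "MD5", 2: "SHA", 3: "Tiger"}
WEAK = {"DES", "MD5"}

def summarize(log_text):
    """Return (mismatch counts, SAs actually created, SAs using DES or MD5)."""
    rejected, established = Counter(), []
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            rejected[(m["phase"], m["kind"].lower(), m["mine"], m["his"])] += 1
            continue
        m = IKE_SA.search(line)
        if m:
            established.append(("IKE", ENCR.get(int(m[1]), m[1]), HASH.get(int(m[2]), m[2])))
            continue
        m = ESP_SA.search(line)
        if m:
            established.append(("ESP", m[1].upper(), None))
    weak = [sa for sa in established if WEAK & {sa[1], sa[2]}]
    return rejected, established, weak

if __name__ == "__main__":
    rejected, established, weak = summarize(SAMPLE_LOG)
    for (phase, kind, mine, his), n in rejected.items():
        print(f"{n}x {phase} {kind}: server {mine} vs peer {his}")
    print("created:", established, "| weak:", weak)
```

The repeated warnings only record proposals that did not match; the "is created" lines show what the gateway actually accepted, which is what to review against the intended policy.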
Cisco VPN Client 5.0.07.0440 Fails Installation on Win7 64
Dears,
I went to install the Cisco VPN Client SW. I used the "vpnclient-winx64-msi-5.0.07.0440-k9" installer. But the installation on my laptop finished with Error 1722.
Here is a fragment from the log file:
MSI (s) (74:B0) [12:07:23:006]: Product: Cisco Systems VPN Client 5.0.07.0440 -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action CsCaExe_VAInstall, location: C:\Program Files (x86)\Cisco Systems\VPN Client\VAInst64.exe, command: nopopup i "C:\Program Files (x86)\Cisco Systems\VPN Client\Setup\CVirtA64.inf CS_VirtA
I use Windows 7 Home Premium 64-bit on my laptop, UAC is switched OFF, the antivirus SW is uninstalled, and my account has administrator rights.
I looked for it on the net but I did not find a satisfactory solution.
Please, does somebody know how I can solve this issue?
Thanks Milan
Hello Paul,
This seems to be a known issue:
Client cvpnd.exe errors on bootup if certain vendor's firewall installed.
However, just to try further options, what if you try this?
Restart VPN Client Service if You Install VPN Client before Zone Alarm
Also check: Check Point Integrity Firewall Incompatibility, found in the link above.
From the Zone Alarm FW, make sure you have the following advanced firewall options enabled:
Allow VPN protocols
Allow uncommon protocols at high security
Enable IPv6 networking
HTH
Portu. -
VPN Client Accounts: "Username and passwords must consist of numbers or letters"
I am configuring a username in the VPN Client Accounts within a Cisco WRVS4400N.
The username I must enter is in the form: [email protected]
Unfortunately, when I input that username, the system informs me that I cannot have anything other than numbers and letters.
The instructions from my University require us to use that FULL email format.
http://net-services.ufl.edu/provided_services/vpn/anyconnect/legacy-install.html
Is there a way to fix this?
Any solution for this? How can I pass in a blank domain parameter so I am automatically logged in instead of receiving the log-in dialog asking for the domain?