Cisco VPN - authentication failure?

realfoh (ASKER):

Upon connection to Cisco PIX (yet another one), I get the error 403: unable to contact the security gateway, after inputting username/password.

The log returns the following: (IP address masked)


Cisco Systems VPN Client Version 4.0.3 (F)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1      21:37:57.750  03/18/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 217.*.*.*.

2      21:37:57.765  03/18/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 217.*.*.*

3      21:37:57.765  03/18/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

4      21:37:57.765  03/18/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

5      21:37:58.859  03/18/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 217.*.*.*

6      21:37:58.859  03/18/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 217.*.*.*

7      21:37:58.859  03/18/06  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

8      21:37:58.859  03/18/06  Sev=Info/5      IKE/0x63000001
Peer supports DPD

9      21:37:58.859  03/18/06  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

10     21:37:58.859  03/18/06  Sev=Info/5      IKE/0x63000081
Received IOS Vendor ID with unknown capabilities flag 0x00000025

11     21:37:58.875  03/18/06  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

12     21:37:58.875  03/18/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 217.*.*.*

13     21:37:58.875  03/18/06  Sev=Info/4      IKE/0x63000082
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

14     21:37:58.906  03/18/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 217.*.*.*

15     21:37:58.906  03/18/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 217.*.*.*

16     21:37:58.906  03/18/06  Sev=Info/5      IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds

17     21:37:58.906  03/18/06  Sev=Info/5      IKE/0x63000046
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

18     21:37:58.906  03/18/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 217.*.*.*

19     21:37:58.906  03/18/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 217.*.*.*

20     21:38:01.937  03/18/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 217.*.*.*

21     21:38:01.968  03/18/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 217.*.*.*

22     21:38:01.968  03/18/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 217.*.*.*

23     21:38:01.968  03/18/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 217.*.*.*

24     21:38:01.984  03/18/06  Sev=Info/5      IKE/0x6300005D
Client sending a firewall request to concentrator

25     21:38:01.984  03/18/06  Sev=Info/5      IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

26     21:38:01.984  03/18/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 217.*.*.*

27     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 217.*.*.*

28     21:38:02.015  03/18/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 217.*.*.*

29     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.1.205

30     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

31     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 217.168.*.*

32     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 195.204.*.*

33     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = jobb.local

34     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

35     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x6300000F
SPLIT_NET #1
      subnet = 0.0.0.0
      mask = 0.0.0.0
      protocol = 0
      src port = 0
      dest port=0

36     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

37     21:38:02.015  03/18/06  Sev=Info/4      IKE/0x63000055
Received a key request from Driver: Local IP = 192.168.1.205, GW IP = 217.*.*.*, Remote IP = 0.0.0.0

38     21:38:02.015  03/18/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 217.*.*.*

39     21:38:02.078  03/18/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 217.*.*.*

40     21:38:02.078  03/18/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 217.*.*.*

41     21:38:02.078  03/18/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 217.*.*.*

42     21:38:02.078  03/18/06  Sev=Info/4      IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=E5ADA4A5

43     21:38:02.078  03/18/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=653F5F9B11798870 R_Cookie=91D3A2210C12289C) reason = DEL_REASON_IKE_NEG_FAILED

44     21:38:02.093  03/18/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

45     21:38:05.093  03/18/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=653F5F9B11798870 R_Cookie=91D3A2210C12289C) reason = DEL_REASON_IKE_NEG_FAILED

46     21:38:05.093  03/18/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

47     21:38:05.093  03/18/06  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

48     21:38:05.093  03/18/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

49     21:38:05.093  03/18/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

50     21:38:05.093  03/18/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

51     21:38:05.093  03/18/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

---

Any comments to why the connection fails?
plemieux72:

The IKE (isakmp) negotiation is failing.  Can you post your PIX config?
realfoh (ASKER):

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ****** encrypted
hostname *******
domain-name jobb.local
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list jobb_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.32 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.32 255.255.255.240
access-list inside_access_in remark ping
access-list inside_access_in permit icmp any any time-exceeded
access-list inside_access_in remark ping
access-list inside_access_in permit icmp any any echo
access-list inside_access_in remark ping
access-list inside_access_in permit icmp any any unreachable
access-list inside_access_in remark Ping
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in remark Godtar alt
access-list inside_access_in permit ip any any
pager lines 24
logging on
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-inn 192.168.1.35-192.168.1.45
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 129.240.64.2 source outside prefer
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup jobb address-pool vpn-inn
vpngroup jobb dns-server *.*.*.*
vpngroup jobb default-domain jobb.local
vpngroup jobb split-tunnel jobb_splitTunnelAcl
vpngroup jobb idle-time 1800
vpngroup jobb password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 10
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns *.*.*.* *.*.*.*
dhcpd lease 7600
dhcpd ping_timeout 750
dhcpd domain jobb.local
dhcpd auto_config outside
dhcpd enable inside
username **** password ****** encrypted privilege 15
username admin password ******* encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
: end
[OK]
SOLUTION (plemieux72): only available to members of Experts Exchange.
realfoh (ASKER):

The use of a VPN pool with addresses in the same subnet, yet not the same range, has worked fine previously.

I am asking due to lack of knowledge:
Why is it better to use a different subnet for this?
And, when changing the subnet to 172.x, is it the mentioned access list that will handle the connection between the 172. subnet and the hosts on the 192. net behind the pix, making the VPN clients able to reach the 192 network?
SOLUTION: only available to members of Experts Exchange.
realfoh (ASKER):

Will changing the above mentioned fix the IKE problem?

Expert:

Yes, it will because the rest of your config is correct.
realfoh (ASKER):

Again out of curiosity/lack of knowledge:
What was causing the IKE trouble then? Since we're not (as I can see) changing anything IKE-specific, just changing the ip range for VPN clients?

Expert:

I am not positive but since IKE is the first phase of negotiation of the tunnel, for exchanging the crypto keys, if it can't get past IKE, there is most likely something wrong with the rest of the config which DOES interface with VPN.  In this case, I think IKE hangs on the ACLs.

I am not an expert on DH or the inner workings of IKE or cryptography, however, I know from a practical standpoint and doing many remote access Cisco VPN implementations that you HAVE to have the correct NAT ACLs first, then the correct VPN config or else, you risk having troubles even if the tunnel comes up.
realfoh (ASKER):

It worked! The authentication problem disappeared, and I can now reach all hosts inside.

Only one small thing left... How do I grant access to the PIX management utility (PDM) and PIX ssh access from the VPN ip range?

The following is in the running config:
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
management-access inside
realfoh (ASKER):

Hmm... I was celebrating a little too soon...
It all worked when testing from a 217-address (with the computer inside a firewall and our PIX located in the DMZ).

When connecting from home, on a 192.168.1.x network, in other words outside the firewall, I get a perfectly good VPN connection, get an IP (172.16.1.1), but I can't ping ANYTHING.

I'm stuck - again...
realfoh (ASKER):

Just to make sure I'm making myself clear:

Me --> FIREWALL (non-pix) --> PIX (in FW-DMZ) --> Hosts I want to reach by VPN (behind the PIX, inside IF)

Get a VPN connection to the PIX, get IP, no connection to any hosts...

Expert:

>Only one small thing left... How do I grant access to the PIX management utility (PDM) and PIX ssh access from the VPN ip range?
>The following is in the running config:
>telnet 192.168.1.0 255.255.255.0 inside
>ssh 192.168.1.0 255.255.255.0 inside
>management-access inside

You need to add your VPN subnet (which is considered an "inside" network).  For example:
ssh 172.16.1.0 255.255.255.240 inside
The same thing applies to telnet and PDM.

Can you repost your latest config?
Note- I am going on vacation for 7 days (shutting down my laptop right now)... So, I will help out some more when I come back.  Hopefully someone else can take over while I am gone... good luck.
realfoh (ASKER):

In other words, to enable management access from VPN:
management-access 172.16.1.0 255.255.255.240 inside ?

But - why can't I reach any remote hosts?
SOLUTION: only available to members of Experts Exchange.
realfoh (ASKER):

I didn't get the authentication to work until I changed the VPN IP Pool to a 172.x.x.x range.
Now I can't get a connection to the 192-network, what kind of changes has to be made?

Besides, it DOES work with 192-range on both ends, as you can disable local lan access in the Cisco VPN Client...

Expert:

>I didn't get the authentication to work until I changed the VPN IP Pool to a 172.x.x.x range.
  Right.  The way Cisco's VPN is designed, your VPN client pool must be different than your LAN behind the PIX or the LAN where the remote client resides; also, the LAN where the remote VPN client resides *must* use a different IP range than the LAN behind the PIX, otherwise you'll encounter a routing loop & you will *not* be able to ping across the VPN tunnel. Period.

>what kind of changes has to be made?
  Please post your current, complete but "sanitized" config (passwords removed, public IPs masked out as you've done previously), confirm if the network you're testing the remote VPN client from (home network or otherwise) is using the 192.168.1.x IP range.

I see that you're using VPN client v4.0.3 - you need to upgrade to newer than 4.0.5 if the client PCs are XP SP2.  Highly suggest upgrading to the latest v4.8.

cheers
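The client log in the question and the overlap rule just stated can be checked together. The following Python is an added example written for this thread (not code from the thread, from Cisco or from the VPN client): it parses the Cisco VPN Client log format, records which ISAKMP exchange the NO_PROPOSAL_CHOSEN notify answered (a reply to the quick-mode proposal is a phase 2 rejection, not a password failure), and tests the mode-config address the PIX handed out against the LAN networks given. The log excerpt is constructed from the entries posted above; the LAN CIDRs (192.168.1.0/24 behind the PIX, 10.0.0.0/24 as a sample client LAN) are assumptions taken from the thread.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed excerpt of the Cisco VPN Client 4.0.3 log posted in the question,
# with the gateway address masked as on the page.
SAMPLE_LOG = """\
29     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.1.205

30     21:38:02.015  03/18/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

38     21:38:02.015  03/18/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 217.*.*.*

40     21:38:02.078  03/18/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 217.*.*.*

43     21:38:02.078  03/18/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=653F5F9B11798870 R_Cookie=91D3A2210C12289C) reason = DEL_REASON_IKE_NEG_FAILED
"""

# One log entry: a numbered header line, then the message on the following line(s).
HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
MODE_CFG_RE = re.compile(
    r"MODE_CFG_REPLY: Attribute = (?P<attr>\w+)(?:\(\d+\))?: , value = (?P<value>\S+)"
)
# Which IKEv1 phase a NO_PROPOSAL_CHOSEN refers to depends on the exchange we last sent.
PHASE_BY_EXCHANGE = {
    "AG": "phase 1 (IKE SA, aggressive mode)",
    "MM": "phase 1 (IKE SA, main mode)",
    "QM": "phase 2 (IPsec SA, quick mode)",
}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the client log into entries; each has the header fields plus 'message'."""
    entries: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = m.groupdict()
            current["message"] = ""
            entries.append(current)
        elif current is not None and raw.strip():
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return entries


def diagnose(text: str, lan_networks: List[str]) -> Dict[str, object]:
    """Locate the failing exchange and check the assigned client address against known LANs.

    lan_networks: CIDR strings for the LAN behind the PIX and the LAN the client sits on.
    """
    result: Dict[str, object] = {
        "assigned_ip": None, "assigned_netmask": None, "client_network": None,
        "failure_phase": None, "ike_neg_failed": False, "overlapping_lans": [],
    }
    last_exchange = None
    for entry in parse_log(text):
        msg = entry["message"]
        cfg = MODE_CFG_RE.search(msg)
        if cfg and cfg.group("attr") == "INTERNAL_IPV4_ADDRESS":
            result["assigned_ip"] = cfg.group("value")
        elif cfg and cfg.group("attr") == "INTERNAL_IPV4_NETMASK":
            result["assigned_netmask"] = cfg.group("value")
        if msg.startswith("SENDING >>> ISAKMP OAK"):
            last_exchange = msg.split()[4]          # AG, MM, TRANS, QM or INFO
        if "NOTIFY:NO_PROPOSAL_CHOSEN" in msg:
            # The peer rejected whatever we proposed in the exchange just sent.
            result["failure_phase"] = PHASE_BY_EXCHANGE.get(last_exchange, "unknown")
        if "DEL_REASON_IKE_NEG_FAILED" in msg:
            result["ike_neg_failed"] = True
    if result["assigned_ip"] and result["assigned_netmask"]:
        client_net = ipaddress.ip_network(
            f"{result['assigned_ip']}/{result['assigned_netmask']}", strict=False)
        result["client_network"] = str(client_net)
        # A client address inside a LAN the client sits on or must reach gives it two
        # routes to the same subnet; the thread fixes this by moving the pool to 172.16.1.0/28.
        result["overlapping_lans"] = [
            lan for lan in lan_networks
            if client_net.overlaps(ipaddress.ip_network(lan))
        ]
    return result


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, ["192.168.1.0/24", "10.0.0.0/24"])
    for key, value in report.items():
        print(f"{key}: {value}")
```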
realfoh (ASKER):

PIX config will follow shortly...

IP address summary:
The network I'm connecting FROM is using a 10.0.0.x network.
The network behind the PIX is a 192.168.1.x network
The VPN clients get 172.16.1.x addresses.
realfoh (ASKER):

Here's the current config:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd ************* encrypted
hostname busoadminpix
domain-name jobb.local
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list jobb_splitTunnelAcl permit ip any any
access-list jobb_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.1.32 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.32 255.255.255.240
access-list inside_access_in remark ping
access-list inside_access_in permit icmp any any time-exceeded
access-list inside_access_in remark ping
access-list inside_access_in permit icmp any any echo
access-list inside_access_in remark ping
access-list inside_access_in permit icmp any any unreachable
access-list inside_access_in remark Ping
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in remark Godtar alt
access-list inside_access_in permit ip any any
pager lines 24
logging on
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 217.x.x.x 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-inn 172.16.1.1-172.16.1.14 mask 255.255.255.240
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.32 255.255.255.240 outside
pdm location 0.0.0.0 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 129.240.64.2 source outside prefer
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup jobb address-pool vpn-inn
vpngroup jobb dns-server 217.x.x.x 195.x.x.x
vpngroup jobb default-domain jobb.local
vpngroup jobb split-tunnel jobb_splitTunnelAcl
vpngroup jobb idle-time 1800
vpngroup jobb password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 10
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 217.x.x.x 195.x.x.x
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd domain jobb.local
dhcpd auto_config outside
username admin password ************* encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
ASKER CERTIFIED SOLUTION: only available to members of Experts Exchange.
realfoh (ASKER):

Thanks, I'll try this in the morning.
This will allow traffic between 172.x.x.x VPN clients and 192.x.x.x hosts behind the PIX (remote site)?

Is it possible to download the v4.8 client from somewhere? I don't have the necessary privileges to download it from Cisco...
Could of course order a CD, but it takes 2 weeks to have it delivered.

Expert:

hi again,
>This will allow traffic between 172.x.x.x VPN clients and 192.x.x.x hosts behind the PIX (remote site)?
  Yes, between 192.168.1.x & the VPN client pool 172.16.1.x.  Your IPSec ACLs (access lists) previously were configured with "permit ip any" which isn't how it should be.

>Is it possible to download the v4.8 client from somewhere?
  Yes, from Cisco's website if you have a current SmartNet contract on the PIX  & a "CCO" login if you don't already have one (same goes for downloading a newer PIX software image).  

  CCO registration page:
http://tools.cisco.com/RPF/register/register.do

cheers
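The two points made here, a client pool in its own subnet and IPsec ACLs that name the protected networks instead of "permit ip any", can be checked mechanically against a PIX 6.x config. The following Python is an added example for this thread (not the thread's, Cisco's or any project's code): it parses the handful of statements involved and reports a pool that overlaps the inside LAN, an "any any" split-tunnel ACL, and a nat 0 ACL that does not exempt LAN-to-pool traffic from NAT. The original sample is an excerpt of the first config posted above; the corrected sample is constructed from the guidance in this reply.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed excerpts of PIX 6.3(4) configs: the original posted in this thread (pool inside
# the LAN, split-tunnel ACL 'permit ip any any') and a corrected variant built from the
# expert's guidance (pool 172.16.1.0/28, ACLs naming the LAN and the pool).
ORIGINAL_CONFIG = """\
access-list jobb_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.32 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpn-inn 192.168.1.35-192.168.1.45
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup jobb address-pool vpn-inn
vpngroup jobb split-tunnel jobb_splitTunnelAcl
"""

CORRECTED_CONFIG = """\
access-list jobb_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpn-inn 172.16.1.1-172.16.1.14 mask 255.255.255.240
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup jobb address-pool vpn-inn
vpngroup jobb split-tunnel jobb_splitTunnelAcl
"""

Net = ipaddress.IPv4Network
Ace = Tuple[str, Net, Net]          # (action, source, destination) of an 'ip' ACE


def _target(tok: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACE address term at tok[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_pix(config: str) -> Dict[str, object]:
    """Pull out the PIX 6.x statements the remote-access VPN checks below need."""
    acls: Dict[str, List[Ace]] = {}
    info: Dict[str, object] = {"acls": acls, "inside": None, "pools": {},
                               "nat0_acl": None, "pool_name": None, "split_acl": None}
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) >= 5 and tok[2] in ("permit", "deny") and tok[3] == "ip":
            src, i = _target(tok, 4)
            dst, _ = _target(tok, i)
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
        elif tok[:3] == ["ip", "address", "inside"]:
            info["inside"] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            info["pools"][tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"]:
            info["nat0_acl"] = tok[4]
        elif tok[0] == "vpngroup" and tok[2] == "address-pool":
            info["pool_name"] = tok[3]
        elif tok[0] == "vpngroup" and tok[2] == "split-tunnel":
            info["split_acl"] = tok[3]
    return info


def lint(config: str) -> List[str]:
    """Return findings for the three points raised in the thread; an empty list means all pass."""
    info = parse_pix(config)
    inside = info["inside"]
    pool = info["pools"].get(info["pool_name"])
    if inside is None or pool is None:
        return ["missing 'ip address inside' or the vpngroup address-pool"]
    first, last = pool
    findings: List[str] = []
    # 1. The client pool must not overlap the LAN behind the PIX.
    if int(first) <= int(inside.broadcast_address) and int(last) >= int(inside.network_address):
        findings.append(f"pool {first}-{last} overlaps inside subnet {inside}")
    # 2. The split-tunnel ACL should name the protected LAN, not 'permit ip any any'.
    for _, src, dst in info["acls"].get(info["split_acl"], []):
        if src.prefixlen == 0 and dst.prefixlen == 0:
            findings.append(f"split-tunnel ACL {info['split_acl']} has 'permit ip any any'")
    # 3. The nat 0 ACL must exempt inside LAN -> pool traffic, or replies get translated.
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    exempt = any(
        inside.subnet_of(src) and all(n.subnet_of(dst) for n in pool_nets)
        for _, src, dst in info["acls"].get(info["nat0_acl"], [])
    )
    if not exempt:
        findings.append(f"nat 0 ACL {info['nat0_acl']} does not cover {inside} -> {first}-{last}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, "->", lint(cfg) or ["no findings"])
```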
realfoh (ASKER):

Nope, this didn't change anything...
Client gets 172.16.1.1 IP, subnet .240, no gateway assigned.
No connection to any hosts on the 192. network.

Local IP (internet connection clientside) is 10.0.0.x

One other thing I noticed is the following:
The PIX is located in the DMZ of my primary firewall. When creating a VPN connection to the PIX from INSIDE of the firewall (not inside the pix) using a 217.x.x.x address, I get connection with all 192. hosts.
Why should this make any difference? This is still outside the PIX, right?

Any other solutions? I need this to work as soon as possible :)
realfoh (ASKER):

Found this in the VPN Client connection log, don't know if it has anything to do with the problem, but here it is...

201    18:02:16.765  03/26/06  Sev=Info/5      IKE/0x6300000F
SPLIT_NET #1
      subnet = 192.168.1.0
      mask = 255.255.255.0
      protocol = 0
      src port = 0
      dest port=0

Expert:

The "SPLIT_NET #1" entry is correct & expected; it just shows the 192.168.1.x network behind the PIX.

>The PIX is located in the DMZ of my primary firewall. ...Why should this make any difference?
  This makes a world of difference, since your primary firewall affects what traffic gets to/from the PIX *from the Internet*.  Now that your PIX config is corrected, & you've verified that you can successfully create a VPN tunnel AND reach the 192.168.1.x subnet behind the PIX, you must ensure that you're allowing the following through your primary firewall to/from the PIX outside interface *from the outside world*:
   UDP port 500
   UDP port 4500
   ESP traffic (protocol 50, *not* port 50)

>...This is still outside the PIX, right?
  Yes, as far as the PIX is concerned, but this really isn't a valid test since your primary firewall is in the mix. You'd instead want to test from another external site (from home, etc) since this is where the VPN clients will be.  

Also, do this to your PIX:
  clear crypto ipsec sa
  clear crypto isakmp sa
  isakmp nat-traversal  <- helps when VPN client or PIX is behind a NAT device
  clear xlate
*And test the VPN connection from home or some other external location where you have some knowledge & control over the local network.

cheers
realfoh (ASKER):

Both UDP ports have been open all the time.
Don't know how I can allow the ESP traffic... The primary firewall is an IPCop firewall (iptables)... (soon to be replaced by a PIX 515)

Any idea?

Expert:

>Both UDP ports have been open all the time.
  In both inbound/outbound directions?

IPCop firewall? Haven't played with one, but checking the website, it doesn't look good with the IPCop web interface.  The firewall & " DMZ Pinholes" section of the admin guide says tcp, udp, & gre protocols are supported.  Check the drop-down list, see if ESP is there (probably not).  If it can't be done via IPCop directly, can you get "root level" command-line access to the IPCop box? If so, you should be able to directly modify the iptables rules...  I'm rusty on iptables and haven't seen your iptables rules, but you could try the following:
 iptables -A INPUT -p 50 -s 0/0 -d <PIX outside IP> -j ACCEPT
 iptables -A OUTPUT -p 50 -s <PIX outside IP> -d 0/0 -j ACCEPT

Also, be aware that if you need to modify the rules directly as above, you'll need to add similar lines to one of the startup scripts so they're added upon reboot. Usually adding to the rc.local file is sufficient.

If still no good, I'd strongly suggest posting a separate question in either of the following topic areas for iptables help:
  https://www.experts-exchange.com/Networking/Linux_Networking/
  https://www.experts-exchange.com/Security/Linux_Security/

>...soon to be replaced by a PIX 515
  Very glad to hear it!!

cheers
realfoh (ASKER):

I have a PIX 515R-DMZ available, but feel it's a bit over my head to configure it.
I'm fairly familiar with the PDM, but really not a network wiz :)
Yet I would really like to get the VPN to work as well as get rid of the NAT'ed hosts on the DMZ and inside interfaces.

How much config is required for the following:

- Outside interface setup with static IP
- DMZ (with a few servers and the VPN-PIX inside)
- Inside with routed traffic, all hosts on the inside have official IPs

Do you think I'll manage to do this with some assistance from you or others here at EE?

Expert:

>I'm fairly familiar with the PDM
  Do yourself a favor & learn the CLI when you can - it's faster, easier to use, no limitations, doesn't require a browser/Java; all you need is console, telnet or SSH access & you're able to configure it all.

>How much config is required for the following:..
   Shouldn't take a whole lot, unless you've got some unusual or problematic requirements.

>Do you think I'll manage to do this with some assistance from you or others here at EE?
   Sure, shouldn't be a problem, there are several experienced PIX regulars on EE.  
You'll want to open a new question (~400-500 pts) in the Firewalls TA, mention "PIX 515 with a DMZ" in the title, & provide as much info as possible - this will help people here to get you going faster.  Posting a URL to a Visio/picture network diagram (with public IPs masked of course like so: x.x.x.83) of your current setup would also help.  Some of the info you'll want to provide:
- "x.x.x.45" masked public IPs (with correct subnet masks unaltered)
- Any private IPs left unaltered (ie in the ranges: 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- PIX version (eg, "7.0(2)")
- How you want DMZ servers/hosts to be accessible ("only from Internet", "from Internet & from inside LAN on these ports")
- What types of servers are on DMZ & what IPs they'll be using; ie, "www server accessible from outside public IP x.x.x.21 on port 80, 443 & accessible from inside LAN on port 443, 22, etc.
- Mention that you'll have a PIX in the DMZ as a VPN endpoint (although you could just use the 515 itself as the VPN endpoint, that's up to you).
- State how you'll need NAT setup or not, as the case may be.
- Mention any other subnets inside the 515 that might need access to the DMZ or to the Internet, & specify if there are any routers that'll be inside the PIX that may affect things.
...etc.  Be as clear & complete in your requirements so this will get done faster & easier.

If the PIX 515 is version 6.x I'll be glad to help if I can (I'll be unavailable Mon night due to a large project for a client); if it's v7.x then I'll defer to someone else (lrmoore or others) who have a lot of experience with v7.x.

cheers
realfoh (ASKER):

I'm fairly familiar with CLI from other devices (like 2950 etc), but have just started working with PIX'es, a bit over my head since I'm lacking the expert knowledge :)
But - I can't learn without getting over my head once in a while.. :)

Sounds like we could give it a shot :)
Thanks a lot for your excellent guidance so far!
realfoh (ASKER):

Moved the PIX out of the DMZ, but now I can't get authentication to work (nothing changed except IP, subnet and default GW).
Get an outgoing connection from behind the PIX, confirming the GW etc. is correct...

Here's the log:


1      23:21:29.937  03/29/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 84.*.*.*.

2      23:21:29.937  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 84.*.*.*

3      23:21:29.937  03/29/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

4      23:21:29.937  03/29/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

5      23:21:31.046  03/29/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 84.*.*.*

6      23:21:31.046  03/29/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 84.*.*.*

7      23:21:31.046  03/29/06  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

8      23:21:31.046  03/29/06  Sev=Info/5      IKE/0x63000001
Peer supports DPD

9      23:21:31.046  03/29/06  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

10     23:21:31.046  03/29/06  Sev=Info/5      IKE/0x63000081
Received IOS Vendor ID with unknown capabilities flag 0x00000025

11     23:21:31.046  03/29/06  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

12     23:21:31.046  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 84.*.*.*

13     23:21:31.046  03/29/06  Sev=Info/4      IKE/0x63000082
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

14     23:21:31.078  03/29/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 84.*.*.*

15     23:21:31.078  03/29/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 84.*.*.*

16     23:21:31.078  03/29/06  Sev=Info/5      IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds

17     23:21:31.078  03/29/06  Sev=Info/5      IKE/0x63000046
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now

18     23:21:31.078  03/29/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 84.*.*.*

19     23:21:31.078  03/29/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 84.*.*.*

20     23:21:32.953  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 84.*.*.*

21     23:21:32.984  03/29/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 84.*.*.*

22     23:21:32.984  03/29/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 84.*.*.*

23     23:21:32.984  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 84.*.*.*

24     23:21:33.015  03/29/06  Sev=Info/5      IKE/0x6300005D
Client sending a firewall request to concentrator

25     23:21:33.015  03/29/06  Sev=Info/5      IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

26     23:21:33.015  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 84.*.*.*

27     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 84.*.*.*

28     23:21:33.031  03/29/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 84.*.*.*

29     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.1

30     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.240

31     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 217.*.*.*

32     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 195.*.*.*

33     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = jobb.local

34     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

35     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x6300000F
SPLIT_NET #1
      subnet = 192.168.1.0
      mask = 255.255.255.0
      protocol = 0
      src port = 0
      dest port=0

36     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

37     23:21:33.031  03/29/06  Sev=Info/4      IKE/0x63000055
Received a key request from Driver: Local IP = 172.16.1.1, GW IP = 84.*.*.*, Remote IP = 0.0.0.0

38     23:21:33.031  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 84.*.*.*

39     23:21:33.093  03/29/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 84.*.*.*

40     23:21:33.093  03/29/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 84.*.*.*

41     23:21:33.093  03/29/06  Sev=Warning/3      IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)

42     23:21:33.093  03/29/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

43     23:21:38.109  03/29/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

44     23:21:38.109  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 84.*.*.*

45     23:21:43.109  03/29/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

46     23:21:43.109  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 84.*.*.*

47     23:21:48.109  03/29/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

48     23:21:48.109  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 84.*.*.*

49     23:21:53.109  03/29/06  Sev=Info/4      IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=F37BA41F

50     23:21:53.109  03/29/06  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 84.*.*.*, seq# = 745309007

51     23:21:53.109  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 84.*.*.*

52     23:21:53.109  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 84.*.*.*

53     23:21:53.109  03/29/06  Sev=Info/4      IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=F37BA41F

54     23:21:53.125  03/29/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 84.*.*.*

55     23:21:53.125  03/29/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 84.*.*.*

56     23:21:53.125  03/29/06  Sev=Info/5      IKE/0x6300003F
Received DPD ACK from 84.*.*.*, seq# received = 745309008, seq# expected = 745309008

57     23:22:23.109  03/29/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A9CCE9728D46E05D R_Cookie=CE71A3950C08F037) reason = DEL_REASON_PEER_NOT_RESPONDING

58     23:22:23.109  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 84.*.*.*

59     23:22:23.609  03/29/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=A9CCE9728D46E05D R_Cookie=CE71A3950C08F037) reason = DEL_REASON_PEER_NOT_RESPONDING

60     23:22:23.609  03/29/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

61     23:22:23.625  03/29/06  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

62     23:22:23.625  03/29/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

63     23:22:23.625  03/29/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

64     23:22:23.625  03/29/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

65     23:22:23.625  03/29/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
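Reading the log above: the gateway answers aggressive mode (entry 6), XAUTH and mode-config complete and an address is pushed (entry 29), and only the quick-mode proposal sent in entry 38 is refused with NO_PROPOSAL_CHOSEN (entry 40), so the failure is in the phase-2 IPsec SA negotiation rather than the user login. The following Python is an added example, not code from the thread: it walks a Cisco VPN Client 4.x log and reports the last stage the exchange reached; the sample log is a constructed excerpt with the gateway address replaced by the documentation address 203.0.113.1.

```python
import re

# Constructed, abridged excerpt in the Cisco VPN Client 4.x log format (a header
# line, then the message line); it mirrors the thread's log with the gateway
# address replaced by the documentation address 203.0.113.1.
SAMPLE_LOG = """\
6      23:21:31.046  03/29/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 203.0.113.1

29     23:21:33.031  03/29/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.1

38     23:21:33.031  03/29/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 203.0.113.1

40     23:21:33.093  03/29/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 203.0.113.1
"""

# Entry header: "<seq> <time> <date> Sev=<level>/<n> <subsystem>/0x<code>"
HEADER = re.compile(r"^\d+\s+[\d:.]+\s+[\d/]+\s+Sev=(\w+)/\d+\s+(\w+)/0x[0-9A-Fa-f]+$")

def parse_entries(text):
    """Return (severity, subsystem, message) tuples; continuation lines are dropped."""
    entries, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            header = (m.group(1), m.group(2))
        elif header and line:           # first line after a header is the message
            entries.append((*header, line))
            header = None
    return entries

def diagnose(text):
    """Report the last stage the IKE exchange reached before it failed."""
    stage = "no-response"
    for _sev, _sub, msg in parse_entries(text):
        if "RECEIVING <<< ISAKMP OAK AG" in msg:
            stage = "phase1-ok"      # gateway answered aggressive mode: group/PSK accepted
        elif msg.startswith("MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS"):
            stage = "xauth-ok"       # an address was pushed, so the XAUTH login succeeded
        elif "SENDING >>> ISAKMP OAK QM" in msg:
            stage = "phase2-sent"    # quick mode: IPsec SA proposal offered
        elif "NOTIFY:NO_PROPOSAL_CHOSEN" in msg and stage == "phase2-sent":
            return "phase2-rejected" # gateway accepted none of the offered IPsec proposals
    return stage
```

A result of "phase2-rejected" points at the IPsec proposal (phase 2) on the gateway side, while a log that stops at "phase1-ok" would point at the XAUTH credentials instead.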

SOLUTION

ASKER

Excellent - it worked out perfectly!

Thanks for sharing your knowledge :)
You're welcome, glad it worked out!

ASKER

Do you happen to know how to make outgoing VPN work when behind a PIX?

I.e. a computer at my office (behind a PIX) wants to create a host-to-site VPN connection, but this fails.
I've been told there is a simple solution to this...
FYI - You might want to post this question as a new one for visibility.  And it is different from the initial one anyway.