Cisco VPN clients over ADSL can't gain access to LAN...

Hi Experts!

I have a really strange problem going on at the moment... I have a Cisco 1751 router set up for ADSL internet access/VPN server. Road warriors access email etc. using the Cisco VPN client on their home PCs/laptops. When using a 56k analogue modem to access the company LAN the VPN clients work fine. But anyone who has ADSL at home can't get in via the client. Nothing happens... the client just times out after a while. Any ideas what might be causing this? I know Cisco IOS but I'm still getting my head around the VPNs at the moment. Getting there bit by bit... Need to get this one sorted so it's worth 500 points.

Could it be a NAT issue? What do you think, guys?

Many thanks in advance. :)
Tim Holman Commented:
Config example here:

You will need to enable IKE over TCP/UDP on the VPN Client as well.
If they use the client, there is a SetMTU utility that comes with it. Use that utility to set the MTU to 1300.
DSL (pppoe) has an extra 8-byte overhead that can cause packet fragmentation. That breaks the IPSEC.

What OS are they using? What version Client?
If XP, have they installed SP2?
needsy (Author) Commented:
Tried changing the client MTU to 576, 1300 and 1500 with the same result.. :(
The machine I'm testing it on is: Win2000 SP4, client version 4.0.3(C)

Here is a debug from the client. (Thought it might help?)

Cisco Systems VPN Client Version 4.0.3 (C)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195

223    10:51:41.201  10/06/04  Sev=Info/4      CM/0x63100002
Begin connection process

224    10:51:41.201  10/06/04  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

225    10:51:41.201  10/06/04  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

226    10:51:41.201  10/06/04  Sev=Info/4      CM/0x63100024
Attempt connection with server ""

227    10:51:41.202  10/06/04  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with

228    10:51:41.202  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to

229    10:51:41.202  10/06/04  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

230    10:51:41.266  10/06/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

231    10:51:41.918  10/06/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

232    10:51:41.926  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from

233    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

234    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer supports DPD

235    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

236    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

237    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

238    10:51:41.926  10/06/04  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

239    10:51:41.926  10/06/04  Sev=Info/4      IKE/0x63000013

240    10:51:41.926  10/06/04  Sev=Info/6      IKE/0x63000054
Sent a keepalive on the IPSec SA

241    10:51:41.926  10/06/04  Sev=Info/4      IKE/0x63000082
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

242    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000071
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

243    10:51:41.926  10/06/04  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

244    10:51:51.924  10/06/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

245    10:51:51.924  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from

246    10:51:51.924  10/06/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

247    10:51:51.924  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to

248    10:51:51.233  10/06/04  Sev=Info/6      IKE/0x63000054
Sent a keepalive on the IPSec SA

249    10:51:05.918  10/06/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

250    10:56:04.928  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from

251    10:56:04.928  10/06/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

252    10:56:04.928  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to

253    10:56:04.928  10/06/04  Sev=Info/6      IKE/0x63000054
Sent a keepalive on the IPSec SA

254    10:55:24.966  10/06/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

255    10:55:24.966  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from

256    10:55:24.966  10/06/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

257    10:55:24.966  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to

258    10:56:19.132  10/06/04  Sev=Info/6      IKE/0x63000054
Sent a keepalive on the IPSec SA

259    10:56:28.686  10/06/04  Sev=Info/4      CM/0x63100006
Abort connection attempt before Phase 1 SA up

260    10:56:28.686  10/06/04  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

261    10:56:28.686  10/06/04  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=3F67DC32A4ADF6E2 R_Cookie=A6BB3CCF301F9EAF) reason = DEL_REASON_RESET_SADB

262    10:56:28.686  10/06/04  Sev=Info/4      IKE/0x63000013

263    10:56:28.686  10/06/04  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=3F67DC32A4ADF6E2 R_Cookie=A6BB3CCF301F9EAF) reason = DEL_REASON_RESET_SADB

264    10:56:28.686  10/06/04  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

265    10:55:18.627  10/06/04  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

266    10:54:10.567  10/06/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

267    10:54:10.567  10/06/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

268    10:54:10.567  10/06/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

269    10:54:10.567  10/06/04  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Any ideas?? Thanks....

Look at the ADSL end.  Make sure any routers that are deployed have been set to allow "IPSEC pass thru".  This is the most common problem we have seen with broadband users connecting.

Also check for firmware upgrades on your remote routers/ADSL equipment.
Tim Holman Commented:
The difference I can see is that dial-up clients get a real address, whereas ADSL clients are often behind NAT.
Enable NAT-T on both client and server, and you should be all set.
Any progress? Do you need more information?

needsyAuthor Commented:
Gonna try enabling NAT-T but not quite sure how to do that. Can you help?
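
As an added example (not part of the original thread and not Cisco tooling), the Python below parses entries in the format of the client log posted above and extracts what matters for the NAT question: the IKE port in use (0x1194 is 4500, the NAT-T port), the NAT detection result, and peer retransmissions before the abort. The sample log is constructed from four of the posted entries, and the function names are hypothetical.

```python
import re

# Constructed sample: four entries in the shape of the client log in this thread
# (the peer address is blank in the posted log and is left blank here).
SAMPLE_LOG = """\
241    10:51:41.926  10/06/04  Sev=Info/4      IKE/0x63000082
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

242    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000071
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

245    10:51:51.924  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from

259    10:56:28.686  10/06/04  Sev=Info/4      CM/0x63100006
Abort connection attempt before Phase 1 SA up
"""

# Entry header: sequence, time, date, severity, then MODULE/0xEVENTCODE.
HEADER = re.compile(r"^(\d+)\s+\S+\s+\S+\s+Sev=\w+/\d+\s+(\w+)/(0x[0-9A-Fa-f]+)$")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = {"seq": int(m.group(1)), "module": m.group(2), "code": m.group(3), "msg": []}
            entries.append(current)
        elif current is not None and line.strip():
            current["msg"].append(" ".join(line.split()))  # collapse padding
    return entries

def summarize(entries):
    """Collect the port, NAT and retransmission facts from parsed entries."""
    s = {"local_port": None, "remote_port": None, "client_behind_nat": False,
         "peer_retransmissions": 0, "aborted": False}
    for e in entries:
        msg = " ".join(e["msg"])
        ports = re.search(r"Local Port = (0x[0-9A-Fa-f]+), Remote Port = (0x[0-9A-Fa-f]+)", msg)
        if ports:
            s["local_port"], s["remote_port"] = (int(p, 16) for p in ports.groups())
        s["client_behind_nat"] |= "This end IS behind a NAT device" in msg
        if msg.startswith("RECEIVING") and "(Retransmission)" in msg:
            s["peer_retransmissions"] += 1
        s["aborted"] |= msg.startswith("Abort connection attempt")
    return s

print(summarize(parse_entries(SAMPLE_LOG)))
```

Ports of 4500 on both sides together with repeated peer retransmissions are consistent with NAT-T having been negotiated and the follow-up traffic on UDP 4500 not arriving, so the home router and any ACL in front of the 1751 are worth checking for that port.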

Question has a verified solution.
