VPN for remote office.

I am currently trying to establish a VPN with a remote office user. I've got the Cisco VPN client installed on their laptop and I've gone through the VPN wizard in the ASDM UI; however, I am getting the following error message:
Secure VPN Connection terminated Peer.
Reason 433 (Reason not specified by Peer).
VFtechnology Asked:

stuknhawaii Commented:
Can you provide output from the VPN client's log? On the VPN Client, click on Log at the top of the client, then click Enable. Then click on Log again and select "Log Window". This will pop up a window and then you can cut/paste the log here.
0
VFtechnology (Author) Commented:
Here is the log from the VPN client:

Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      16:13:13.046  01/24/08  Sev=Info/4      CM/0x63100002
Begin connection process

2      16:13:13.078  01/24/08  Sev=Info/4      CM/0x63100004
Establish secure connection

3      16:13:13.078  01/24/08  Sev=Info/4      CM/0x63100024
Attempt connection with server "72.236.69.130"

4      16:13:13.453  01/24/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

5      16:13:13.453  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

6      16:13:18.828  01/24/08  Sev=Info/4      CM/0x63100026
Abort connection attempt before TCP session up

7      16:13:18.828  01/24/08  Sev=Info/4      CM/0x6310002D
Resetting TCP connection on port 10000

8      16:13:18.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      16:13:18.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

10     16:13:18.953  01/24/08  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

11     16:14:20.796  01/24/08  Sev=Info/4      CM/0x63100002
Begin connection process

12     16:14:20.812  01/24/08  Sev=Info/4      CM/0x63100004
Establish secure connection

13     16:14:20.812  01/24/08  Sev=Info/4      CM/0x63100024
Attempt connection with server "72.236.69.130"

14     16:14:20.953  01/24/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

15     16:14:20.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

16     16:14:20.953  01/24/08  Sev=Info/4      CM/0x63100029
TCP connection established on port 10000 with server "72.236.69.130"

17     16:14:21.453  01/24/08  Sev=Info/4      CM/0x63100024
Attempt connection with server "72.236.69.130"

18     16:14:21.468  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 72.236.69.130

19     16:14:21.515  01/24/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 72.236.69.130

20     16:14:21.531  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 72.236.69.130

21     16:14:21.531  01/24/08  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x092B, Remote Port = 0x01F4

22     16:14:21.531  01/24/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

23     16:14:21.562  01/24/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 72.236.69.130

24     16:14:21.562  01/24/08  Sev=Info/4      CM/0x63100015
Launch xAuth application

25     16:14:26.015  01/24/08  Sev=Info/4      CM/0x63100017
xAuth application returned

26     16:14:26.015  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 72.236.69.130

27     16:14:26.062  01/24/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 72.236.69.130

28     16:14:26.062  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 72.236.69.130

29     16:14:26.062  01/24/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

30     16:14:26.640  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 72.236.69.130

31     16:14:26.687  01/24/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 72.236.69.130

32     16:14:26.687  01/24/08  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A087C206C81115C4 R_Cookie=01086DE0622A66C9) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

33     16:14:27.453  01/24/08  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A087C206C81115C4 R_Cookie=01086DE0622A66C9) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

34     16:14:27.453  01/24/08  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

35     16:14:27.453  01/24/08  Sev=Info/4      CM/0x6310002D
Resetting TCP connection on port 10000

36     16:14:27.468  01/24/08  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

37     16:14:27.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

38     16:14:27.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

39     16:14:27.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

40     16:14:27.953  01/24/08  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
0
stuknhawaii Commented:
It looks to me like the VPN client's not getting an IP address offered to it. Can others connect? Can you post a copy of your config?
0
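The client log posted above records how far each connection attempt got: the first aborts before the TCP session is up, and the second completes Phase 1 and XAuth before the peer deletes the SA ahead of Mode Config. As an added example (not part of the original thread), this Python script pulls that per-attempt summary out of a log in the same format; the function name, the stage names and the abridged sample are assumptions made here.

```python
import re

# Constructed sample, abridged from the posted log; server address is a placeholder.
SAMPLE_LOG = """\
1      16:13:13.046  01/24/08  Sev=Info/4      CM/0x63100002
Begin connection process
6      16:13:18.828  01/24/08  Sev=Info/4      CM/0x63100026
Abort connection attempt before TCP session up
11     16:14:20.796  01/24/08  Sev=Info/4      CM/0x63100002
Begin connection process
16     16:14:20.953  01/24/08  Sev=Info/4      CM/0x63100029
TCP connection established on port 10000 with server "192.0.2.1"
22     16:14:21.531  01/24/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
29     16:14:26.062  01/24/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
34     16:14:27.453  01/24/08  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

HEADER = re.compile(r"^(\d+)\s+\d\d:\d\d:\d\d\.\d+\s+\S+\s+Sev=\S+\s+\w+/0x[0-9A-Fa-f]+$")
# Progress markers in negotiation order; all strings are taken from the posted log.
STAGES = [
    ("tcp_up", re.compile(r"TCP connection established")),
    ("phase1", re.compile(r"Established Phase 1 SA")),
    ("xauth", re.compile(r"\b[1-9]\d* User Authenticated IKE SA")),
]
FAILURE = re.compile(r"Abort connection attempt|SA deleted before")

def attempts(log_text):
    """One dict per connection attempt: furthest stage reached, failing entry."""
    results, entry = [], None
    for line in map(str.strip, log_text.splitlines()):
        if (m := HEADER.match(line)):
            entry = int(m.group(1))          # header line: remember entry number
        elif line and entry is not None:     # message line that follows a header
            if line == "Begin connection process":
                results.append({"stage": "started", "failed_at": None, "reason": None})
            elif results:
                cur = results[-1]
                for name, pattern in STAGES:
                    if pattern.search(line):
                        cur["stage"] = name  # later markers overwrite earlier ones
                if FAILURE.search(line) and cur["failed_at"] is None:
                    cur["failed_at"], cur["reason"] = entry, line
            entry = None
    return results

if __name__ == "__main__":
    print(attempts(SAMPLE_LOG))
```

A last stage of `xauth` with a "before Mode Config" reason means the client authenticated but the headend tore the SA down before delivering its tunnel settings.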
Michael Worsham (Staff Infrastructure Architect) Commented:
Does the remote user have a router in front of their laptop? If so, is VPN IPSec/PPTP/L2TP passthrough enabled on it?
0
VFtechnology (Author) Commented:
Here is a portion of the config that I think is applicable to the issue; let me know if you need more. Also, I'll check if they have VPN IPSec/PPTP/L2TP passthrough enabled on their router. No other users are using the VPN at this time; this user is our first attempt.

group-policy VFvpn internal
group-policy VFvpn attributes
 dns-server value 192.168.1.8 192.168.1.5
 vpn-tunnel-protocol IPSec
 default-domain value ourdomain.local
 webvpn
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy VF internal
group-policy VF attributes
 dns-server value 192.168.1.8
 webvpn
group-policy VPN internal
group-policy VPN attributes
 dns-server value 192.168.1.8
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 webvpn
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1480
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
 pre-shared-key *
tunnel-group VF type ipsec-ra
tunnel-group VF general-attributes
 address-pool VPNip
 default-group-policy VF
tunnel-group VF ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 30
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect tftp
service-policy global_policy global
webvpn
 nbns-server 192.168.1.8 timeout 2 retry 2
 authorization-server-group LOCAL
 default-group-policy VFvpn
 authorization-required
 authorization-dn-attributes use-entire-name
smtp-server 192.168.1.6
0
stuknhawaii Commented:
Try adding:
sysopt connection permit-ipsec
to the config; this allows the VPN traffic to bypass any ACLs.
0
VFtechnology (Author) Commented:
Thanks, I can take it from here.
0