stevetotaro
IS-IT--Management
I am trying to set up a Cisco 1721 Easy VPN server through SDM with clients connecting via the Cisco VPN Client. I cannot get it working and have tried everything I can think of. I think the problem is with "NOTIFY:NO_PROPOSAL_CHOSEN". Does anyone have any idea what is wrong? Below is the log output from the client.
Cisco Systems VPN Client Version 4.0.4 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195
1385 11:39:27.256 01/02/05 Sev=Info/4 CM/0x63100002
Begin connection process
1386 11:39:27.266 01/02/05 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
1387 11:39:27.266 01/02/05 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
1388 11:39:28.277 01/02/05 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
1389 11:39:28.287 01/02/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.x
1390 11:39:28.287 01/02/05 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
1391 11:39:28.287 01/02/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
1392 11:39:28.938 01/02/05 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
1393 11:39:28.938 01/02/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
1394 11:39:28.938 01/02/05 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
1395 11:39:28.938 01/02/05 Sev=Info/5 IKE/0x63000001
Peer supports DPD
1396 11:39:28.938 01/02/05 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code Only
1397 11:39:28.938 01/02/05 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
1398 11:39:28.938 01/02/05 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
1399 11:39:28.948 01/02/05 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
1400 11:39:28.948 01/02/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
1401 11:39:28.948 01/02/05 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA
1402 11:39:28.948 01/02/05 Sev=Info/4 IKE/0x63000082
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
1403 11:39:28.948 01/02/05 Sev=Info/5 IKE/0x63000071
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
1404 11:39:28.948 01/02/05 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
1405 11:39:28.948 01/02/05 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
1406 11:39:28.948 01/02/05 Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator
1407 11:39:28.948 01/02/05 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).
1408 11:39:28.948 01/02/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
1409 11:39:28.998 01/02/05 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
1410 11:39:28.998 01/02/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
1411 11:39:28.998 01/02/05 Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds
1412 11:39:28.998 01/02/05 Sev=Info/5 IKE/0x63000046
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
1413 11:39:28.998 01/02/05 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
1414 11:39:28.998 01/02/05 Sev=Warning/3 IKE/0xA3000029
No keys are available to decrypt the received ISAKMP payload
1415 11:39:28.998 01/02/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Opaque) from x.x.x.x
1416 11:39:29.028 01/02/05 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
1417 11:39:29.028 01/02/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
1418 11:39:29.028 01/02/05 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.10.33
1419 11:39:29.028 01/02/05 Sev=Warning/3 IKE/0xE3000084
The length, 0, of the Mode Config option, INTERNAL_IPV4_NETMASK, is invalid
1420 11:39:29.028 01/02/05 Sev=Info/5 IKE/0xA3000016
MODE_CFG_REPLY: The received (32767) attribute and value (2) is not supported
1421 11:39:29.028 01/02/05 Sev=Info/5 IKE/0xA3000017
MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value (-1062729183) is not supported
1422 11:39:29.028 01/02/05 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
1423 11:39:29.028 01/02/05 Sev=Info/5 IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME attribute with no data
1424 11:39:29.038 01/02/05 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value =
Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version 12.3(2)XE, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(3.5)T
TAC Support: Copyright (c) 1986-2003 by Cisco Systems, Inc.
Compiled Tue 18-Nov-03 19:00 by ealyon
1425 11:39:29.038 01/02/05 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
1426 11:39:29.038 01/02/05 Sev=Info/4 CM/0x63100019
Mode Config data received
1427 11:39:29.038 01/02/05 Sev=Info/4 IKE/0x63000055
Received a key request from Driver: Local IP = 192.168.10.33, GW IP = x.x.x.x, Remote IP = 0.0.0.0
1428 11:39:29.038 01/02/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to x.x.x.x
1429 11:39:29.118 01/02/05 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
1430 11:39:29.118 01/02/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x
1431 11:39:29.118 01/02/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x
1432 11:39:29.118 01/02/05 Sev=Info/4 IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=DBEB6925
1433 11:39:29.118 01/02/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=C36F7E24C171F15B R_Cookie=8AF08B8573A7179C) reason = DEL_REASON_IKE_NEG_FAILED
1434 11:39:29.679 01/02/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
1435 11:39:32.183 01/02/05 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=C36F7E24C171F15B R_Cookie=8AF08B8573A7179C) reason = DEL_REASON_IKE_NEG_FAILED
1436 11:39:32.183 01/02/05 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
1437 11:39:32.183 01/02/05 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
1438 11:39:32.183 01/02/05 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
1439 11:39:32.193 01/02/05 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
1440 11:39:32.683 01/02/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
1441 11:39:32.683 01/02/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
1442 11:39:32.683 01/02/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
1443 11:39:32.683 01/02/05 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
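
Added example (not part of the original post and not a Cisco tool): a small Python triage for the client log format shown above, which pairs the peer's first error notify with the last exchange the client sent. The names `parse_entries`, `triage` and `STAGE` are assumptions of this example, and the embedded sample is four entries taken from the posted log.

```python
import re

# Constructed sample: four entries taken from the client log in the post.
SAMPLE_LOG = """\
1404 11:39:28.948 01/02/05 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
1410 11:39:28.998 01/02/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
1428 11:39:29.038 01/02/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to x.x.x.x
1430 11:39:29.118 01/02/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x
"""

HEADER = re.compile(r"^(\d+)\s+[\d:.]+\s+[\d/]+\s+Sev=\w+/\d+\s+\w+/0x[0-9A-Fa-f]+$")
ISAKMP = re.compile(r"^(SENDING|RECEIVING) \S+ ISAKMP OAK (\w+) \*?\((.*)\) (?:to|from) ")
# Exchange labels as this client prints them, mapped to the IKEv1 stage they carry.
STAGE = {"AG": "Phase 1 (Aggressive Mode)", "TRANS": "XAUTH / Mode Config",
         "QM": "Phase 2 (Quick Mode)"}

def parse_entries(text):
    """Group each numbered header line with the message lines that follow it."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"id": int(m.group(1)), "msg": []})
        elif entries and line:
            entries[-1]["msg"].append(line)
    return entries

def triage(text):
    """Find the first error notify from the peer and the exchange it answers."""
    phase1_up, last_sent = False, None
    for e in parse_entries(text):
        msg = " ".join(e["msg"])
        phase1_up = phase1_up or msg.startswith("Established Phase 1 SA")
        m = ISAKMP.match(msg)
        if not m:
            continue
        direction, exchange, payloads = m.groups()
        if direction == "SENDING":
            last_sent = exchange if exchange != "INFO" else last_sent
            continue
        for p in payloads.split(", "):
            # STATUS_* notifies are informational; any other notify is an error.
            if p.startswith("NOTIFY:") and not p.startswith("NOTIFY:STATUS_"):
                return {"entry": e["id"], "notify": p[len("NOTIFY:"):],
                        "phase1_up": phase1_up, "stage": STAGE.get(last_sent, last_sent)}
    return None
```

On the posted log this points at entry 1430: the NO_PROPOSAL_CHOSEN notify answers the Quick Mode message sent in entry 1428, after Phase 1 was already established, so the rejected proposal is the Phase 2 (IPsec SA) one.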