I just can't get this to work out of the box/running wizard.  I'm
getting error on client of:

Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.

What areas should I be looking at please?  I've set the VPN Easy Server
up and made it Initiate as well as Respond.  I'm using a key phrase to
connect with.  I've tested the VPN server in the SDM software and its
says its ok.

Short of an entire dump please let me know what more info you need?

Are you using a firewall on your PC such as Windows XP firewall ?

Did you add the Cisco VPN client as an exception ?

Firewall must be configured to permit UDP ports 500 and 62515 whcih are
required for cisco vpn client.

I have F-Secure on client which I think is configured to allow the VPN
client - I will check.  As for the network there is no software
firewall on the server, just the Cisco box.  I assume that the wizard
setup the correct rules to allow clients in but how do I check this
port config?

Thanks for responding - you are the first one in over a month and I was
going slowly mad!

In article <1139578923.842010.93130@z14g2000cwz.googlegroups.com>,
Merv <merv.hrabi@rogers.com> wrote:
>Firewall must be configured to permit UDP ports 500 and 62515 whcih are
>required for cisco vpn client.

I'd never heard of 62515 being required before. I see it listed in
the VPN 3000 concentrator FAQ,
http://www.cisco.com/warp/public/471/vpn_3000_faq.shtml
along with 62514 thru 62524.

The description of the port use given in the FAQ does not suggest
to me that the firewall would need to be opened to permit any of those
ports: they appear to me to only to be talking from the local machine
to itself?

besides disabling your firewall, verify that you PC is actually
transmitting packets.
Start a cmd windows and run the command "netstat -s -p ip 60" to see IP
sned and receive packet counts

UDP port 62515 - Cisco Systems IPSec Driver to Cisco Systems, Inc. VPN
Service

Perhaps depends on where a firewall inserts itself in the dataflow

"James" <jpigott@ntlworld.com> wrote in message 
news:1139573586.324884.189250@o13g2000cwo.googlegroups.com...
>I just can't get this to work out of the box/running wizard.  I'm
> getting error on client of:
>
> Secure VPN Connection terminated locally by the Client.
> Reason 412: The remote peer is no longer responding.
>

Are you using IP/ESP, NAT-T, or TCP as your connect (Are you using NAT?)

Make sure you use a NAT-friendly VPN scheme.  I think the default is IP/ESP 
which fails with a lot of NAT devices. 

Also try the following commands to see a summary of what is or is not
happening:

C:\Program Files\Cisco Systems \ VPN Client\vpnclient stat traffic

C:\Program Files\Cisco Systems \ VPN Client\vpnclient stat tunnel

Great, thanks I will see what it states tonight.

Phillip,
Sorry for late reply - have been to France to try and chill from this
mess!!

I have NAT on the firewall. What am I using as my connect?  Good
question!
Do I search for this on the firewall or is it configured on the client
end -
or both?

Thanks,
James

How are you making out wih this issue ?

I can only test this when at another site - unfortunately I can not be
in the same building and "dial in".  So progress is slow.  However I
will add your command prompts tonight and let you know the outcome.  I
am still very confused by the whole thing as the webhelp that comes
with the SDM package is quite frankly - bloody useless!

Phillip has suggested IP/ESP as something to explore - but I am
awaiting where I look for this.  Also it makes me wonder what the
"wizard" is doing in setting up a complex system that basically then
fails to work.

Having had to reboot the box due to a total freeze I realise that I
have lost some previous settings - c'est la vie!  In wandering round
the maze again I see I don't have any IPSec Rules (ACL).  Do I need
some?  should not the "wizard" have produced the ones it needs?  Does
this "wizard" only work on Sundays!?

Thanks

Is now a good time to post the config?

OK, I've just tried from within the site.  Hoping that my packets will
leave and then come back to establish a link.  I now get an error:

Secure VPN Connection terminated locally by the Client.
Reason 401: An unrecognized error occurred while establishing the VPN
connection.

This happens after I log in:

Negotiating security policies...
Securing communications channel...

Can I assume that my security policies are at least set up ok?

Also found this in the log of the client:
1      11:58:32.550  02/14/06  Sev=Warning/3	GUI/0xE3B00003
GI EnumPPP callback timed out.

2      12:00:43.688  02/14/06  Sev=Warning/2	IKE/0xA3000062
Attempted incoming connection from 80.177.223.54. Inbound connections
are not allowed.

3      12:08:04.452  02/14/06  Sev=Warning/2	IKE/0xA3000062
Attempted incoming connection from 80.177.223.54. Inbound connections
are not allowed.

Have you always been getting as far as getting the messages:

Negotiating security policies...
Securing communications channel...

post the firewall config and the contents of the client VPN profile for
the connection

post the contents of the PIX firewall log  - use command "show log"

is the IP address 80.177.223.54. for your firewall ?

BTW is this a new VPN server setup or are there other users that are
able to connect to the VPN server sucessfully?

Here's the config:

Building configuration...

Current configuration : 8568 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$LR.f$pB8.ZdKhW3GXtV8S4gj3J.
!
username James privilege 15 secret 5 $1$lURO$tewOxEtKEAqZxNz7Zdbd4.
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default if-authenticated local
aaa authorization network default local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name XXX
ip name-server 158.152.1.58
ip name-server 158.152.1.43
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
crypto isakmp key pwd address 82.0.98.178
!
crypto isakmp client configuration group groupname
 key key
 dns 158.152.1.58 158.152.1.43
 wins xxx.xxx.xxx.200
 domain XXX
 pool SDM_POOL_1
 include-local-lan
 max-users 1
 max-logins 3
!
!
crypto ipsec transform-set TransformSet1 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSecProfile1
 set transform-set TransformSet1
!
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set TransformSet1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 ssid SSIDname
    authentication open
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0
 channel 2462
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 80.177.223.54 255.0.0.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname pigotts-ppm@lon1-aj1e.demonadsl.co.uk
 ppp chap password 7 05082E1D2042405A0A
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address xxx.xxx.xxx.100 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 xxx.xxx.xxx.50 xxx.xxx.xxx.55
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
logging xxx.xxx.xxx.100
logging 80.177.223.54
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit xxx.xxx.xxx.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit xxx.xxx.xxx.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by Cisco SDM Express firewall
configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip host xxx.xxx.xxx.50 any
access-list 100 permit ip host xxx.xxx.xxx.51 any
access-list 100 permit ip host xxx.xxx.xxx.52 any
access-list 100 permit ip host xxx.xxx.xxx.53 any
access-list 100 permit ip host xxx.xxx.xxx.54 any
access-list 100 permit ip host xxx.xxx.xxx.55 any
access-list 100 permit udp any host xxx.xxx.xxx.100 eq non500-isakmp
access-list 100 permit udp any host xxx.xxx.xxx.100 eq isakmp
access-list 100 permit esp any host xxx.xxx.xxx.100
access-list 100 permit ahp any host xxx.xxx.xxx.100
access-list 100 deny   ip 80.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall
configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host xxx.xxx.xxx.50 any
access-list 101 permit ip host xxx.xxx.xxx.51 any
access-list 101 permit ip host xxx.xxx.xxx.52 any
access-list 101 permit ip host xxx.xxx.xxx.53 any
access-list 101 permit ip host xxx.xxx.xxx.54 any
access-list 101 permit ip host xxx.xxx.xxx.55 any
access-list 101 permit udp any host 80.177.223.54 eq non500-isakmp
access-list 101 permit udp any host 80.177.223.54 eq isakmp
access-list 101 permit esp any host 80.177.223.54
access-list 101 permit ahp any host 80.177.223.54
access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq
non500-isakmp
access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq
isakmp
access-list 101 permit esp host 82.0.98.178 host 80.177.223.54
access-list 101 permit ahp host 82.0.98.178 host 80.177.223.54
access-list 101 permit udp host 158.152.1.43 eq domain host
80.177.223.54
access-list 101 permit udp host 158.152.1.58 eq domain host
80.177.223.54
access-list 101 deny   ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 101 permit icmp any host 80.177.223.54 echo-reply
access-list 101 permit icmp any host 80.177.223.54 time-exceeded
access-list 101 permit icmp any host 80.177.223.54 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 101 remark IPSec Rule
access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 xxx.xxx.xxx.0
0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip any host xxx.xxx.xxx.50
access-list 103 deny   ip any host xxx.xxx.xxx.51
access-list 103 deny   ip any host xxx.xxx.xxx.52
access-list 103 deny   ip any host xxx.xxx.xxx.53
access-list 103 deny   ip any host xxx.xxx.xxx.54
access-list 103 deny   ip any host xxx.xxx.xxx.55
access-list 103 permit ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 105 remark VTY Access-class list
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 105 deny   ip any any
access-list 700 permit 0001.e694.aa0a   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 access-class 105 in
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 130.88.203.12 prefer
end

I'm a bit unclear about the PIX bit - the client has a log but it is
only populated on attempted connection.  At the moment it only contains
this:

Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

I can increase the logging of such things like IPSec, IKE, PPP, GUI
etc.

Thanks for all your help.

And yes 80.177.223.54 is the external NAT'd address of the firewall
(Cisco 857W).

This is a new setup - and only one person (myself) will be allowed in.
Also forgot to say that the Negotiating security etc is new to me!!
Must be getting somewhere, right.  Trouble is that was from within the
site and all previous tests have been from outside.  Not sure what diff
that makes...

On your  VPN client profile setup, please confirm that the groupname is
set to"groupname" and the password is set to "key"

BTW I would suggest for clarity during testing  that you change these
settings on both the 837W and your PC.
For example use a captilized groupname and password

clear the logging buffer ("clear log") , attempt a connection, and then
post the contents of the 857's logging buffer (" show log')

lost the last response!

I can only see the 857 log, I have no text equivalent to copy and
paste.  It only has 5 info records the last being:

Processing of Quick mode failed with peer at "my pc's ip"

But here is the log of the client with IKE set to medium.  I changed
the group key on both.
Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      16:12:21.348  02/14/06  Sev=Warning/3	GUI/0xE3B00003
GI EnumPPP callback timed out.

Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1      16:14:50.652  02/14/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 80.177.223.54

2      16:14:50.732  02/14/06  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?),
VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from
80.177.223.54

3      16:14:50.742  02/14/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D,
NAT-D, VID(?), VID(Unity)) to 80.177.223.54

4      16:14:50.742  02/14/06  Sev=Info/4	IKE/0x63000082
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

5      16:14:50.752  02/14/06  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from
80.177.223.54

6      16:14:50.752  02/14/06  Sev=Warning/2	IKE/0xA3000062
Attempted incoming connection from 80.177.223.54. Inbound connections
are not allowed.

7      16:14:50.762  02/14/06  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54

8      16:14:55.750  02/14/06  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 80.177.223.54

9      16:14:57.172  02/14/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 80.177.223.54

10     16:14:57.182  02/14/06  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54

11     16:14:57.192  02/14/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 80.177.223.54

12     16:14:57.212  02/14/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 80.177.223.54

13     16:14:57.222  02/14/06  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54

14     16:14:57.532  02/14/06  Sev=Info/4	IKE/0x63000055
Received a key request from Driver: Local IP = 192.168.36.55, GW IP =
80.177.223.54, Remote IP = 0.0.0.0

15     16:14:57.532  02/14/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 80.177.223.54

16     16:14:57.542  02/14/06  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from
80.177.223.54

17     16:14:57.552  02/14/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 80.177.223.54

18     16:14:57.552  02/14/06  Sev=Info/4	IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=CABD5A7C

19     16:14:57.552  02/14/06  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=5ED0E3343207D013
R_Cookie=E82601E7412816C6) reason = DEL_REASON_IKE_NEG_FAILED

20     16:15:00.957  02/14/06  Sev=Info/4	IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=5ED0E3343207D013
R_Cookie=E82601E7412816C6) reason = DEL_REASON_IKE_NEG_FAILED

21     16:15:01.037  02/14/06  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

Try deleting crypto policy 1 and changing the hash on policy 2 from MD5
to sha so that it matches with the transform set.

Do this with the command line interface from the console not any Cisco
GUI.

How? I'm not familiar with any CLI and don't know the commands!  Sorry.
 If you could point to the prog that would be great.

To save time I did use the GUI and it seems that DES3 will work because
if using DES I get Peer not reponding - don't even get log on option.
Changing 2 to sha and DES3 has not changed the error which I think is
related to one of the log entries:

NOTIFY:NO_PROPOSAL_CHOSEN

whatever that means!  Thanks for perservering.

Going home to try connecting from there, just in case.  What is trying
to take place that fails?  It seems that we have established the
security policy as we then move on to establishing the "Securing
communications channel" bit - or is this like coding where to fix an
error it can often be in the line above?!

Will let you know how I get on tonight... thanks again.

When connecting from home I don't even get offered to enter my username
& pwd...