RE: Cisco Linux VPN Client problems

Hugh,

The error you are seeing has one (or both) causes:

1) The GroupName/GroupPassword is incorrect
2) The VPN client cannot connect to the PIX for ?? reason.

I have set up multiple VPN clients (Cisco type) on Linux going to multiple
VPN servers (Cisco) and haven't had any problems.

I hope that helps.

Mike

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-----Original Message-----
From: Hugh E Cruickshank [mailto:hugh@xxxxxxxxxxx] 
Sent: Wednesday, December 17, 2003 1:02 PM
To: Redhat-List
Subject: Cisco Linux VPN Client problems

Hi All:

Can someone give me a sanity check? I am relatively new to Linux
(less than 2 years) and have never set up a VPN before.

We are attempting to establish a VPN to a client's system. The
client has a Cisco PIX Firewall 515 and I have been attempting to
implement Cisco's Linux VPN Client software (V3.5.2) without
much success.

To start with, I doubt that the problem is at the client's end as
the Cisco unit has been in place for a while and they have several
Windows based clients accessing it without any problems. However
they have never implemented the Linux VPN client software so they
have been of limited help.

At our end, we have a GNet DSL Modem that is feeding one side of an
RH6.2/IPChains-based firewall. The other side of the firewall
feeds our internal class C subnet. I have set up the Cisco client
software on a separate RH7.2 system for testing.

Question 1: Is this configuration viable or should I have set up the
            VPN software on either the firewall or a box with
            external access?

Continuing with my story, I am able to ping the Cisco router from
the test system so the overall connectivity would appear to be good
and NAT is working.

I have added the following rules to our firewall script:

ipchains -A input -p 50  -s $ANY -d $ANY       -j ACCEPT
ipchains -A input -p 51  -s $ANY -d $ANY       -j ACCEPT
ipchains -A input -p tcp -s $ANY -d $ANY 500   -j ACCEPT
ipchains -A input -p udp -s $ANY -d $ANY 500   -j ACCEPT
ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
ipmasqadm portfw -a -P tcp -L $EXTIP1 500 -R $FISRH1 500

where ANY=0/0, EXTIP1 is the external IP address and FISRH1 is
the IP address of the box on which the VPN software is installed.

In desperation I have also added:

ipchains -A input -p tcp -s $ANY 500   -d $ANY -j ACCEPT
ipchains -A input -p udp -s $ANY 500   -d $ANY -j ACCEPT
ipchains -A input -p tcp -s $ANY 10000 -d $ANY -j ACCEPT
ipchains -A input -p udp -s $ANY 10000 -d $ANY -j ACCEPT

Question 2: Anything obviously wrong with the firewall mods?

When I attempt to connect the VPN client it fails with the messages:

Cisco Systems VPN Client Version 3.5.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586

Initializing the IPSec link.
Contacting the gateway at AAA.BBB.CCC.DDD
Remote peer is no longer responding.


The resulting log file contains:

1      13:57:34.353  12/17/2003  Sev=Info/4	CLI/0x43900002
Started vpnclient:
Cisco Systems VPN Client Version 3.5.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586

2      13:57:34.365  12/17/2003  Sev=Info/4	CVPND/0x4340000F
Started cvpnd:
Cisco Systems VPN Client Version 3.5.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586

3      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

4      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700009
IPSec driver already started

5      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700009
IPSec driver already started

6      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

7      13:57:35.369  12/17/2003  Sev=Info/4	CM/0x43100002
Begin connection process

8      13:57:35.371  12/17/2003  Sev=Info/4	CM/0x43100004
Establish secure connection using Ethernet

9      13:57:35.371  12/17/2003  Sev=Info/4	CM/0x43100026
Attempt connection with server "AAA.BBB.CCC.DDD"

10     13:57:35.371  12/17/2003  Sev=Info/6	IKE/0x4300003B
Attempting to establish a connection with AAA.BBB.CCC.DDD.

11     13:57:35.586  12/17/2003  Sev=Info/4	IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
AAA.BBB.CCC.DDD

12     13:57:35.586  12/17/2003  Sev=Info/4	IPSEC/0x43700009
IPSec driver already started

13     13:57:35.586  12/17/2003  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

14     13:57:40.588  12/17/2003  Sev=Info/4	IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

15     13:57:45.628  12/17/2003  Sev=Info/4	IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

16     13:57:50.668  12/17/2003  Sev=Info/4	IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

17     13:57:55.708  12/17/2003  Sev=Warning/2	IKE/0xC300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

18     13:57:55.708  12/17/2003  Sev=Info/4	CM/0x43100014
Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
"DEL_REASON_PEER_NOT_RESPONDING"

19     13:57:55.708  12/17/2003  Sev=Info/5	CM/0x43100029
Initializing CVPNDrv

20     13:57:56.828  12/17/2003  Sev=Info/4	IPSEC/0x43700009
IPSec driver already started

21     13:57:56.828  12/17/2003  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

I have replaced the client IP address with AAA.BBB.CCC.DDD.


Any suggestions would be greatly appreciated.

Regards, Hugh

--
Hugh E Cruickshank, Forward Software, www.forward-software.com
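
An added example, not part of either message above nor of Cisco's tooling: a small Python parser for the vpnclient log format quoted above that separates a run where nothing ever came back from the gateway (every SENDING followed only by retransmissions, then DEL_REASON_PEER_NOT_RESPONDING) from one where the gateway replied before negotiation failed, which is the first thing to know before chasing the ipchains rules or the group name/password. The sample records are constructed from the log quoted above, with the same AAA.BBB.CCC.DDD placeholder.

```python
import re

# One record header, e.g. "11     13:57:35.586  12/17/2003  Sev=Info/4<TAB>IKE/0x43000013"
HEADER = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+Sev=(\w+)/\d\s+(\w+)/(0x[0-9A-Fa-f]+)")

def parse_log(text):
    """Return (seq, severity, component, code, message) tuples. The client wraps
    a message over several lines, so non-header lines are appended to the record before them."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([int(m[1]), m[2], m[3], m[4], ""])
        elif entries and line.strip():
            entries[-1][4] = (entries[-1][4] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def diagnose_phase1(entries):
    """Count ISAKMP traffic in each direction and name the phase 1 outcome."""
    ike = [e[4] for e in entries if e[2] == "IKE"]
    sent = [m for m in ike if m.startswith("SENDING >>> ISAKMP")]
    recv = [m for m in ike if m.startswith("RECEIVED <<< ISAKMP")]
    retrans = [m for m in sent if "Retransmission" in m]
    gave_up = any("DEL_REASON_PEER_NOT_RESPONDING" in e[4] for e in entries)
    if sent and not recv and gave_up:
        # Nothing ever came back: the UDP/500 packet did not reach the gateway,
        # its reply did not return through the NAT/filter, or the gateway dropped it.
        verdict = "no-reply"
    elif recv and gave_up:
        verdict = "reply-then-silence"  # the peer answered at least once, then went quiet
    elif recv:
        verdict = "replied"             # the first exchange completed
    else:
        verdict = "no-ike-traffic"
    return {"verdict": verdict, "sent": len(sent), "received": len(recv),
            "retransmits": len(retrans)}

# Constructed excerpt in the client's log format, mirroring the failing run quoted above.
SAMPLE_NO_REPLY = """\
11     13:57:35.586  12/17/2003  Sev=Info/4\tIKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
AAA.BBB.CCC.DDD
14     13:57:40.588  12/17/2003  Sev=Info/4\tIKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
17     13:57:55.708  12/17/2003  Sev=Warning/2\tIKE/0xC300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
18     13:57:55.708  12/17/2003  Sev=Info/4\tCM/0x43100014
Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
"DEL_REASON_PEER_NOT_RESPONDING"
"""
```

Run `diagnose_phase1(parse_log(open("/path/to/vpnclient.log").read()))` against a real log; a `no-reply` verdict means the ISAKMP exchange never got a single answer, so the path and the forwarding rules deserve attention before the credentials do.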


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

