Hugh,

The error you are seeing has one (or both) of these causes:

1) The GroupName/GroupPassword is incorrect
2) The VPN client cannot connect to the PIX for ?? reason.

I have set up multiple VPN clients (Cisco type) on Linux going to multiple VPN servers (Cisco) and haven't had any problems.

I hope that helps.

Mike

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: Hugh E Cruickshank [mailto:hugh@xxxxxxxxxxx]
Sent: Wednesday, December 17, 2003 1:02 PM
To: Redhat-List
Subject: Cisco Linux VPN Client problems

Hi All:

Can someone give me a sanity check? I am relatively new to Linux (less than 2 years) and have never set up a VPN before.

We are attempting to establish a VPN to a client's system. The client has a Cisco PIX Firewall 515 and I have been attempting to implement Cisco's Linux VPN Client software (V3.5.2) without much success.

To start with, I doubt that the problem is at the client's end as the Cisco unit has been in place for a while and they have several Windows based clients accessing it without any problems. However they have never implemented the Linux VPN client software so they have been of limited help.

At our end, we have a GNet DSL Modem that is feeding one side of a RH6.2/IPChains based firewall. The other side of the firewall feeds our internal class C subnet. I have set up the Cisco client software on a separate RH7.2 system for testing.

Question 1: Is this configuration viable or should I have set up the VPN software on either the firewall or a box with external access?

Continuing with my story, I am able to ping the Cisco router from the test system so the overall connectivity would appear to be good and NAT is working.

I have added the following rules to our firewall script:

ipchains -A input -p 50 -s $ANY -d $ANY -j ACCEPT
ipchains -A input -p 51 -s $ANY -d $ANY -j ACCEPT
ipchains -A input -p tcp -s $ANY -d $ANY 500 -j ACCEPT
ipchains -A input -p udp -s $ANY -d $ANY 500 -j ACCEPT
ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
ipmasqadm portfw -a -P tcp -L $EXTIP1 500 -R $FISRH1 500

where ANY=0/0, EXTIP1 is the external IP address and FISRH1 is the IP address of the box that the VPN software is installed on.

In desperation I have also added:

ipchains -A input -p tcp -s $ANY 500 -d $ANY -j ACCEPT
ipchains -A input -p udp -s $ANY 500 -d $ANY -j ACCEPT
ipchains -A input -p tcp -s $ANY 10000 -d $ANY -j ACCEPT
ipchains -A input -p udp -s $ANY 10000 -d $ANY -j ACCEPT

Question 2: Anything obviously wrong with the firewall mods?

When I attempt to connect the VPN client it fails with the messages:

Cisco Systems VPN Client Version 3.5.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586

Initializing the IPSec link.
Contacting the gateway at AAA.BBB.CCC.DDD
Remote peer is no longer responding.

The resulting log file contains:

1 13:57:34.353 12/17/2003 Sev=Info/4 CLI/0x43900002
Started vpnclient:
Cisco Systems VPN Client Version 3.5.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586

2 13:57:34.365 12/17/2003 Sev=Info/4 CVPND/0x4340000F
Started cvpnd:
Cisco Systems VPN Client Version 3.5.2 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586

3 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

4 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700009
IPSec driver already started

5 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700009
IPSec driver already started

6 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

7 13:57:35.369 12/17/2003 Sev=Info/4 CM/0x43100002
Begin connection process

8 13:57:35.371 12/17/2003 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet

9 13:57:35.371 12/17/2003 Sev=Info/4 CM/0x43100026
Attempt connection with server "AAA.BBB.CCC.DDD"

10 13:57:35.371 12/17/2003 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with AAA.BBB.CCC.DDD.

11 13:57:35.586 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to AAA.BBB.CCC.DDD

12 13:57:35.586 12/17/2003 Sev=Info/4 IPSEC/0x43700009
IPSec driver already started

13 13:57:35.586 12/17/2003 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

14 13:57:40.588 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

15 13:57:45.628 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

16 13:57:50.668 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

17 13:57:55.708 12/17/2003 Sev=Warning/2 IKE/0xC300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

18 13:57:55.708 12/17/2003 Sev=Info/4 CM/0x43100014
Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of "DEL_REASON_PEER_NOT_RESPONDING"

19 13:57:55.708 12/17/2003 Sev=Info/5 CM/0x43100029
Initializing CVPNDrv

20 13:57:56.828 12/17/2003 Sev=Info/4 IPSEC/0x43700009
IPSec driver already started

21 13:57:56.828 12/17/2003 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

I have replaced the client IP address with AAA.BBB.CCC.DDD.

Any suggestions would be greatly appreciated.

Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
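As an added illustration (my own code, not part of the thread and not Cisco's client software): a small Python parser for the vpnclient log format shown in Hugh's message, run over a handful of entries constructed from that log, which counts IKE packets sent versus received, retransmissions and the logged failure reason, and turns them into a plain-language finding. The parser assumes each entry is a header line (sequence number, time, date, Sev=Level/n, COMPONENT/0xCODE) followed by one or more message lines; the "RECEIVING <<<" prefix for inbound IKE packets is an assumption, since the thread only shows outbound "SENDING >>>" lines.

```python
"""Summarize an IKE Phase 1 attempt from Cisco VPN Client (vpnclient) log entries.

Added example; the entry layout is taken from the log quoted in the thread:
    <seq> <hh:mm:ss.mmm> <mm/dd/yyyy> Sev=<Level>/<n> <COMPONENT>/0x<code>
    <message line(s)>
"""
import re

# Header line of one log entry.  A message line never starts with
# "<digits> <hh:mm:ss." so plain message text cannot be mistaken for a header.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d{4})\s+"
    r"Sev=(?P<level>\w+)/(?P<sev>\d)\s+(?P<comp>\w+)/0x(?P<code>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: a subset of the entries from the thread, gateway address
# already replaced by the AAA.BBB.CCC.DDD placeholder used there.
SAMPLE_LOG = """\
7 13:57:35.369 12/17/2003 Sev=Info/4 CM/0x43100002
Begin connection process
10 13:57:35.371 12/17/2003 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with AAA.BBB.CCC.DDD.
11 13:57:35.586 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to AAA.BBB.CCC.DDD
14 13:57:40.588 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
15 13:57:45.628 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
16 13:57:50.668 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
17 13:57:55.708 12/17/2003 Sev=Warning/2 IKE/0xC300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
18 13:57:55.708 12/17/2003 Sev=Info/4 CM/0x43100014
Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""


def parse_entries(text):
    """Return a list of dicts, one per entry: header fields plus the message text."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["seq"] = int(current["seq"])
            current["sev"] = int(current["sev"])
            current["msg"] = ""
            entries.append(current)
        elif current is not None and line.strip():
            # Non-header lines are the message (possibly several lines) of the
            # entry whose header preceded them.
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return entries


def summarize_ike(entries):
    """Count IKE traffic in each direction and extract exchange type, peer and failure."""
    ike = [e for e in entries if e["comp"] == "IKE"]
    sent = [e for e in ike if e["msg"].startswith("SENDING")]
    # "RECEIVING <<<" as the inbound-packet prefix is an assumption (not shown in the thread).
    received = [e for e in ike if e["msg"].startswith("RECEIVING")]
    summary = {
        "sent": len(sent),
        "received": len(received),
        "retransmissions": sum("(Retransmission)" in e["msg"] for e in sent),
        "first_exchange": None,  # "AG" = aggressive mode, "MM" = main mode
        "peer": None,
        "failure_reason": None,
        "warnings": sum(e["sev"] <= 2 for e in entries),
    }
    for e in sent:
        m = re.search(r"ISAKMP OAK (\w+)", e["msg"])
        if m and summary["first_exchange"] is None:
            summary["first_exchange"] = m.group(1)
        m = re.search(r"\bto (\S+)$", e["msg"])
        if m and summary["peer"] is None:
            summary["peer"] = m.group(1)
    for e in entries:
        m = re.search(r'because of "([A-Z_]+)"', e["msg"])
        if m:
            summary["failure_reason"] = m.group(1)
    return summary


def diagnose(summary):
    """Map the summary to a finding a troubleshooter can act on (my own mapping)."""
    if summary["sent"] == 0:
        return "No IKE packets were sent; the client never reached the negotiation stage."
    if summary["received"] == 0:
        return ("No IKE reply from %s after %d retransmission(s): UDP/500 is not reaching "
                "the gateway, or its reply is not reaching the client; check NAT and "
                "firewall handling of UDP 500 in both directions."
                % (summary["peer"], summary["retransmissions"]))
    if summary["failure_reason"]:
        return "IKE traffic flowed both ways but negotiation failed: %s" % summary["failure_reason"]
    return "IKE traffic flowed both ways and no failure reason was logged."


if __name__ == "__main__":
    s = summarize_ike(parse_entries(SAMPLE_LOG))
    print(s)
    print(diagnose(s))
```

Run against the constructed sample it reports 4 packets sent, 0 received, 3 retransmissions, an aggressive-mode ("AG") first exchange and the failure reason DEL_REASON_PEER_NOT_RESPONDING, which is the "nothing came back on UDP/500" pattern rather than a group-password rejection (that would show an IKE reply before the failure).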