RE: Cisco Linux VPN Client problems

Hi Mike:

Thanks for your reply. I will double check my handling for the
group and user name/passwords in the profile.

Besides that does my setup appear viable?

Thanks muchly!

Regards, Hugh

-- 
Hugh E Cruickshank, Forward Software, www.forward-software.com

From: Mike Koponick Sent: Wednesday, December 17, 2003 13:58
> 
> Hugh,
> 
> The error you are seeing has one (or both) causes:
> 
> 1) The GroupName/GroupPassword is incorrect
> 2) The VPN client cannot connect to the PIX for ?? reason.
> 
> I have set up multiple VPN clients (Cisco type) on Linux going to multiple
> VPN servers (Cisco) and haven't had any problems.
> 
> I hope that helps.
> 
> Mike
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> -----Original Message-----
> From: Hugh E Cruickshank [mailto:hugh@xxxxxxxxxxx] 
> Sent: Wednesday, December 17, 2003 1:02 PM
> To: Redhat-List
> Subject: Cisco Linux VPN Client problems
> 
> Hi All:
> 
> Can someone give me a sanity check? I am relatively new to Linux
> (less than 2 years) and have never set up a VPN before.
> 
> We are attempting to establish a VPN to a client's system. The
> client has a Cisco PIX Firewall 515 and I have been attempting to
> implement Cisco's Linux VPN Client software (V3.5.2) without
> much success.
> 
> To start with, I doubt that the problem is at the client's end as
> the Cisco unit has been in place for a while and they have several
> Windows based clients accessing it without any problems. However
> they have never implemented the Linux VPN client software so they
> have been of limited help.
> 
> At our end, we have a GNet DSL modem that is feeding one side of an
> RH6.2/IPChains-based firewall. The other side of the firewall
> feeds our internal class C subnet. I have set up the Cisco client
> software on a separate RH7.2 system for testing.
> 
> Question 1: Is this configuration viable, or should I have set up the
>             VPN software on either the firewall or a box with
>             external access?
> 
> Continuing with my story, I am able to ping the Cisco router from
> the test system so the overall connectivity would appear to be good
> and NAT is working.
> 
> I have added the following rules to our firewall script:
> 
> ipchains -A input -p 50  -s $ANY -d $ANY       -j ACCEPT
> ipchains -A input -p 51  -s $ANY -d $ANY       -j ACCEPT
> ipchains -A input -p tcp -s $ANY -d $ANY 500   -j ACCEPT
> ipchains -A input -p udp -s $ANY -d $ANY 500   -j ACCEPT
> ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
> ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
> ipmasqadm portfw -a -P tcp -L $EXTIP1 500 -R $FISRH1 500
> 
> where ANY=0/0, EXTIP1 is the external IP address and FISRH1 is
> the IP address of the box that the VPN software is installed on.
> 
> In desperation I have also added:
> 
> ipchains -A input -p tcp -s $ANY 500   -d $ANY -j ACCEPT
> ipchains -A input -p udp -s $ANY 500   -d $ANY -j ACCEPT
> ipchains -A input -p tcp -s $ANY 10000 -d $ANY -j ACCEPT
> ipchains -A input -p udp -s $ANY 10000 -d $ANY -j ACCEPT
> 
> Question 2: Anything obviously wrong with the firewall mods?
> 
> When I attempt to connect the VPN client, it fails with the messages:
> 
> Cisco Systems VPN Client Version 3.5.2 (Rel)
> Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Linux
> Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> 
> Initializing the IPSec link.
> Contacting the gateway at AAA.BBB.CCC.DDD
> Remote peer is no longer responding.
> 
> 
> The resulting log file contains:
> 
> 1      13:57:34.353  12/17/2003  Sev=Info/4	CLI/0x43900002
> Started vpnclient:
> Cisco Systems VPN Client Version 3.5.2 (Rel)
> Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Linux
> Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> 
> 2      13:57:34.365  12/17/2003  Sev=Info/4	CVPND/0x4340000F
> Started cvpnd:
> Cisco Systems VPN Client Version 3.5.2 (Rel)
> Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Linux
> Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> 
> 3      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700014
> Deleted all keys
> 
> 4      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700009
> IPSec driver already started
> 
> 5      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700009
> IPSec driver already started
> 
> 6      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700014
> Deleted all keys
> 
> 7      13:57:35.369  12/17/2003  Sev=Info/4	CM/0x43100002
> Begin connection process
> 
> 8      13:57:35.371  12/17/2003  Sev=Info/4	CM/0x43100004
> Establish secure connection using Ethernet
> 
> 9      13:57:35.371  12/17/2003  Sev=Info/4	CM/0x43100026
> Attempt connection with server "AAA.BBB.CCC.DDD"
> 
> 10     13:57:35.371  12/17/2003  Sev=Info/6	IKE/0x4300003B
> Attempting to establish a connection with AAA.BBB.CCC.DDD.
> 
> 11     13:57:35.586  12/17/2003  Sev=Info/4	IKE/0x43000013
> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
> AAA.BBB.CCC.DDD
> 
> 12     13:57:35.586  12/17/2003  Sev=Info/4	IPSEC/0x43700009
> IPSec driver already started
> 
> 13     13:57:35.586  12/17/2003  Sev=Info/4	IPSEC/0x43700014
> Deleted all keys
> 
> 14     13:57:40.588  12/17/2003  Sev=Info/4	IKE/0x43000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> 
> 15     13:57:45.628  12/17/2003  Sev=Info/4	IKE/0x43000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> 
> 16     13:57:50.668  12/17/2003  Sev=Info/4	IKE/0x43000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> 
> 17     13:57:55.708  12/17/2003  Sev=Warning/2	IKE/0xC300007C
> Exceeded 3 IKE SA negotiation retransmits... peer is not responding
> 
> 18     13:57:55.708  12/17/2003  Sev=Info/4	CM/0x43100014
> Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
> "DEL_REASON_PEER_NOT_RESPONDING"
> 
> 19     13:57:55.708  12/17/2003  Sev=Info/5	CM/0x43100029
> Initializing CVPNDrv
> 
> 20     13:57:56.828  12/17/2003  Sev=Info/4	IPSEC/0x43700009
> IPSec driver already started
> 
> 21     13:57:56.828  12/17/2003  Sev=Info/4	IPSEC/0x43700014
> Deleted all keys
> 
> I have replaced the client IP address with AAA.BBB.CCC.DDD.
> 
> 
> Any suggestions would be greatly appreciated.
> 
> Regards, Hugh
> 
> --
> Hugh E Cruickshank, Forward Software, www.forward-software.com
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 
> 
> 

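As an added example (not from the thread and not Cisco's tooling), a small Python parser for the vpnclient log format quoted above: it groups the numbered records, counts how many ISAKMP aggressive-mode packets went out without any reply, measures the retransmit spacing, and states a verdict in terms of the two causes Mike names. The embedded excerpt is copied from the log in the thread; ISAKMP/IKE runs over UDP/500, which is why the verdict points at that path through the firewall/NAT.

```python
# Added example (not from the thread or from Cisco): parse the Cisco VPN Client
# 3.x log format quoted above and triage the IKE Phase 1 outcome.
import re
# Record header "<seq>  HH:MM:SS.mmm  MM/DD/YYYY  Sev=<Level>/<n><tab><MODULE>/0x<code>";
# the message text follows on one or more continuation lines.
HEADER = re.compile(r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+\S+\s+"
                    r"Sev=(?P<level>\w+)/\d\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]{8})$")
def parse_log(text):
    # One dict per numbered record; continuation lines are joined into "message".
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = dict(m.groupdict(), seq=int(m["seq"]), message="")
            records.append(cur)
        elif cur is not None and line:
            cur["message"] = (cur["message"] + " " + line).strip()
    return records
# "HH:MM:SS.mmm" -> seconds since midnight, used for the retransmit spacing.
_secs = lambda t: sum(float(x) * k for x, k in zip(t.split(":"), (3600, 60, 1)))
def diagnose(records):
    # Did the peer ever answer Phase 1, and how many retransmits went out first?
    ike = [r for r in records if r["module"] == "IKE"]
    sent = [r for r in ike if r["message"].startswith("SENDING >>> ISAKMP")]
    got = [r for r in ike if r["message"].startswith("RECEIVED <<< ISAKMP")]
    retrans = sum("(Retransmission)" in r["message"] for r in sent)
    gave_up = any("PEER_NOT_RESPONDING" in r["message"] for r in records)
    gaps = [round(_secs(b["time"]) - _secs(a["time"]), 1) for a, b in zip(sent, sent[1:])]
    if sent and not got and gave_up:
        verdict = ("no IKE reply at all: UDP/500 is not reaching the peer (or its answers are "
                   "not coming back through the firewall/NAT), or the group name/password is wrong")
    elif got:
        verdict = "peer answered Phase 1; any failure is later in the negotiation"
    else:
        verdict = "inconclusive: no ISAKMP exchange in this excerpt"
    return {"mode": "aggressive" if any("OAK AG" in r["message"] for r in sent) else "main",
            "retransmits": retrans, "retransmit_gaps_s": gaps, "replies": len(got),
            "verdict": verdict}
# Excerpt copied from the log quoted in the thread (records 11, 14, 15 and 18).
SAMPLE = """\
11     13:57:35.586  12/17/2003  Sev=Info/4\tIKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
AAA.BBB.CCC.DDD
14     13:57:40.588  12/17/2003  Sev=Info/4\tIKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
15     13:57:45.628  12/17/2003  Sev=Info/4\tIKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
18     13:57:55.708  12/17/2003  Sev=Info/4\tCM/0x43100014
Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
"DEL_REASON_PEER_NOT_RESPONDING"
"""
```

Running `diagnose(parse_log(SAMPLE))` on the excerpt reports aggressive mode, 2 retransmits spaced 5.0 s apart, 0 replies and the "no IKE reply at all" verdict; a capture on the firewall's external interface for UDP/500 in both directions is the matching network-side check.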

