RE: Cisco Linux VPN Client problems

Hugh,

As long as you are allowing UDP/500 to pass through, you should be OK. It
looks like you are in your IPTables setup.

One thing you could do is copy a Windows profile over to your Linux
setup.

Go to: C:\Programs and Settings\Cisco\Profile\profile.pcf (your mileage
will vary) and copy the file straight away into your profile directory on
the Linux box. It should work fine.

Also, you may want to double-check your startup. Make sure you have the
VPNCLIENT working (/etc/rc.d/init.d/CISCOVPN start) and then
sh# vpnclient connect <profile_name WITHOUT the extension>

It should connect you from that.

Mike

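As an added example that is not part of the thread, the following Python audit parses ipchains and ipmasqadm rules of the form Hugh posted and reports, for each flow a Cisco IPsec client behind the firewall depends on (IKE on UDP/500, ESP as IP protocol 50, and UDP/10000 for the client's IPsec-over-UDP tunnelling), whether the input chain accepts it and whether a port forward exists for it; it also lists every ACCEPT rule that is 0/0 to 0/0. The rule text is the set quoted in the thread; the addresses behind $EXTIP1 and $FISRH1 are constructed placeholders, and the UDP/10000 mapping is an assumption taken from the port opened in those rules rather than from the PIX configuration. Run on the rules as posted it reports that all three flows are accepted on the input chain, that the only port forward is TCP/500, and that all six accept rules are any-to-any.

```python
import re
import shlex

# Constructed sample: the ipchains/ipmasqadm rules quoted in the thread,
# with the shell variables they reference left in place.
SAMPLE_RULES = """
ipchains -A input -p 50  -s $ANY -d $ANY       -j ACCEPT
ipchains -A input -p 51  -s $ANY -d $ANY       -j ACCEPT
ipchains -A input -p tcp -s $ANY -d $ANY 500   -j ACCEPT
ipchains -A input -p udp -s $ANY -d $ANY 500   -j ACCEPT
ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
ipmasqadm portfw -a -P tcp -L $EXTIP1 500 -R $FISRH1 500
"""
# Placeholder values (constructed): the thread gives only ANY=0/0.
SAMPLE_ENV = {"ANY": "0/0", "EXTIP1": "198.51.100.1", "FISRH1": "192.168.1.10"}

PROTO_NAMES = {"50": "esp", "51": "ah", "6": "tcp", "17": "udp"}
ANY_ADDR = {"0/0", "0.0.0.0/0", "0.0.0.0/0.0.0.0"}

# IKE is UDP/500 (RFC 2409); ESP is IP protocol 50 (RFC 2406); UDP/10000 is
# assumed here to be the Cisco client's IPsec-over-UDP port, based only on the
# port the posted rules open.
REQUIRED_FLOWS = [("ike", "udp", "500"), ("esp", "esp", None),
                  ("ipsec_over_udp", "udp", "10000")]


def expand_vars(text, env):
    """Substitute $VAR from env; unknown variables are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), text)


def parse_ipchains(tokens):
    """Parse 'ipchains -A chain [-p proto] [-s addr [port]] [-d addr [port]] -j target'."""
    rule = {"kind": "filter", "chain": None, "proto": None, "src": None,
            "sport": None, "dst": None, "dport": None, "target": None}
    i = 1
    while i < len(tokens):
        flag, has_arg = tokens[i], i + 1 < len(tokens)
        if flag == "-A" and has_arg:
            rule["chain"] = tokens[i + 1]; i += 2
        elif flag == "-p" and has_arg:
            proto = tokens[i + 1].lower()
            rule["proto"] = PROTO_NAMES.get(proto, proto); i += 2
        elif flag in ("-s", "-d") and has_arg:
            side = "src" if flag == "-s" else "dst"
            rule[side] = tokens[i + 1]; i += 2
            # ipchains syntax: an optional port (or range) follows the address.
            if i < len(tokens) and not tokens[i].startswith("-"):
                rule["sport" if side == "src" else "dport"] = tokens[i]; i += 1
        elif flag == "-j" and has_arg:
            rule["target"] = tokens[i + 1]; i += 2
        else:
            i += 1  # flag we do not model: skip it
    return rule if rule["chain"] else None


def parse_portfw(tokens):
    """Parse 'ipmasqadm portfw -a -P proto -L ext_addr ext_port -R int_addr int_port'."""
    rule = {"kind": "portfw", "proto": None, "ext": None, "ext_port": None,
            "int": None, "int_port": None}
    i = 2
    while i < len(tokens):
        flag = tokens[i]
        if flag == "-P" and i + 1 < len(tokens):
            rule["proto"] = tokens[i + 1].lower(); i += 2
        elif flag in ("-L", "-R") and i + 2 < len(tokens):
            side = "ext" if flag == "-L" else "int"
            rule[side], rule[side + "_port"] = tokens[i + 1], tokens[i + 2]; i += 3
        else:
            i += 1
    return rule


def parse_rules(text, env):
    rules = []
    for line in expand_vars(text, env).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "ipchains":
            rule = parse_ipchains(tokens)
            if rule:
                rules.append(rule)
        elif tokens[0] == "ipmasqadm" and len(tokens) > 1 and tokens[1] == "portfw":
            rules.append(parse_portfw(tokens))
    return rules


def audit(text, env):
    """Per required flow: accepted on the input chain? port-forwarded?
    ESP/AH have no port, so portfw is reported as None for them."""
    rules = parse_rules(text, env)
    report = {}
    for name, proto, port in REQUIRED_FLOWS:
        accepted = any(r["kind"] == "filter" and r["chain"] == "input"
                       and r["target"] == "ACCEPT" and r["proto"] == proto
                       and (port is None or port in (r["dport"], r["sport"]))
                       for r in rules)
        forwarded = None if port is None else any(
            r["kind"] == "portfw" and r["proto"] == proto and r["ext_port"] == port
            for r in rules)
        report[name] = {"input_accept": accepted, "portfw": forwarded}
    report["any_to_any_accepts"] = [
        r for r in rules if r["kind"] == "filter" and r["target"] == "ACCEPT"
        and r["src"] in ANY_ADDR and r["dst"] in ANY_ADDR]
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES, SAMPLE_ENV).items():
        print(key, value)
```

Adding a UDP/500 portfw line to the rule text flips the IKE entry's portfw result to True, which is the quickest way to confirm the audit tracks the one change Mike's reply is asking about.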
-----Original Message-----
From: Hugh E Cruickshank [mailto:hugh@xxxxxxxxxxx] 
Sent: Wednesday, December 17, 2003 2:11 PM
To: redhat-list@xxxxxxxxxx
Subject: RE: Cisco Linux VPN Client problems

Hi Mike:

Thanks for your reply. I will double check my handling for the
group and user name/passwords in the profile.

Besides that does my setup appear viable?

Thanks muchly!

Regards, Hugh

-- 
Hugh E Cruickshank, Forward Software, www.forward-software.com

From: Mike Koponick Sent: Wednesday, December 17, 2003 13:58
> 
> Hugh,
> 
> The error you are seeing has one (or both) causes:
> 
> 1) The GroupName/GroupPassword is incorrect
> 2) The VPN client cannot connect to the PIX for ?? reason.
> 
> I have set up multiple VPN clients (Cisco type) on Linux going to
> multiple VPN servers (Cisco) and haven't had any problems.
> 
> I hope that helps.
> 
> Mike
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> -----Original Message-----
> From: Hugh E Cruickshank [mailto:hugh@xxxxxxxxxxx] 
> Sent: Wednesday, December 17, 2003 1:02 PM
> To: Redhat-List
> Subject: Cisco Linux VPN Client problems
> 
> Hi All:
> 
> Can someone give me a sanity check? I am relatively new to Linux
> (less than 2 years) and have never set up a VPN before.
> 
> We are attempting to establish a VPN to a client's system. The
> client has a Cisco PIX Firewall 515 and I have been attempting to
> implement Cisco's Linux VPN Client software (V3.5.2) without
> much success.
> 
> To start with, I doubt that the problem is at the client's end as
> the Cisco unit has been in place for a while and they have several
> Windows-based clients accessing it without any problems. However,
> they have never implemented the Linux VPN client software, so they
> have been of limited help.
> 
> At our end, we have a GNet DSL modem that is feeding one side of an
> RH6.2/IPChains-based firewall. The other side of the firewall
> feeds our internal class C subnet. I have set up the Cisco client
> software on a separate RH7.2 system for testing.
> 
> Question 1: Is this configuration viable, or should I have set up the
>             VPN software on either the firewall or a box with
>             external access?
> 
> Continuing with my story, I am able to ping the Cisco router from
> the test system, so the overall connectivity would appear to be good
> and NAT is working.
> 
> I have added the following rules to our firewall script:
> 
> ipchains -A input -p 50  -s $ANY -d $ANY       -j ACCEPT
> ipchains -A input -p 51  -s $ANY -d $ANY       -j ACCEPT
> ipchains -A input -p tcp -s $ANY -d $ANY 500   -j ACCEPT
> ipchains -A input -p udp -s $ANY -d $ANY 500   -j ACCEPT
> ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
> ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
> ipmasqadm portfw -a -P tcp -L $EXTIP1 500 -R $FISRH1 500
> 
> where ANY=0/0, EXTIP1 is the external IP address and FISRH1 is
> the IP address of the box on which the VPN software is installed.
> 
> In desperation I have also added:
> 
> ipchains -A input -p tcp -s $ANY 500   -d $ANY -j ACCEPT
> ipchains -A input -p udp -s $ANY 500   -d $ANY -j ACCEPT
> ipchains -A input -p tcp -s $ANY 10000 -d $ANY -j ACCEPT
> ipchains -A input -p udp -s $ANY 10000 -d $ANY -j ACCEPT
> 
> Question 2: Anything obviously wrong with the firewall mods?
> 
> When I attempt to connect the VPN client, it fails with the messages:
> 
> Cisco Systems VPN Client Version 3.5.2 (Rel)
> Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Linux
> Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> 
> Initializing the IPSec link.
> Contacting the gateway at AAA.BBB.CCC.DDD
> Remote peer is no longer responding.
> 
> 
> The resulting log file contains:
> 
> 1      13:57:34.353  12/17/2003  Sev=Info/4	CLI/0x43900002
> Started vpnclient:
> Cisco Systems VPN Client Version 3.5.2 (Rel)
> Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Linux
> Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> 
> 2      13:57:34.365  12/17/2003  Sev=Info/4	CVPND/0x4340000F
> Started cvpnd:
> Cisco Systems VPN Client Version 3.5.2 (Rel)
> Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Linux
> Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> 
> 3      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700014
> Deleted all keys
> 
> 4      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700009
> IPSec driver already started
> 
> 5      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700009
> IPSec driver already started
> 
> 6      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700014
> Deleted all keys
> 
> 7      13:57:35.369  12/17/2003  Sev=Info/4	CM/0x43100002
> Begin connection process
> 
> 8      13:57:35.371  12/17/2003  Sev=Info/4	CM/0x43100004
> Establish secure connection using Ethernet
> 
> 9      13:57:35.371  12/17/2003  Sev=Info/4	CM/0x43100026
> Attempt connection with server "AAA.BBB.CCC.DDD"
> 
> 10     13:57:35.371  12/17/2003  Sev=Info/6	IKE/0x4300003B
> Attempting to establish a connection with AAA.BBB.CCC.DDD.
> 
> 11     13:57:35.586  12/17/2003  Sev=Info/4	IKE/0x43000013
> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
> AAA.BBB.CCC.DDD
> 
> 12     13:57:35.586  12/17/2003  Sev=Info/4	IPSEC/0x43700009
> IPSec driver already started
> 
> 13     13:57:35.586  12/17/2003  Sev=Info/4	IPSEC/0x43700014
> Deleted all keys
> 
> 14     13:57:40.588  12/17/2003  Sev=Info/4	IKE/0x43000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> 
> 15     13:57:45.628  12/17/2003  Sev=Info/4	IKE/0x43000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> 
> 16     13:57:50.668  12/17/2003  Sev=Info/4	IKE/0x43000013
> SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> 
> 17     13:57:55.708  12/17/2003  Sev=Warning/2	IKE/0xC300007C
> Exceeded 3 IKE SA negotiation retransmits... peer is not responding
> 
> 18     13:57:55.708  12/17/2003  Sev=Info/4	CM/0x43100014
> Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
> "DEL_REASON_PEER_NOT_RESPONDING"
> 
> 19     13:57:55.708  12/17/2003  Sev=Info/5	CM/0x43100029
> Initializing CVPNDrv
> 
> 20     13:57:56.828  12/17/2003  Sev=Info/4	IPSEC/0x43700009
> IPSec driver already started
> 
> 21     13:57:56.828  12/17/2003  Sev=Info/4	IPSEC/0x43700014
> Deleted all keys
> 
> I have replaced the client IP address with AAA.BBB.CCC.DDD.
> 
> 
> Any suggestions would be greatly appreciated.
> 
> Regards, Hugh
> 
> --
> Hugh E Cruickshank, Forward Software, www.forward-software.com
> 


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
