Hi Mike:

Thanks muchly, you have given me several things to check out. That's great.

Regards, Hugh

From: Mike Koponick
Sent: Wednesday, December 17, 2003 14:30
>
> Hugh,
>
> As long as you are allowing UDP/500 to pass through, you should be OK. It
> looks like you are in your IPTables setup.
>
> One thing you could do is copy a Windows profile over to your Linux
> setup.
>
> Go to C:\Programs and Settings\Cisco\Profile\profile.pcf (your mileage
> will vary) and copy the file straight away into your profile directory on
> the Linux box. It should work fine.
>
> Also, you may want to double check your start up. Make sure you have the
> VPNCLIENT working (/etc/rc.d/init.d/CISCOVPN start) and then
>
>     sh# vpnclient connect <profile_name WITHOUT the extension>
>
> It should connect you from that.
>
> Mike
>
> -----Original Message-----
> From: Hugh E Cruickshank [mailto:hugh@xxxxxxxxxxx]
> Sent: Wednesday, December 17, 2003 2:11 PM
> To: redhat-list@xxxxxxxxxx
> Subject: RE: Cisco Linux VPN Client problems
>
> Hi Mike:
>
> Thanks for your reply. I will double check my handling for the
> group and user name/passwords in the profile.
>
> Besides that, does my setup appear viable?
>
> Thanks muchly!
>
> Regards, Hugh
>
> --
> Hugh E Cruickshank, Forward Software, www.forward-software.com
>
> From: Mike Koponick
> Sent: Wednesday, December 17, 2003 13:58
> >
> > Hugh,
> >
> > The error you are seeing has one (or both) causes:
> >
> > 1) The GroupName/GroupPassword is incorrect
> > 2) The VPN client cannot connect to the PIX for ?? reason.
> >
> > I have set up multiple VPN clients (Cisco type) on Linux going to
> > multiple VPN servers (Cisco) and haven't had any problems.
> >
> > I hope that helps.
> >
> > Mike
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > -----Original Message-----
> > From: Hugh E Cruickshank [mailto:hugh@xxxxxxxxxxx]
> > Sent: Wednesday, December 17, 2003 1:02 PM
> > To: Redhat-List
> > Subject: Cisco Linux VPN Client problems
> >
> > Hi All:
> >
> > Can someone give me a sanity check? I am relatively new to Linux
> > (less than 2 years) and have never set up a VPN before.
> >
> > We are attempting to establish a VPN to a client's system. The
> > client has a Cisco PIX Firewall 515 and I have been attempting to
> > implement Cisco's Linux VPN Client software (V3.5.2) without
> > much success.
> >
> > To start with, I doubt that the problem is at the client's end as
> > the Cisco unit has been in place for a while and they have several
> > Windows based clients accessing it without any problems. However,
> > they have never implemented the Linux VPN client software so they
> > have been of limited help.
> >
> > At our end, we have a GNet DSL Modem that is feeding one side of an
> > RH6.2/IPChains based firewall. The other side of the firewall
> > feeds our internal class C subnet. I have set up the Cisco client
> > software on a separate RH7.2 system for testing.
> >
> > Question 1: Is this configuration viable, or should I have set up the
> >             VPN software on either the firewall or a box with
> >             external access?
> >
> > Continuing with my story, I am able to ping the Cisco router from
> > the test system, so the overall connectivity would appear to be good
> > and NAT is working.
> >
> > I have added the following rules to our firewall script:
> >
> >     ipchains -A input -p 50 -s $ANY -d $ANY -j ACCEPT
> >     ipchains -A input -p 51 -s $ANY -d $ANY -j ACCEPT
> >     ipchains -A input -p tcp -s $ANY -d $ANY 500 -j ACCEPT
> >     ipchains -A input -p udp -s $ANY -d $ANY 500 -j ACCEPT
> >     ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
> >     ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
> >     ipmasqadm portfw -a -P tcp -L $EXTIP1 500 -R $FISRH1 500
> >
> > where ANY=0/0, EXTIP1 is the external IP address and FISRH1 is
> > the IP address of the box that the VPN software is installed on.
> >
> > In desperation I have also added:
> >
> >     ipchains -A input -p tcp -s $ANY 500 -d $ANY -j ACCEPT
> >     ipchains -A input -p udp -s $ANY 500 -d $ANY -j ACCEPT
> >     ipchains -A input -p tcp -s $ANY 10000 -d $ANY -j ACCEPT
> >     ipchains -A input -p udp -s $ANY 10000 -d $ANY -j ACCEPT
> >
> > Question 2: Anything obviously wrong with the firewall mods?
> >
> > When I attempt to connect the VPN client it fails with the messages:
> >
> >     Cisco Systems VPN Client Version 3.5.2 (Rel)
> >     Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> >     Client Type(s): Linux
> >     Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> >
> >     Initializing the IPSec link.
> >     Contacting the gateway at AAA.BBB.CCC.DDD
> >     Remote peer is no longer responding.
> >
> > The resulting log file contains:
> >
> >     1  13:57:34.353 12/17/2003 Sev=Info/4 CLI/0x43900002
> >     Started vpnclient:
> >     Cisco Systems VPN Client Version 3.5.2 (Rel)
> >     Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> >     Client Type(s): Linux
> >     Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> >
> >     2  13:57:34.365 12/17/2003 Sev=Info/4 CVPND/0x4340000F
> >     Started cvpnd:
> >     Cisco Systems VPN Client Version 3.5.2 (Rel)
> >     Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> >     Client Type(s): Linux
> >     Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> >
> >     3  13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700014
> >     Deleted all keys
> >
> >     4  13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700009
> >     IPSec driver already started
> >
> >     5  13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700009
> >     IPSec driver already started
> >
> >     6  13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700014
> >     Deleted all keys
> >
> >     7  13:57:35.369 12/17/2003 Sev=Info/4 CM/0x43100002
> >     Begin connection process
> >
> >     8  13:57:35.371 12/17/2003 Sev=Info/4 CM/0x43100004
> >     Establish secure connection using Ethernet
> >
> >     9  13:57:35.371 12/17/2003 Sev=Info/4 CM/0x43100026
> >     Attempt connection with server "AAA.BBB.CCC.DDD"
> >
> >     10 13:57:35.371 12/17/2003 Sev=Info/6 IKE/0x4300003B
> >     Attempting to establish a connection with AAA.BBB.CCC.DDD.
> >
> >     11 13:57:35.586 12/17/2003 Sev=Info/4 IKE/0x43000013
> >     SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
> >     AAA.BBB.CCC.DDD
> >
> >     12 13:57:35.586 12/17/2003 Sev=Info/4 IPSEC/0x43700009
> >     IPSec driver already started
> >
> >     13 13:57:35.586 12/17/2003 Sev=Info/4 IPSEC/0x43700014
> >     Deleted all keys
> >
> >     14 13:57:40.588 12/17/2003 Sev=Info/4 IKE/0x43000013
> >     SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> >
> >     15 13:57:45.628 12/17/2003 Sev=Info/4 IKE/0x43000013
> >     SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> >
> >     16 13:57:50.668 12/17/2003 Sev=Info/4 IKE/0x43000013
> >     SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> >
> >     17 13:57:55.708 12/17/2003 Sev=Warning/2 IKE/0xC300007C
> >     Exceeded 3 IKE SA negotiation retransmits... peer is not responding
> >
> >     18 13:57:55.708 12/17/2003 Sev=Info/4 CM/0x43100014
> >     Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
> >     "DEL_REASON_PEER_NOT_RESPONDING"
> >
> >     19 13:57:55.708 12/17/2003 Sev=Info/5 CM/0x43100029
> >     Initializing CVPNDrv
> >
> >     20 13:57:56.828 12/17/2003 Sev=Info/4 IPSEC/0x43700009
> >     IPSec driver already started
> >
> >     21 13:57:56.828 12/17/2003 Sev=Info/4 IPSEC/0x43700014
> >     Deleted all keys
> >
> > I have replaced the client IP address with AAA.BBB.CCC.DDD.
> >
> > Any suggestions would be greatly appreciated.
> >
> > Regards, Hugh
> >
> > --
> > Hugh E Cruickshank, Forward Software, www.forward-software.com
>

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
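Added example (not part of the thread, not Cisco's code): a small Python parser for the cvpnd log format Hugh quoted. It groups each numbered "Sev=..." header with its message text, counts the aggressive-mode (ISAKMP OAK AG) sends and retransmissions, records how long the client kept trying, and reports whether any ISAKMP message was ever received before the client gave up. The first sample is lifted from entries 11-18 of Hugh's log; the second is constructed to show the other outcome, and its "RECEIVING <<<" line, 0x00000000 codes and DEL_REASON_PLACEHOLDER string are assumed placeholders rather than real Cisco output. The verdict text deliberately stops short of blaming the firewall: a gateway that never answers looks identical in this log whether the packets were dropped in transit or the PIX chose not to reply, so the next step after "no-reply" is a capture on the firewall's external interface, not another rule change.

```python
"""Triage a Cisco VPN Client (cvpnd) log: did IKE Phase 1 ever get an answer?

Added example for this thread. Header format taken from the posted log;
the "RECEIVING <<<" line shape is assumed to mirror "SENDING >>>".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry header, e.g. "11 13:57:35.586 12/17/2003 Sev=Info/4 IKE/0x43000013";
# the human-readable message follows on the next line(s).
HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{4})"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
REASON_RE = re.compile(r'because\s+of\s+"(DEL_REASON_\w+)"')


@dataclass
class Entry:
    seq: int
    time_ms: int  # time of day in milliseconds, for elapsed-time arithmetic
    sev: str
    module: str
    code: str
    text: str = ""


def _to_ms(hhmmss: str) -> int:
    hms, ms = hhmmss.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + int(ms)


def parse_log(raw: str) -> List[Entry]:
    """Attach continuation lines (including e-mail wrapped ones) to their header."""
    entries: List[Entry] = []
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(Entry(int(m["seq"]), _to_ms(m["time"]), m["sev"], m["module"], m["code"]))
        elif entries and line.strip():
            entries[-1].text = (entries[-1].text + " " + line.strip()).strip()
    return entries


@dataclass
class Phase1Report:
    sent: int = 0            # ISAKMP aggressive-mode messages transmitted
    retransmits: int = 0     # ...of which were retransmissions
    received: int = 0        # ISAKMP messages that came back from the gateway
    timed_out: bool = False  # "Exceeded N IKE SA negotiation retransmits" seen
    reason: Optional[str] = None
    elapsed_s: Optional[float] = None  # first send -> give-up
    verdict: str = "inconclusive"


def diagnose_phase1(entries: List[Entry]) -> Phase1Report:
    r = Phase1Report()
    first_send = give_up = None
    for e in entries:
        if e.module not in ("IKE", "CM"):
            continue  # IPSEC driver chatter is irrelevant to Phase 1
        if e.text.startswith("SENDING >>> ISAKMP OAK AG"):
            r.sent += 1
            first_send = e.time_ms if first_send is None else first_send
            if "(Retransmission)" in e.text:
                r.retransmits += 1
        elif e.text.startswith("RECEIVING <<< ISAKMP"):
            r.received += 1
        elif "Exceeded" in e.text and "retransmits" in e.text:
            r.timed_out = True
            give_up = e.time_ms
        m = REASON_RE.search(e.text)
        if m:
            r.reason = m.group(1)
    if first_send is not None and give_up is not None:
        r.elapsed_s = (give_up - first_send) / 1000
    if r.sent and not r.received and (r.timed_out or r.reason == "DEL_REASON_PEER_NOT_RESPONDING"):
        # Nothing came back on UDP/500: dropped in transit (firewall/NAT) or the
        # gateway declined to answer. The log cannot tell which; capture packets.
        r.verdict = "no-reply"
    elif r.received and r.reason:
        r.verdict = "answered-but-failed"  # path works; negotiation itself failed
    elif r.received:
        r.verdict = "answered"
    return r


# Entries 11-18 of the log posted in the thread (IPSEC entries 12-13 omitted).
HUGH_LOG = """\
11 13:57:35.586 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
AAA.BBB.CCC.DDD

14 13:57:40.588 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

15 13:57:45.628 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

16 13:57:50.668 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

17 13:57:55.708 12/17/2003 Sev=Warning/2 IKE/0xC300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

18 13:57:55.708 12/17/2003 Sev=Info/4 CM/0x43100014
Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
"DEL_REASON_PEER_NOT_RESPONDING"
"""

# Constructed counter-example: gateway answers, then negotiation fails.
# The RECEIVING line, 0x00000000 codes and reason string are placeholders.
ANSWERED_LOG = """\
1 14:02:10.100 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to AAA.BBB.CCC.DDD

2 14:02:10.300 12/17/2003 Sev=Info/5 IKE/0x00000000
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID) from AAA.BBB.CCC.DDD

3 14:02:10.310 12/17/2003 Sev=Info/4 CM/0x00000000
Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of "DEL_REASON_PLACEHOLDER"
"""

if __name__ == "__main__":
    for name, raw in (("hugh", HUGH_LOG), ("constructed", ANSWERED_LOG)):
        rep = diagnose_phase1(parse_log(raw))
        print(f"{name}: sent={rep.sent} retransmits={rep.retransmits} received={rep.received} "
              f"timed_out={rep.timed_out} reason={rep.reason} elapsed_s={rep.elapsed_s} -> {rep.verdict}")
```

Run it against a real cvpnd log by reading the file into `parse_log`; on Hugh's entries it reports four sends, three retransmissions, nothing received over 20.122 seconds and the verdict "no-reply".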