RE: Cisco Linux VPN Client problems

From: Mike Koponick (mike_at_redhawk.info)
Date: 12/17/03

    To: <redhat-list@redhat.com>
    Date: Wed, 17 Dec 2003 13:58:18 -0800
    
    

    Hugh,

    The error you are seeing has one (or both) of two causes:

    1) The GroupName/GroupPassword is incorrect
    2) The VPN client cannot connect to the PIX for ?? reason.

    I have set up multiple VPN clients (Cisco type) on Linux going to multiple
    VPN servers (Cisco) and haven't had any problems.

    I hope that helps.

    Mike

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    -----Original Message-----
    From: Hugh E Cruickshank [mailto:hugh@forsoft.com]
    Sent: Wednesday, December 17, 2003 1:02 PM
    To: Redhat-List
    Subject: Cisco Linux VPN Client problems

    Hi All:

    Can someone give me a sanity check? I am relatively new to Linux
    (less than 2 years) and have never set up a VPN before.

    We are attempting to establish a VPN to a client's system. The
    client has a Cisco PIX Firewall 515 and I have been attempting to
    implement Cisco's Linux VPN Client software (V3.5.2) without
    much success.

    To start with, I doubt that the problem is at the client's end as
    the Cisco unit has been in place for a while and they have several
    Windows based clients accessing it without any problems. However
    they have never implemented the Linux VPN client software so they
    have been of limited help.

    At our end, we have a GNet DSL Modem that is feeding one side of an
    RH6.2/IPChains based firewall. The other side of the firewall
    feeds our internal class C subnet. I have set up the Cisco client
    software on a separate RH7.2 system for testing.

    Question 1: Is this configuration viable, or should I have set up the
                VPN software on either the firewall or a box with
                external access?

    Continuing with my story, I am able to ping the Cisco router from
    the test system so the overall connectivity would appear to be good
    and NAT is working.

    I have added the following rules to our firewall script:

    ipchains -A input -p 50 -s $ANY -d $ANY -j ACCEPT
    ipchains -A input -p 51 -s $ANY -d $ANY -j ACCEPT
    ipchains -A input -p tcp -s $ANY -d $ANY 500 -j ACCEPT
    ipchains -A input -p udp -s $ANY -d $ANY 500 -j ACCEPT
    ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
    ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
    ipmasqadm portfw -a -P tcp -L $EXTIP1 500 -R $FISRH1 500

    where ANY=0/0, EXTIP1 is the external IP address and FISRH1 is
    the IP address of the box that the VPN software is installed.

    In desperation I have also added:

    ipchains -A input -p tcp -s $ANY 500 -d $ANY -j ACCEPT
    ipchains -A input -p udp -s $ANY 500 -d $ANY -j ACCEPT
    ipchains -A input -p tcp -s $ANY 10000 -d $ANY -j ACCEPT
    ipchains -A input -p udp -s $ANY 10000 -d $ANY -j ACCEPT

    Question 2: Anything obviously wrong with the firewall mods?

    When I attempt to connect the VPN client it fails with the messages:

    Cisco Systems VPN Client Version 3.5.2 (Rel)
    Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Linux
    Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586

    Initializing the IPSec link.
    Contacting the gateway at AAA.BBB.CCC.DDD
    Remote peer is no longer responding.

    The resulting log file contains:

    1 13:57:34.353 12/17/2003 Sev=Info/4 CLI/0x43900002
    Started vpnclient:
    Cisco Systems VPN Client Version 3.5.2 (Rel)
    Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Linux
    Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586

    2 13:57:34.365 12/17/2003 Sev=Info/4 CVPND/0x4340000F
    Started cvpnd:
    Cisco Systems VPN Client Version 3.5.2 (Rel)
    Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Linux
    Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586

    3 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700014
    Deleted all keys

    4 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700009
    IPSec driver already started

    5 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700009
    IPSec driver already started

    6 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700014
    Deleted all keys

    7 13:57:35.369 12/17/2003 Sev=Info/4 CM/0x43100002
    Begin connection process

    8 13:57:35.371 12/17/2003 Sev=Info/4 CM/0x43100004
    Establish secure connection using Ethernet

    9 13:57:35.371 12/17/2003 Sev=Info/4 CM/0x43100026
    Attempt connection with server "AAA.BBB.CCC.DDD"

    10 13:57:35.371 12/17/2003 Sev=Info/6 IKE/0x4300003B
    Attempting to establish a connection with AAA.BBB.CCC.DDD.

    11 13:57:35.586 12/17/2003 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
    AAA.BBB.CCC.DDD

    12 13:57:35.586 12/17/2003 Sev=Info/4 IPSEC/0x43700009
    IPSec driver already started

    13 13:57:35.586 12/17/2003 Sev=Info/4 IPSEC/0x43700014
    Deleted all keys

    14 13:57:40.588 12/17/2003 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

    15 13:57:45.628 12/17/2003 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

    16 13:57:50.668 12/17/2003 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

    17 13:57:55.708 12/17/2003 Sev=Warning/2 IKE/0xC300007C
    Exceeded 3 IKE SA negotiation retransmits... peer is not responding

    18 13:57:55.708 12/17/2003 Sev=Info/4 CM/0x43100014
    Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
    "DEL_REASON_PEER_NOT_RESPONDING"

    19 13:57:55.708 12/17/2003 Sev=Info/5 CM/0x43100029
    Initializing CVPNDrv

    20 13:57:56.828 12/17/2003 Sev=Info/4 IPSEC/0x43700009
    IPSec driver already started

    21 13:57:56.828 12/17/2003 Sev=Info/4 IPSEC/0x43700014
    Deleted all keys

    I have replaced the client IP address with AAA.BBB.CCC.DDD.

    Any suggestions would be greatly appreciated.

    Regards, Hugh

    --
    Hugh E Cruickshank, Forward Software, www.forward-software.com
    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
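    The log Hugh quotes shows the client sending ISAKMP aggressive-mode (OAK AG) packets and logging only retransmissions until it gives up. As an added example, not code from the thread, here is a small Python parser for that vpnclient log format that counts Phase 1 packets out and in and pulls the logged failure reason; the sample log is constructed from the quoted entries, and the "RECEIVING <<<" marker it looks for is an assumption about how replies are logged.

```python
import re

# Constructed sample in the vpnclient log format quoted in the post:
# "<seq> <time> <date> Sev=<level>/<n> <module>/0x<code>" then the message line(s).
SAMPLE_LOG = """\
11 13:57:35.586 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
AAA.BBB.CCC.DDD

14 13:57:40.588 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

17 13:57:55.708 12/17/2003 Sev=Warning/2 IKE/0xC300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

18 13:57:55.708 12/17/2003 Sev=Info/4 CM/0x43100014
Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
"DEL_REASON_PEER_NOT_RESPONDING"
"""

HEADER = re.compile(r"^(\d+) (\S+) (\S+) Sev=(\w+)/(\d) (\w+)/0x([0-9A-Fa-f]+)$")

def parse_entries(text):
    """One dict per entry; wrapped message lines are joined into 'msg'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0].strip())
        if not m:
            continue  # not a vpnclient entry header
        entries.append({"seq": int(m.group(1)), "sev": m.group(4), "module": m.group(6),
                        "code": m.group(7).upper(), "msg": " ".join(l.strip() for l in lines[1:])})
    return entries

def diagnose_phase1(text):
    """Count Phase 1 packets out and in, and pull the failure reason if one is logged."""
    entries = parse_entries(text)
    ike = [e["msg"] for e in entries if e["module"] == "IKE"]
    sent = [m for m in ike if m.startswith("SENDING >>> ISAKMP OAK")]
    # Assumption: peer replies are logged as "RECEIVING <<< ..."; the quoted log has none.
    received = [m for m in ike if m.startswith("RECEIVING <<<")]
    reasons = [r.group(1) for e in entries
               for r in [re.search(r'because of\s+"([A-Z_]+)"', e["msg"])] if r]
    verdict = ("peer answered Phase 1; look later in the exchange" if received
               else "no IKE reply reached the client: check the UDP/500 path end to end")
    return {"sent": len(sent), "retransmissions": sum("(Retransmission)" in m for m in sent),
            "received": len(received), "reason": reasons[-1] if reasons else None,
            "verdict": verdict}
```

    IKE runs over UDP/500, while the portfw rule in the post forwards TCP 500, and ESP (IP protocol 50) carries no port numbers for a port forwarder to match.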
    
