RE: Cisco Linux VPN Client problems

From: Hugh E Cruickshank (hugh_at_forsoft.com)
Date: 12/17/03

    To: <redhat-list@redhat.com>
    Date: Wed, 17 Dec 2003 14:11:24 -0800
    
    

    Hi Mike:

    Thanks for your reply. I will double check my handling for the
    group and user name/passwords in the profile.

    Besides that does my setup appear viable?

    Thanks muchly!

    Regards, Hugh

    -- 
    Hugh E Cruickshank, Forward Software, www.forward-software.com
    From: Mike Koponick Sent: Wednesday, December 17, 2003 13:58
    > 
    > Hugh,
    > 
    > The error you are seeing has one (or both) causes:
    > 
    > 1) The GroupName/GroupPassword is incorrect
    > 2) The VPN client cannot connect to the PIX for ?? reason.
    > 
    > I have set multiple VPN clients (cisco type) on Linux going to multiple
    > VPN server (cisco) and haven't had any problems.
    > 
    > I hope that helps.
    > 
    > Mike
    > 
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > 
    > 
    > -----Original Message-----
    > From: Hugh E Cruickshank [mailto:hugh@forsoft.com] 
    > Sent: Wednesday, December 17, 2003 1:02 PM
    > To: Redhat-List
    > Subject: Cisco Linux VPN Client problems
    > 
    > Hi All:
    > 
    > Can someone give me a sanity check? I am relatively new to Linux
    > (less than 2 years) and have never set up a VPN before.
    > 
    > We are attempting to establish a VPN to a client's system. The
    > client has a Cisco PIX Firewall 515 and I have been attempting to
    > implement Cisco's Linux VPN Client software (V3.5.2) without
    > much success.
    > 
    > To start with, I doubt that the problem is at the client's end as
    > the Cisco unit has been in place for a while and they have several
    > Windows based clients accessing it without any problems. However
    > they have never implemented the Linux VPN client software so they
    > have been of limited help.
    > 
    > At our end, we have a GNet DSL Modem that is feeding one side of a
    > RH6.2/IPChains-based firewall. The other side of the firewall
    > feeds our internal class C subnet. I have set up the Cisco client
    > software on a separate RH7.2 system for testing.
    > 
    > Question 1: Is this configuration viable or should I have set up the
    >             VPN software on either the firewall or a box with
    >             external access?
    > 
    > Continuing with my story, I am able to ping the Cisco router from
    > the test system so the overall connectivity would appear to be good
    > and NAT is working.
    > 
    > I have added the following rules to our firewall script:
    > 
    > ipchains -A input -p 50  -s $ANY -d $ANY       -j ACCEPT
    > ipchains -A input -p 51  -s $ANY -d $ANY       -j ACCEPT
    > ipchains -A input -p tcp -s $ANY -d $ANY 500   -j ACCEPT
    > ipchains -A input -p udp -s $ANY -d $ANY 500   -j ACCEPT
    > ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
    > ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
    > ipmasqadm portfw -a -P tcp -L $EXTIP1 500 -R $FISRH1 500
    > 
    > where ANY=0/0, EXTIP1 is the external IP address and FISRH1 is
    > the IP address of the box that the VPN software is installed.
    > 
    > In desperation I have also added:
    > 
    > ipchains -A input -p tcp -s $ANY 500   -d $ANY -j ACCEPT
    > ipchains -A input -p udp -s $ANY 500   -d $ANY -j ACCEPT
    > ipchains -A input -p tcp -s $ANY 10000 -d $ANY -j ACCEPT
    > ipchains -A input -p udp -s $ANY 10000 -d $ANY -j ACCEPT
    > 
    > Question 2: Anything obviously wrong with the firewall mods?
    > 
    > When I attempt to connect the VPN client it fails with the messages:
    > 
    > Cisco Systems VPN Client Version 3.5.2 (Rel)
    > Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    > Client Type(s): Linux
    > Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
    > 
    > Initializing the IPSec link.
    > Contacting the gateway at AAA.BBB.CCC.DDD
    > Remote peer is no longer responding.
    > 
    > 
    > The resulting log file contains:
    > 
    > 1      13:57:34.353  12/17/2003  Sev=Info/4	CLI/0x43900002
    > Started vpnclient:
    > Cisco Systems VPN Client Version 3.5.2 (Rel)
    > Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    > Client Type(s): Linux
    > Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
    > 
    > 2      13:57:34.365  12/17/2003  Sev=Info/4	CVPND/0x4340000F
    > Started cvpnd:
    > Cisco Systems VPN Client Version 3.5.2 (Rel)
    > Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    > Client Type(s): Linux
    > Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
    > 
    > 3      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700014
    > Deleted all keys
    > 
    > 4      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700009
    > IPSec driver already started
    > 
    > 5      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700009
    > IPSec driver already started
    > 
    > 6      13:57:34.366  12/17/2003  Sev=Info/4	IPSEC/0x43700014
    > Deleted all keys
    > 
    > 7      13:57:35.369  12/17/2003  Sev=Info/4	CM/0x43100002
    > Begin connection process
    > 
    > 8      13:57:35.371  12/17/2003  Sev=Info/4	CM/0x43100004
    > Establish secure connection using Ethernet
    > 
    > 9      13:57:35.371  12/17/2003  Sev=Info/4	CM/0x43100026
    > Attempt connection with server "AAA.BBB.CCC.DDD"
    > 
    > 10     13:57:35.371  12/17/2003  Sev=Info/6	IKE/0x4300003B
    > Attempting to establish a connection with AAA.BBB.CCC.DDD.
    > 
    > 11     13:57:35.586  12/17/2003  Sev=Info/4	IKE/0x43000013
    > SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
    > AAA.BBB.CCC.DDD
    > 
    > 12     13:57:35.586  12/17/2003  Sev=Info/4	IPSEC/0x43700009
    > IPSec driver already started
    > 
    > 13     13:57:35.586  12/17/2003  Sev=Info/4	IPSEC/0x43700014
    > Deleted all keys
    > 
    > 14     13:57:40.588  12/17/2003  Sev=Info/4	IKE/0x43000013
    > SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
    > 
    > 15     13:57:45.628  12/17/2003  Sev=Info/4	IKE/0x43000013
    > SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
    > 
    > 16     13:57:50.668  12/17/2003  Sev=Info/4	IKE/0x43000013
    > SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
    > 
    > 17     13:57:55.708  12/17/2003  Sev=Warning/2	IKE/0xC300007C
    > Exceeded 3 IKE SA negotiation retransmits... peer is not responding
    > 
    > 18     13:57:55.708  12/17/2003  Sev=Info/4	CM/0x43100014
    > Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
    > "DEL_REASON_PEER_NOT_RESPONDING"
    > 
    > 19     13:57:55.708  12/17/2003  Sev=Info/5	CM/0x43100029
    > Initializing CVPNDrv
    > 
    > 20     13:57:56.828  12/17/2003  Sev=Info/4	IPSEC/0x43700009
    > IPSec driver already started
    > 
    > 21     13:57:56.828  12/17/2003  Sev=Info/4	IPSEC/0x43700014
    > Deleted all keys
    > 
    > I have replaced the client IP address with AAA.BBB.CCC.DDD.
    > 
    > 
    > Any suggestions would be greatly appreciated.
    > 
    > Regards, Hugh
    > 
    > --
    > Hugh E Cruickshank, Forward Software, www.forward-software.com
    > 
    > 
    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
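The log Hugh posted never shows an inbound IKE packet: the client sends its aggressive-mode proposal, retransmits three times, and gives up. A small parser that turns that pattern into a verdict is a handy first check before touching group names or passwords. The code below is an added example, not from the thread or from Cisco; the log header layout is assumed from the log above, and the wording "RECEIVED <<<" for inbound IKE entries is an assumption.

```python
import re

# Header line of a Cisco VPN Client 3.x log entry (format assumed from the post's log), e.g.
#   "11     13:57:35.586  12/17/2003  Sev=Info/4   IKE/0x43000013"
HEADER_RE = re.compile(r"^\s*(\d+)\s+\d\d:\d\d:\d\d\.\d+\s+\S+\s+Sev=(\w+)/\d\s+(\w+)/0x[0-9A-Fa-f]+\s*$")

def parse_log(text):
    """Return [(seq, severity, component, message)]; message lines follow the header
    and long ones wrap onto a second line, so continuation lines are joined."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append([int(m[1]), m[2], m[3], ""])
        elif entries and line.strip():
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def diagnose_phase1(entries):
    """Classify the Phase 1 outcome from what the IKE component sent and received."""
    ike = [msg for _, _, comp, msg in entries if comp == "IKE"]
    sent = sum(msg.startswith("SENDING >>>") for msg in ike)
    retrans = sum("(Retransmission)" in msg for msg in ike)
    received = sum(msg.startswith("RECEIVED <<<") for msg in ike)  # assumed inbound wording
    timed_out = any("peer is not responding" in msg for msg in ike)
    if sent and not received and timed_out:
        verdict = "no-reply-from-peer"  # check the path (NAT, UDP 500, ESP) before credentials
    elif received and timed_out:
        verdict = "peer-replied-then-silent"  # proposal or group mismatch territory
    else:
        verdict = "peer-responded" if received else "inconclusive"
    return {"sent": sent, "retransmissions": retrans, "received": received, "verdict": verdict}

# Abridged excerpt of the log in the post above (entries 11, 14, 17 and 18).
SAMPLE_LOG = """\
11     13:57:35.586  12/17/2003  Sev=Info/4   IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
AAA.BBB.CCC.DDD

14     13:57:40.588  12/17/2003  Sev=Info/4   IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

17     13:57:55.708  12/17/2003  Sev=Warning/2   IKE/0xC300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
18     13:57:55.708  12/17/2003  Sev=Info/4   CM/0x43100014
Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of
"DEL_REASON_PEER_NOT_RESPONDING"
"""
print(diagnose_phase1(parse_log(SAMPLE_LOG)))
```

Run against a full log file (`diagnose_phase1(parse_log(open(path).read()))`), the verdict separates "nothing ever came back" from "the PIX answered and then dropped us", which decides whether to look at the firewall path or at the profile first.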
    
