RE: Cisco Linux VPN Client problems
From: Hugh E Cruickshank (hugh_at_forsoft.com)
Date: 12/17/03
- Previous message: Ed Kim: "RE: compiling fasttrak raid driver in with latest RH kernel"
- In reply to: Mike Koponick: "RE: Cisco Linux VPN Client problems"
- Next in thread: Ed Alexander: "Re: Cisco Linux VPN Client problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: <redhat-list@redhat.com> Date: Wed, 17 Dec 2003 14:47:57 -0800
Hi Mike:
Thanks muchly, you have given me several things to check out.
That's great.
Regards, Hugh
From: Mike Koponick Sent: Wednesday, December 17, 2003 14:30
>
> Hugh,
>
> As long as you are allowing UDP/500 to pass through, you should be OK. It
> looks like you are in your IPTables setup.
>
> One thing you could do is copy a Windows profile over to your Linux
> setup.
>
> Go to: C:\Programs and Settings\Cisco\Profile\profile.pcf (your mileage
> will vary) and copy the file straight away into your profile directory on
> the Linux box. It should work fine.
>
> Also, you may want to double check your start up. Make sure you have the
> VPNCLIENT working (/etc/rc.d/init.d/CISCOVPN start) and then
> sh# vpnclient connect <profile_name WITHOUT the extension>
>
> It should connect you from that.
>
> Mike
>
> -----Original Message-----
> From: Hugh E Cruickshank [mailto:hugh@forsoft.com]
> Sent: Wednesday, December 17, 2003 2:11 PM
> To: redhat-list@redhat.com
> Subject: RE: Cisco Linux VPN Client problems
>
> Hi Mike:
>
> Thanks for your reply. I will double check my handling for the
> group and user name/passwords in the profile.
>
> Besides that does my setup appear viable?
>
> Thanks muchly!
>
> Regards, Hugh
>
> --
> Hugh E Cruickshank, Forward Software, www.forward-software.com
>
> From: Mike Koponick Sent: Wednesday, December 17, 2003 13:58
> >
> > Hugh,
> >
> > The error you are seeing has one (or both) causes:
> >
> > 1) The GroupName/GroupPassword is incorrect
> > 2) The VPN client cannot connect to the PIX for ?? reason.
> >
> > I have set up multiple VPN clients (Cisco type) on Linux going to multiple
> > VPN servers (Cisco) and haven't had any problems.
> >
> > I hope that helps.
> >
> > Mike
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >
> > -----Original Message-----
> > From: Hugh E Cruickshank [mailto:hugh@forsoft.com]
> > Sent: Wednesday, December 17, 2003 1:02 PM
> > To: Redhat-List
> > Subject: Cisco Linux VPN Client problems
> >
> > Hi All:
> >
> > Can someone give me a sanity check? I am relatively new to Linux
> > (less than 2 years) and have never set up a VPN before.
> >
> > We are attempting to establish a VPN to a client's system. The
> > client has a Cisco PIX Firewall 515 and I have been attempting to
> > implement Cisco's Linux VPN Client software (V3.5.2) without
> > much success.
> >
> > To start with, I doubt that the problem is at the client's end as
> > the Cisco unit has been in place for a while and they have several
> > Windows based clients accessing it without any problems. However
> > they have never implemented the Linux VPN client software so they
> > have been of limited help.
> >
> > At our end, we have a GNet DSL Modem that is feeding one side of an
> > RH6.2/IPChains based firewall. The other side of the firewall
> > feeds our internal class C subnet. I have setup the Cisco client
> > software on a separate RH7.2 system for testing.
> >
> > Question 1: Is this configuration viable, or should I have set up the
> > VPN software on either the firewall or a box with
> > external access?
> >
> > Continuing with my story, I am able to ping the Cisco router from
> > the test system so the overall connectivity would appear to be good
> > and NAT is working.
> >
> > I have added the following rules to our firewall script:
> >
> > ipchains -A input -p 50 -s $ANY -d $ANY -j ACCEPT
> > ipchains -A input -p 51 -s $ANY -d $ANY -j ACCEPT
> > ipchains -A input -p tcp -s $ANY -d $ANY 500 -j ACCEPT
> > ipchains -A input -p udp -s $ANY -d $ANY 500 -j ACCEPT
> > ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
> > ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
> > ipmasqadm portfw -a -P tcp -L $EXTIP1 500 -R $FISRH1 500
> >
> > where ANY=0/0, EXTIP1 is the external IP address and FISRH1 is
> > the IP address of the box that the VPN software is installed.
> >
> > In desperation I have also added:
> >
> > ipchains -A input -p tcp -s $ANY 500 -d $ANY -j ACCEPT
> > ipchains -A input -p udp -s $ANY 500 -d $ANY -j ACCEPT
> > ipchains -A input -p tcp -s $ANY 10000 -d $ANY -j ACCEPT
> > ipchains -A input -p udp -s $ANY 10000 -d $ANY -j ACCEPT
> >
> > Question 2: Anything obviously wrong with the firewall mods?
> >
> > When I attempt to connect the VPN client it fails with the messages:
> >
> > Cisco Systems VPN Client Version 3.5.2 (Rel)
> > Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> > Client Type(s): Linux
> > Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> >
> > Initializing the IPSec link.
> > Contacting the gateway at AAA.BBB.CCC.DDD
> > Remote peer is no longer responding.
> >
> >
> > The resulting log file contains:
> >
> > 1 13:57:34.353 12/17/2003 Sev=Info/4 CLI/0x43900002
> > Started vpnclient:
> > Cisco Systems VPN Client Version 3.5.2 (Rel)
> > Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> > Client Type(s): Linux
> > Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> >
> > 2 13:57:34.365 12/17/2003 Sev=Info/4 CVPND/0x4340000F
> > Started cvpnd:
> > Cisco Systems VPN Client Version 3.5.2 (Rel)
> > Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
> > Client Type(s): Linux
> > Running on: Linux 2.4.20-24.7 #1 Mon Dec 1 13:21:45 EST 2003 i586
> >
> > 3 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700014
> > Deleted all keys
> >
> > 4 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700009
> > IPSec driver already started
> >
> > 5 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700009
> > IPSec driver already started
> >
> > 6 13:57:34.366 12/17/2003 Sev=Info/4 IPSEC/0x43700014
> > Deleted all keys
> >
> > 7 13:57:35.369 12/17/2003 Sev=Info/4 CM/0x43100002
> > Begin connection process
> >
> > 8 13:57:35.371 12/17/2003 Sev=Info/4 CM/0x43100004
> > Establish secure connection using Ethernet
> >
> > 9 13:57:35.371 12/17/2003 Sev=Info/4 CM/0x43100026
> > Attempt connection with server "AAA.BBB.CCC.DDD"
> >
> > 10 13:57:35.371 12/17/2003 Sev=Info/6 IKE/0x4300003B
> > Attempting to establish a connection with AAA.BBB.CCC.DDD.
> >
> > 11 13:57:35.586 12/17/2003 Sev=Info/4 IKE/0x43000013
> > SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
> > AAA.BBB.CCC.DDD
> >
> > 12 13:57:35.586 12/17/2003 Sev=Info/4 IPSEC/0x43700009
> > IPSec driver already started
> >
> > 13 13:57:35.586 12/17/2003 Sev=Info/4 IPSEC/0x43700014
> > Deleted all keys
> >
> > 14 13:57:40.588 12/17/2003 Sev=Info/4 IKE/0x43000013
> > SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> >
> > 15 13:57:45.628 12/17/2003 Sev=Info/4 IKE/0x43000013
> > SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> >
> > 16 13:57:50.668 12/17/2003 Sev=Info/4 IKE/0x43000013
> > SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD
> >
> > 17 13:57:55.708 12/17/2003 Sev=Warning/2 IKE/0xC300007C
> > Exceeded 3 IKE SA negotiation retransmits... peer is not responding
> >
> > 18 13:57:55.708 12/17/2003 Sev=Info/4 CM/0x43100014
> > Unable to establish Phase 1 SA with server "AAA.BBB.CCC.DDD" because of "DEL_REASON_PEER_NOT_RESPONDING"
> >
> > 19 13:57:55.708 12/17/2003 Sev=Info/5 CM/0x43100029
> > Initializing CVPNDrv
> >
> > 20 13:57:56.828 12/17/2003 Sev=Info/4 IPSEC/0x43700009
> > IPSec driver already started
> >
> > 21 13:57:56.828 12/17/2003 Sev=Info/4 IPSEC/0x43700014
> > Deleted all keys
> >
> > I have replaced the client IP address with AAA.BBB.CCC.DDD.
> >
> >
> > Any suggestions would be greatly appreciated.
> >
> > Regards, Hugh
> >
> > --
> > Hugh E Cruickshank, Forward Software, www.forward-software.com
> >
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> >
> >
>
>
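The log Hugh posted and the ipchains rules he added are the two things a reader would want to check mechanically, so here is an added example (not code from this thread, from Red Hat or from Cisco's client): a small Python parser for the vpnclient log format shown above (a header line with sequence number, timestamp, date, Sev=severity/level and component/code, followed by message lines), a phase 1 triage over the IKE entries, and a check that an ipchains ACCEPT list admits what the client path uses. The sample log is copied from the post (the entries that matter, gateway already anonymised); the ipchains rules are copied verbatim; the REQUIRED table (IKE on UDP/500, ESP, Cisco's IPsec-over-UDP default port 10000) and the `<ext_if>` placeholder in the hint are assumptions of this example. It deliberately does not choose between Mike's two causes: from the client's side, a gateway that silently drops the first aggressive-mode packet and a path that never delivers it or its reply both look like three retransmissions and no answer, and only a capture on the firewall's outside interface separates them.

```python
import re
from collections import Counter

# Constructed sample: the IKE entries from the log in Hugh's post, with the gateway
# address anonymised as AAA.BBB.CCC.DDD exactly as in the original.
SAMPLE_LOG = """\
11 13:57:35.586 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to
AAA.BBB.CCC.DDD

14 13:57:40.588 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

15 13:57:45.628 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

16 13:57:50.668 12/17/2003 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.BBB.CCC.DDD

17 13:57:55.708 12/17/2003 Sev=Warning/2 IKE/0xC300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
"""

# The pass-through rules from the post, verbatim (shell variables left unexpanded).
POSTED_RULES = """\
ipchains -A input -p 50 -s $ANY -d $ANY -j ACCEPT
ipchains -A input -p 51 -s $ANY -d $ANY -j ACCEPT
ipchains -A input -p tcp -s $ANY -d $ANY 500 -j ACCEPT
ipchains -A input -p udp -s $ANY -d $ANY 500 -j ACCEPT
ipchains -A input -p tcp -s $ANY -d $ANY 10000 -j ACCEPT
ipchains -A input -p udp -s $ANY -d $ANY 10000 -j ACCEPT
"""

# Entry header as vpnclient writes it: "<seq> <time> <date> Sev=<severity>/<level> <component>/<code>"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d{4})\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)

def parse_log(text):
    """Split a vpnclient log into entries; the message lines under a header are joined into 'msg'."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = m.groupdict()
            cur["seq"], cur["level"], cur["msg"] = int(cur["seq"]), int(cur["level"]), ""
            entries.append(cur)
        elif cur is not None and line:
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return entries

def diagnose_ike(entries):
    """Phase 1 triage over the IKE entries: what was sent, what came back, and a verdict."""
    ike = [e for e in entries if e["comp"] == "IKE"]
    sent = [e for e in ike if e["msg"].startswith("SENDING >>>")]
    received = [e for e in ike if e["msg"].startswith("RECEIVING <<<")]
    retrans = sum("(Retransmission)" in e["msg"] for e in sent)
    exchanges, peer = Counter(), None  # exchanges ends up e.g. {"AG": 4} for Aggressive Mode
    for e in sent:
        m = re.search(r"ISAKMP OAK (\w+).*\bto\s+(\S+)$", e["msg"])
        if m:
            exchanges[m.group(1)] += 1
            peer = peer or m.group(2)
    if sent and not received:
        # Nothing came back at all: the packet was lost on the way out, the reply did not
        # make it back through NAT, or the gateway dropped it silently. Only a capture on
        # the firewall's outside interface tells these apart. <ext_if> is a placeholder.
        verdict = "no_reply"
        hint = f"tcpdump -ni <ext_if> udp port 500 and host {peer}"
    elif any(e["sev"] == "Warning" for e in ike):
        verdict, hint = "negotiation_failed", "the peer answered; read the entries after the first RECEIVING line"
    else:
        verdict, hint = "ok", "no IKE failure recorded"
    return {"peer": peer, "sent": len(sent), "received": len(received), "retransmissions": retrans,
            "exchanges": dict(exchanges), "verdict": verdict, "hint": hint}

# Assumed table of what the client's traffic consists of: IKE on UDP/500, ESP for the tunnel,
# and Cisco's IPsec-over-UDP (default port 10000) when NAT sits between client and gateway.
REQUIRED = {
    ("udp", "500"): "IKE (UDP/500)",
    ("50", None): "ESP (IP protocol 50)",
    ("udp", "10000"): "IPsec over UDP (Cisco default port 10000)",
}

# Destination-keyed ACCEPT rules only; source-port rules (-s $ANY 500) do not describe a service.
RULE = re.compile(r"^ipchains\s+-A\s+input\s+-p\s+(\S+)(?:\s+-s\s+\S+)?(?:\s+-d\s+\S+(?:\s+(\d+))?)?\s+-j\s+ACCEPT$")

def accepted_services(rules):
    """Set of (protocol, destination port or None) pairs that the ipchains input chain admits."""
    return {m.groups() for m in map(RULE.match, rules.strip().splitlines()) if m}

def missing_services(rules):
    """Names from REQUIRED that no ACCEPT rule covers, sorted for stable output."""
    accepted = accepted_services(rules)
    return sorted(name for key, name in REQUIRED.items() if key not in accepted)
```

`diagnose_ike(parse_log(SAMPLE_LOG))` reports four aggressive-mode packets sent to AAA.BBB.CCC.DDD, three of them retransmissions, nothing received, verdict `no_reply`, and the tcpdump line to run on the firewall; `missing_services(POSTED_RULES)` returns an empty list, which is the same observation Mike makes above that the rules already admit UDP/500. Feed it a rule list without the UDP/500 line and it names what is absent.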