From: ziikell101 on 26 Jun 2010 04:37

Hi all,

I am trying to work out where my notebook has a problem.

Last week I could connect to the work VPN, and this week I cannot. (No support available because I use VPNC at home to connect and they mandate Windows only. Another topic for another time.)

The PC can authenticate with the server, bring up the interface tun0 and then set the default route, but I cannot ping, SSH, telnet, nor make DNS requests through the tunnel: essentially any network traffic. I am using the IP addresses for the servers because I know that DNS fails. I have verified that the name servers are correct with the IT department.

Any ideas, as I have to start on-call next week? (I cannot take the PC at work to my home because I locked it to the desk, and lost the key... bolt cutters perhaps next buy.)

/etc/vpnc/tt.conf

IPSec gateway 62.51.16.11
IPSec ID VTL-VPN
IPSec secret nnnnnnnnnnnnnnnnnnnnnnnnnnRemoved
IKE Authmode psk
Xauth username p-tranner
Domain itservices

# vpnc --dpd-idle 0 tt
Enter password for p-tranner(a)62.51.16.11:
Connect Banner:
| access only for authorized personnel!

VPNC started in background (pid: 10537)...
# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.254.98.5  P-t-P:10.254.98.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
62.51.16.11     10.90.90.1      255.255.255.255 UGH    1500 0          0 eth0
10.90.90.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.254.96.0     0.0.0.0         255.255.252.0   U         0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun0

# traceroute 10.205.8.1
traceroute to 10.205.8.1 (10.205.8.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
#
From: ziikell101 on 26 Jun 2010 06:21

On 06/26/2010 10:37 AM, ziikell101 wrote:
> Hi all,
>
> I am trying to work out where my notebook has a problem.
>
> Last week I could connect to the work VPN, and this week I cannot. (No
> support available because I use VPNC at home to connect and they mandate
> Windows only. Another topic for another time.)
>

I have found where the problem is. I swapped out my Cisco PIX 501 with a bog standard Asus wireless router. Suddenly, the VPN works. Thus the problem lies with the PIX. Unsure what causes this.
From: Chris Davies on 26 Jun 2010 10:33

ziikell101 <joekong20(a)yahoo.com> wrote:
> I have found where the problem is. I swapped out my Cisco PIX 501 with a
> bog standard Asus wireless router. Suddenly, the VPN works. Thus the
> problem lies with the PIX. Unsure what causes this.

The PIX may well be trying to do something clever with your IPSec packets, whereas the Asus doesn't. (Or the Asus is successfully doing something clever, whereas the PIX isn't, of course.)

The PIX may be trying to terminate the IPSec connection on your behalf instead of "transparently" NATing it or passing it straight through to you. (This sort of thing used to happen a lot with SIP based VoIP. Turning off the SIP awareness in the router usually made the connection work again.)

Chris
From: ziikell101 on 27 Jun 2010 06:08

On 06/26/2010 04:33 PM, Chris Davies wrote:
> ziikell101 <joekong20(a)yahoo.com> wrote:
[SNIP]

Hi Chris,

A chap on comp.dcom.sys.cisco found the problem. Copied his post below. It worked. It sounded a lot like what you wrote.

z

On 06/27/2010 07:15 AM, Scott Lowe wrote:
>
> On 2010-06-26 06:44:58 -0400, ziikell101 said:
> >
>
> It looks like the PIX is blocking ESP (IP protocol 50), which is
> generally required in order for IPSec to work properly. You probably
> need to enable NAT traversal on your IPSec client so that it can
> encapsulate the traffic in TCP or UDP and help it work correctly with NAT.

ziikell wrote:
> Thank you very much - the problem is solved.
> Added *fixup protocol esp-ike* to the config,
> Added *NAT Traversal Mode cisco-udp* to the VPNC config file.
> All is well.
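The fix above works because NAT traversal moves ESP out of IP protocol 50 into UDP, so a firewall that drops protocol 50 never sees bare ESP. As an added example, not from this thread or from vpnc, the Python below models the standard RFC 3948 encapsulation on UDP/4500, where a four-byte zero marker separates IKE from ESP (whose SPI is never zero). vpnc's cisco-udp mode is Cisco's older proprietary UDP encapsulation and is not modelled here; the sample packets are constructed.

```python
import struct

# RFC 3948 UDP encapsulation of ESP (NAT-T). Constructed example, not vpnc code.
# vpnc's "cisco-udp" mode is Cisco's proprietary UDP encapsulation and differs.
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # marks an IKE message on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that keeps the NAT binding
ESP_HDR = struct.Struct("!II")         # ESP SPI and sequence number, network order


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """Wrap an ESP packet (SPI, seq, encrypted body) as a UDP/4500 payload.
    Bare ESP is IP protocol 50; inside UDP it passes NAT devices and filters
    that drop protocol 50, which is the failure described in this thread."""
    if not (1 <= spi <= 0xFFFFFFFF):
        raise ValueError("ESP SPI must be non-zero; zero is the IKE marker")
    return ESP_HDR.pack(spi, seq) + esp_body


def encapsulate_ike(ike_msg: bytes) -> bytes:
    """Wrap an IKE message for UDP/4500 by prepending the zero non-ESP marker."""
    return NON_ESP_MARKER + ike_msg


def classify_udp4500(payload: bytes) -> dict:
    """Demultiplex a UDP/4500 payload the way a NAT-T peer (or an IDS) must."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:                      # fixed IKE header is 28 bytes
            raise ValueError("truncated IKE header")
        major, minor = ike[17] >> 4, ike[17] & 0x0F   # version byte at offset 17
        return {"kind": "ike", "version": (major, minor), "ike": ike}
    if len(payload) < ESP_HDR.size:
        raise ValueError("payload too short for an ESP header")
    spi, seq = ESP_HDR.unpack_from(payload)
    return {"kind": "esp", "spi": spi, "seq": seq, "body": payload[ESP_HDR.size:]}


if __name__ == "__main__":
    # Constructed samples: an IKEv1 main-mode header, an ESP packet, a keepalive.
    ikev1_hdr = bytes(16) + bytes([0x01, 0x10, 0x05, 0x00]) + struct.pack("!II", 0, 28)
    samples = [encapsulate_ike(ikev1_hdr),
               encapsulate_esp(0x1234ABCD, 1, b"\x00" * 64),
               NAT_KEEPALIVE]
    for p in samples:
        print(classify_udp4500(p)["kind"])
```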