
Re: vpnc or openvpn

by Kambiz Aghaiepour-2

Dr. Brown,

Sorry for resurrecting this thread so far after the fact.  I didn't have
the means at the time we were (re)discussing the issue with connecting
to Duke's Cisco VPN Concentrator to try to find a solution to this
issue.  I may have found a solution to the problem you were having with
vpnc and am CCing the list in the hopes that others will also benefit.

Please attempt to run vpnc using the following flags:

   vpnc --natt-mode force-natt --local-port 501

So far I have not seen a single failure to connect to Duke networks.

I came across this as a possible workaround when looking through the
vpnc-devel mailing list archives.  I ran multiple tests using a Fedora 8
(i386) patched system and I was at best connecting 10-15% of the time
using no arguments to vpnc.  The failure responses I was seeing were:

   no response from target
   response was invalid [1]:  (ISAKMP_N_PAYLOAD_MALFORMED)(16)
   response was invalid [1]:  (ISAKMP_N_INVALID_COOKIE)(4)

I am using a Linksys cable modem router, and they are apparently
notorious for causing problems with IPSec connections (although I have
options in my linksys to allow for IPSec tunneling).  RFC3947 and
RFC3948 describe ESP encapsulation in UDP which is what the force-natt
option does.  I suspect that at times the IKE and ESP over UDP tend to
use big UDP packets which will get fragmented, and subsequently dropped.
For some reason when running vpnc without any options, this seems to
be the case and when using the above mentioned options, this doesn't
happen.  I haven't compared tcpdump output yet.

Please let me know if this helps.

Kambiz

Robert G. Brown wrote:

> On Tue, 11
> Mar 2008, Kambiz Aghaiepour wrote:
>
>> Robert G. Brown wrote:
>>
>>> Suggestions welcome, although I'm inclined to build/fix vpnclient again
>>> for F8.  It will probably take less time than any of the alternatives
>>> unless the patches are REALLY nasty.
>>>
>>>     rgb
>>
>> Try to open tcp port 10000 on your system (and limit it to the VPN peer
>> of course).  I believe that is the port that the duke vpn concentrator
>> calls back on.
>
> I turned off my local firewall altogether on the f8 laptop.  selinux is
> already disabled.  The laptop is bare-naked to the world.  I drilled
> explicit port forwarding through my household firewall to my laptop,
> even though as noted vpnclient works fine without any such thing on
> other non-F8 systems.
>
> Exactly the same symptoms.  In fact, I just burned yet another hour
> permuting the location of the certificate, the hash link to the
> certificate, the command line arguments, the firewall settings (down to
> no firewall at all anywhere on the explicitly given paths).  I have
> tried both sean's rpm build and a direct build from the source.
>
> rgb
>
>>
>> Kambiz
>>
>>
>


--
+-  .--.  ------------------------------------+
|  |o_o |          Kambiz Aghaiepour          |
|  |:_/ | -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- |
| //   \ \  "We can't solve problems by using |
|(|     | ) the same kind of thinking we used |
/'\_   _/`\  when we created them." -Einstein |
\___)=(___/ ----------------------------------+

_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug
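One way to do the tcpdump comparison the post leaves open, added here as an example (not code from the original post or from vpnc): it reads `tcpdump -n` style lines and reports, per UDP port, how many datagrams were fragmented and which fragment groups never completed, the symptom that would back the fragmentation hypothesis above. The capture lines, addresses and IP ids are constructed; ports 500 and 4500 are the standard ISAKMP and UDP-encapsulation ports, not values from the post.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n lines (not from the original post): a plain IKE
# exchange on UDP/500, an IKE reply whose first fragment arrives but whose
# trailing fragment never does, and an unfragmented NAT-T (UDP/4500) exchange.
SAMPLE_TCPDUMP = """\
12:00:00.000100 IP 192.168.1.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:00.010200 IP 198.51.100.5.500 > 192.168.1.10.500: isakmp: phase 1 R ident
12:00:00.020300 IP 192.168.1.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:00.030400 IP 198.51.100.5.500 > 192.168.1.10.500: isakmp: phase 1 R ident (frag 4242:1480@0+)
12:00:00.040500 IP 192.168.1.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 1 I ident
12:00:00.050600 IP 198.51.100.5.4500 > 192.168.1.10.4500: NONESP-encap: isakmp: phase 1 R ident
"""

FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")  # tcpdump: (frag id:len@off[+])

def split_addr(addr):
    # 'a.b.c.d.port' -> (host, port); a bare 'a.b.c.d' (later fragment) -> (host, None)
    if addr.count(".") == 4:
        host, port = addr.rsplit(".", 1)
        return host, int(port)
    return addr, None

def analyze(text):
    """Per UDP port: datagrams seen and how many were fragmented; plus the
    fragment groups (src, dst, IP id) whose last piece never appears."""
    per_port = defaultdict(lambda: {"datagrams": 0, "fragmented": 0})
    groups = {}  # (src, dst, ipid) -> {"port": p, "pieces": [(off, len, more)]}
    for line in filter(None, text.splitlines()):
        _ts, _ip, src, _arrow, dst, rest = line.split(" ", 5)
        src, _sport = split_addr(src)
        dst, dport = split_addr(dst.rstrip(":"))
        frag = FRAG_RE.search(rest)
        if frag is None:  # ordinary, unfragmented datagram
            per_port[dport]["datagrams"] += 1
            continue
        ipid, flen, off, more = int(frag[1]), int(frag[2]), int(frag[3]), frag[4] == "+"
        g = groups.setdefault((src, dst, ipid), {"port": None, "pieces": []})
        if off == 0:  # only the first fragment carries the UDP header and ports
            g["port"] = dport
            per_port[dport]["datagrams"] += 1
            per_port[dport]["fragmented"] += 1
        g["pieces"].append((off, flen, more))
    incomplete = []
    for (src, dst, ipid), g in groups.items():
        pieces = sorted(g["pieces"])
        off, flen, more = pieces[-1]
        if more or sum(p[1] for p in pieces) != off + flen:  # no final piece, or a hole
            incomplete.append({"src": src, "dst": dst, "ipid": ipid, "port": g["port"]})
    return dict(per_port), incomplete
```

Run it over a real `tcpdump -n udp port 500 or udp port 4500` capture taken during a failing and a succeeding connection attempt; a non-empty incomplete list on the plain-IKE run but not on the force-natt run is the evidence the post is looking for.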
