VPNC connection problems

 
 
ziikell101
Guest
Posts: n/a

 
      06-26-2010, 08:37 AM
Hi all,

I am trying to work out where my notebook has a problem.

Last week I could connect to the work VPN, and this week I cannot. (No
support available because I use VPNC at home to connect and they mandate
Windows only. Another topic for another time.)


The PC can authenticate with the server, and bring up the interface tun0
and then set the default route, but I cannot ping, SSH, telnet nor make DNS
requests through the tunnel: essentially any network traffic.

I am using the IP addresses for the servers because I know that DNS
fails. I have verified that the name servers are correct with the IT
department.

Any ideas? I have to start on-call next week. (I cannot take the PC at
work to my home because I locked it to the desk, and lost the key...
bolt cutters perhaps next buy.)

/etc/vpnc/tt.conf
IPSec gateway 62.51.16.11
IPSec ID VTL-VPN
IPSec secret nnnnnnnnnnnnnnnnnnnnnnnnnnRemoved
IKE Authmode psk
Xauth username p-tranner
Domain itservices


# vpnc --dpd-idle 0 tt
Enter password for p-tranner@62.51.16.11:
Connect Banner:
| access only for authorized personnel!

VPNC started in background (pid: 10537)...



# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.254.98.5 P-t-P:10.254.98.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)



# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
62.51.16.11     10.90.90.1      255.255.255.255 UGH    1500 0          0 eth0
10.90.90.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.254.96.0     0.0.0.0         255.255.252.0   U         0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun0



# traceroute 10.205.8.1
traceroute to 10.205.8.1 (10.205.8.1), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
#
 
 
 
 
 
ziikell101
Guest
Posts: n/a

 
      06-26-2010, 10:21 AM
On 06/26/2010 10:37 AM, ziikell101 wrote:
> Hi all,
>
> I am trying to work out where my notebook has a problem.
>
> Last week I could connect to the work VPN, and this week I cannot. (No
> support available because I use VPNC at home to connect and they mandate
> Windows only. Another topic for another time.)
>


I have found where the problem is. I swapped out my Cisco PIX 501 with a
bog standard Asus wireless router. Suddenly, the VPN works. Thus the
problem lies with the PIX. Unsure what causes this.
 
 
Chris Davies
Guest
Posts: n/a

 
      06-26-2010, 02:33 PM
ziikell101 <(E-Mail Removed)> wrote:
> I have found where the problem is. I swapped out my Cisco PIX 501 with a
> bog standard Asus wireless router. Suddenly, the VPN works. Thus the
> problem lies with the PIX. Unsure what causes this.


The PIX may well be trying to do something clever with your IPSec packets,
whereas the Asus doesn't. (Or the Asus is successfully doing something
clever, whereas the PIX isn't, of course.) The PIX may be trying to
terminate the IPSec connection on your behalf instead of "transparently"
NATing it or passing it straight through to you.

(This sort of thing used to happen a lot with SIP based VoIP. Turning off
the SIP awareness in the router usually made the connection work again.)

Chris
 
 
ziikell101
Guest
Posts: n/a

 
      06-27-2010, 10:08 AM
On 06/26/2010 04:33 PM, Chris Davies wrote:
> ziikell101 <(E-Mail Removed)> wrote:

[SNIP]

Hi Chris,

A chap on comp.dcom.sys.cisco found the problem: Copied his post below.
It worked. It sounded a lot like what you wrote.

z

On 06/27/2010 07:15 AM, Scott Lowe wrote:
> > On 2010-06-26 06:44:58 -0400, ziikell101 said:
> >
> >
> >
> > It looks like the PIX is blocking ESP (IP protocol 50), which is
> > generally required in order for IPSec to work properly. You probably
> > need to enable NAT traversal on your IPSec client so that it can
> > encapsulate the traffic in TCP or UDP and help it work correctly
> > with NAT.
>
>
> ziikell wrote:
> >

> Thank-you very much - The problem solved.
>
> Added *fixup protocol esp-ike* to the config,
>
> Added *NAT Traversal Mode cisco-udp* to the VPNC config file.
>
> All is well.

 
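The symptom in this thread (authentication succeeds, tun0 comes up, nothing passes) and the diagnosis quoted above (ESP, IP protocol 50, not getting through the PIX) can be confirmed from a packet capture taken on the client. The following is an added example, not part of any post: the capture lines are constructed, 10.90.90.20 is an assumed LAN address, and UDP port 10000 is assumed for the cisco-udp encapsulation.

```python
import re
from collections import Counter

GATEWAY = "62.51.16.11"  # "IPSec gateway" value from the thread's tt.conf

# Constructed `tcpdump -n host 62.51.16.11` style lines (not from the thread);
# 10.90.90.20 is an assumed address on the poster's 10.90.90.0/24 LAN.
ESP_BLOCKED = """\
IP 10.90.90.20.500 > 62.51.16.11.500: isakmp: phase 1 I ident
IP 62.51.16.11.500 > 10.90.90.20.500: isakmp: phase 1 R ident
IP 10.90.90.20 > 62.51.16.11: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
IP 10.90.90.20 > 62.51.16.11: ESP(spi=0x1a2b3c4d,seq=0x2), length 116
"""
UDP_ENCAP = """\
IP 10.90.90.20.500 > 62.51.16.11.500: isakmp: phase 1 I ident
IP 62.51.16.11.500 > 10.90.90.20.500: isakmp: phase 1 R ident
IP 10.90.90.20.10000 > 62.51.16.11.10000: UDP, length 124
IP 62.51.16.11.10000 > 10.90.90.20.10000: UDP, length 124
"""

LINE = re.compile(r"\bIP (\S+) > (\S+): (.*)$")

def host_of(endpoint):
    """Strip tcpdump's trailing .port; bare ESP endpoints have none."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]), len(parts) == 5

def classify(capture, gateway=GATEWAY):
    """Return a verdict string for traffic between this host and the gateway."""
    seen = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        (src, has_port), (dst, _) = host_of(m.group(1)), host_of(m.group(2))
        if gateway not in (src, dst):
            continue
        payload = m.group(3)
        if payload.startswith("ESP("):
            kind = "esp"   # native IP protocol 50
        elif "isakmp" in payload:
            kind = "ike"   # key exchange / authentication
        elif has_port:
            kind = "udp"   # tunnel data carried inside UDP
        else:
            continue
        seen[kind, "in" if src == gateway else "out"] += 1
    if seen["udp", "out"] and seen["udp", "in"]:
        return "udp-encapsulated"
    if seen["esp", "out"] and seen["esp", "in"]:
        return "native-esp"
    if seen["ike", "in"] and seen["esp", "out"]:
        return "ike-ok-esp-one-way"
    return "inconclusive"
```

A verdict of `ike-ok-esp-one-way` matches what the thread describes: IKE replies arrive, so login works, but no ESP ever comes back, so the RX counter on tun0 stays at zero.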
 
 
 