CiscoVPN - stateful firewall?
I got the ciscovpn running pretty easily. When I try to connect at work I get the following:
Secure VPN Connection terminated by Peer.
Reason: Firewall Policy Mismatch
I'm the first person in my company attempting to connect with the Linux client. I know some of the unix guys are able to get in without issue. I'm thinking the server is configured to allow connections with machines running firewall software and only accepting TCP/IP traffic originating from the VPN. I found a thread on a mac bulletin board with the following:
# Firewall configuration written by Cisco Systems
# Designed for the Linux VPN Client 4.8.00.0490 Virtual Adapter
# Blocks ALL traffic on eth0 except for tunneled traffic
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all traffic in both directions through the VA adapter
-A INPUT -i cipsec0 -j ACCEPT
-A OUTPUT -o cipsec0 -j ACCEPT
# Accept all encrypted VPN Client traffic in either direction on eth0
-A INPUT -i eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 1024: -d 0/0 --dport 29747 -j ACCEPT
# Block all other traffic in either direction on eth0
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j REJECT
It's not clear where this should go. Anyone have some tips?
I'll follow up with unix guys at work to see if they're running iptables or something comparable. Anyone else run into this?
Thanks in advance.
Mate are you just trying to connect your linux desktop/server to a Cisco 3000 series VPN concentrator? Same as the Cisco VPN client GUI on a Mac/Windows box?
If so this is a doddle and will tell you how :p
from your Linux client, is there a gateway device? Lynksys,netlink? and is it doing NAT? and are you running iptables on the Linux box? iptables -nL -t filter
You don't need to do anything with the firewall to connect to the VPN concentrator in Linux, you just need the right drivers compiled into the kernel and this program called vpnc.
Download, compile & install the vpn client. After the install a directory should have been created /etc/vpnc
Browse this directory, and look for a file, default.conf. If it doesn't exist, create it with the following lines:
IPSec gateway <ip addr> ; Hostname
IPSec ID <username> ; IPsec Group Auth Name
IPSec secret <password> ; IPsec Group Auth Password
Xauth username <username> ; IPsec User Auth Name
Xauth password <password> ; IPsec User Auth Password
The Xauth username and password is the one you are presented with when you double click the Connection Entry with the Win/Mac client.
You may not have the IPsec secret password for the VPN, but this doesn't matter as you can use a program to instantly decrypt the hash stored in Windows.
Browse your VPN Client directory in Windows, i.e - C:\Program Files\Cisco Systems\VPN Client\Profiles
Use WinSCP or another means to send the .pcf files to your Linux system, and put them in the /etc/vpnc/ directory. Edit the file and look for the line which begins "enc_GroupPwd" followed by the hash. This hash is what you will need to get the IPsec secret needed for the .conf file you created.
Run the hash through a decrypter (you should be able to find one on google), if not then you could e-mail me just the hash. It will present you with a password you can use as the IPsec secret
Finish the default.conf file and at your shell type vpnc. This will parse the /etc/vpnc directory, find the default.conf and automatically try to create the VPN with the credentials in the default.conf.
If all works it should create the VPN and the PID should be running in the background. If you then type ip route and check the routes, or ifconfig etc.
If there are problems with creating the VPN, you may have to recompile your kernel. Hope that helps.
I got vpnc running and configured and get the following when trying to connect:
vpnc: quick mode response rejected: ISAKMP_N_INVALID_PAYLOAD_TYPE(1)
this means the concentrator did not like what we had to offer.
Possible reasons are:
* concentrator configured to require a firewall this locks out even Cisco clients on any platform expect windows which is an obvious security improvment. There is no workaround (yet).
* concentrator configured to require IP compression
this is not yet supported by vpnc.
Note: the Cisco Concentrator Documentation recommends against using compression, expect on low-bandwith (read: ISDN) links, because it uses much CPU-resources on the concentrator
Sound like the same issue when using the ciscovpn. It requires I run some kind of firewall software on my end.
Hmmm, its possible you don't have the required encryption algorithms compiled in the Kernel. Are you using 3DES or AES as the transmission cipher?
I would recommend you rebuild your current kernel or compile the latest, and go through the Cryptographic options & Networking options in the Kernel and flag the required.
Make sure you have the majority (I have all) of the algorithms in Cryptographic options, the IPsec stuff and the ESP/AH transformation for IKE in Networking options and recompile, then try running vpnc.
This should sort it out. If not post here!
Do you still have the same problem Nigel?
Unsure if anyone has a solution to this but i also have the same problem connecting into work.
I have tried using vpnc on both ubuntu dapper (2.6.15-26-386) and SuSE Enterprise 10.
I am running iptables as firewall but am unsure how to apply the configuration script listed below in this thread
I'm not sure fiddling with iptables will help.
If you read the logs of the Windows Cisco client, the client has a conversation with the concentrator about which firewall capabilities it supports.
The administrator of the concentrator has the ability to set which firewall abilities they want enforced on the client, such as forcing the client to be unable to communicate with its LAN for security purposes.
My office enforces such a policy to prevent laptops placed on the internet from becoming a gateway into a government network (which I find to be a giant pain in the ass because my home network is pretty secure and I'd like to be able to access internal services in the office whilst, for example, using my own printer, and my own bandwidth where possible instead of the incredibly clogged office link).
The solution with vpnc would be to allow it to give the responses about firewalls that the Cisco concentrator desires. The Cisco engineer mentioned is probably right - the Cisco client software for *nix and BSD does not (or cannot, because of the nature of the OS) enforce a local firewall. Hence the concentrator is telling you where to stick it. The same for vpnc.
The vpnc client can report any client identifier that it likes to the concentrator, but as yet it cannot report firewall capabilities.
Bad error message
While I don't think this is the case for the OP on this thread, some others may find it useful. Occasionally the error message shown above (rather poorly) indicates that the cipher negotiation failed (http://lists.unix-ag.uni-kl.de/piper...st/000959.html). In some cases, you may be able to specify the --1des-enabled option or place 'Enable Single DES' in your config file to resolve this issue.
|All times are GMT -5. The time now is 11:29 PM.|