LinuxQuestions.org
Old 11-22-2006, 12:27 PM   #1
Nigel_Tufnel
Member
 
Registered: Jul 2002
Location: Easton, PA
Distribution: Debian, Kubuntu, Arch
Posts: 116

Rep: Reputation: 15
CiscoVPN - stateful firewall?


I got the ciscovpn running pretty easily. When I try to connect at work I get the following:
Secure VPN Connection terminated by Peer.
Reason: Firewall Policy Mismatch


I'm the first person in my company attempting to connect with the Linux client. I know some of the unix guys are able to get in without issue. I'm thinking the server is configured to allow connections with machines running firewall software and only accepting TCP/IP traffic originating from the VPN. I found a thread on a mac bulletin board with the following:

Quote:
I couldn’t use Cisco because I kept getting ‘firewall policy mismatch’ errors preventing connection with Cisco VPN Client 4.0.2 to a corporate network.
It turned out that this error is a fairly common error, according to a Cisco engineer. This occurs with the Mac client and the VPN concentrator when the concentrator group is set to "Require Firewall" on the connecting host.
This function (“require firewall”) is available on the Windows VPN client software, but not the Mac client!
I also found this script at the end of the 4.8 release notes:
# Firewall configuration written by Cisco Systems
# Designed for the Linux VPN Client 4.8.00.0490 Virtual Adapter
# Blocks ALL traffic on eth0 except for tunneled traffic
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow all traffic in both directions through the VA adapter
-A INPUT -i cipsec0 -j ACCEPT
-A OUTPUT -o cipsec0 -j ACCEPT

# Accept all encrypted VPN Client traffic in either direction on eth0
-A INPUT -i eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT

-A INPUT -i eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT

-A OUTPUT -o eth0 -p udp -s 0/0 --sport 1024: -d 0/0 --dport 29747 -j ACCEPT

# Block all other traffic in either direction on eth0
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j REJECT
COMMIT


It's not clear where this should go. Anyone have some tips?


I'll follow up with unix guys at work to see if they're running iptables or something comparable. Anyone else run into this?
Thanks in advance.

Last edited by Nigel_Tufnel; 11-22-2006 at 12:29 PM.
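The script quoted in the post above is in iptables-restore format (the `*filter`, `:CHAIN POLICY [0:0]` and `COMMIT` lines), so it is loaded whole with `iptables-restore < file` rather than typed rule by rule. As an added example, not from the thread or from Cisco, here is a small Python audit that parses that ruleset offline and reports, per chain and interface, which flows are accepted before the catch-all REJECT, and which chains or interfaces fall through to the ACCEPT policy; it lets you confirm what the ruleset actually restricts before loading it.

```python
# The ruleset quoted in the post above (iptables-restore format), embedded so the audit runs offline.
CISCO_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i cipsec0 -j ACCEPT
-A OUTPUT -o cipsec0 -j ACCEPT
-A INPUT -i eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 1024: -d 0/0 --dport 29747 -j ACCEPT
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j REJECT
COMMIT
"""

_OPTS = {"-i": "iface", "-o": "iface", "-p": "proto",   # iptables option -> key in the parsed rule
         "--sport": "sport", "--dport": "dport", "-j": "target"}

def parse_rules(text):
    """Return ({chain: policy}, [rule dicts]) from an iptables-restore dump."""
    policies, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(":"):                 # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):              # no quoted arguments here, so plain split() is safe
            t = line.split()
            rules.append({"chain": t[1], **{k: t[t.index(o) + 1] for o, k in _OPTS.items() if o in t}})
    return policies, rules

def audit(text):
    """Per (chain, iface): flows ACCEPTed in order, plus the catch-all target or chain policy deciding the rest."""
    policies, rules = parse_rules(text)
    report = {}
    for r in rules:
        ent = report.setdefault((r["chain"], r.get("iface", "*")), {"accept": [], "final": None})
        if ent["final"]: continue                # sits behind a catch-all rule: can never match
        catch_all = not any(k in r for k in ("proto", "sport", "dport"))
        if r["target"] == "ACCEPT":
            ent["accept"].append("any" if catch_all else
                                 f"{r['proto']} {r.get('sport', '*')}->{r.get('dport', '*')}")
        if catch_all:
            ent["final"] = r["target"]
    for chain in policies:                       # '*' = interfaces no rule names; they get the chain policy
        report.setdefault((chain, "*"), {"accept": [], "final": None})
    return {k: {**e, "final": e["final"] or policies[k[0]]} for k, e in report.items()}
```

Note that the report shows FORWARD and every interface other than eth0 (a second NIC or wireless card) ending at the ACCEPT policy: the ruleset only restricts eth0, exactly as its header comment says.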
 
Old 11-22-2006, 02:24 PM   #2
spectra
Member
 
Registered: Nov 2006
Location: UK
Distribution: Debian(s) / Gentoo
Posts: 30

Rep: Reputation: 15
Mate are you just trying to connect your linux desktop/server to a Cisco 3000 series VPN concentrator? Same as the Cisco VPN client GUI on a Mac/Windows box?

If so, this is a doddle and I will tell you how.

Last edited by spectra; 11-22-2006 at 02:27 PM.
 
Old 11-24-2006, 12:02 PM   #3
Nigel_Tufnel
Member
 
Registered: Jul 2002
Location: Easton, PA
Distribution: Debian, Kubuntu, Arch
Posts: 116

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by spectra
Mate are you just trying to connect your linux desktop/server to a Cisco 3000 series VPN concentrator? Same as the Cisco VPN client GUI on a Mac/Windows box?
Exactly, my linux client trying to connect to the CISCO VPN.
 
Old 11-24-2006, 01:13 PM   #4
sal_paradise42
Member
 
Registered: Jul 2003
Location: Utah
Distribution: Gentoo FreeBSD 5.4
Posts: 150

Rep: Reputation: 16
From your Linux client, is there a gateway device (Linksys, Netlink?) and is it doing NAT? And are you running iptables on the Linux box? iptables -nL -t filter
 
Old 11-27-2006, 08:52 AM   #5
spectra
Member
 
Registered: Nov 2006
Location: UK
Distribution: Debian(s) / Gentoo
Posts: 30

Rep: Reputation: 15
Quote:
Originally Posted by Nigel_Tufnel
# Firewall configuration written by Cisco Systems
# Designed for the Linux VPN Client 4.8.00.0490 Virtual Adapter
# Blocks ALL traffic on eth0 except for tunneled traffic
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow all traffic in both directions through the VA adapter
-A INPUT -i cipsec0 -j ACCEPT
-A OUTPUT -o cipsec0 -j ACCEPT

# Accept all encrypted VPN Client traffic in either direction on eth0
-A INPUT -i eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT

-A INPUT -i eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT

-A OUTPUT -o eth0 -p udp -s 0/0 --sport 1024: -d 0/0 --dport 29747 -j ACCEPT

# Block all other traffic in either direction on eth0
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j REJECT
COMMIT

It's not clear where this should go. Anyone have some tips?


I'll follow up with unix guys at work to see if they're running iptables or something comparable. Anyone else run into this?
Thanks in advance.
This is a firewall ruleset that can be used in iptables which blocks all traffic on an interface (in this case eth0), except IPsec and the VPN concentrator ports.

You don't need to do anything with the firewall to connect to the VPN concentrator in Linux, you just need the right drivers compiled into the kernel and this program called vpnc.

Download, compile & install the vpn client. After the install, a directory /etc/vpnc should have been created.

Browse this directory, and look for a file, default.conf. If it doesn't exist, create it with the following lines:

IPSec gateway <ip addr> ; Hostname
IPSec ID <username> ; IPsec Group Auth Name
IPSec secret <password> ; IPsec Group Auth Password
Xauth username <username> ; IPsec User Auth Name
Xauth password <password> ; IPsec User Auth Password

The Xauth username and password are the ones you are presented with when you double click the Connection Entry with the Win/Mac client.

You may not have the IPsec secret password for the VPN, but this doesn't matter as you can use a program to instantly decrypt the hash stored in Windows.

Browse your VPN Client directory in Windows, e.g. C:\Program Files\Cisco Systems\VPN Client\Profiles

Use WinSCP or another means to send the .pcf files to your Linux system, and put them in the /etc/vpnc/ directory. Edit the file and look for the line which begins "enc_GroupPwd" followed by the hash. This hash is what you will need to get the IPsec secret needed for the .conf file you created.

Run the hash through a decrypter (you should be able to find one on Google); if not, you could e-mail me just the hash. It will present you with a password you can use as the IPsec secret.

Finish the default.conf file and at your shell type vpnc. This will parse the /etc/vpnc directory, find the default.conf and automatically try to create the VPN with the credentials in the default.conf.

If all works, it should create the VPN and the PID should be running in the background. You can then type ip route to check the routes, or ifconfig, etc.

If there are problems with creating the VPN, you may have to recompile your kernel. Hope that helps.
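Added example, not from the thread or from the vpnc project: a Python helper that builds the default.conf lines described in the post above from a Windows .pcf profile. It assumes the .pcf keys Host, GroupName, Username, GroupPwd and enc_GroupPwd of the Windows client's profile format, embeds a constructed sample profile, and deliberately does not decode enc_GroupPwd: the decoded group secret is passed in separately, and the file is written with mode 0600 because it holds credentials in clear text.

```python
import configparser
import os
import stat

# Constructed sample of the Windows client's .pcf profile format; every value is a placeholder.
SAMPLE_PCF = """\
[main]
Description=Office VPN (constructed sample)
Host=vpn.example.com
GroupName=staff
enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF
Username=nigel
"""

# .pcf key -> vpnc keyword.  The group password is deliberately not mapped here:
# enc_GroupPwd is the obfuscated form and has to be decoded separately, as the post says.
PCF_TO_VPNC = {"Host": "IPSec gateway", "GroupName": "IPSec ID", "Username": "Xauth username"}

def pcf_to_vpnc(pcf_text, group_secret=None, xauth_password=None):
    """Translate a .pcf profile into vpnc default.conf lines.

    group_secret is the decoded IPsec group secret.  Without it a clearly marked
    placeholder is written, so vpnc fails at group authentication instead of
    silently running with an empty secret."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str                     # keep key case (enc_GroupPwd vs GroupPwd)
    cfg.read_string(pcf_text)
    main = cfg["main"]
    lines = [f"{vpnc_key} {main[pcf_key]}"
             for pcf_key, vpnc_key in PCF_TO_VPNC.items() if main.get(pcf_key)]
    # Some profiles carry a plaintext GroupPwd= instead of enc_GroupPwd= (assumption about
    # the .pcf format); it is used only when no decoded secret was supplied explicitly.
    secret = group_secret or main.get("GroupPwd")
    lines.append(f"IPSec secret {secret or '<PASTE DECODED enc_GroupPwd HERE>'}")
    if xauth_password:                        # leave it out to have vpnc prompt for it interactively
        lines.append(f"Xauth password {xauth_password}")
    return "\n".join(lines) + "\n"

def write_default_conf(content, path="/etc/vpnc/default.conf"):
    """Write the config readable by root only: it holds credentials in clear text."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)                     # a pre-existing file keeps its old mode; enforce ours
    return stat.S_IMODE(os.stat(path).st_mode)
```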
 
Old 11-27-2006, 05:29 PM   #6
Nigel_Tufnel
Member
 
Registered: Jul 2002
Location: Easton, PA
Distribution: Debian, Kubuntu, Arch
Posts: 116

Original Poster
Rep: Reputation: 15
I got vpnc running and configured and get the following when trying to connect:
vpnc: quick mode response rejected: ISAKMP_N_INVALID_PAYLOAD_TYPE(1)
this means the concentrator did not like what we had to offer.
Possible reasons are:
* concentrator configured to require a firewall this locks out even Cisco clients on any platform expect windows which is an obvious security improvment. There is no workaround (yet).
* concentrator configured to require IP compression
this is not yet supported by vpnc.
Note: the Cisco Concentrator Documentation recommends against using compression, expect on low-bandwith (read: ISDN) links, because it uses much CPU-resources on the concentrator

Sounds like the same issue as when using the ciscovpn. It requires I run some kind of firewall software on my end.
 
Old 11-28-2006, 07:18 AM   #7
spectra
Member
 
Registered: Nov 2006
Location: UK
Distribution: Debian(s) / Gentoo
Posts: 30

Rep: Reputation: 15
Hmmm, it's possible you don't have the required encryption algorithms compiled in the kernel. Are you using 3DES or AES as the transmission cipher?

I would recommend you rebuild your current kernel or compile the latest, and go through the Cryptographic options & Networking options in the kernel and flag the required ones.

Make sure you have the majority (I have all) of the algorithms in Cryptographic options, the IPsec stuff and the ESP/AH transformation for IKE in Networking options and recompile, then try running vpnc.

This should sort it out. If not post here!
 
Old 11-29-2006, 06:13 AM   #8
Nigel_Tufnel
Member
 
Registered: Jul 2002
Location: Easton, PA
Distribution: Debian, Kubuntu, Arch
Posts: 116

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by spectra
Hmmm, its possible you don't have the required encryption algorithms compiled in the Kernel. Are you using 3DES or AES as the transmission cipher?
I have the same issue with a machine running Suse 10.1 and my AMD64 workstation running Kubuntu Edgy. It looks like all the modules you mentioned are in my current kernel on my machine with Suse. I wonder if I have to load the modules manually?

Last edited by Nigel_Tufnel; 11-29-2006 at 06:15 AM.
 
Old 12-11-2006, 07:00 AM   #9
spectra
Member
 
Registered: Nov 2006
Location: UK
Distribution: Debian(s) / Gentoo
Posts: 30

Rep: Reputation: 15
Do you still have the same problem Nigel?
 
Old 12-12-2006, 05:20 AM   #10
-=Graz=-
Member
 
Registered: Jan 2006
Location: Australia
Distribution: Fedora, Slackware, RHEL, AIX, HP-UX
Posts: 356

Rep: Reputation: 31
Unsure if anyone has a solution to this, but I also have the same problem connecting into work.
I have tried using vpnc on both ubuntu dapper (2.6.15-26-386) and SuSE Enterprise 10.

I am running iptables as a firewall but am unsure how to apply the configuration script listed above in this thread.
 
Old 01-04-2007, 07:03 AM   #11
dr_barnowl
LQ Newbie
 
Registered: Jan 2007
Posts: 2

Rep: Reputation: 0
I'm not sure fiddling with iptables will help.

If you read the logs of the Windows Cisco client, the client has a conversation with the concentrator about which firewall capabilities it supports.

The administrator of the concentrator has the ability to set which firewall abilities they want enforced on the client, such as forcing the client to be unable to communicate with its LAN for security purposes.

My office enforces such a policy to prevent laptops placed on the internet from becoming a gateway into a government network (which I find to be a giant pain in the ass because my home network is pretty secure and I'd like to be able to access internal services in the office whilst, for example, using my own printer, and my own bandwidth where possible instead of the incredibly clogged office link).

The solution with vpnc would be to allow it to give the responses about firewalls that the Cisco concentrator desires. The Cisco engineer mentioned is probably right - the Cisco client software for *nix and BSD does not (or cannot, because of the nature of the OS) enforce a local firewall. Hence the concentrator is telling you where to stick it. The same for vpnc.

The vpnc client can report any client identifier that it likes to the concentrator, but as yet it cannot report firewall capabilities.
 
Old 02-14-2007, 08:13 PM   #12
w.wilson
LQ Newbie
 
Registered: Feb 2007
Posts: 2

Rep: Reputation: 0
Bad error message

While I don't think this is the case for the OP on this thread, some others may find it useful. Occasionally the error message shown above (rather poorly) indicates that the cipher negotiation failed (http://lists.unix-ag.uni-kl.de/piper...st/000959.html). In some cases, you may be able to specify the --1des-enabled option or place 'Enable Single DES' in your config file to resolve this issue.
 
  

