
22nd January 2011, 04:32 AM
|
 |
Registered User
|
|
Join Date: Jan 2008
Location: Bangalore
Posts: 131

|
|
|
VPN Connection Failed
I've seen a few threads on this before but I couldn't find a solution yet. Basically I need to connect to my company through a Cisco VPN. The Cisco client fails to build so I thought of using vpnc. I used NetworkManager (NetworkManager-vpnc is installed). However, after setting everything up and then logging in, I get the 'VPN Connection Failed' message. Any clue as to what I could be missing? Thanks in advance.
|

22nd January 2011, 09:06 AM
|
|
Registered User
|
|
Join Date: Jan 2010
Posts: 4,979

|
|
|
Re: VPN Connection Failed
The only suggestion I can make is to not use NetworkManager. Companies do things differently than other companies, but for what it's worth, I've never had any trouble using vpnc without NetworkManager.
Now, I don't use NM at all, so I'm not sure what happens if you're running it for your normal network connections and also try to use vpnc. I have a page on vpnc, but it deals with using it without NM. If it helps at all, the page is at
http://home.roadrunner.com/~computertaijutsu/vpnc.html
(There's another page on taking NM out of the equation at
http://home.roadrunner.com/~computer.../wireless.html in case you decide to go that route.)
|

22nd January 2011, 10:02 AM
|
 |
Registered User
|
|
Join Date: Jan 2008
Location: Bangalore
Posts: 131

|
|
|
Re: VPN Connection Failed
Thanks. I wrote a conf file and it connected after running this line:
Code:
sudo vpnc <conf-filename> --local-port 0 --enable-1des
When I ran just sudo vpnc conf-file, it asked me to put those options so I did.
Now I found another problem. Once vpnc starts running, I managed to open my email. After that, I couldn't browse any other sites and also my company connection stopped working (i.e. email stopped too). What could I be doing wrong here?
|

22nd January 2011, 03:14 PM
|
|
Registered User
|
|
Join Date: Jan 2010
Posts: 4,979

|
|
|
Re: VPN Connection Failed
That part isn't that unusual. I'm not sure about those options you mention, I have a conf file. I put it in /etc, as vpnc will first read /etc/vpnc.conf if no file is specified--if that doesn't exist, it will look for /etc/vpnc/whatever.conf--as I'm lazy, if I use that, I just copy defaults.conf to defaults.conf.orig and then move mine (made with pcf2vpnc) to /etc/vpnc/defaults.conf.
However, once it connects, it might (or might not, depending upon the switch's setup) mess up your other connections. The reason is that vpnc temporarily backs up your current /etc/rc.conf and puts in its own, supplied by your switch, which will then use your company's name servers.
Not sure how you wrote your conf file, but I find the easiest way, at least with my company's setup, is to use the pcf2vpnc program.
As for your connection to your company's email server breaking down after that, not sure. See if one of the IT people uses Linux and ask them. As there are various ways to set up the switch, it sounds like an issue on the company's side.
I repeat, however, that I don't use NM, which, if running, might break other things. I also never found it necessary to add the options of local-port and 1des. My vpnc.conf is quite simple:
IPSec ID <my group>
IPSec obfuscated secret <long number>, the group password which the users are not given.
IPSec gateway <our switch's IP>
xauth interactive <I use that rather than having my user name there, just a bit of security by obscurity, especially as the Cisco password is easily broken by a freely available perl-script if you have the decrypt library>
IKE Authmode <type of authentication mode>
|

22nd January 2011, 04:04 PM
|
 |
Registered User
|
|
Join Date: Jan 2008
Location: Bangalore
Posts: 131

|
|
|
Re: VPN Connection Failed
I used pcf2vpnc too. And I did check - the file (/etc/resolv.conf) does change. And it changes when I access my email (or any page on the intranet or VNC). Then my net connection doesn't work, which causes my VPN to stop working too.
My conf is the same as yours with one difference. The Group password is plain text since we've been told what it is.
Also what does <type of authentication mode> mean? pcf2vpnc just put "IKE Authmode" in my conf file.
And yes, NM is running (it always has been since I started using Fedora). Are you saying I should stop this from running and use some other network configuration service instead? What should I use?
|

22nd January 2011, 07:50 PM
|
 |
Registered User
|
|
Join Date: Sep 2009
Location: Just outside Philadelphia, USA
Posts: 81

|
|
|
Re: VPN Connection Failed
This may not be an option for your company, but Cisco's AnyConnect works flawlessly for us. I switched us to the AnyConnect SSL VPN as we needed to support 64bit Windows 7 PCs. Just by going to the ASA Server's web page and logging in, it installs the client. I have tested it on 64bit and 32 bit versions of Fedora, Ubuntu, and Windows 7 as well as Macs, Windows XP, iPhones and iPads. There aren't any config files for the end user and as the administrator, I can enforce stronger encryption. I am using it now on Fedora 14 64bit with NetworkManager, but I have also used it on machines just using the network service.
Obviously it does not help your current issue, but it could eliminate some future grief for you and others.
|

22nd January 2011, 08:43 PM
|
|
Registered User
|
|
Join Date: Jan 2010
Posts: 4,979

|
|
|
Re: VPN Connection Failed
I dislike telling people not to use NM, which apparently does some things well enough. To me, it was a newcomer, and generally, I don't like it. From what I see, if you're running the default desktop, it can be difficult to move it out of the equation too.
@Vespa, thanks for that mention--some of our users now have 64 bit Win 7, though Cisco's latest client seems to support it.
So, to the OP, not sure what to suggest. You might try the link I mentioned before (for wireless) to take NM out of the equation, then get your IP address as you usually do (in most cases, from a home router--in which case just bring up eth0, then run dhclient eth0, or the corresponding steps for wireless), then try vpnc as you have been doing and see if you get better results.
|

22nd January 2011, 09:23 PM
|
 |
Registered User
|
|
Join Date: Sep 2009
Location: Just outside Philadelphia, USA
Posts: 81

|
|
|
Re: VPN Connection Failed
Quote:
Originally Posted by Louisda16th
My conf is the same as yours with one difference. The Group password is plain text since we've been told what it is.
Also what does <type of authentication mode> mean? pcf2vpnc just put "IKE Authmode" in my conf file.
|
For kicks I tried to connect using both vpnc and the KNetworkManager-vpnc applet (I use KDE). I used pcf2vpnc to convert our pcf file as well - and as you mentioned it spit out our group password as plain text. As for IKE Authmode, you are most likely using the default, which is 'psk' or Pre-Shared Key.
My /etc/vpnc/default.conf
Code:
## generated by pcf2vpnc
IPSec ID <Our VPN Group Name>
IPSec gateway <Our IP Address>
IPSec secret <Our Group Pre-Shared Key - Plain text as well>
Xauth username <My username>
Domain <My Windows Domain - you may not need this>
IKE Authmode psk
vpnc connected fine for me and I was able to connect to my applications normally. On the other hand, I could not get the KNetworkManager applet to work. It just created a connection entitled "No such object path '/org/kde/networkm...'" Weird. You may need to play around with --natt-mode. I had much better luck with '--natt-mode natt' than cisco-udp, which was what KNetworkManager wanted to set by default.
|

22nd January 2011, 10:01 PM
|
|
Registered User
|
|
Join Date: Jan 2010
Posts: 4,979

|
|
|
Re: VPN Connection Failed
As for the plain password, if you move or rename the cisco-decrypt perl script, it should give you an obfuscated password (with the words obfuscated secret in front of it).
|
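Added example, not posted by anyone in this thread: a small audit of a vpnc config for the settings discussed above, namely a plain-text or obfuscated (reversible) group secret and single DES. "Enable Single DES" is the config-file form of --enable-1des; the sample config, its values and the function name are constructed for illustration.

```python
import stat

# vpnc.conf keywords that weaken the tunnel or store a recoverable credential.
# The keywords are vpnc's own; the finding text is this example's wording.
CHECKS = {
    "ipsec secret": "group pre-shared key stored in plain text",
    "ipsec obfuscated secret": "obfuscated group key is reversible; treat it as plain text",
    "xauth password": "user password stored in plain text",
    "xauth obfuscated password": "obfuscated user password is reversible",
    "enable single des": "single DES allowed (config form of --enable-1des)",
    "enable no encryption": "unencrypted tunnel allowed",
}

# Constructed sample in the shape pcf2vpnc produced in this thread.
SAMPLE = """\
## generated by pcf2vpnc
IPSec ID examplegroup
IPSec gateway 192.0.2.10
IPSec secret not-a-real-key
Xauth username alice
IKE Authmode psk
Enable Single DES
"""


def audit_vpnc_conf(text, mode=None):
    """Return [(line_number, keyword, finding)] for one vpnc config file.

    mode is the st_mode from os.stat() on the file, if the caller has it.
    """
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()          # keywords compared case-insensitively
        if not line or line.startswith("#"):
            continue
        for key, why in CHECKS.items():
            if line == key or line.startswith(key + " "):
                findings.append((num, key, why))
    has_secret = any(k.endswith(("secret", "password")) for _, k, _ in findings)
    if has_secret and mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append((0, "file mode",
                         "secrets readable beyond owner (mode %o)" % stat.S_IMODE(mode)))
    return findings


if __name__ == "__main__":
    for item in audit_vpnc_conf(SAMPLE, 0o100644):
        print(item)
```

On a real system, pass the file's contents and `os.stat(path).st_mode`; line number 0 marks the file-level finding.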

23rd January 2011, 02:35 AM
|
 |
Registered User
|
|
Join Date: Jan 2008
Location: Bangalore
Posts: 131

|
|
|
Re: VPN Connection Failed
Alright. I'll try to get NM out then. Thanks 
---------- Post added at 08:05 AM ---------- Previous post was at 07:52 AM ----------
@Vespa I tried all the natt-mode options. nat and force-nat didn't work at all. cisco udp did. But then the usual happened again.
|

23rd January 2011, 02:49 AM
|
 |
Registered User
|
|
Join Date: Sep 2009
Location: Just outside Philadelphia, USA
Posts: 81

|
|
|
Re: VPN Connection Failed
Maybe try:
vpnc --debug 2 --no-detach
This way it will keep spitting out messages until the problems happen. That may shed some light on what happens to your connection when problems start.
I had to set my konsole to an unlimited scrollback, but I am sure you could >> to a file.
---
Maybe start with --debug 1
Debug 2 shows A LOT of stuff. If debug 1 doesn't help, you could move to 2.
Last edited by Vespa; 23rd January 2011 at 02:54 AM.
|

23rd January 2011, 03:13 AM
|
|
Registered User
|
|
Join Date: Jan 2010
Posts: 4,979

|
|
|
Re: VPN Connection Failed
@Louis (one is tempted to say, Don't lose your head over this, but it's kind of gallows humor, due to the name.)
As I said, I'm not necessarily recommending removing NetworkManager. If you do, you'll have to manually configure your network. This isn't hard to do, but you have to know how to do it. (To help, we'd need to know if you're using wired or wireless and what sort of connection you're using, e.g., wired to a router, static IP, etc.)
So, just keep that in mind. In other words I don't want to take the blame if something goes wrong. Also, of course, there's no guarantee that that is the problem--I dislike it (NM) but many others think it's wonderful.
|

23rd January 2011, 08:55 AM
|
 |
Registered User
|
|
Join Date: Jan 2008
Location: Bangalore
Posts: 131

|
|
|
Re: VPN Connection Failed
It is a wired connection. I won't disable NM till I speak to my company's IT first just to see if it's an issue from their end.
I'll take precautions before trying anything so no problem. I've messed around a lot before (graphics drivers mainly) and had to reinstall the OS now and then. And I'll learn to use the command line for my network config in the process.
As far as the debug messages of vpnc are concerned, after some initial messages, whenever I open a page (I'm guessing a page from the intranet/email), I get these messages:
Code:
lifetime status: 11 of 28800 seconds used, 0|1 of 0 kbytes used
lifetime status: 11 of 28800 seconds used, 0|1 of 0 kbytes used
lifetime status: 12 of 28800 seconds used, 0|1 of 0 kbytes used
lifetime status: 13 of 28800 seconds used, 0|2 of 0 kbytes used
lifetime status: 13 of 28800 seconds used, 0|2 of 0 kbytes used
lifetime status: 14 of 28800 seconds used, 0|2 of 0 kbytes used
lifetime status: 15 of 28800 seconds used, 0|2 of 0 kbytes used
lifetime status: 15 of 28800 seconds used, 0|2 of 0 kbytes used
lifetime status: 15 of 28800 seconds used, 0|2 of 0 kbytes used
lifetime status: 15 of 28800 seconds used, 0|2 of 0 kbytes used
lifetime status: 15 of 28800 seconds used, 0|2 of 0 kbytes used
lifetime status: 15 of 28800 seconds used, 0|2 of 0 kbytes used
lifetime status: 15 of 28800 seconds used, 0|3 of 0 kbytes used
Then that stops, and my internet doesn't work, etc.
|

23rd January 2011, 09:24 PM
|
 |
Registered User
|
|
Join Date: Sep 2009
Location: Just outside Philadelphia, USA
Posts: 81

|
|
|
Re: VPN Connection Failed
Well that is not helpful! I just looked to see if Cisco still supported Linux with their proprietary IPSEC client, but it looks like they stopped in 2008.
I wonder if it is the concentrator's dead peer detection. I was reading the first Q & A here: http://www.cisco.com/en/US/products/...80094cf4.shtml
You can add "--dpd-idle 0" to the command line or "DPD idle timeout (our side) 0" to your default.conf.
Worth a shot? Otherwise it may be time to yank out wireshark!
|

24th January 2011, 04:16 AM
|
 |
Registered User
|
|
Join Date: Jan 2008
Location: Bangalore
Posts: 131

|
|
|
Re: VPN Connection Failed
That gave similar results too.
Not sure if this will help. But this is my resolv.conf
Code:
# Generated by NetworkManager
search home
nameserver <my IP address>
With vpnc running, it changes to
Code:
search home <some name related to my workplace. has a format asdf.asdf.asdf>
nameserver <A different IP address. I'm guessing it's my workplace's.>
I can confirm if that IP address is of my workplace. Either way, my home IP address is taken out of that list. Could this be a reason?
Last edited by Louisda16th; 24th January 2011 at 04:29 AM.
|
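Added example, not posted by anyone in this thread: a comparison of two resolv.conf snapshots, one taken before vpnc starts and one after, reporting which resolvers and search domains were swapped. The snapshot contents are constructed to match the shape of the files quoted above; the addresses, the work domain and the function names are placeholders.

```python
# Constructed snapshots shaped like the two resolv.conf files quoted above.
BEFORE = """\
# Generated by NetworkManager
search home
nameserver 192.168.1.1
"""
AFTER = """\
search home corp.example.com
nameserver 10.0.0.53
"""


def parse_resolv(text):
    """Return (nameservers, search_list) roughly as the glibc resolver reads them."""
    servers, search = [], []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":   # blank line or comment
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            servers.append(fields[1])
        elif fields[0] in ("search", "domain"):
            search = fields[1:]                  # the last search/domain line wins
    return servers[:3], search                   # glibc uses at most 3 nameservers


def compare_resolv(before, after):
    """Describe what changed between two resolv.conf snapshots."""
    old_ns, old_search = parse_resolv(before)
    new_ns, new_search = parse_resolv(after)
    return {
        "dropped_nameservers": [s for s in old_ns if s not in new_ns],
        "added_nameservers": [s for s in new_ns if s not in old_ns],
        "search_added": [d for d in new_search if d not in old_search],
        "search_dropped": [d for d in old_search if d not in new_search],
        # True when no pre-VPN resolver survives: every lookup, public names
        # included, then depends on the VPN-supplied servers being reachable.
        "all_dns_via_vpn": bool(new_ns) and not any(s in new_ns for s in old_ns),
    }


if __name__ == "__main__":
    for key, value in compare_resolv(BEFORE, AFTER).items():
        print(key, value)
```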