Gentoo Forums
VPNC connects and sets routes, but no traffic through tunnel
Gentoo Forums Forum Index :: Networking & Security
quezak
n00b
Joined: 11 Jan 2011
Posts: 13

Posted: Fri Jan 09, 2015 3:08 pm    Post subject: VPNC connects and sets routes, but no traffic through tunnel

I have two Cisco VPNs at my company, one is IPSec (the one for 'vpnclient') and the other through SSL (for 'anyconnect'). I just recently installed Gentoo directly on my laptop; previously I ran it through VMware on Windows, and connected both VPNs on Windows.
Now, when I try to connect from Gentoo to any of them using the exact same configuration, it connects properly, shows the welcome banner, sets up all routes, but does not tunnel any traffic -- if I try to ping, telnet or ssh to any IP from the VPN, it just hangs indefinitely.

For the second VPN I use openconnect with a configuration copied from another computer (where it works); it stays "connected" and doesn't show any errors.
For the first VPN I use vpnc with a configuration converted from vpnclient's .pcf file; after connecting it stays open for 30 seconds and then exits with the message "no response from target"...

My router allows VPN traffic and I haven't installed any firewalls yet. The routes set by the clients are exactly the same as on other computers where the VPNs do work. I've enabled in the kernel all options mentioned in the VPN howtos on the Gentoo wiki (and much more). After hours of digging I ran out of ideas. Could anyone tell me what's happening or point me where to look next? :)
Should I post some more logs/configs to help?

VPNC config -- I tried adding the Vendor, DH_group, NATT and local port options to the file generated by pcf2vpnc, but nothing changed:
Code:
## generated by pcf2vpnc
IPSec ID ****
IPSec secret ****

Vendor cisco
IPSec gateway ****
IKE Authmode psk
IKE DH Group dh2
NAT Traversal Mode cisco-udp
Local Port 10000

Xauth username ****
Xauth password ****


VPNC log:
Code:

   0[root@...]/etc/vpnc>: vpnc --debug=2 frompcf.conf
   
vpnc version 0.5.3

S1 init_sockaddr
 [2015-01-09 15:47:21]

S2 make_socket
 [2015-01-09 15:47:21]

S3 setup_tunnel
 [2015-01-09 15:47:21]
   using interface tun0

S4 do_phase1_am
 [2015-01-09 15:47:21]

S4.1 create_nonce
 [2015-01-09 15:47:21]

S4.2 dh setup
 [2015-01-09 15:47:21]

S4.3 AM packet_1
 [2015-01-09 15:47:21]

S4.4 AM_packet2
 [2015-01-09 15:47:21]
   (Cisco Unity)
   (Xauth)
   (unknown)
   (unknown)
   got ike lifetime attributes: 2147483 seconds
   IKE SA selected psk+xauth-3des-sha1
   peer is XAUTH capable (draft-ietf-ipsec-isakmp-xauth-06)
   NAT status: no NAT-T VID seen

S4.5 AM_packet3
 [2015-01-09 15:47:21]

S4.6 cleanup
 [2015-01-09 15:47:21]

S5 do_phase2_xauth
 [2015-01-09 15:47:21]

S5.1 xauth_request
 [2015-01-09 15:47:21]

S5.2 notice_check
 [2015-01-09 15:47:21]

S5.3 type-is-xauth check
 [2015-01-09 15:47:21]

S5.4 xauth type check
 [2015-01-09 15:47:21]

S5.5 do xauth reply
 [2015-01-09 15:47:21]

S5.2 notice_check
 [2015-01-09 15:47:21]

S5.3 type-is-xauth check
 [2015-01-09 15:47:21]

S5.6 process xauth set
 [2015-01-09 15:47:21]

S5.7 send xauth ack
 [2015-01-09 15:47:21]

S5.8 xauth done
 [2015-01-09 15:47:21]

S6 do_phase2_config
 [2015-01-09 15:47:21]

S6.1 phase2_config send modecfg
 [2015-01-09 15:47:21]

S6.2 phase2_config receive modecfg
 [2015-01-09 15:47:21]
   Banner:    <my company's welcome banner>
   
   got save password setting: 0
   got 3 acls for split include
   acl 0:    addr: ****   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
   acl 1:    addr: ****   255.255.252.0    (22),    protocol: 0,    sport: 0,    dport: 0
   acl 2:    addr: ****   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
   got pfs setting: 0
   Remote Application Version:    Cisco Systems, Inc ASA5505 Version 8.2(1) built by builders on Tue 05-May-09 22:45   
   got address 10.1.0.15

S7 setup_link (phase 2 + main_loop)
 [2015-01-09 15:47:21]

S7.0 run interface setup script
 [2015-01-09 15:47:21]
Connect Banner:
|  <my company's welcome banner>
|


S7.1 QM_packet1
 [2015-01-09 15:47:21]

S7.2 QM_packet2 send_receive
 [2015-01-09 15:47:21]
<30 seconds pass>
vpnc: no response from target


openconnect config and log:
Code:

   0[root@...]/etc/openconnect>: openconnect -c <CERT>.p12 -k <CERT>.p12 -s /etc/openconnect/openconnect.sh -p **** -u **** --authgroup=*** -v <SERVER_IP>
POST https://<SERVER_IP>/
Attempting to connect to server <SERVER_IP>:443
Using certificate file <CERT>.p12
Using client certificate ....
SSL negotiation with <SERVER_IP>
Server certificate verify failed: signer not found
Connected to HTTPS on <SERVER_IP>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 09 Jan 2015 14:37:16 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://<SERVER_IP>/
Attempting to connect to server <SERVER_IP>:443
SSL negotiation with <SERVER_IP>
Server certificate verify failed: signer not found
Connected to HTTPS on <SERVER_IP>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 09 Jan 2015 14:37:16 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://<SERVER_IP>/+webvpn+/index.html
SSL negotiation with <SERVER_IP>
Server certificate verify failed: signer not found
Connected to HTTPS on <SERVER_IP>
Got HTTP response: HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Please enter your username and password.
Password:
POST https://<SERVER_IP>/+webvpn+/index.html
SSL negotiation with <SERVER_IP>
Server certificate verify failed: signer not found
Connected to HTTPS on <SERVER_IP>
Got HTTP response: HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&ch:A17FAE552D31FC5D5B37BAFCA613766C035B4044&sh:934133809298F5518FEA21E0CE5EDD25DF82653C&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: ****
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 10.10****
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: mpay
X-CSTP-Split-Include: 192.168.****/255.255.255.0
X-CSTP-Split-Include: 192.168.****/255.255.255.0
X-CSTP-Split-Include: 10.10****/255.255.0.0
X-CSTP-Split-Include: 10.10****/255.255.0.0
X-CSTP-Split-Include: 10.10****/255.255.0.0
X-CSTP-Split-Include: 217.1****/255.255.255.255
X-CSTP-Split-Include: 217.1****/255.255.255.255
X-CSTP-Split-Include: 10.10****/255.255.255.0
X-CSTP-Keep: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Banner: <WELCOME_BANNER>
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 36677ADDB904BFC1AADDE3864817046D74F72132FADBAD24B4064CED4C68B2FD
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES128-SHA
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.0)-(RSA)-(ARCFOUR-128)-(SHA1)
Connect Banner:
| <WELCOME_BANNER>
|

DTLS option X-DTLS-Session-ID : 36677ADDB904BFC1AADDE3864817046D74F72132FADBAD24B4064CED4C68B2FD
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected tun0 as 172.1****, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send DTLS Keepalive
Send CSTP Keepalive
Send DTLS DPD
Send CSTP DPD
Got DTLS DPD response
Got CSTP DPD response
Send CSTP Keepalive
Send DTLS DPD
Send CSTP DPD
Got DTLS DPD response
Got CSTP DPD response
<keepalives repeat>
^CSend BYE packet: Aborted by caller
User cancelled (SIGINT); exiting.
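Added example (not part of the forum post or of vpnc/openconnect): both logs above list the split-tunnel networks the ASA pushes, vpnc as "acl N: addr: A.B.C.D MASK (PREFIX)" lines and openconnect as "X-CSTP-Split-Include: A.B.C.D/MASK" headers. A quick sanity check when a tunnel "connects but hangs" is to confirm that the destination being pinged actually falls inside one of those networks, since anything outside them never enters tun0 at all. The script parses either log format and reports the most specific split-include route covering a destination. The addresses in the sample log fragments are constructed (the post masks the real ones out).

```python
"""Parse split-include routes from vpnc / openconnect debug logs and test
which destinations they cover. Added example; the log fragments below are
constructed samples, not the poster's real addresses."""
import ipaddress
import re

# vpnc modecfg ACL line, e.g.
#   acl 1:    addr: 10.1.4.0   255.255.252.0    (22),    protocol: 0, ...
VPNC_ACL_RE = re.compile(
    r"acl\s+(?P<n>\d+):\s+addr:\s+(?P<addr>[\d.]+)\s+(?P<mask>[\d.]+)\s+\((?P<plen>\d+)\)"
)
# openconnect CSTP header line, e.g.  X-CSTP-Split-Include: 10.10.0.0/255.255.0.0
CSTP_RE = re.compile(r"^X-CSTP-Split-Include:\s*(?P<addr>[\d.]+)/(?P<mask>[\d.]+)\s*$")

# Constructed sample of the vpnc "got N acls for split include" section.
VPNC_LOG = """\
   got 3 acls for split include
   acl 0:    addr: 10.1.0.1   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
   acl 1:    addr: 10.1.4.0   255.255.252.0    (22),    protocol: 0,    sport: 0,    dport: 0
   acl 2:    addr: 192.0.2.10   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
"""

# Constructed sample of the openconnect CONNECT response (duplicates on purpose,
# the real log repeats headers too).
OPENCONNECT_LOG = """\
X-CSTP-Address: 172.16.5.20
X-CSTP-Split-Include: 192.168.10.0/255.255.255.0
X-CSTP-Split-Include: 10.10.0.0/255.255.0.0
X-CSTP-Split-Include: 10.10.0.0/255.255.0.0
X-CSTP-Keep: true
"""


def parse_split_routes(log_text):
    """Return the split-include networks found in a vpnc or openconnect log,
    de-duplicated and in the order the gateway sent them."""
    nets = []
    for line in log_text.splitlines():
        m = VPNC_ACL_RE.search(line) or CSTP_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m.group('addr')}/{m.group('mask')}", strict=False)
        plen = m.groupdict().get("plen")
        # vpnc prints the prefix length next to the mask; flag a log that disagrees.
        if plen is not None and int(plen) != net.prefixlen:
            raise ValueError(f"mask/prefix mismatch in line: {line.strip()}")
        if net not in nets:
            nets.append(net)
    return nets


def covering_route(nets, dest):
    """Most specific split-include network containing dest, or None if the
    destination would not be routed into the tunnel at all."""
    addr = ipaddress.ip_address(dest)
    matches = [n for n in nets if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def explain(nets, dest, dev="tun0"):
    """Human-readable verdict for one destination."""
    net = covering_route(nets, dest)
    if net is None:
        return f"{dest}: no split-include route; traffic stays on the default route"
    return f"{dest}: covered by {net}, expected to leave via {dev}"


if __name__ == "__main__":
    for label, log in (("vpnc", VPNC_LOG), ("openconnect", OPENCONNECT_LOG)):
        nets = parse_split_routes(log)
        print(f"{label}: {[str(n) for n in nets]}")
        for dest in ("10.1.5.7", "10.1.9.1", "10.10.3.4"):
            print("  " + explain(nets, dest))
```

If a destination is reported as covered and `ip route get <dest>` on the box also points at tun0, the routing table is not the problem and the next place to look is whether packets actually leave and return on tun0 (for example with tcpdump on that interface) rather than the client configuration.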