nizmot n00b
Joined: 28 Jan 2006 Posts: 1
Posted: Sun Jan 29, 2006 3:33 am Post subject: Cisco VPN Client not connecting
Any help appreciated!
Kernel: 2.6.14-gentoo-r4
Cisco VPN Client Version: cisco-vpnclient-3des 4.7.00.0640
Background: Previously working Cisco VPN client (version 4.7.00.0640) stopped connecting after one of many system package upgrades. Unfortunately, I don't know which package broke it. The connection uses certificate authentication and the default Cisco certificate store on the client. Connection fails regardless of which user (root or otherwise) executes the vpnclient connect process.
I've tried nearly everything I can think of with no luck, but I'm no guru. I suspect a permission or other security issue, probably something simple that escapes me.
Result from /usr/bin/vpnclient connect <correct profile blanked>:
Code:
Cisco Systems VPN Client Version 4.7.00 (0640)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.14-gentoo-r4 #2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005 i686
Config file directory: /etc/opt/cisco-vpnclient
Enter Certificate password: <correct password entered>
Initializing the VPN connection.
Secure VPN Connection terminated locally by the Client
Reason: Failed to establish a VPN connection.
There are no new notification messages at this time.
Result from /opt/cisco-vpnclient/bin/ipseclog:
Code:
Cisco Systems VPN Client Version 4.7.00 (0640)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.14-gentoo-r4 #2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005 i686
Config file directory: /etc/opt/cisco-vpnclient
1 02:43:32.102 01/27/2006 Sev=Warning/3 CLI
Unable to purge old log files. Function returned -1.
2 02:43:32.129 01/27/2006 Sev=Info/4 CVPND
Privilege Separation: restoring MTU on primary interface.
3 02:43:32.129 01/27/2006 Sev=Info/4 CVPND
Started cvpnd:
Cisco Systems VPN Client Version 4.7.00 (0640)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.14-gentoo-r4 #2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005 i686
4 02:43:33.108 01/27/2006 Sev=Info/4 IPSEC
Deleted all keys
5 02:43:33.108 01/27/2006 Sev=Info/4 IPSEC
IPSec driver successfully started
6 02:43:33.108 01/27/2006 Sev=Info/4 IPSEC
Deleted all keys
7 02:43:33.108 01/27/2006 Sev=Info/4 IPSEC
Deleted all keys
8 02:43:33.108 01/27/2006 Sev=Info/4 IPSEC
IPSec driver successfully stopped
9 02:43:33.108 01/27/2006 Sev=Info/4 CLI
Started vpnclient:
Cisco Systems VPN Client Version 4.7.00 (0640)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.14-gentoo-r4 #2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005 i686
10 02:43:37.870 01/27/2006 Sev=Info/4 CM
Begin connection process
11 02:43:37.870 01/27/2006 Sev=Info/4 CM
Establish secure connection using Ethernet
12 02:43:37.870 01/27/2006 Sev=Info/4 CM
Attempt connection with server "<correct server ip blanked>"
13 02:43:37.870 01/27/2006 Sev=Info/4 CVPND
Privilege Separation: binding to port: (500).
14 02:43:37.871 01/27/2006 Sev=Info/4 CVPND
Privilege Separation: binding to port: (4500).
15 02:43:37.871 01/27/2006 Sev=Info/6 IKE
Attempting to establish a connection with <correct server ip blanked>.
16 02:43:37.871 01/27/2006 Sev=Debug/9 IKE
Unable to acquire local IP address after 0 attempts (over 12 seconds), probably
due to network socket failure.
17 02:43:41.144 01/27/2006 Sev=Warning/2 CERT
Could not load certificate <correct certificate blanked> from store Cisco User
Certificate. Reason: store open failed
18 02:43:41.144 01/27/2006 Sev=Warning/2 IKE
Unable to open certificate (<correct certificate blanked>).
If you are using a smartcard or token containing a certificate, verify the
correct one is plugged in and try again.
19 02:43:41.144 01/27/2006 Sev=Warning/2 IKE
Failed to open my certificate (Connection:240)
20 02:43:41.145 01/27/2006 Sev=Warning/2 IKE
Failed to set up connection data
21 02:43:41.145 01/27/2006 Sev=Info/4 CM
Unable to contact server "<correct server ip blanked>"
22 02:43:41.145 01/27/2006 Sev=Info/5 CM
Initializing CVPNDrv
23 02:43:41.145 01/27/2006 Sev=Info/4 CVPND
Privilege Separation: restoring MTU on primary interface.
24 02:43:41.145 01/27/2006 Sev=Info/4 IKE
IKE received signal to terminate VPN connection
25 02:43:41.145 01/27/2006 Sev=Info/4 IPSEC
IPSec driver successfully started
26 02:43:41.145 01/27/2006 Sev=Info/4 IPSEC
Deleted all keys
27 02:43:41.145 01/27/2006 Sev=Debug/7 IPSEC
Filter table modified, set new size
28 02:43:41.146 01/27/2006 Sev=Info/4 IPSEC
Deleted all keys
29 02:43:41.146 01/27/2006 Sev=Info/4 IPSEC
Deleted all keys
30 02:43:41.146 01/27/2006 Sev=Info/4 IPSEC
Deleted all keys
31 02:43:41.146 01/27/2006 Sev=Info/4 IPSEC
IPSec driver successfully stopped
32 02:43:44.144 01/27/2006 Sev=Info/4 CVPND
Stopped service:
33 02:43:44.144 01/27/2006 Sev=Info/4 CVPND
Privilege Separation: restoring MTU on primary interface.
Result from /etc/init.d/vpnclient status:
Code:
Auto-initiation Configuration Information.
* status: started
cisco_ipsec 565900 0
cipsec0 Link encap:Ethernet HWaddr <hex ip blanked>
NOARP MTU:1356 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Result from /usr/bin/vpnclient verify:
Code:
Auto-initiation Configuration Information.
Enable: 0
Retry Interval: 1 minutes
Relevant result from ifconfig -a:
Code:
cipsec0 Link encap:Ethernet HWaddr <correct hex ip blanked>
NOARP MTU:1356 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Packet Capture:
On non-working machine connection attempt, Ethereal captures one UDP packet sent
from client to server (the dropped packet). On a working machine on the same
subnet, Ethereal captures the same initial UDP packet, but then reports ISAKMP
(IKE) communication between the client and server - packets which are not sent
or responded to on the non-working machine.
Things I've tried without success:
- Reinstallation
- Modification to fix the "stamp" variable issue in linuxcniapi.c
- Downgrading to cisco-vpnclient-3des-4.6.03.0190-r1
- Downgrading all packages upgraded after vpnclient breakage
- Making sure udev configuration doesn't screw up the interface
- Looking at everything in /etc to see if anything would have an effect on the connection (though since I didn't know what I was looking for, I wasn't likely to find it, thus didn't change anything)
- Attempting to connect from different locations, and as different users
- Certificate reinstallation
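A small triage script for the ipseclog output above, added here as an example (it is not part of nizmot's post and not something the Cisco client ships): it groups each numbered header line with the continuation lines that follow it, pulls out every entry at Warning/2 or worse, and shows what was logged immediately before the first one. The embedded sample is the posted log trimmed to the entries around the failure; entry numbers, severities, components and the blanked placeholders are the poster's. On this log it reports entry 17 (CERT, "store open failed") as the first failure, preceded by the IKE debug entry about not acquiring a local IP address.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Excerpt of the ipseclog output posted in this thread (the poster had already
# blanked the server address and certificate name). Trimmed to the entries around
# the failure; the nested banner under entry 3 is kept to show continuation lines.
SAMPLE_LOG = """\
Cisco Systems VPN Client Version 4.7.00 (0640)
Config file directory: /etc/opt/cisco-vpnclient
1 02:43:32.102 01/27/2006 Sev=Warning/3 CLI
Unable to purge old log files. Function returned -1.
2 02:43:32.129 01/27/2006 Sev=Info/4 CVPND
Privilege Separation: restoring MTU on primary interface.
3 02:43:32.129 01/27/2006 Sev=Info/4 CVPND
Started cvpnd:
Cisco Systems VPN Client Version 4.7.00 (0640)
Running on: Linux 2.6.14-gentoo-r4 #2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005 i686
12 02:43:37.870 01/27/2006 Sev=Info/4 CM
Attempt connection with server "<correct server ip blanked>"
13 02:43:37.870 01/27/2006 Sev=Info/4 CVPND
Privilege Separation: binding to port: (500).
14 02:43:37.871 01/27/2006 Sev=Info/4 CVPND
Privilege Separation: binding to port: (4500).
15 02:43:37.871 01/27/2006 Sev=Info/6 IKE
Attempting to establish a connection with <correct server ip blanked>.
16 02:43:37.871 01/27/2006 Sev=Debug/9 IKE
Unable to acquire local IP address after 0 attempts (over 12 seconds), probably
due to network socket failure.
17 02:43:41.144 01/27/2006 Sev=Warning/2 CERT
Could not load certificate <correct certificate blanked> from store Cisco User
Certificate. Reason: store open failed
18 02:43:41.144 01/27/2006 Sev=Warning/2 IKE
Unable to open certificate (<correct certificate blanked>).
If you are using a smartcard or token containing a certificate, verify the
correct one is plugged in and try again.
19 02:43:41.144 01/27/2006 Sev=Warning/2 IKE
Failed to open my certificate (Connection:240)
20 02:43:41.145 01/27/2006 Sev=Warning/2 IKE
Failed to set up connection data
21 02:43:41.145 01/27/2006 Sev=Info/4 CM
Unable to contact server "<correct server ip blanked>"
"""

# Entry header: "<seq> <hh:mm:ss.mmm> <mm/dd/yyyy> Sev=<Name>/<level> <component>".
# A lower level number is more severe (Warning/2 outranks Info/4 and Debug/9).
HEADER = re.compile(
    r"^(\d+)\s+(\d{2}:\d{2}:\d{2}\.\d{3})\s+(\d{2}/\d{2}/\d{4})\s+"
    r"Sev=([A-Za-z]+)/(\d)\s+(\S+)\s*$"
)


@dataclass
class Entry:
    number: int
    time: str
    date: str
    severity: str
    level: int
    component: str
    lines: List[str] = field(default_factory=list)

    @property
    def message(self) -> str:
        # Continuation lines joined into one string for easy matching.
        return " ".join(l.strip() for l in self.lines if l.strip())


def parse_ipseclog(text: str) -> List[Entry]:
    """Group header lines and their continuation lines into Entry objects.
    Banner text before the first header is ignored."""
    entries: List[Entry] = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Entry(int(m[1]), m[2], m[3], m[4], int(m[5]), m[6])
            entries.append(current)
        elif current is not None:
            current.lines.append(line)
    return entries


def failures(entries: List[Entry], max_level: int = 2) -> List[Entry]:
    """Entries at or above a severity threshold (Warning/2 and worse by default)."""
    return [e for e in entries if e.level <= max_level]


def context(entries: List[Entry], entry: Entry, n: int = 2) -> List[Entry]:
    """The n entries logged immediately before `entry`, whatever their severity."""
    i = entries.index(entry)
    return entries[max(0, i - n):i]


if __name__ == "__main__":
    log = parse_ipseclog(SAMPLE_LOG)
    bad = failures(log)
    if not bad:
        print("no Warning/2 or worse entries")
    else:
        first = bad[0]
        print(f"first failure: #{first.number} {first.severity}/{first.level} "
              f"{first.component}: {first.message}")
        for e in context(log, first):
            print(f"  preceded by #{e.number} {e.severity}/{e.level} "
                  f"{e.component}: {e.message}")
```

To run it against a real log, replace SAMPLE_LOG with the output of /opt/cisco-vpnclient/bin/ipseclog. Lowering max_level to 3 also picks up the Warning/3 "Unable to purge old log files" entry, which is logged on every start here and is a permissions hint rather than the cause of the failed connection.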
Saidinknight n00b
Joined: 01 Feb 2005 Posts: 21 Location: RPI
Posted: Tue Mar 07, 2006 5:54 pm
I'm having an identical problem; if anyone can help with this it would be greatly appreciated.
_________________
I am the opiate of the masses!
--Captain Murphy (sealab 2021)
http://blog.kralizec.org
chryso n00b
Joined: 05 Dec 2003 Posts: 5
Posted: Fri Mar 10, 2006 12:09 am
I too am having the same problem. It was working at one point, but no longer.
I am running 2.6.15-gentoo-r5 and cisco-vpnclient-3des-4.8.00.0490.
Not sure what could be relevant for this problem; I am woefully inexperienced with VPN.
chryso n00b
Joined: 05 Dec 2003 Posts: 5
Posted: Fri Mar 10, 2006 4:13 pm Post subject: Nevermind
Ok, I mentioned I was inexperienced with VPN right?
Turns out that my company changed the group password since the last time I VPN'd. For the others, I would check to make sure that you are typing your group password correctly.
Cheers,
-C.
bekkra n00b
Joined: 13 Sep 2004 Posts: 57
Posted: Sun Mar 12, 2006 1:15 am
Actually, upgrading packages seems to be a kind of "package hell".
I still don't know what broke my setup, but on gentoo-2.6.15-r1 and cisco-vpnclient-3des-4.8.00.0490 I succeeded in breaking a working solution. :/ The connection fails, with lots of messages in the system logs with entries of this kind:
bad hh len 209788895
unknown mac header length (14)
Interesting... I suspect that the kernel is not configured to support networking in a way that this software needs. As far as I can see, there are no conditions in the documentation; the VPN software should simply be able to connect once there is a working Internet connection in place.
The most frustrating detail is that I see no more information anywhere; "unknown mac header length" is just not telling enough. For one thing, what piece of software says this?
A movie and a cup of tea later I ended up comparing the kernel configuration from the running (and failing, at least seen from the VPN connection's viewpoint) and the previous kernels, and I realized that I had indeed added some networking features: iptables. However, none of the new stuff was used, so it should not have been the problem.
Rebuilding the kernel automatically means that kernel modules may need to be rebuilt, so that is what I did, and I was immediately rewarded with a working Cisco VPN.
The rationale is of course "if it works, don't fix it", but you wouldn't be running Gentoo if upgrading packages were somebody else's melody.... But yes, despite module versioning, some changes in the kernel's configuration may result in a broken kernel module with a considerably more cryptic error message than "module xxxx failed to load".
Time to work over the VPN connection.
//
//
_________________
Bugs don't "go away" ( Steve McGuire )
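bekkra's fix was rebuilding the out-of-tree module after reconfiguring the kernel. The check below is an added example, not bekkra's code and not anything the cisco-vpnclient package ships: it compares a module file's mtime against the build stamp the running kernel reports in /proc/version and flags the module as stale if it predates the kernel build. The sample /proc/version line is constructed for this example from the "Running on:" banner in the thread (the compiler and host part in parentheses is invented), and the module path is whatever you pass on the command line. The vermagic string that modinfo shows (release, SMP, preempt, mod_unload, architecture) does not encode options such as netfilter, so a module can load without complaint and still have been compiled against different struct layouts; the timestamp comparison is a heuristic that catches the "forgot to rebuild" case, and it reads the stamp in the machine's current local time zone, so the result is only as good as that assumption.

```python
import os
import re
import sys
import time

# /proc/version as it might have read on the poster's first kernel. Constructed for
# this example from the "Running on:" banner in the thread; the compiler/host part
# in parentheses is made up.
SAMPLE_PROC_VERSION = (
    "Linux version 2.6.14-gentoo-r4 (root@localhost) "
    "(gcc version 3.4.4 (Gentoo 3.4.4-r1)) "
    "#2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005"
)

# The build stamp is the tail of the line: weekday, month, day, time, an optional
# zone abbreviation, and the year.
BUILD_STAMP = re.compile(
    r"((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
    r"\s+(?:[A-Za-z]{3,5}\s+)?(\d{4})\s*$"
)


def parse_build_stamp(proc_version: str) -> time.struct_time:
    """Build time of the running kernel, taken from a /proc/version line.
    The zone abbreviation is dropped because strptime cannot parse arbitrary zone
    names; the stamp is read in the local zone (assumed to be the build zone)."""
    m = BUILD_STAMP.search(proc_version.strip())
    if not m:
        raise ValueError("no build timestamp found in: " + proc_version)
    return time.strptime(f"{m[1]} {m[2]}", "%a %b %d %H:%M:%S %Y")


def module_is_stale(proc_version: str, module_mtime: float) -> bool:
    """True if the module file is older than the running kernel's build, i.e. it
    was built against an earlier build of the kernel and should be rebuilt."""
    return module_mtime < time.mktime(parse_build_stamp(proc_version))


def check_module(path: str, proc_version_path: str = "/proc/version") -> bool:
    """Live check: read /proc/version and stat the module file on this machine."""
    with open(proc_version_path) as f:
        version = f.read()
    return module_is_stale(version, os.stat(path).st_mtime)


if __name__ == "__main__":
    # Usage: python check_module.py /lib/modules/$(uname -r)/<path-to>/cisco_ipsec.ko
    # (the exact install path of the module is hypothetical here).
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target and os.path.exists(target) and os.path.exists("/proc/version"):
        verdict = "STALE, rebuild it" if check_module(target) else "newer than the kernel build"
        print(f"{target}: {verdict}")
    else:
        built = time.strftime("%Y-%m-%d %H:%M:%S", parse_build_stamp(SAMPLE_PROC_VERSION))
        print(f"sample kernel was built {built}; pass a .ko path to check a real module")
```

A module flagged stale here is the case bekkra describes: it still loads, because its vermagic matches, but it was compiled against headers from a previous kernel build.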