mpd PPTP to Cisco 3000 VPN Concentrator routing problem

2004-01-08 Thread Chris Jones
Hi.  I've gone over list archives and seen this issue discussed before,
but the suggested solutions aren't working for me.  I am using
mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000 Series VPN
Concentrator.  I have negotiated CHAP and MPPE and the ng0 interface
comes up, but when I try to do anything I get this:

$ ping 10.10.58.7 
PING 10.10.58.7 (10.10.58.7): 56 data bytes   
ping: sendto: Resource deadlock avoided   
ping: sendto: No buffer space available   

A little investigation showed that this is a known routing issue and
that it is possible to work around by re-addressing the ng0 interface
with the VPN concentrator's private IP and set a default route to it.  I
did this, but I still have the same problem.  :(

Does anyone see what I am doing wrong here?  Below are my routing table
and ifconfig before running mpd, after running mpd, and after running
the fix.  Below that is my mpd.conf and its output (verbose).

I appreciate any help on this, I've been going crazy trying to figure
out what I'm doing wrong.  I can get it to work using the OSX PPTP
client, but not mpd.


- Chris



VPN External IP: C.O.R.P
VPN Internal IP: 10.10.58.7


*** before running mpd

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.131.254    UGS         0        0    de0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.131        link#1             UC          0        0    de0
192.168.131.254    00:00:0f:00:00:00  UHLW        1        0    de0     36


*** after running mpd

ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1494
        inet 10.10.58.156 --> C.O.R.P netmask 0x
        inet6 fe80::203::fe73:504c%ng0 prefixlen 64 scopeid 0x3

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.131.254    UGS         0       30    de0
10.10.58.156       lo0                UHS         0        0    lo0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.131        link#1             UC          0        0    de0
192.168.131.254    00:00:0f:00:00:00  UHLW        1        0    de0      4
C.O.R.P            10.10.58.156       UH          0        0    ng0

*** run fix from iface up-script

ifconfig ng0 inet 10.10.58.156 10.10.58.7 netmask 0x
route delete default
route add default -interface ng0


*** after running fix

ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1494
        inet6 fe80::203::fe73:504c%ng0 prefixlen 64 scopeid 0x3
        inet 10.10.58.156 --> 10.10.58.7 netmask 0x

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            ng0                US          0        0    ng0
10.10.58.7         10.10.58.156       UH          0        0    ng0
10.10.58.156       lo0                UHS         0        0    lo0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.131        link#1             UC          0        0    de0
192.168.131.254    00:00:0f:00:00:00  UHLW        0        0    de0


ciscovpn:
    new -i ng0 ciscovpn work
    set bundle authname user
    set bundle password password
    set ipcp ranges 10.10.58.0/23 C.O.R.P/32
    set link max-redial -1
    set link keep-alive 0 0
    set link disable acfcomp protocomp
    set bundle no crypt-reqd
    set bundle enable compression encryption
    set ccp yes mppc
    set ccp yes mpp-e128
    set ccp no mpp-e40
    set ccp yes mpp-stateless
    set link disable pap chap
    set link no chap-md5
    set link no chap-msv2
    set link no pap
    set link accept chap-msv1
    set iface idle 0
    set ipcp disable vjcomp
    set ipcp enable req-pri-dns req-sec-dns
    set iface up-script /usr/local/etc/mpd/ciscovpn-iface-up.sh
    open

*** mpd.links

work:
    set link type pptp
    set pptp peer C.O.R.P
    set pptp enable originate outcall


*** mpd output

# mpd
Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 1033, version 3.15 ([EMAIL PROTECTED] 00:39  7-Jan-2004)
[ciscovpn] ppp node is mpd1033-ciscovpn
[ciscovpn] using interface ng0
[ciscovpn] IFACE: Open event
[ciscovpn] IPCP: Open event
[ciscovpn] IPCP: state change Initial --> Starting
[ciscovpn] IPCP: LayerStart
[ciscovpn:work] [ciscovpn] bundle: OPEN event in state CLOSED
[ciscovpn] opening link work...
[work] link: OPEN event
[work] LCP: Open event
[work] LCP: state change Initial --> Starting
[work] LCP: LayerStart
[work] device: OPEN event in state DOWN
pptp0: connecting to C.O.R.P:1723
[work] device is now in state OPENING
pptp0: connected to C.O.R.P:1723
pptp0: attached to connection with C.O.R.P:1723
pptp0-0: outgoing call connected at 1000 bps
[work] PPTP call successful
[work] device: UP event in state OPENING
[work] device is now in 
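
An added example, not part of the original post: a Python check for the condition that produces a routing loop of the kind discussed in this thread, namely whether the tunnel's own carrier packets, addressed to the concentrator's external address, would be routed into the tunnel interface itself. The tables are constructed, reduced to three columns and modelled on the three states listed above; 203.0.113.10 is a placeholder for the address shown as C.O.R.P, and the PINNED table (a host route to the peer via the LAN gateway) is an assumption added for comparison.

```python
import ipaddress

# Constructed tables (Destination, Gateway, Netif only), modelled on the three
# states in the message above. 203.0.113.10 is a placeholder for C.O.R.P.
PEER_OUTER = "203.0.113.10"
BEFORE = """\
default           192.168.131.254  de0
192.168.131.0/24  link#1           de0
"""
AFTER_MPD = BEFORE + "203.0.113.10  10.10.58.156  ng0\n"
AFTER_FIX = """\
default           ng0              ng0
10.10.58.7        10.10.58.156     ng0
192.168.131.0/24  link#1           de0
"""
# Assumption for comparison: a host route pinning the peer to the LAN gateway.
PINNED = AFTER_FIX + "203.0.113.10  192.168.131.254  de0\n"


def parse_routes(text):
    """Return [(network, netif)] from three-column route lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        dest, _gateway, netif = fields
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append((net, netif))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match: interface a packet to `address` leaves through."""
    addr = ipaddress.ip_address(address)
    matches = [(net.prefixlen, netif) for net, netif in routes if addr in net]
    return max(matches)[1] if matches else None


def tunnel_loops(table_text, peer_outer=PEER_OUTER, tunnel_if="ng0"):
    """True when the tunnel's own carrier packets would re-enter the tunnel."""
    return egress_interface(parse_routes(table_text), peer_outer) == tunnel_if


if __name__ == "__main__":
    for name in ("BEFORE", "AFTER_MPD", "AFTER_FIX", "PINNED"):
        print(name, "loops" if tunnel_loops(globals()[name]) else "ok")
```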

Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem

2004-01-08 Thread Joe Marcus Clarke
On Thu, 2004-01-08 at 02:49, Chris Jones wrote:
> Hi.  I've gone over list archives and seen this issue discussed before,
> but the suggested solutions aren't working for me.  I am using
> mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000 Series VPN
> Concentrator.  I have negotiated CHAP and MPPE and the ng0 interface
> comes up, but when I try to do anything I get this:
>
> $ ping 10.10.58.7
> PING 10.10.58.7 (10.10.58.7): 56 data bytes
> ping: sendto: Resource deadlock avoided
> ping: sendto: No buffer space available
>
> A little investigation showed that this is a known routing issue and
> that it is possible to work around by re-addressing the ng0 interface
> with the VPN concentrator's private IP and set a default route to it.  I
> did this, but I still have the same problem.  :(
>
> Does anyone see what I am doing wrong here?  Below are my routing table
> and ifconfig before running mpd, after running mpd, and after running
> the fix.  Below that is my mpd.conf and its output (verbose).
>
> I appreciate any help on this, I've been going crazy trying to figure
> out what I'm doing wrong.  I can get it to work using the OSX PPTP
> client, but not mpd.

Good luck.  I have tried to get this working, but have never been able
to get mpd encryption to work with the Concentrator's encryption
(neither has anyone else to my knowledge).  If you disable encryption on
the concentrator, the tunnel will come up, and you will be able to pass
traffic across it.  Any other combination does not work.  I haven't
tried 3.16 yet, but looking at the ChangeLog, I doubt it addresses this
problem.

Joe

-- 
PGP Key : http://www.marcuscom.com/pgp.asc




Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem

2004-01-08 Thread Chris Jones
Oh. :(  I thought it negotiated the encryption ok because I see this:

[ciscovpn] CCP: LayerUp
  Compress using: MPPE, 128 bit, stateless
  Decompress using: MPPE, 128 bit, stateless

And capturing on the interface, I see echo req's coming in from the
concentrator, but I encounter a routing loop when I try to send across
the tunnel.

Disabling encryption isn't an option, even for testing, I'm afraid.



-- 
Chris
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem

2004-01-08 Thread Joe Marcus Clarke
On Thu, 2004-01-08 at 03:34, Chris Jones wrote:
> Oh. :(  I thought it negotiated the encryption ok because I see this:
>
> [ciscovpn] CCP: LayerUp
>   Compress using: MPPE, 128 bit, stateless
>   Decompress using: MPPE, 128 bit, stateless

This is fine.  I get this, too.  However, when trying to send data, I
get decryption errors (the concentrator reports invalid packets).

 
> And capturing on the interface, I see echo req's coming in from the
> concentrator, but I encounter a routing loop when I try to send across
> the tunnel.

I was able to get past the routing loop by readdressing the interface as
soon as it came up.  This is a good starter howto on that procedure:

http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn/fbsd-cisco-vpn.pdf

 
> Disabling encryption isn't an option, even for testing, I'm afraid.

Then you're probably not going to have any luck getting this to work.  You
might also consider trying out security/vpnc if the concentrator also
allows for IPSec clients using the Cisco VPN client.

Joe

 
 
-- 
PGP Key : http://www.marcuscom.com/pgp.asc




Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem

2004-01-08 Thread Fernando Gleiser
On Thu, 8 Jan 2004, Joe Marcus Clarke wrote:


> Good luck.  I have tried to get this working, but have never been able
> to get mpd encryption to work with the Concentrator's encryption
> (neither has anyone else to my knowledge).  If you disable encryption on
> the concentrator, the tunnel will come up, and you will be able to pass
> traffic across it.  Any other combination does not work.  I haven't
> tried 3.16 yet, but looking at the ChangeLog, I doubt it addresses this
> problem.

This is a known issue. I've been in touch with Archie, I sent him some
tcpdump traces, logs and the same stuff from a Linux client which works
OK.

The bad news is Archie is horribly busy at this time and won't be able to
look at it for some time.



Fer
