Re: FIXED: vpnc connects, but does not work
> ... I do have a Linux OS that I have access to that strangely does use vpnc successfully.

That may help quite a bit. You can use something like tcpdump or wireshark on the FreeBSD system to monitor the traffic between the Linux system and the Cisco while connecting and doing something simple like pinging the inside nameserver, then reverse roles and use the Linux system to monitor the traffic between FreeBSD and the Cisco while connecting and attempting to do the same simple thing. You won't be able to see what's inside the IPSEC-encrypted packets, but you can at least see how many of what size are sent in each direction. This may provide some clues as to what is going wrong.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
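One way to do the comparison perryh describes, as an added example that is not part of this thread: a small Python script that tallies, per direction, how many packets of what size were seen on each channel a vpnc session uses (IKE on udp/500, NAT-T on udp/4500, Cisco UDP encapsulation on udp/10000, which I am assuming is vpnc's default cisco-udp port, and raw ESP) and flags channels on which the local host sends but nothing comes back. The two capture snippets are constructed in the shape of tcpdump -n output using RFC 5737 addresses; they are not captures from the systems in the thread, and the "broken" one is a hypothetical in which ESP leaves the host and nothing returns, the pattern you would expect to see when a NAT device in the path drops raw ESP and the remedy is an encapsulated mode such as cisco-udp.

```python
import re
from collections import defaultdict

# Constructed sample captures in the shape of "tcpdump -n" output. The
# addresses are RFC 5737 documentation addresses plus the LAN address from
# the thread; none of these lines were captured from the systems discussed.
LOCAL = "192.168.200.61"        # the FreeBSD host being debugged

CAPTURE_WORKING = """\
10:00:00.000100 IP 192.168.200.61.500 > 203.0.113.5.500: isakmp: phase 1 I agg, length 396
10:00:00.053000 IP 203.0.113.5.500 > 192.168.200.61.500: isakmp: phase 1 R agg, length 412
10:00:00.060000 IP 192.168.200.61.10000 > 203.0.113.5.10000: UDP, length 132
10:00:00.113000 IP 203.0.113.5.10000 > 192.168.200.61.10000: UDP, length 132
10:00:01.000000 IP 192.168.200.61.10000 > 203.0.113.5.10000: UDP, length 116
10:00:01.053000 IP 203.0.113.5.10000 > 192.168.200.61.10000: UDP, length 116
"""

# Hypothetical failing session: IKE completes, then ESP leaves the host and
# nothing ever comes back (what a NAT device silently dropping ESP looks like).
CAPTURE_BROKEN = """\
10:00:00.000100 IP 192.168.200.61.500 > 203.0.113.5.500: isakmp: phase 1 I agg, length 396
10:00:00.053000 IP 203.0.113.5.500 > 192.168.200.61.500: isakmp: phase 1 R agg, length 412
10:00:00.060000 IP 192.168.200.61 > 203.0.113.5: ESP(spi=0x0000abcd,seq=0x1), length 116
10:00:01.000000 IP 192.168.200.61 > 203.0.113.5: ESP(spi=0x0000abcd,seq=0x2), length 116
10:00:02.000000 IP 192.168.200.61 > 203.0.113.5: ESP(spi=0x0000abcd,seq=0x3), length 116
"""

# UDP ports carrying the IPsec control and data planes of a vpnc session.
# 10000 as the cisco-udp port is an assumption (vpnc's default), not from the thread.
PORT_CHANNELS = {500: "IKE", 4500: "NAT-T", 10000: "cisco-udp"}

UDP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): .*length (\d+)")
ESP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ESP\(.*length (\d+)")


def classify(line):
    """Return (channel, src, dst, length) for one capture line, or None."""
    m = UDP_RE.search(line)
    if m:
        src, sport, dst, dport, length = m.groups()
        channel = PORT_CHANNELS.get(int(dport), PORT_CHANNELS.get(int(sport), "udp/other"))
        return channel, src, dst, int(length)
    m = ESP_RE.search(line)
    if m:
        src, dst, length = m.groups()
        return "ESP", src, dst, int(length)
    return None


def tally(capture, local):
    """Packet and byte counts keyed by (channel, 'out' | 'in') relative to local."""
    counts = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in capture.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        channel, src, _dst, length = rec
        direction = "out" if src == local else "in"
        counts[(channel, direction)]["packets"] += 1
        counts[(channel, direction)]["bytes"] += length
    return dict(counts)


def one_way_channels(capture, local):
    """Channels on which local sends but never receives: where to look first."""
    t = tally(capture, local)
    channels = {ch for ch, _ in t}
    return sorted(ch for ch in channels if (ch, "out") in t and (ch, "in") not in t)


if __name__ == "__main__":
    for name, cap in (("working", CAPTURE_WORKING), ("broken", CAPTURE_BROKEN)):
        print(f"== {name} ==")
        for (channel, direction), c in sorted(tally(cap, LOCAL).items()):
            print(f"  {channel:10s} {direction:3s} {c['packets']:3d} pkts {c['bytes']:5d} bytes")
        print("  one-way channels:", one_way_channels(cap, LOCAL) or "none")
```

Run the same tally over a real capture from the working Linux host and from the FreeBSD host (tcpdump -n on the LAN side, with LOCAL set to each host's address), and the first thing to compare is which channel the data plane is on and whether anything on it ever comes back; encrypted payload is irrelevant to that comparison.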
Re: FIXED: vpnc connects, but does not work
Hi perryh!

On Mon, 12 Jan 2009, per...@pluto.rain.com wrote:

> > ... I do have a Linux OS that I have access to that strangely does use vpnc successfully.
>
> That may help quite a bit. You can use something like tcpdump or wireshark on the FreeBSD system to monitor the traffic between the Linux system and the Cisco while connecting and doing something simple like pinging the inside nameserver, then reverse roles and use the Linux system to monitor the traffic between FreeBSD and the Cisco while connecting and attempting to do the same simple thing. You won't be able to see what's inside the IPSEC-encrypted packets, but you can at least see how many of what size are sent in each direction. This may provide some clues as to what is going wrong.

Alas, this is a multi-boot system where the Linux OS is installed - so no chance of that :-(

I've just determined that it might not be a problem with vpnc.., as such. I got an ethernet connection to work just now, so it looks as if it's just down to how vpnc is handling my wifi interface, for some reason. As I said originally, this **was** working, and now it's stopped for some reason. I'm now fairly certain that it's not got anything to do with vpnc natively, as I used the same vpnc conf file to successfully access the office over ethernet.

I'll keep at it..,

Thanks for your assistance!

Regards,
S Roberts
Re: FIXED: vpnc connects, but does not work
Hi perryh!

Glad to hear that you managed to get your problem fixed..,

I also have this problem, the difference being that mine **USED to** work, but now it suddenly stopped working. I tried adding the line to my conf file as you did, but for me, the problem remains:

- Appears to connect and authenticate successfully to my office's VPN concentrator
- Once (apparently) connected, I can't access any resources on the company network (mail / servers, etc), nor can I ping anything..,

Wondering if you can point me to where you found the info on the various options I can try to continue debugging this problem, please. The FW guys at the office aren't exactly forthcoming where non-MS windows is concerned, you see..,

Thanks.

Regards,
S Roberts

On Sun, 04 Jan 2009, per...@pluto.rain.com wrote:

> I have installed vpnc to connect to an employer's Cisco VPN system, and it seems to make the connection, but after connecting I can't ping the gateway nor anything beyond it ...
>
> It turned out the only problem was the absence of
>
>     NAT Traversal Mode cisco-udp
>
> in vpnc.conf. (Presumably not all configurations of the Cisco 3000 will need that, else it would be the default, but it seems to be correct for the one involved here.) I never did figure out why that kept the interface from responding to a ping of its own address :(
Re: FIXED: vpnc connects, but does not work
> I also have this problem, the difference being that mine **USED to** work, but now it suddenly stopped working. I tried adding the line to my conf file as you did, but for me, the problem remains:
>
> - Appears to connect and authenticate successfully to my office's VPN concentrator
> - Once (apparently) connected, I can't access any resources on the company network (mail / servers, etc), nor can I ping anything..,

Including the IP address of your tun0 interface? (If you can ping that, but nothing beyond, you have a different problem than I had.)

> Wondering if you can point me to where you found the info on the various options I can try to continue debugging this problem, please.

That line came from the output of vpnc --long-help. Other things to look at are the vpnc(8) manpage, the /usr/local/share/doc/vpnc/README file, and the TODO file in /usr/ports/security/vpnc/work/vpnc-0.4.0. There's more detail of what I think is going on in this thread:

http://lists.freebsd.org/pipermail/freebsd-net/2009-January/020638.html

By the time you get it working again, you will probably have learned more about the workings of vpnc than you really cared to know :)

> The FW guys at the office aren't exactly forthcoming where non-MS windows is concerned, you see..,

Not surprising :( Too many security types act as if obscurity helped security, not realizing that it inconveniences only their customers and not their enemies. Any chance they would be willing to say what config change they made on their end about the time it stopped working, without reference to what is running on your end?

Another thing to check is whether your ISP changed something.
Re: FIXED: vpnc connects, but does not work
Hi perryh!

Thanks for the reply..,

On Sun, 11 Jan 2009, per...@pluto.rain.com wrote:

> > I also have this problem, the difference being that mine **USED to** work, but now it suddenly stopped working. I tried adding the line to my conf file as you did, but for me, the problem remains:
> >
> > - Appears to connect and authenticate successfully to my office's VPN concentrator
> > - Once (apparently) connected, I can't access any resources on the company network (mail / servers, etc), nor can I ping anything..,
>
> Including the IP address of your tun0 interface? (If you can ping that, but nothing beyond, you have a different problem than I had.)

Nope - same as yours..,

> > Wondering if you can point me to where you found the info on the various options I can try to continue debugging this problem, please.
>
> That line came from the output of vpnc --long-help. Other things to look at are the vpnc(8) manpage, the /usr/local/share/doc/vpnc/README file, and the TODO file in /usr/ports/security/vpnc/work/vpnc-0.4.0. There's more detail of what I think is going on in this thread:
>
> http://lists.freebsd.org/pipermail/freebsd-net/2009-January/020638.html
>
> By the time you get it working again, you will probably have learned more about the workings of vpnc than you really cared to know :)
>
> > The FW guys at the office aren't exactly forthcoming where non-MS windows is concerned, you see..,

This is great - I had a peek, so will pore over these and see how I get on with further debugging.., It's not TOO bad on my side, as I do have a Linux OS that I have access to that strangely does use vpnc successfully. Will press on with the pointers you've provided here.

Thanks for the help!

Regards,
S Roberts

> Not surprising :( Too many security types act as if obscurity helped security, not realizing that it inconveniences only their customers and not their enemies.
>
> Any chance they would be willing to say what config change they made on their end about the time it stopped working, without reference to what is running on your end? Another thing to check is whether your ISP changed something.
FIXED: vpnc connects, but does not work
I have installed vpnc to connect to an employer's Cisco VPN system, and it seems to make the connection, but after connecting I can't ping the gateway nor anything beyond it ...

It turned out the only problem was the absence of

    NAT Traversal Mode cisco-udp

in vpnc.conf. (Presumably not all configurations of the Cisco 3000 will need that, else it would be the default, but it seems to be correct for the one involved here.) I never did figure out why that kept the interface from responding to a ping of its own address :(
vpnc connects, but does not work
I have installed vpnc to connect to an employer's Cisco VPN system, and it seems to make the connection, but after connecting I can't ping the tun0 interface nor anything beyond it. The symptom seems to resemble what is described in the Routing section of http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn.pdf, but since that is using a completely different setup on the FreeBSD side I have no idea whether the remedy described there is applicable (nor, if it is, how to determine the addresses to use in this case).

Does this look at all familiar, or does anyone have any ideas for how to go about debugging it? I didn't find anything that seemed applicable in recent ports@ or questions@ archives, and an earlier inquiry on ports@ did not produce a solution.

(I have XX'd out potentially-sensitive material in the following.)

# /usr/local/sbin/vpnc
Enter password for x...@xxx.xxx.com:
Connect Banner:
| *** XXX, Inc. Authorized Use Only ***
add host YYY.YYY.127.228: gateway 192.168.200.254
add net ZZZ.ZZZ.0.0: gateway ZZZ.ZZZ.233.42
[snipped 56 other add net lines, all with the same gateway address, none to any ZZZ.ZZZ address until:]
add net ZZZ.ZZZ.57.128: gateway ZZZ.ZZZ.233.42
add net ZZZ.ZZZ.57.133: gateway ZZZ.ZZZ.233.42
VPNC started in background (pid: 24776)...

The addresses in those last two add net lines seem to be the nameservers:

$ cat /etc/resolv.conf
#...@vpnc_generated@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
nameserver ZZZ.ZZZ.57.128
nameserver ZZZ.ZZZ.57.133
search XXX.com

which leads me to wonder whether they really ought to be add host -- for that matter it's not clear they're needed at all since they should be covered by the add net ZZZ.ZZZ.0.0 -- but I guess that may not make much difference when I can't even ping my own gateway (tun0) address :(

$ ping ZZZ.ZZZ.233.42
PING ZZZ.ZZZ.233.42 (ZZZ.ZZZ.233.42): 56 data bytes
^C
--- ZZZ.ZZZ.233.42 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

$ ping ZZZ.ZZZ.57.128
PING ZZZ.ZZZ.57.128 (ZZZ.ZZZ.57.128): 56 data bytes
^C
--- ZZZ.ZZZ.57.128 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

$ ping ZZZ.ZZZ.57.133
PING ZZZ.ZZZ.57.133 (ZZZ.ZZZ.57.133): 56 data bytes
^C
--- ZZZ.ZZZ.57.133 ping statistics ---
27 packets transmitted, 0 packets received, 100% packet loss

$ ifconfig -a
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet6 fe80::2b0:d0ff:fe28:ad4f%xl0 prefixlen 64 scopeid 0x1
        inet 192.168.200.61 netmask 0xff00 broadcast 192.168.200.255
        ether 00:b0:d0:28:ad:4f
        media: Ethernet autoselect (10baseT/UTP)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff00
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1412
        inet6 fe80::2b0:d0ff:fe28:ad4f%tun0 prefixlen 64 scopeid 0x4
        inet ZZZ.ZZZ.233.42 --> ZZZ.ZZZ.233.42 netmask 0x
        Opened by PID 24635

Meanwhile I _can_ ping YYY.YYY.127.228, which I guess is the concentrator's public IP address:

$ ping YYY.YYY.127.228
PING YYY.YYY.127.228 (YYY.YYY.127.228): 56 data bytes
64 bytes from YYY.YYY.127.228: icmp_seq=0 ttl=116 time=53.226 ms
64 bytes from YYY.YYY.127.228: icmp_seq=1 ttl=116 time=52.982 ms
64 bytes from YYY.YYY.127.228: icmp_seq=2 ttl=116 time=53.130 ms
^C
--- YYY.YYY.127.228 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 52.982/53.113/53.226/0.100 ms

Traceroute to YYY.YYY.127.228 produces the same 14-hop result whether connected or disconnected (modulo the need to use traceroute -n while connected: since vpnc has replaced /etc/resolv.conf with one specifying only the corporate nameservers, and I can't reach them because the link doesn't work, there is no name service while connected). Just like ping, traceroute to the tun0 IP address, while connected, produced nothing:

$ traceroute -n ZZZ.ZZZ.233.42
traceroute to ZZZ.ZZZ.233.42 (ZZZ.ZZZ.233.42), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
^C

What seems truly bizarre is that, as noted above, I couldn't ping the tun0 interface while connected even though ifconfig reported it as up. Shouldn't a local interface, reported as up, *always* respond to a ping of its own IP address?

$ netstat -r -n
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.200.254    UGS         0  2209723    xl0
[snip lines corresponding to snipped add net lines above]
127.0.0.1          127.0.0.1
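The routing question the post raises (whether the two nameserver routes are needed at all, given that the broader add net already covers them) can be checked mechanically against the route list and resolv.conf. The script below is an added example, not code from this thread or from vpnc: it parses lines in the shape of the "add host/add net ...: gateway ..." output above, does a longest-prefix match for each nameserver, and reports host routes that are redundant because a less specific route already sends that address to the same gateway. The addresses are constructed RFC 5737/1918 stand-ins for the XX'd values, and the prefix lengths (the /16 in particular) are assumptions, since the output quoted in the post shows no masks. It covers only the routing question: a redundant route is harmless, and being unable to ping tun0 at all is a separate problem, which the FIXED follow-up in this thread attributes to the NAT traversal setting.

```python
import ipaddress
import re

# Constructed sample in the shape of the "add host/add net ...: gateway ..."
# lines printed when vpnc brings the tunnel up. Addresses are RFC 5737/1918
# stand-ins for the XX'd values in the post; the "/N" prefix lengths are
# ASSUMED, because the output quoted in the post does not show masks.
ROUTE_LINES = """\
add host 203.0.113.228/32: gateway 192.168.200.254
add net 10.20.0.0/16: gateway 10.20.233.42
add net 10.20.57.128/32: gateway 10.20.233.42
add net 10.20.57.133/32: gateway 10.20.233.42
"""

# Constructed resolv.conf with the same nameservers; not the file from the post.
RESOLV_CONF = """\
# constructed sample
nameserver 10.20.57.128
nameserver 10.20.57.133
search example.com
"""

ROUTE_RE = re.compile(r"add (host|net) (\S+): gateway (\S+)")


def parse_routes(text):
    """Parse 'add host|net DEST[/N]: gateway GW' lines into (network, gateway) pairs."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        _kind, dest, gw = m.groups()
        if "/" not in dest:
            dest += "/32"  # assumption: a bare destination is a single host
        routes.append((ipaddress.ip_network(dest, strict=False), ipaddress.ip_address(gw)))
    return routes


def parse_nameservers(text):
    """Addresses from the 'nameserver' lines of a resolv.conf."""
    return [ipaddress.ip_address(line.split()[1])
            for line in text.splitlines() if line.startswith("nameserver")]


def matching_routes(routes, addr):
    """Routes covering addr, most specific first (longest-prefix match order)."""
    hits = [(net, gw) for net, gw in routes if addr in net]
    return sorted(hits, key=lambda r: r[0].prefixlen, reverse=True)


def redundant_host_routes(routes):
    """Host routes whose gateway equals that of the next less specific covering route.

    Such a route changes nothing: longest-prefix match selects it, but without it
    the packet would leave via the same gateway anyway. (IPv4 only.)
    """
    redundant = []
    for net, gw in routes:
        if net.prefixlen != 32:
            continue
        covering = [r for r in matching_routes(routes, net.network_address) if r[0] != net]
        if covering and covering[0][1] == gw:
            redundant.append(str(net.network_address))
    return redundant


def nameserver_report(routes, nameservers):
    """For each nameserver, its covering routes as 'NET via GW', most specific first."""
    return {str(ns): [f"{net} via {gw}" for net, gw in matching_routes(routes, ns)]
            for ns in nameservers}


if __name__ == "__main__":
    routes = parse_routes(ROUTE_LINES)
    for ns, hits in nameserver_report(routes, parse_nameservers(RESOLV_CONF)).items():
        print(ns, "->", hits[0] if hits else "NO ROUTE")
    print("redundant host routes:", redundant_host_routes(routes))
```

With the assumed /16, both nameserver routes come out as redundant, which is the situation the post suspects; a nameserver with no covering route at all, or one whose most specific route points at a different gateway than the tunnel, would be worth a closer look before blaming vpnc itself.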