Hi Vene,

Would appreciate any help you can give as I am not sure which NAT you are talking about.

A little more background. I am replacing a Windows 2000 routing and remote access machine that was acting as the gateway and performing NAT for Internet access for our local clients. In this setup the Cisco VPN clients had no problem connecting to the VPN concentrator. The only difference in any setup is the replacement of the 2000 machine with the Ubuntu gateway machine. I am really confused why this isn't working, as all local clients have full Internet access using the public IP of the gateway server.

In the Cisco VPN client log I have noticed entries such as:

3604 13:43:54.925 04/18/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.110.142.69

3605 13:43:54.925 04/18/07 Sev=Info/4 IKE/0xE3000033
Invalid payload: length stated is smaller than length of header alone.

3606 13:43:54.925 04/18/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x321FFD92)

And a lot of messages such as:

3599 13:43:46.925 04/18/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.110.142.69

3600 13:43:46.925 04/18/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from 203.110.142.69

3601 13:43:46.925 04/18/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

3602 13:43:46.925 04/18/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to 203.110.142.69

Any ideas?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Benito Venegas
Sent: Wednesday, 18 April 2007 9:38 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] IPSec Passthrough fails when using Cisco VPN client

Peter:

We had to deal with this some weeks ago. I think the only part you have missed is the NAT. Cisco VPN requires that the desktop has a valid IP. So just create a NAT, and you'll be OK.

If you still have problems, don't hesitate to contact me and we can do some tests together.

Cheers,
--
Vene.-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Wilson
Sent: Monday, April 16, 2007 10:21 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] IPSec Passthrough fails when using Cisco VPN client

I have Shorewall running as an office gateway performing NAT for local clients to access the Internet. There is a policy allowing full access from loc -> net.

The problem arises when trying to connect a Cisco VPN client to a VPN server on the Internet from a local workstation. The Cisco client log shows:

Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

If I bypass the Linux Shorewall gateway the connection works perfectly. This is the only type of connection to the Internet that seems to have any problems - www, https, ftp, MSN etc. all connect no problem.

I have tried to remove Shorewall from the equation by doing the following, with no luck:

sudo shorewall clear
sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j MASQUERADE

I have searched high and low but have not been able to find anything that will help with this problem. Has anyone else had a similar experience? Can anyone point me in the right direction, as this problem is completely beyond my knowledge and experience?

Attached is the status.txt file as created by shorewall dump. For this example I attempted to connect between 192.168.118.118 and 203.110.142.69.

If I have missed anything or you need further information please let me know.

Thank you in advance,
Peter
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users