Bug 183014 - VPN Howto : Using vpnc - Suggested Addition
Summary: VPN Howto : Using vpnc - Suggested Addition
Status: RESOLVED WONTFIX
Alias: None
Product: [OLD] Docs on www.gentoo.org
Classification: Unclassified
Component: New Documentation (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Docs Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-24 04:01 UTC by Mike Smyth
Modified: 2007-06-28 08:36 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Smyth 2007-06-24 04:01:09 UTC
Thanks very much for the draft VPN Howto on vpnc.

I had a problem with my vpnc that took me a considerable amount of time to solve. I had googled, and it looks like it is a fairly common problem (without any posted solutions that I could find), so it is probably worth adding some text in a troubleshooting section, or even in the main text.

The symptom is that when I tried to log onto my company's network, I got a "vpnc: no response from target". In my case, I was working with configuration information that I knew was correct - I could successfully log in using the CISCO vpn software.

The problem ended up being that vpnc uses local port 500 by default. This was being blocked by a firewall - most likely my company's (my firewall is an off-the-shelf router with no configuration, I doubt it would be blocking port 500). The solution is to tell vpnc to use a different port. The CISCO software uses port 10000 for both the source and destination. Since the CISCO software had worked for me, that is the local port I used. You can add a line to your default.conf file "Local Port 10000" to configure this.
Comment 1 nm (RETIRED) gentoo-dev 2007-06-24 05:34:10 UTC
First, we need to know the full path to this default.conf file.

Second, it is your job to determine if the router issue is on your end or the company's -- keep in mind that just because you have a problem doesn't mean that everyone else will. Need to find that out, not just guess at what the router is and is not blocking. I dunno, I'm not convinced that we should tell our users to change the default port just because one person's company has a firewall in place. Have I just misunderstood it? I'm not seeing any benefits to adding this.

If you can add any comments or clarification it'd be appreciated.
Comment 2 Mike Smyth 2007-06-25 17:13:12 UTC
(In reply to comment #1)
> First, we need to know the full path to this default.conf file.

Ah, sorry about that. This is the standard vpnc configuration file, /etc/vpnc/default.conf. The Howto recommends putting the configuration in /etc/vpnc.conf. Perhaps this should read "configuration file" instead of "default.conf" - this is just the file where all the other configuration information is.

> Second, it is your job to determine if the router issue is on your end or the
> company's -- keep in mind that just because you have a problem doesn't mean
> that everyone else will. Need to find that out, not just guess at what the
> router is and is not blocking. I dunno, I'm not convinced that we should tell
> our users to change the default port just because one person's company has a
> firewall in place. Have I just misunderstood it? I'm not seeing any benefits to
> adding this.

The problem is on my company's end. I work for NASA, which is constantly having people trying to hack into our computers. The firewall policy is to first block everything, and then second to turn on specific services as needed. Because port 500 isn't associated with a known service, it is shut off. Port 10000 is associated with vpn - it is what is used by the CISCO software - so it is turned on.

I have no idea how common this is. I don't imagine it is uncommon, the "shut everything off and then turn on what is needed" seems like a common security policy, but I don't have hard numbers on how many firewalls are set up that way. A google search on 'vpnc "no response from target"' turns up 130 hits. I don't know how many of those problems are caused by firewall problems.

The recommendation wasn't that everybody should change the port they are using, obviously port 500 works just fine for a lot of people. Rather the recommendation was adding something along the lines of "if you encounter the error 'no response from target' here is something you can try". In my particular case, this would have been very useful to me. It took me quite a while to even suspect the port was an issue, although once I figured that it might be the problem it didn't take long to figure out how to fix it.

If nobody else has run into this problem, then this doesn't need to be added to the documentation. It might just be a quirk of NASA. But my suspicion is that it is more common, based on the number of google hits and it being a natural consequence of "block all ports, and only turn on services that are needed".
Comment 3 Mike Smyth 2007-06-25 18:58:24 UTC
(In reply to comment #2)
> If nobody else has run into this problem, then this doesn't need to be added to
> the documentation. It might just be a quirk of NASA. But my suspicion is that
> it is more common, based on the number of google hits and it being a natural
> consequence of "block all ports, and only turn on services that are needed".

I should mention that the port 500 being blocked is for outgoing traffic from JPL/NASA only. Both the CISCO software and vpnc use port 10000 for incoming traffic to the vpn server, and that isn't blocked. The issue I ran into would only occur for companies with rules that block outgoing traffic to certain destination ports, which the JPL/NASA firewall does.
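The check below is an added example for the situation described in the report and in comments 2 and 3; it is not part of the bug, the Gentoo Howto, or the vpnc project. It reads a vpnc configuration file (the report names /etc/vpnc/default.conf) and reports which local UDP port vpnc will use, so that a "vpnc: no response from target" failure can be compared against the egress firewall policy before the configuration is changed. It assumes only what the thread states: the "Local Port <n>" directive, vpnc's default of 500, and the report's fix of "Local Port 10000". The two configuration files it creates are constructed samples with placeholder gateway and group values.

```shell
#!/bin/sh
# Added example, not from the bug report or the vpnc project.
# Reports the local UDP port a vpnc configuration will use, so a
# "vpnc: no response from target" error can be checked against the
# egress firewall policy before anything else is changed.
# Assumptions: the "Local Port <n>" directive and the default of 500
# are as described in the report; the sample configs are constructed.

# Effective local port for the vpnc config file given as $1: the last
# "Local Port" value if one is set, otherwise vpnc's default of 500.
vpnc_local_port() {
    awk '$1 == "Local" && $2 == "Port" { port = $3 }
         END { print (port == "" ? 500 : port) }' "$1"
}

# One-line hint for the "no response from target" case: which outbound
# UDP port must be permitted for this config, and the fix from the report.
vpnc_egress_hint() {
    port=$(vpnc_local_port "$1")
    if [ "$port" -eq 500 ]; then
        echo "vpnc uses local UDP port 500 (default); if outbound UDP 500 is blocked, add 'Local Port 10000' to $1 (the port the Cisco client uses)"
    else
        echo "vpnc uses local UDP port $port; confirm outbound UDP $port is permitted by the egress firewall"
    fi
}

# Demo on two constructed config files (placeholder gateway and group ID):
# one with vpnc's defaults, one with the "Local Port 10000" line added.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/default.conf" <<'EOF'
IPSec gateway vpn.example.invalid
IPSec ID example-group
Xauth username alice
EOF
    cp "$tmp/default.conf" "$tmp/fixed.conf"
    echo "Local Port 10000" >> "$tmp/fixed.conf"
    vpnc_egress_hint "$tmp/default.conf"
    vpnc_egress_hint "$tmp/fixed.conf"
    rm -r "$tmp"
}

demo
```

Run it against the real file with `vpnc_local_port /etc/vpnc/default.conf` after sourcing the script; a result of 500 with the error in the log is the case the report describes, and the decision of whether to change the port or to open outbound UDP 500 belongs to whoever owns the firewall policy, as comment 4 points out.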
Comment 4 nm (RETIRED) gentoo-dev 2007-06-28 08:36:35 UTC
Well, after conferring with some of my fellow GDP members, we seem to agree that knowledge of ports and firewalls is a little more like basic general knowledge than anything in particular to vpnc. It'd be a little strange to put a fix for just one person's corner-case (?) issue into the doc.

(Btw, you mention that you do NASA/JPL stuff; you should say hi to new Gentoo developer LavaJoe; he does JPL too! I think.)