Hello. I have a big problem with vpnc.
--------
My environment:
uname -a:
Linux dragon 3.0.1-pf #3 SMP PREEMPT Tue Aug 16 01:03:41 MSD 2011 x86_64 Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz GenuineIntel GNU/Linux
Vpnc version: 0.5.3
-------
When I run vpnc, it tries to connect to the remote server, but without success:
----------
vpnc --debug 1
vpnc version 0.5.3
IKE SA selected psk+xauth-3des-md5
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
Enter Username and Password.
---------
My vpnc.conf:
---------
## generated by pcf2vpnc
IPSec ID XXX
IPSec gateway vpn.xxx.net
IPSec secret cisco_vpn_1357
IKE Authmode psk
------------
Q1: What am I doing wrong?
Q2: Why does vpnc hang?
P.S. I attached the full debug 99 log and tcpdump.

Reproducible: Always

Steps to Reproduce:
1. run vpnc
2. it hangs

Expected Results:
Vpnc must connect very quickly
Created attachment 284379: vpnc --debug 99 log
Created attachment 284381: Vpnc tcpdump for wireshark
grep "TUN" /usr/src/linux/.config
CONFIG_YENTA_ENE_TUNE=y
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_TUN=m
CONFIG_MEDIA_TUNER=m
CONFIG_MEDIA_TUNER_CUSTOMISE=y
CONFIG_MEDIA_TUNER_SIMPLE=m
CONFIG_MEDIA_TUNER_TDA8290=m
CONFIG_MEDIA_TUNER_TDA827X=m
CONFIG_MEDIA_TUNER_TDA18271=m
CONFIG_MEDIA_TUNER_TDA9887=m
CONFIG_MEDIA_TUNER_TEA5761=m
CONFIG_MEDIA_TUNER_TEA5767=m
CONFIG_MEDIA_TUNER_MT20XX=m
CONFIG_MEDIA_TUNER_MT2060=m
CONFIG_MEDIA_TUNER_MT2266=m
CONFIG_MEDIA_TUNER_MT2131=m
CONFIG_MEDIA_TUNER_QT1010=m
CONFIG_MEDIA_TUNER_XC2028=m
CONFIG_MEDIA_TUNER_XC5000=m
CONFIG_MEDIA_TUNER_MXL5005S=m
CONFIG_MEDIA_TUNER_MXL5007T=m
CONFIG_MEDIA_TUNER_MC44S803=m
CONFIG_MEDIA_TUNER_MAX2165=m
CONFIG_MEDIA_TUNER_TDA18218=m
CONFIG_MEDIA_TUNER_TDA18212=m

# dmesg | grep TUN
tun: Universal TUN/TAP device driver, 1.6
Created attachment 284509: My kernel config
Hello
I tried to connect to the server, but to no avail.
I checked out the latest vpnc. It hangs:
---
vpnc version 0.5.3-464
IKE SA selected psk+xauth-3des-md5
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
Enter Username and Password.
----
iptables is not installed on my computer.
I attach my kernel config.
What can it mean?
Have you tried adding your username and password to the config file?

IKE Authmode psk
Xauth username user
Xauth password pass

Should make any difference, but just in case.

Another option would be to try forcing Cisco-UDP NAT traversal mode:

NAT Traversal Mode cisco-udp

The vpnc log you attached is cut in the middle at some point. This is what stays on disc? In that case, you should try running vpnc in the foreground, because the exact point where it crashes is not visible in the log (write buffer is not flushed).
Created attachment 285173: new vpnc.conf, but it doesn't work either :(
Created attachment 285175: new vpnc debug for new vpnc.conf
I have added 2 files. I have tried to use your recommendations, but without success. :(
Why does vpnc write: NAT status: no NAT-T VID seen ??
(In reply to comment #10)
> Why does vpnc write:
> NAT status: no NAT-T VID seen
> ??

Please ask for help at the vpnc email list. We are subscribed to it.
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
(In reply to comment #10)
> Why does vpnc write:
> NAT status: no NAT-T VID seen
> ??

And BTW, I am getting the same message against my remote Cisco, so I do not think it is a problem for you. Try maybe another cipher (no 3des but a different one)? Ask the remote administrator.

PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
PARSE_OK
got ike lifetime attributes: 3600 seconds
IKE SA selected psk+xauth-3des-sha1
unknown ISAKMP_PAYLOAD_VID: 12f5f28c 457168a9 702d9fe2 74cc0100
ignoring that peer is DPD capable (RFC3706)
unknown ISAKMP_PAYLOAD_VID: 4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
unknown ISAKMP_PAYLOAD_VID: 1f07f70e aa6514d3 b0fa9654 2a500100
dh_shared_secret: 40e6efc2 f87e8ade 0710f126 fb4c0558 afde0b92 525d2af8 9270f270 e3d28598 38a2912a 1a4ccae6 831e5a0b f97fd968 14ff6587 13aa1fc2 4ad0a43d 20f7845b 34bf5803 8faafac9 288ce8ba f416fe86 a536d2c4 9084e65e 638ad045 0ce9190a 73420a7b beab1eec eaa7fd6e 19e74246 ea0bef25 5bdda3f8 76254d44 7d067182
(not dumping psk hash)
skeyid: 789546fb 818f5c69 d09c1da0 4346f243 603edad5
expected hash: fdb13154 421282d0 4b4df23a 2d3cf5ad 31074800
received hash: fdb13154 421282d0 4b4df23a 2d3cf5ad 31074800
returned_hash: dd2fea76 32e3befc a2a2dd30 24add70c 77bb88d7
psk_hash: b61f1721 6b3292f0 7668b376 ac5781d1 29a7f6a2
dh_shared_secret: 40e6efc2 f87e8ade 0710f126 fb4c0558 afde0b92 525d2af8 9270f270 e3d28598 38a2912a 1a4ccae6 831e5a0b f97fd968 14ff6587 13aa1fc2 4ad0a43d 20f7845b 34bf5803 8faafac9 288ce8ba f416fe86 a536d2c4 9084e65e 638ad045 0ce9190a 73420a7b beab1eec eaa7fd6e 19e74246 ea0bef25 5bdda3f8 76254d44 7d067182
skeyid_d: 4ac71a0f 96ff6db2 ca4e22b3 2804d322 29beacbb
skeyid_a: d4bf979d 9bbed70b 50224726 71e9a376 a271b6fa
skeyid_e: 776e53c6 61c48cec cf4e4ce2 b27fd339 e4fed010
enc-key: c0ab26e5 625f931f 8c74e3c5 6bca9c1a b59f7075 65f6f609
current_iv: 0661e19a cad64e43
NAT status: no NAT-T VID seen

And repeating previous advice from comment #6: post a full log and describe where it fails. I have "Debug 3", btw.
Hello again. I want to refresh the state of this problem.

1. vpnc hangs at phase:
S6.1 phase2_config send modecfg
-------------------
2. tcpdump during connect to vpn...

tcpdump host vpn.cti.ru -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:46:53.264150 IP (tos 0x0, ttl 64, id 53785, offset 0, flags [DF], proto UDP (17), length 1207)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 1 I agg: [|sa]
23:46:53.618668 IP (tos 0x0, ttl 111, id 62662, offset 0, flags [none], proto UDP (17), length 416)
    vpn.cti.ru.isakmp > 192.168.1.26.40961: isakmp 1.0 msgid cookie ->: phase 1 R agg: [|sa]
23:46:53.639534 IP (tos 0x0, ttl 64, id 53786, offset 0, flags [DF], proto UDP (17), length 144)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 1 I agg[E]: [encrypted hash]
23:46:53.655068 IP (tos 0x0, ttl 111, id 50792, offset 0, flags [none], proto UDP (17), length 128)
    vpn.cti.ru.isakmp > 192.168.1.26.40961: isakmp 1.0 msgid cookie ->: phase 2/others R #6[E]: [encrypted hash]
23:46:53.655409 IP (tos 0x0, ttl 64, id 53787, offset 0, flags [DF], proto UDP (17), length 120)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:46:53.985314 IP (tos 0x0, ttl 111, id 56032, offset 0, flags [none], proto UDP (17), length 88)
    vpn.cti.ru.isakmp > 192.168.1.26.40961: isakmp 1.0 msgid cookie ->: phase 2/others R #6[E]: [encrypted hash]
23:46:53.985673 IP (tos 0x0, ttl 64, id 53788, offset 0, flags [DF], proto UDP (17), length 88)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:46:53.985834 IP (tos 0x0, ttl 64, id 53789, offset 0, flags [DF], proto UDP (17), length 192)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:46:55.987383 IP (tos 0x0, ttl 64, id 53790, offset 0, flags [DF], proto UDP (17), length 192)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:46:59.987708 IP (tos 0x0, ttl 64, id 53791, offset 0, flags [DF], proto UDP (17), length 192)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:47:07.995427 IP (tos 0x0, ttl 64, id 53792, offset 0, flags [DF], proto UDP (17), length 192)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:47:16.005475 IP (tos 0x0, ttl 111, id 44611, offset 0, flags [none], proto UDP (17), length 104)
    vpn.cti.ru.isakmp > 192.168.1.26.40961: isakmp 1.0 msgid cookie ->: phase 2/others R inf[E]: [encrypted hash]
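A triage helper for captures like the one in the comment above, added here as an example and not part of the original report or of vpnc: it parses tcpdump's ISAKMP summary lines and reports initiator messages that were re-sent with no reply from the peer. The embedded sample is the tail of that capture; the function and field names are assumptions of this example.

```python
import re
from datetime import datetime

# Tail of the capture posted in the comment above (tcpdump -vv layout).
CAPTURE = """\
23:46:53.985673 IP (tos 0x0, ttl 64, id 53788, offset 0, flags [DF], proto UDP (17), length 88)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:46:53.985834 IP (tos 0x0, ttl 64, id 53789, offset 0, flags [DF], proto UDP (17), length 192)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:46:55.987383 IP (tos 0x0, ttl 64, id 53790, offset 0, flags [DF], proto UDP (17), length 192)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:46:59.987708 IP (tos 0x0, ttl 64, id 53791, offset 0, flags [DF], proto UDP (17), length 192)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:47:07.995427 IP (tos 0x0, ttl 64, id 53792, offset 0, flags [DF], proto UDP (17), length 192)
    192.168.1.26.40961 > vpn.cti.ru.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others I #6[E]: [encrypted hash]
23:47:16.005475 IP (tos 0x0, ttl 111, id 44611, offset 0, flags [none], proto UDP (17), length 104)
    vpn.cti.ru.isakmp > 192.168.1.26.40961: isakmp 1.0 msgid cookie ->: phase 2/others R inf[E]: [encrypted hash]
"""

PKT = re.compile(
    r"(\d\d:\d\d:\d\d\.\d+) IP \(.*?length (\d+)\)\s+\S+ > \S+: isakmp \S+ "
    r"msgid cookie ->: phase \S+ ([IR]) ([^\s:]+):"
)

def parse(text):
    """One dict per ISAKMP packet; assumes the capture does not cross midnight."""
    return [{"t": datetime.strptime(ts, "%H:%M:%S.%f"), "len": int(n), "role": role, "exch": exch}
            for ts, n, role, exch in PKT.findall(text)]

def unanswered_retransmits(pkts):
    """Runs of 2+ initiator packets of equal size and exchange type with no
    responder packet in between, plus what the peer sent next (if anything)."""
    runs, run = [], []
    for p in pkts + [None]:  # None flushes the last run
        if p and run and p["role"] == "I" and (p["len"], p["exch"]) == (run[0]["len"], run[0]["exch"]):
            run.append(p)
            continue
        if len(run) > 1:
            gaps = [round((b["t"] - a["t"]).total_seconds(), 1) for a, b in zip(run, run[1:])]
            runs.append({"len": run[0]["len"], "sends": len(run), "gaps": gaps,
                         "peer_reply": p["exch"] if p and p["role"] == "R" else None})
        run = [p] if p and p["role"] == "I" else []
    return runs

if __name__ == "__main__":
    for r in unanswered_retransmits(parse(CAPTURE)):
        print(r)
```

On this sample it reports one 192-byte initiator message sent four times with doubling gaps, after which the gateway's next packet is an informational exchange.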
Created attachment 287197: vpnc --debug 3 log
Currently vpnc hangs with these messages:
--
S6.2 phase2_config receive modecfg
[2011-11-09 00:28:28]
BEGIN_PARSE
Recieved Packet Len: 76
i_cookie: 7dae628c 2079291c
r_cookie: ed693287 14758e87
payload: 08 (ISAKMP_PAYLOAD_HASH)
isakmp_version: 10
exchange_type: 05 (ISAKMP_EXCHANGE_INFORMATIONAL)
flags: 01
message_id: ff92ac3b
len: 0000004c
PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
next_type: 0c (ISAKMP_PAYLOAD_D)
length: 0014
ke.data: 8b04b8cf 98b76ed9 0d97955a e0adc2b2
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 001c
d.doi: 00000001 (ISAKMP_DOI_IPSEC)
d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
d.spi_length: 10
d.num_spi: 0001
d.spi: 7dae628c 2079291c ed693287 14758e87
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
PARSE_OK
hashlen: 16
u.hash.length: 16
expected_hash: 8b04b8cf 98b76ed9 0d97955a e0adc2b2
h->u.hash.data: 8b04b8cf 98b76ed9 0d97955a e0adc2b2
got delete for old connection, ignoring..
--
I hope this helps with resolving this problem.
I want to know what vpnc is waiting for from the remote server?
Is this fixed in latest version?
I think you should really ask at vpnc-devel {{}} unix-ag.uni-kl.de. Maybe also test the other vpnc branches? Please refer to bug 444420#c18.
commit 2ae6a66dbaf6fc2440beefff98bc7f30a14128be
Author: Justin Lecher <jlec@gentoo.org>
Date: Wed Sep 23 14:59:52 2015 +0200

    net-misc/vpnc: Drop old

    obsoletes:
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=380399
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=518254

    Package-Manager: portage-2.2.21
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ae6a66dbaf6fc2440beefff98bc7f30a14128be