Jul 30, 2011

Linux VPN Client: disconnect every 600s (10min)

You are trying to connect to a Cisco Pix or Cisco ASA with a Linux PC and the connection disconnects after 10 minutes?
You tried
You found after googling around the following hints:
  • rekeying problem (not implemented for Linux)
  • missing open ports in your firewall (500 UDP, 4500 UDP, 10000 UDP)
  • write a automatic restart script
  • set MTU size on tun0 below 1300
  • disable dead pear detection (--dpd-idle 0)
    this is done via port 500
  • ...
None of this tips worked. And now?
Let's take a look at the debug messages from vpnc:
vpnc -no-detach --debug 2 profile0
after 10 minutes:
S7.2 QM_packet2 send_receive
S7.3 QM_packet2 validate type
vpnc: no response from target
Anything learned? The connection is dead again with no response from target...
Where are this response packets? Let's take a look at wireshark:

Dst Port 500...
Let's try the following:
vpnc --no-detach --debug 2 --dh dh5 gip2
and voila: no disconnects anymore...

Read this link:
The Diffie-Hellman Group 5 feature enables group 5
on all platforms that support crypto images. Group 5 specifies the
1536-bit Diffie-Hellman group, which is a method of establishing a
shared key over an insecure medium.

So my advise:
If your VPN disconnects after some minutes, try some of the cli-options of vpnc. Or ask your administrator, which Diffie-Hellman group is configured...

Here the cli-option (via vpnc --long-help)
Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files]

--gateway <ip/hostname>
IP/name of your IPSec gateway
conf-variable: IPSec gateway <ip/hostname>

--id <ASCII string>
your group name
conf-variable: IPSec ID <ASCII string>

(configfile only option)
your group password (cleartext)
conf-variable: IPSec secret <ASCII string>

(configfile only option)
your group password (obfuscated)
conf-variable: IPSec obfuscated secret <hex string>

--username <ASCII string>
your username
conf-variable: Xauth username <ASCII string>

(configfile only option)
your password (cleartext)
conf-variable: Xauth password <ASCII string>

(configfile only option)
your password (obfuscated)
conf-variable: Xauth obfuscated password <hex string>

--domain <ASCII string>
(NT-) Domain name for authentication
conf-variable: Domain <ASCII string>

enable interactive extended authentication (for challenge response auth)

conf-variable: Xauth interactive

--vendor <cisco/netscreen>
vendor of your IPSec gateway
Default: cisco
conf-variable: Vendor <cisco/netscreen>

--natt-mode <natt/none/force-natt/cisco-udp>
Which NAT-Traversal Method to use:
* natt -- NAT-T as defined in RFC3947
* none -- disable use of any NAT-T method
* force-natt -- always use NAT-T encapsulation even
without presence of a NAT device
(useful if the OS captures all ESP traffic)
* cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000
Note: cisco-tcp encapsulation is not yet supported
Default: natt
conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>

--script <command>
command is executed using system() to configure the interface,
routing and so on. Device name, IP, etc. are passed using enviroment
variables, see README. This script is executed right after ISAKMP is
done, but before tunneling is enabled. It is called when vpnc
terminates, too
Default: /etc/vpnc/vpnc-script
conf-variable: Script <command>

--dh <dh1/dh2/dh5>
name of the IKE DH Group
Default: dh2
conf-variable: IKE DH Group <dh1/dh2/dh5>

--pfs <nopfs/dh1/dh2/dh5/server>
Diffie-Hellman group to use for PFS
Default: server
conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

enables weak single DES encryption
conf-variable: Enable Single DES

enables using no encryption for data traffic (key exchanged must be encrypted)
conf-variable: Enable no encryption

--application-version <ASCII string>
Application Version to report. Note: Default string is generated at runtime.
Default: Cisco Systems VPN Client 0.5.3:Linux
conf-variable: Application version <ASCII string>

--ifname <ASCII string>
visible name of the TUN/TAP interface
conf-variable: Interface name <ASCII string>

--ifmode <tun/tap>
mode of TUN/TAP interface:
* tun: virtual point to point interface (default)
* tap: virtual ethernet interface
Default: tun
conf-variable: Interface mode <tun/tap>

--debug <0/1/2/3/99>
Show verbose debug messages
* 0: Do not print debug information.
* 1: Print minimal debug information.
* 2: Show statemachine and packet/payload type information.
* 3: Dump everything exluding authentication data.
* 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
conf-variable: Debug <0/1/2/3/99>

Don't detach from the console after login
conf-variable: No Detach

Report bugs to vpnc@unix-ag.uni-kl.de

1 comment:

  1. Hey there, I think your website might be having browser compatibility
    issues. When I look at your blog site in Ie, it looks fine but when opening
    in Internet Explorer, it has some overlapping. I just wantrd to give you a qjick heads up!
    Other then that, wonderful blog!