You tried
Let's take a look at the debug messages from vpnc:
Where are this response packets? Let's take a look at wireshark:
Hmmm
Dst Port 500...
Let's try the following:
Why?
Read this link:
If your VPN disconnects after some minutes, try some of the cli-options of vpnc. Or ask your administrator, which Diffie-Hellman group is configured...
Here the cli-option (via vpnc --long-help)
- Network Manager (s. this posting)
- vpnc
- rekeying problem (not implemented for Linux)
- missing open ports in your firewall (500 UDP, 4500 UDP, 10000 UDP)
- write a automatic restart script
- set MTU size on tun0 below 1300
- disable dead pear detection (--dpd-idle 0)
this is done via port 500 - ...
Let's take a look at the debug messages from vpnc:
vpnc -no-detach --debug 2 profile0after 10 minutes:
S7.2 QM_packet2 send_receiveAnything learned? The connection is dead again with no response from target...
S7.3 QM_packet2 validate type
vpnc: no response from target
Where are this response packets? Let's take a look at wireshark:
Hmmm
Dst Port 500...
Let's try the following:
vpnc --no-detach --debug 2 --dh dh5 gip2and voila: no disconnects anymore...
Why?
Read this link:
The Diffie-Hellman Group 5 feature enables group 5So my advise:
on all platforms that support crypto images. Group 5 specifies the
1536-bit Diffie-Hellman group, which is a method of establishing a
shared key over an insecure medium.
If your VPN disconnects after some minutes, try some of the cli-options of vpnc. Or ask your administrator, which Diffie-Hellman group is configured...
Here the cli-option (via vpnc --long-help)
Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files]
Options:
--gateway <ip/hostname>
IP/name of your IPSec gateway
conf-variable: IPSec gateway <ip/hostname>
--id <ASCII string>
your group name
conf-variable: IPSec ID <ASCII string>
(configfile only option)
your group password (cleartext)
conf-variable: IPSec secret <ASCII string>
(configfile only option)
your group password (obfuscated)
conf-variable: IPSec obfuscated secret <hex string>
--username <ASCII string>
your username
conf-variable: Xauth username <ASCII string>
(configfile only option)
your password (cleartext)
conf-variable: Xauth password <ASCII string>
(configfile only option)
your password (obfuscated)
conf-variable: Xauth obfuscated password <hex string>
--domain <ASCII string>
(NT-) Domain name for authentication
conf-variable: Domain <ASCII string>
--xauth-inter
enable interactive extended authentication (for challenge response auth)
--dpd-idle
conf-variable: Xauth interactive
--vendor <cisco/netscreen>
vendor of your IPSec gateway
Default: cisco
conf-variable: Vendor <cisco/netscreen>
--natt-mode <natt/none/force-natt/cisco-udp>
Which NAT-Traversal Method to use:
* natt -- NAT-T as defined in RFC3947
* none -- disable use of any NAT-T method
* force-natt -- always use NAT-T encapsulation even
without presence of a NAT device
(useful if the OS captures all ESP traffic)
* cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000
Note: cisco-tcp encapsulation is not yet supported
Default: natt
conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>
--script <command>
command is executed using system() to configure the interface,
routing and so on. Device name, IP, etc. are passed using enviroment
variables, see README. This script is executed right after ISAKMP is
done, but before tunneling is enabled. It is called when vpnc
terminates, too
Default: /etc/vpnc/vpnc-script
conf-variable: Script <command>
--dh <dh1/dh2/dh5>
name of the IKE DH Group
Default: dh2
conf-variable: IKE DH Group <dh1/dh2/dh5>
--pfs <nopfs/dh1/dh2/dh5/server>
Diffie-Hellman group to use for PFS
Default: server
conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>
--enable-1des
enables weak single DES encryption
conf-variable: Enable Single DES
--enable-no-encryption
enables using no encryption for data traffic (key exchanged must be encrypted)
conf-variable: Enable no encryption
--application-version <ASCII string>
Application Version to report. Note: Default string is generated at runtime.
Default: Cisco Systems VPN Client 0.5.3:Linux
conf-variable: Application version <ASCII string>
--ifname <ASCII string>
visible name of the TUN/TAP interface
conf-variable: Interface name <ASCII string>
--ifmode <tun/tap>
mode of TUN/TAP interface:
* tun: virtual point to point interface (default)
* tap: virtual ethernet interface
Default: tun
conf-variable: Interface mode <tun/tap>
--debug <0/1/2/3/99>
Show verbose debug messages
* 0: Do not print debug information.
* 1: Print minimal debug information.
* 2: Show statemachine and packet/payload type information.
* 3: Dump everything exluding authentication data.
* 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
conf-variable: Debug <0/1/2/3/99>
--no-detach
Don't detach from the console after login
conf-variable: No Detach
Report bugs to vpnc@unix-ag.uni-kl.de
Hey there, I think your website might be having browser compatibility
ReplyDeleteissues. When I look at your blog site in Ie, it looks fine but when opening
in Internet Explorer, it has some overlapping. I just wantrd to give you a qjick heads up!
Other then that, wonderful blog!