Linux VPN tips
Created 27.01.2007.
http://www.gerzic.net/docs/vpnc-tips.txt
Luka Gerzic

Hello,

This small text describes some problems you may encounter while using VPN connections under Linux (for this text I was using the Ubuntu flavor). I do hope that these tips will save you some time.

Problem: vpnc not able to establish connection with remote Cisco device

While I was trying to get my vpnc working with a Cisco VPN concentrator on one of my remote locations, I discovered that first NetworkManager from Gnome (Ubuntu 7.10) is crashing and core dumping while trying to make a connection to the remote host. After brief investigation, I got this type of error:

  vpnc: response was invalid [2]: (ISAKMP_N_INVALID_PAYLOAD_TYPE)(1)

After some googling, it seems that the vpnc client is sending a specially crafted greeting to the remote host (in my case a Cisco VPN concentrator), which was refusing my type of "hello" since it was a modified version of the official Cisco winbl0ws client. The reason for this may be in the set of options that the remote VPN concentrator is able to enforce on winbl0ws clients, such as creating a special type of firewall rules on your PC station/notebook if the remote admin wanted to enforce that kind of rules. If I am not mistaken it's called: "Cisco Systems Integrated Client Firewall, Capability: (Centralized Protection Policy)".

It is interesting actually that you are able to find out what type of Cisco VPN device is on the remote side; for example, this is the kind of output you could get:

  "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)"

Nevertheless, the problem was, as I already stated, in the "greeting" session.
All you have to do to resolve this annoyance is to first get the source of vpnc:

  # wget http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.5.1.tar.gz

You will also need the libgcrypt11-dev package or sources, depending on your flavor (if you are using Ubuntu/Debian just use our favorite package manager: apt-get install libgcrypt11-dev). After you install the required libs, unpack the vpnc source package and edit the file config.c. Inside config.c you should look for the line:

  asprintf(&version, "Cisco Systems VPN Client %s:%s", VERSION, uts.sysname);

Comment that line out and insert this one:

  asprintf(&version, "Cisco Systems VPN Client %s:%s", "4.8.00 (0490)", "Linux");

A simple make && make install will do the trick. After that remember to remove/move the local copy of vpnc if you already had it; a simple:

  # mv /usr/sbin/vpnc /usr/sbin/vpnc.old
  # mv /usr/sbin/vpnc-disconnect /usr/sbin/vpnc-disconnect.old
  # ln -s /usr/local/sbin/vpnc /usr/sbin/vpnc
  # ln -s /usr/local/sbin/vpnc-disconnect /usr/sbin/vpnc-disconnect

will do the trick.

To convert your official Cisco .pcf file to a vpnc config file, use the script that came with vpnc:

  /usr/share/vpnc/pcf2vpnc yourcompany.pcf yourcompany.conf

Place that config file in /etc/vpnc/yourcompany.conf, then use the simple command:

  root@noc:/# vpnc yourcompany
  Enter password for admin@xxx.xxx.xxx.xxx:
  VPNC started in background (pid: 8444)...
  root@noc:/#

Problem: MTU size misconfiguration

After you finally establish a connection with your remote site you could end up with a successful connection, but as soon as you try to open some file, or issue a simple # ps aux command, you get a session freeze and you are forced to close the session. This is an MTU size mismatch. As you may notice, after creating the vpnc connection you will get a new interface that is probably called tun0.
Check out the MTU size on that interface:

  root@noc:/# ifconfig tun0
  tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:xxx.xxx.xxx.xxx  P-t-P:xxx.xxx.xxx.xxx  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:500
            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Try with the default VPN MTU of 1300 by entering this line:

  root@noc:/# ifconfig tun0 mtu 1300

Now check the state of the MTU value; it should have changed to 1300:

  root@noc:/# ifconfig tun0
  tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:xxx.xxx.xxx.xxx  P-t-P:xxx.xxx.xxx.xxx  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1300  Metric:1
            RX packets:6 errors:0 dropped:0 overruns:0 frame:0
            TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:500
            RX bytes:746 (746.0 b)  TX bytes:4447 (4.3 KB)

and you are ready to rock. If your company for whatever reason is using a different MTU size, you could consult your Cisco admin or some other person responsible for network configuration and administration. There are other options for discovery of the remote MTU, but they are out of the scope of this text.

I must say I am not using winbl0ws anymore, but my friend needed some help with the MTU size on winbl0ws for the official Cisco VPN client, and after some looking inside regedit we found out the location of the MTU size, so if you are looking for it, it's located here:

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[Adapter ID]

But remember you will need to enter a decimal value.

That's all, hope you find this text useful.

Best regards,
LG

--[ eof ]--
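The MTU check and fix from the section above, as an added POSIX shell example that is not part of the original text: it reads the tunnel's current MTU from sysfs, pulls the MTU field out of ifconfig-style output, refuses implausible values, and applies the new size with ip link (root is needed only for that last step). The interface name tun0 and the value 1300 are the defaults taken from the text; the embedded ifconfig output is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original text: check and lower the MTU of the
# vpnc tunnel interface. Defaults (tun0, 1300) are the ones the text uses.

# Return 0 if $1 is a plausible IPv4 tunnel MTU (integer, 576..1500), else 1.
valid_mtu() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 576 ] && [ "$1" -le 1500 ]
}

# Extract the MTU number from ifconfig output read on stdin. Handles both the
# old net-tools form "MTU:1412" shown in the text and the newer form "mtu 1412".
mtu_from_ifconfig() {
    sed -n -e 's/.*MTU:\([0-9][0-9]*\).*/\1/p' \
           -e 's/.*mtu \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Current MTU of an interface, read from sysfs (no root needed).
current_mtu() {
    cat "/sys/class/net/$1/mtu" 2>/dev/null
}

# Set the MTU (needs root) and verify that the kernel really accepted it.
set_mtu() {
    iface="$1"; want="$2"
    valid_mtu "$want" || { echo "refusing MTU '$want'" >&2; return 1; }
    ip link set dev "$iface" mtu "$want" || return 1
    [ "$(current_mtu "$iface")" = "$want" ]
}

# Constructed sample of the 'ifconfig tun0' output from the text (addresses
# are placeholders), used to exercise mtu_from_ifconfig without a real tunnel.
SAMPLE_IFCONFIG='tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.2  P-t-P:10.0.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1'

# Usage: ./vpn-mtu.sh fix [interface] [mtu]   e.g. ./vpn-mtu.sh fix tun0 1300
if [ "${1-}" = "fix" ]; then
    set_mtu "${2:-tun0}" "${3:-1300}"
fi
```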