
Cisco VPN over IOL Broadband?

  • 30-04-2005 9:25pm
    #1
    Registered Users, Registered Users 2 Posts: 889 ✭✭✭


    Hi,

    my folks recently got broadband in and I decided to install the Cisco VPN 3000 software (v4.0.2) that work requires me to have in order to connect in. It worked fine over dial-up (if slow) and also via ISDN but no matter what I try, I haven't been able to connect over broadband. The log file from Cisco says:

    14 20:55:22.593 04/30/05 Sev=Info/6 IKE/0x6300003B
    Attempting to establish a connection with xx.xx.xx.xx.

    15 20:55:22.593 04/30/05 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to 62.221.7.126

    16 20:55:23.593 04/30/05 Sev=Info/6 IPSEC/0x6370001D
    TCP RST received from xx.xx.xx.xx, src port 10000, dst port 1069

    17 20:55:27.593 04/30/05 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=F6867A2B213EB70E R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING


    19 20:55:28.093 04/30/05 Sev=Info/4 CM/0x63100014
    Unable to establish Phase 1 SA with server "xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"

    So it does seem to contact the work server but can't connect. My folks have IOL Broadband (1Mbit connection). Does IOL Broadband allow Cisco VPN connections? (My brother enabled all ports, in case the firewall was at issue - no luck).

    Thanks in advance!
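Added example, not from any poster in the thread: a small Python parser for the Cisco VPN Client log format quoted above, plus a triage function that reads off what the entries actually say (the peer answered with a TCP RST from port 10000, so IPsec over TCP was in use and the host was reachable, yet Phase 1 never completed). The sample log is constructed from the post's entries with the peer address masked; the field names and hint text are my own.

```python
import re
from typing import Dict, List

# Header line of a Cisco VPN Client 4.x log entry, as quoted in the post:
#   14 20:55:22.593 04/30/05 Sev=Info/6 IKE/0x6300003B
HEADER = re.compile(r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
                    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")
RST = re.compile(r"TCP RST received from (?P<peer>\S+), src port (?P<sport>\d+), dst port (?P<dport>\d+)")

def parse_log(text: str) -> List[Dict[str, str]]:
    """Pair each header line with the message line(s) that follow it."""
    events: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "msg": ""})
        elif events:  # continuation line belongs to the previous entry
            events[-1]["msg"] = (events[-1]["msg"] + " " + line).strip()
    return events

def diagnose(events: List[Dict[str, str]]) -> Dict[str, str]:
    """Summarise what the client log says about the Phase 1 attempt."""
    result = {"phase1": "unknown", "transport": "unknown", "peer_reachable": "unknown", "hint": ""}
    rst = None
    for e in events:
        rst = RST.search(e["msg"]) or rst
        if "Unable to establish Phase 1 SA" in e["msg"]:
            result["phase1"] = "failed: " + e["msg"].rsplit("because of", 1)[-1].strip(' "')
    if rst:
        # A RST with source port 10000 comes from the concentrator's IPsec-over-TCP listener: the host answered.
        result["transport"] = "IPsec over TCP" if rst["sport"] == "10000" else "TCP/" + rst["sport"]
        result["peer_reachable"] = "yes"
    if "PEER_NOT_RESPONDING" in result["phase1"]:
        result["hint"] = "no IKE reply; check Transport/NAT settings on the client and ask the concentrator admin for its logs"
    return result

# Constructed sample: the post's log entries with the peer address masked.
SAMPLE_LOG = """\
14 20:55:22.593 04/30/05 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xx.xx.xx.

16 20:55:23.593 04/30/05 Sev=Info/6 IPSEC/0x6370001D
TCP RST received from xx.xx.xx.xx, src port 10000, dst port 1069
19 20:55:28.093 04/30/05 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""
```

Run `diagnose(parse_log(SAMPLE_LOG))` to get the triage dict for the quoted log.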


Comments

  • Registered Users, Registered Users 2 Posts: 1,067 ✭✭✭tomk


    Get your sysadmin to check the logs at the company end.


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    it might well be that your modem is blocking whatever ports the vpn software is trying to use.

    chances are if it's a decent sized company you won't be the first to have the problem, and as tomk said, someone there will know how to fix it.


  • Posts: 3,621 ✭✭✭ [Deleted User]


    The problem is more than likely with NAT.

    VPN and NAT do not play well at all. This would explain why ISDN and dialup work and yer broadband doesn't.

    Check if your router supports VPN passthrough. It's a problem we are trying to solve in work and it seems there is no quick and easy solution.


  • Closed Accounts Posts: 209 ✭✭flangeman


    I have to support a few users with the same product. The main problem is the reply traffic: due to the type of connection Cisco IPSec makes, it replies back to the 'sender' IP address on a different port. If there is nothing there the client will just timeout.

    I can't remember if port number changes, but one thing you can do is configure your laptop/workstation as the DMZ device (most routers support this even home ones) so that all replies go back to it.

    95% of newer home routers support VPN passthrough and this takes out the headache, but don't forget only one user at a time can use it. You're probably better off just buying a new router.

    One way to be sure is to attach the modem directly to your PC (make sure your firewall is on!!) and try a connection.

    I've had problems in the past with Airport and 'computer shared internet connections'.

    What type of firewall are you running locally? What type of router do you have? And is the firewall on another machine?

    Don't forget NOT to use the same addressing space that you have at work, otherwise it won't work (wee problem here!). If they have 192.168.x.x switch the local LAN DHCP and router address to something in the 10.0.x.x addressing range (or anything so long as it's different).


  • Posts: 3,621 ✭✭✭ [Deleted User]


    flangeman wrote:
    I can't remember if port number changes, but one thing you can do is configure your laptop/workstation as the DMZ device (most routers support this even home ones) so that all replies go back to it.

    This will not help as the machine in the DMZ still has a private non routable address. The problem is that the private source address has a checksum in the encrypted payload. When nat changes this it breaks.
    VPN problems are unrelated to ports mostly.

    flangeman wrote:
    95% of newer home routers support VPN passthrough and this takes out the headache, but don't forget only one user at a time can use it. You're probably better off just buying a new router.

    One way to be sure is to attach the modem directly to your PC (make sure your firewall is on!!) and try a connection.

    If multiple users are not required on the network a good solution is to set it up as a PPPoE connection to the router. This way your machine will get the external wan address rather than the router and eliminate most of the problems with NAT and ports.

    flangeman wrote:
    Don't forget NOT to use the same addressing space that you have at work, otherwise it won't work (wee problem here!). If they have 192.168.x.x switch the local LAN DHCP and router address to something in the 10.0.x.x addressing range (or anything so long as it's different).

    God the joys of NAT. :rolleyes:

    Roll on IP6..


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,873 Mod ✭✭✭✭bk


    Hi byrnefm, I also use the Cisco 3000 VPN software for work and I have often seen your problem with other users.

    You need to enable the "NAT Transparency" option:

    1) Right click on the connection entry you use and select "Modify..."
    2) Select the "Transport" tab.
    3) Check "Enable Transport Transparency"
    4) Select "IPSec over UDP" (or try IPSec over TCP if that doesn't work).


  • Registered Users, Registered Users 2 Posts: 889 ✭✭✭byrnefm


    bk wrote:
    Hi byrnefm, I also use the Cisco 3000 VPN software for work and I have often seen your problem with other users.

    You need to enable the "NAT Transparency" option:

    1) Right click on the connection entry you use and select "Modify..."
    2) Select the "Transport" tab.
    3) Check "Enable Transport Transparency"
    4) Select "IPSec over UDP" (or try IPSec over TCP if that doesn't work).

    Hiya,

    thanks for your replies to date! I also suspect it's NAT somehow or another. I must find a modem now to try it the 'old-fashioned' way, which I suspect will work. I'm looking into the NAT tunnelling and what not at the moment now. As it's a bank holiday today, I'll check up with my company's IS dept tomorrow to see what they have to say...

    Bk - the above is set on my PC - I tried both methods but no joy so far.

    I'll check with another colleague at work who I think uses broadband too, in a similar manner, and if / when I get the solution, I'll post it here!

    Cheers!
    ..byrnefm


  • Registered Users, Registered Users 2 Posts: 889 ✭✭✭byrnefm


    .. turned out to be that I was entering the wrong username for Cisco VPN's connection to work - I entered my work logon id instead of the one needed to access the VPN... d'oh! Still, its error reporting is cryptic, since it gives the impression that the server isn't being contacted/responding!

