
Cisco VPN blocking LINUX Cisco client on firewall policy.


russellfowden (Technical User), Feb 5, 2007
Obviously there's only so much I can post in terms of logs because my place of work won't appreciate me giving full details of their VPN gateway on a public forum - but on my LINUX box I can't connect, it says:

"Authenticating user.
Negotiating security policies.
Securing communication channel.
Secure VPN Connection terminated by Peer.
Reason: Firewall Policy Mismatch."

The Windows installation on the same machine connects fine. I've tried this with the firewalls on the router and the machine (IPTABLES) enabled and disabled, and always get the same problem. The log says this (obviously these are just the salient errors; I've had to strip out all the IP info and so on):

"PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH
IKE received signal to terminate VPN connection"

The log from the windows install (where it works) says this which might be relevant:

"Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy). "

So - I've heard Cisco VPN concentrators have a strange IPSEC implementation, and I also heard that UDP traffic may be on different ports for Windows and Linux (even though the client installation is from the same vendor) so I'm drawing a bit of a blank. Can anyone help or suggest a solution?

 
Actually, it looks like a policy in effect requiring the Cisco integrated firewall to be running before you are allowed to connect.

We do something similar (different vendor) where you have to run the firewall and approved antivirus programs on your PC before you can connect via VPN. Maybe you need to change the configuration of your concentrator.
 
Ah - and that comes only with the Windows version of the VPN client, doesn't it? They won't change any settings on the concentrator - I work for a Windows shop, unfortunately. Never mind, looks like I'll have to keep dual booting :-(
 
Do you have the VPN Client software for Linux on the Linux box? If you do, this usually includes the Stateful Firewall running in the background when it connects. Please post a config from the concentrator. Also, what client software are you using for the Windows box? If they are both running Cisco VPN Client, then do you have the native Linux firewall or any other firewall running on the Linux box itself?

Burt
 
The box is physically the same machine, just dual booting two OSes. The standard LINUX firewall (IPTABLES) is enabled and there's a firewall built into my domestic broadband router. I've set it up in such a way that the machine has a fixed IP regardless of OS. I tried temporarily disabling both firewalls as a test, and it still won't connect, so I don't think it's a port blocking issue.

I'm using the Windows and Linux versions of the Cisco VPN client. I'm pretty sure the concentrator is a 3000 series, but I have no access to it so cannot post a config unfortunately. I've read elsewhere that the Linux version of the VPN client does not include the Cisco integrated firewall, but this might be wrong. I don't think it forces checks on AV software, but it might validate firewall, in which case IPTABLES may not be on the list. Changing the config of the concentrator isn't an option, but I'd be surprised if there wasn't a way I could hack around it :-(
 
Without the stateful firewall built into the Linux version, I know of no other way to help you myself. Hopefully someone else can; sorry bro.

Burt
 
That is correct - it does not include the Cisco firewall. The policy on the concentrator must be changed to allow Linux clients. As I recall, there are options for certain software to be required with certain OSes, but it's been a while and I don't remember the details.
 
I just looked at SDM, and there is an option in there to configure VPNs so they don't look for the Cisco firewall.

Burt
 
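The thread's diagnosis hinges on reading the client log correctly: a "Firewall Policy Mismatch" termination is the gateway enforcing a client-firewall requirement, which no amount of toggling IPTABLES or router rules will change, whereas a port-blocking problem never gets as far as policy negotiation. The script below, an added example that is not part of the thread and not Cisco's code, parses the messages quoted above and separates the two cases. The three sample logs are constructed from the lines the poster quoted (the "no reply" log, and the note about UDP/500 for IKE and UDP/4500 for NAT-T, are my assumptions about what a blocked path looks like, not something from the thread).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log excerpts, modelled on the lines quoted in the thread
# (timestamps and addresses stripped, as the original poster did).
LINUX_CLIENT_LOG = """\
Authenticating user.
Negotiating security policies.
Securing communication channel.
PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH
IKE received signal to terminate VPN connection
Secure VPN Connection terminated by Peer.
Reason: Firewall Policy Mismatch.
"""

WINDOWS_CLIENT_LOG = """\
Authenticating user.
Negotiating security policies.
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
Securing communication channel.
"""

# Constructed: what a client log looks like when the gateway never answers at all
# (e.g. UDP/500 or UDP/4500 blocked somewhere on the path). Assumed wording, not a real capture.
NO_REPLY_LOG = """\
Authenticating user.
Secure VPN Connection terminated locally by the Client.
Reason: The remote peer is no longer responding.
"""

FIREWALL_POLICY_RE = re.compile(
    r"Firewall Policy:\s*Product=(?P<product>[^,]+),\s*Capability=\s*\((?P<capability>[^)]*)\)"
)
REASON_RE = re.compile(r"^Reason:\s*(?P<reason>.+?)\.?\s*$")
IKE_CODE_RE = re.compile(r"^[A-Z_]+-IKE_[A-Z_]+$")  # e.g. PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH


@dataclass
class Diagnosis:
    negotiated: bool                  # gateway answered and IKE policy negotiation began
    terminated_by_peer: bool          # the gateway, not the client, tore the tunnel down
    reason: Optional[str] = None
    ike_codes: List[str] = field(default_factory=list)
    firewall_product: Optional[str] = None
    firewall_capability: Optional[str] = None

    @property
    def verdict(self) -> str:
        """Classify the failure so the fix is aimed at the right layer."""
        if any("FIREWALL_MISMATCH" in c for c in self.ike_codes) or (
            self.reason and "firewall policy mismatch" in self.reason.lower()
        ):
            # Gateway policy requires a client firewall this client cannot report.
            return "gateway-policy"
        if self.terminated_by_peer:
            return "peer-rejected"
        if not self.negotiated:
            # Nothing came back from the gateway: check the UDP/500 (IKE) and UDP/4500 (NAT-T) path.
            return "no-reply"
        return "no-failure-logged"


def diagnose(log_text: str) -> Diagnosis:
    """Extract negotiation state, IKE delete codes, reason text and advertised firewall policy."""
    d = Diagnosis(negotiated=False, terminated_by_peer=False)
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Negotiating security policies"):
            d.negotiated = True
        elif line.startswith("Secure VPN Connection terminated by Peer"):
            d.terminated_by_peer = True
        elif IKE_CODE_RE.match(line):
            d.ike_codes.append(line)
        elif (m := REASON_RE.match(line)):
            d.reason = m.group("reason")
        elif (m := FIREWALL_POLICY_RE.search(line)):
            d.firewall_product = m.group("product").strip()
            d.firewall_capability = m.group("capability").strip()
    return d


def explain(failing: Diagnosis, working: Optional[Diagnosis] = None) -> str:
    """One-line triage note; a working client's log shows what the gateway expected to see."""
    notes = {
        "gateway-policy": "Gateway ended the tunnel because its firewall policy was not met; "
                          "local firewall or port changes will not fix this, the gateway policy must.",
        "peer-rejected": "Gateway ended the tunnel for a reason other than firewall policy: " + str(failing.reason),
        "no-reply": "No negotiation with the gateway at all; check UDP/500 and UDP/4500 reachability first.",
        "no-failure-logged": "No termination recorded in this excerpt.",
    }
    note = notes[failing.verdict]
    if failing.verdict == "gateway-policy" and working and working.firewall_product:
        note += f" The working client reported '{working.firewall_product}' ({working.firewall_capability})."
    return note


if __name__ == "__main__":
    print(explain(diagnose(LINUX_CLIENT_LOG), diagnose(WINDOWS_CLIENT_LOG)))
    print(explain(diagnose(NO_REPLY_LOG)))
```

Running it against the two logs from the thread yields the "gateway-policy" verdict for the Linux client and shows the Windows client advertising the Cisco Systems Integrated Client Firewall with Centralized Protection Policy, which is exactly the capability the Linux client has no way to report; that is the evidence to hand to whoever administers the concentrator.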