
info at arkansassoftball
Jan 4, 2009, 8:13 PM
Post #6 of 10
I confirm routing IS working correctly. I can do an ICMP trace and packets are reaching the ASA on the remote network, and the server is replying to ping. I am getting encaps and decaps on the ASA; however, I am not getting the unencrypted data on the client PC.

From ASA:

    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

-----Original Message-----
From: vpnc-devel-bounces [at] unix-ag [mailto:vpnc-devel-bounces [at] unix-ag] On Behalf Of Tilman Schröder
Sent: Sunday, January 04, 2009 5:08 PM
To: vpnc list to send bug reports and discussions with developers
Subject: Re: [vpnc-devel] VPNC connects but no traffic

Gary Davis wrote:
> I have been trying for a couple of weeks to get this working without
> success, though I think I am close.
>
> I have downloaded Cygwin (plus libgcrypt, make, perl and gcc), vpnc
> 0.5.3, openvpn 2.1.rc15 (installing only the Tap selection).
>
> I compiled vpnc; edited the vpnc-script-win.js file to fix the
> recognition of the default gateway (for Vista and Win Server 2008, see
> below). I created the vpnc.conf file based on my Cisco pcf file and
> ran make install.
>
> I renamed the network connection from openvpn to be "Tap".
>
> I then started the Cygwin terminal by running as admin and typed vpnc
> (some numbers have been altered for security).
>
>     $ vpnc
>     > route print 0.0.0.0
>     Default Gateway :192.168.0.1
>     VPN Gateway: 12.0.173.37
>     Internal Address: 10.243.56.75
>     Internal Netmask: 255.255.254.0
>     Interface: "Tap"
>     Configuring "Tap" interface...
>     > netsh interface ip set address "Tap" static 10.243.56.75 255.255.254.0
>     > route add 12.0.173.37 mask 255.255.255.255 192.168.0.1
>     > netsh interface ip add wins "Tap" 10.243.32.72 index=1
>     > netsh interface ip add wins "Tap" 10.243.32.113 index=2
>     > netsh interface ip add dns "Tap" 10.243.32.25 index=1
>     > netsh interface ip add dns "Tap" 10.243.32.26 index=2
>     done.
>     Configuring networks:
>     Gateway did not provide network configuration.
>     Route configuration done.
>     VPNC started in foreground...
>
> The lines below starting with ">" are from an echo I added to the run
> function as shown below (also note the replaced line in getDefaultGateway()):
>
>     function run(cmd)
>     {
>         echo("> " + cmd);
>         return (ws.Exec(cmd).StdOut.ReadAll());
>     }
>
>     function getDefaultGateway()
>     {
>         if (run("route print 0.0.0.0").match(/0\.0\.0\.0 *0\.0\.0\.0 *([^ ]*)/)) {
>             return (RegExp.$1);
>         }
>         return ("");
>     }
>
> This is the output from route print after vpnc was set up:
>
>     ===========================================================================
>     Active Routes:
>     Network Destination        Netmask          Gateway       Interface  Metric
>               0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2     10
>           10.243.56.0    255.255.254.0         On-link      10.243.56.75    286
>          10.243.56.75  255.255.255.255         On-link      10.243.56.75    286
>         10.243.57.255  255.255.255.255         On-link      10.243.56.75    286
>           12.0.173.37  255.255.255.255      192.168.0.1      192.168.0.2     11
>             127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
>             127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
>       127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>           192.168.0.0    255.255.255.0         On-link       192.168.0.2    266
>           192.168.0.2  255.255.255.255         On-link       192.168.0.2    266
>         192.168.0.255  255.255.255.255         On-link       192.168.0.2    266
>             224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
>             224.0.0.0        240.0.0.0         On-link       192.168.0.2    266
>             224.0.0.0        240.0.0.0         On-link      10.243.56.75    286
>       255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>       255.255.255.255  255.255.255.255         On-link       192.168.0.2    266
>       255.255.255.255  255.255.255.255         On-link      10.243.56.75    286
>     ===========================================================================
>     Persistent Routes:
>       None
>
> Ipconfig /all (Why no Default Gateway?? Does it need a Primary DNS
> Suffix??):
>
>     Windows IP Configuration
>
>        Host Name . . . . . . . . . . . . : Server
>        Primary Dns Suffix  . . . . . . . :
>        Node Type . . . . . . . . . . . . : Hybrid
>        IP Routing Enabled. . . . . . . . : No
>        WINS Proxy Enabled. . . . . . . . : No
>
>     Ethernet adapter Tap:
>
>        Connection-specific DNS Suffix  . :
>        Description . . . . . . . . . . . : TAP-Win32 Adapter V9
>        Physical Address. . . . . . . . . : 00-FF-68-3C-63-DB
>        DHCP Enabled. . . . . . . . . . . : No
>        Autoconfiguration Enabled . . . . : Yes
>        Link-local IPv6 Address . . . . . : fe80::c8a5:b17a:30b4:9b17%25(Preferred)
>        IPv4 Address. . . . . . . . . . . : 10.243.56.75(Preferred)
>        Subnet Mask . . . . . . . . . . . : 255.255.254.0
>        Default Gateway . . . . . . . . . :
>        DNS Servers . . . . . . . . . . . : 10.243.32.25
>                                            10.243.32.26
>        Primary WINS Server . . . . . . . : 10.243.32.72
>        Secondary WINS Server . . . . . . : 10.243.32.113
>        NetBIOS over Tcpip. . . . . . . . : Enabled
>
> My vpnc.conf:
>
>     ## generated by pcf2vpnc
>     IPSec ID TunnelGroup
>     IPSec gateway 12.0.173.37
>     IPSec secret [decrypted secret]
>
>     Xauth username gary
>     Domain ABCFL
>     IKE Authmode psk
>     Xauth password [password]
>     Interface name Tap
>     Interface mode tap
>     Local Port 0
>     No detach
>
> The properties of the network connections for the Tap interface have
> Status showing as "Unidentified network", Device Name as "Tap-Win32
> Adapter V9" and Connectivity as "Access to Local only", though I have
> also seen "Limited connectivity".
>
> This home network is connected through a Trendnet router and cable
> modem to Comcast.
>
> Everything looks set up pretty much OK, but I get no connectivity to
> the servers at the other side of the VPN.
>
> I have tried this on two Vista-64 systems and one Win Server 2008
> (32-bit) system, all with the same problem.
>
> Thanks,
> Gary
>
> From: vpnc-devel-bounces [at] unix-ag [mailto:vpnc-devel-bounces [at] unix-ag] On Behalf Of info [at] arkansassoftball
> Sent: Friday, January 02, 2009 9:22 AM
> To: 'vpnc list to send bug reports and discussions with developers'
> Subject: Re: [vpnc-devel] VPNC connects but no traffic
>
> When I do a route print the routes appear correct.
> IE
> 10.x.x.x mask 255.0.0.0 via 192.168.x.x (tap interface).
>
> I know traffic is routing through tap because I can do an extended
> ping; when I disconnect the interface I get "hardware error" instead of
> request time out on a few packets. The hardware error is when the TAP
> interface gets disconnected.
>
> From: vpnc-devel-bounces [at] unix-ag [mailto:vpnc-devel-bounces [at] unix-ag] On Behalf Of Nick
> Sent: Wednesday, December 31, 2008 6:51 PM
> To: vpnc-devel [at] unix-ag
> Subject: Re: [vpnc-devel] VPNC connects but no traffic
>
> I am experiencing a similar problem. I'm sure it's just not routes
> being set up correctly. I need all of my traffic to go through the TAP
> interface.

Heyho,

I did some more testing and I observed this: after a clean boot, I was *always* able to connect. After the first connection no new connection was successful.

I compared the routes on my vista-64 machine to the ones vpnc 0.3.3+SVN20051028-3 (debian etch) established on my linux machine. The difference was that on my linux machine there was a direct route to the vpn gateway which was *not* on my vista-64 machine, at least not at the point where vpnc *always* stopped (S4.5 AM_packet3).

Then I added the following line to my vpnc-script-win-modified.js (which is executed from vpnc-script; I edited vpnc-script accordingly) at the "pre-init" stage:

    run("route add xxx.xxx.xxx.xxx mask 255.255.255.255 "+gw);

I had to hardcode the vpn gateway ip address here because env("VPNGATEWAY") returns an empty string at the pre-init stage.

I also did the following modification in order to have a more verbose script:

    function run(cmd)
    {
        echo(cmd);
        var cmd_return=ws.Exec(cmd).StdOut.ReadAll();
        echo(cmd_return);
        return(cmd_return);
    }

Gary, thanks for fixing the regex - now it works.

Try to add "Debug 2" to your configuration file.

Some suggestions for future releases:
- Make VPNGATEWAY available at the pre-init stage.
- Make the debug level available to the script - it would be possible to switch extended messages on and off depending on the debug level.

I attached my vpnc-script-win-modified.js (UTF-8) if somebody is interested in it.

Have a good sleep,
Tilman Schröder

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
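The two pieces the thread patches into vpnc-script-win.js, detecting the default gateway from "route print" and pinning a host route to the VPN gateway through it, as an added example that is not part of the thread and not vpnc's own script. It is written for Node rather than the Windows Script Host that vpnc-script-win.js runs under (const, arrow functions and template literals would have to go for WSH). The route table is constructed from the one Gary posted; picking the lowest-metric default route and refusing to add a duplicate host route are my additions, not behaviour of the original regex.

```javascript
// Added example (not vpnc's vpnc-script-win.js): parse Windows "route print"
// and derive the two facts the thread's script needed.
// Constructed sample, trimmed from the table posted in the thread.
const SAMPLE_ROUTE_PRINT = `
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.2     10
      10.243.56.0    255.255.254.0         On-link      10.243.56.75    286
      12.0.173.37  255.255.255.255      192.168.0.1      192.168.0.2     11
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.2    266
        224.0.0.0        240.0.0.0         On-link       192.168.0.2    266
  255.255.255.255  255.255.255.255         On-link      10.243.56.75    286
===========================================================================
Persistent Routes:
  None
`;

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Turn the "Active Routes" table into objects. A row is five whitespace-
// separated fields whose first two are IPv4 addresses and whose last is an
// integer; headers, separator lines and the IPv6 section fail that test.
function parseRoutes(text) {
  const routes = [];
  for (const line of text.split(/\r?\n/)) {
    const f = line.trim().split(/\s+/);
    if (f.length !== 5 || !IPV4.test(f[0]) || !IPV4.test(f[1])) continue;
    const metric = Number(f[4]);
    if (!Number.isInteger(metric)) continue;
    routes.push({ dest: f[0], mask: f[1], gateway: f[2], iface: f[3], metric });
  }
  return routes;
}

// Default gateway = the 0.0.0.0/0.0.0.0 row with the lowest metric.
// The posted regex returned the first match; with two default routes
// (second NIC, or one left behind by an earlier vpnc run) the lowest metric
// is the one Windows actually forwards through.
function getDefaultGateway(routes) {
  const defaults = routes
    .filter(r => r.dest === '0.0.0.0' && r.mask === '0.0.0.0' && IPV4.test(r.gateway))
    .sort((a, b) => a.metric - b.metric);
  return defaults.length ? defaults[0].gateway : '';
}

// Tilman's pre-init route: a /32 to the VPN gateway via the physical default
// gateway, so IKE/ESP keeps leaving on the LAN after the tunnel routes are
// installed. Returns null when the host route is already in the table.
function hostRouteCommand(vpnGateway, routes) {
  if (!IPV4.test(vpnGateway)) throw new Error('bad VPN gateway: ' + vpnGateway);
  const gw = getDefaultGateway(routes);
  if (!gw) throw new Error('no IPv4 default gateway found');
  if (routes.some(r => r.dest === vpnGateway && r.mask === '255.255.255.255')) {
    return null;
  }
  return 'route add ' + vpnGateway + ' mask 255.255.255.255 ' + gw;
}

const routes = parseRoutes(SAMPLE_ROUTE_PRINT);
console.log('default gateway:', getDefaultGateway(routes));
console.log('host route for posted gateway:', hostRouteCommand('12.0.173.37', routes));
console.log('host route for another gateway:', hostRouteCommand('12.0.173.38', routes));
```

In the posted table the 12.0.173.37 host route is already present, so the second call returns null and the third shows the command that would be issued for a gateway that is not yet pinned. Run it with `node` on saved "route print" output to check whether the route Tilman had to hardcode is in place before the tunnel comes up.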
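How to read the ASA counter block quoted at the top of the reply, as an added example that is not from the thread or from Cisco. The sample is that block re-typed; the verdict names and the rule of thumb behind them (decaps is what the ASA received from the peer and decrypted, encaps is what it encrypted and sent back) are my own framing of standard IPsec SA troubleshooting, not anything the poster said.

```javascript
// Added example: parse the per-SA counters of a Cisco ASA "show crypto ipsec sa"
// and say which side of the tunnel deserves the next look.
// Constructed sample: the counter block posted in the thread, re-typed.
const ASA_SAMPLE = `
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
`;

// "#pkts encaps: 10, #pkts encrypt: 10" -> { "pkts encaps": 10, "pkts encrypt": 10 }
function parseSaCounters(text) {
  const counters = {};
  const re = /#([^:#,]+):\s*(\d+)/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    counters[m[1].trim()] = Number(m[2]);
  }
  return counters;
}

// Counters are from the ASA's point of view: "decaps" = received from the
// peer and decrypted, "encaps" = encrypted and sent to the peer. The verdict
// strings are this example's own vocabulary.
function diagnoseSa(counters) {
  const get = k => counters[k] || 0;
  const encaps = get('pkts encaps');
  const decaps = get('pkts decaps');
  const errors = get('send errors') + get('recv errors')
    + get('pkts comp failed') + get('pkts decomp failed');
  if (errors > 0) return 'errors';                       // read the ASA log first
  if (encaps === 0 && decaps === 0) return 'no-traffic'; // nothing enters the SA: client routes / crypto ACL
  if (decaps > 0 && encaps === 0) return 'no-return';    // client packets arrive, nothing is sent back: remote return path
  if (encaps > 0 && decaps === 0) return 'no-inbound';   // ASA sends, but never received anything from the peer
  return 'bidirectional';                                // both directions flow: the loss is after decryption on the client
}

function summarize(text) {
  const counters = parseSaCounters(text);
  return {
    encaps: counters['pkts encaps'] || 0,
    decaps: counters['pkts decaps'] || 0,
    verdict: diagnoseSa(counters),
  };
}

console.log(summarize(ASA_SAMPLE));
// posted block -> { encaps: 10, decaps: 57, verdict: 'bidirectional' }
```

For the posted counters the verdict is "bidirectional": the ASA decrypted 57 packets from the client and encrypted 10 replies back, so the tunnel itself is moving traffic both ways and the missing replies have to be lost on the client after decapsulation (TAP interface, a route that does not point at it, or a host firewall), which is consistent with the symptom described. Paste a fresh counter block into the script after each retry; a verdict that changes from "no-traffic" to "no-return" tells you the client-side fix worked and the remote side is next.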