# VPNC connects and sets routes, but no traffic through tunnel

## quezak

I have two Cisco VPNs at my company: one is IPSec (the one for 'vpnclient') and the other goes through SSL (for 'anyconnect'). I just recently installed Gentoo directly on my laptop; previously I ran it through VMware on Windows and connected both VPNs from Windows.

Now, when I try to connect from Gentoo to either of them using the exact same configuration, it connects properly, shows the welcome banner and sets up all routes, but does not tunnel any traffic -- if I try to ping, telnet or ssh to any IP on the VPN, it just hangs indefinitely.

For the second VPN I use openconnect with a configuration copied from another computer (where it works); it stays "connected" and doesn't show any errors.

For the first VPN I use vpnc with a configuration converted from vpnclient's .pcf file; after connecting it stays open for 30 seconds and then exits with the message "no response from target"...

My router allows VPN traffic and I haven't installed any firewall yet. The routes set by the clients are exactly the same as on the other computers where the VPNs do work. I've enabled in the kernel all the options mentioned in the VPN howtos on the Gentoo wiki (and many more). After hours of digging I've run out of ideas. Could anyone tell me what's happening or point me to where to look next? :)

Should I post some more logs/configs to help?

VPNC config -- I tried adding the Vendor, DH_group, NATT and local port options to the file generated by pcf2vpnc, but nothing changed:

```
## generated by pcf2vpnc
IPSec ID ****
IPSec secret ****
Vendor cisco
IPSec gateway ****
IKE Authmode psk
IKE DH Group dh2
NAT Traversal Mode cisco-udp
Local Port 10000
Xauth username ****
Xauth password ****
```

VPNC log:

```
0[root@...]/etc/vpnc>: vpnc --debug=2 frompcf.conf

vpnc version 0.5.3
S1 init_sockaddr
 [2015-01-09 15:47:21]
S2 make_socket
 [2015-01-09 15:47:21]
S3 setup_tunnel
 [2015-01-09 15:47:21]
   using interface tun0
S4 do_phase1_am
 [2015-01-09 15:47:21]
S4.1 create_nonce
 [2015-01-09 15:47:21]
S4.2 dh setup
 [2015-01-09 15:47:21]
S4.3 AM packet_1
 [2015-01-09 15:47:21]
S4.4 AM_packet2
 [2015-01-09 15:47:21]
   (Cisco Unity)
   (Xauth)
   (unknown)
   (unknown)
   got ike lifetime attributes: 2147483 seconds
   IKE SA selected psk+xauth-3des-sha1
   peer is XAUTH capable (draft-ietf-ipsec-isakmp-xauth-06)
   NAT status: no NAT-T VID seen
S4.5 AM_packet3
 [2015-01-09 15:47:21]
S4.6 cleanup
 [2015-01-09 15:47:21]
S5 do_phase2_xauth
 [2015-01-09 15:47:21]
S5.1 xauth_request
 [2015-01-09 15:47:21]
S5.2 notice_check
 [2015-01-09 15:47:21]
S5.3 type-is-xauth check
 [2015-01-09 15:47:21]
S5.4 xauth type check
 [2015-01-09 15:47:21]
S5.5 do xauth reply
 [2015-01-09 15:47:21]
S5.2 notice_check
 [2015-01-09 15:47:21]
S5.3 type-is-xauth check
 [2015-01-09 15:47:21]
S5.6 process xauth set
 [2015-01-09 15:47:21]
S5.7 send xauth ack
 [2015-01-09 15:47:21]
S5.8 xauth done
 [2015-01-09 15:47:21]
S6 do_phase2_config
 [2015-01-09 15:47:21]
S6.1 phase2_config send modecfg
 [2015-01-09 15:47:21]
S6.2 phase2_config receive modecfg
 [2015-01-09 15:47:21]
   Banner:    <my company's welcome banner>

   got save password setting: 0
   got 3 acls for split include
   acl 0:    addr: ****   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
   acl 1:    addr: ****   255.255.252.0    (22),    protocol: 0,    sport: 0,    dport: 0
   acl 2:    addr: ****   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
   got pfs setting: 0
   Remote Application Version:    Cisco Systems, Inc ASA5505 Version 8.2(1) built by builders on Tue 05-May-09 22:45
   got address 10.1.0.15
S7 setup_link (phase 2 + main_loop)
 [2015-01-09 15:47:21]
S7.0 run interface setup script
 [2015-01-09 15:47:21]
Connect Banner:
|  <my company's welcome banner>
|
S7.1 QM_packet1
 [2015-01-09 15:47:21]
S7.2 QM_packet2 send_receive
 [2015-01-09 15:47:21]
<30 seconds pass>
vpnc: no response from target
```

openconnect config and log:

```
0[root@...]/etc/openconnect>: openconnect -c <CERT>.p12 -k <CERT>.p12 -s /etc/openconnect/openconnect.sh -p **** -u **** --authgroup=*** -v <SERVER_IP>
POST https://<SERVER_IP>/
Attempting to connect to server <SERVER_IP>:443
Using certificate file <CERT>.p12
Using client certificate ....
SSL negotiation with <SERVER_IP>
Server certificate verify failed: signer not found
Connected to HTTPS on <SERVER_IP>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 09 Jan 2015 14:37:16 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://<SERVER_IP>/
Attempting to connect to server <SERVER_IP>:443
SSL negotiation with <SERVER_IP>
Server certificate verify failed: signer not found
Connected to HTTPS on <SERVER_IP>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 09 Jan 2015 14:37:16 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://<SERVER_IP>/+webvpn+/index.html
SSL negotiation with <SERVER_IP>
Server certificate verify failed: signer not found
Connected to HTTPS on <SERVER_IP>
Got HTTP response: HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Please enter your username and password.
Password:
POST https://<SERVER_IP>/+webvpn+/index.html
SSL negotiation with <SERVER_IP>
Server certificate verify failed: signer not found
Connected to HTTPS on <SERVER_IP>
Got HTTP response: HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&ch:A17FAE552D31FC5D5B37BAFCA613766C035B4044&sh:934133809298F5518FEA21E0CE5EDD25DF82653C&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: ****
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 10.10****
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: mpay
X-CSTP-Split-Include: 192.168.****/255.255.255.0
X-CSTP-Split-Include: 192.168.****/255.255.255.0
X-CSTP-Split-Include: 10.10****/255.255.0.0
X-CSTP-Split-Include: 10.10****/255.255.0.0
X-CSTP-Split-Include: 10.10****/255.255.0.0
X-CSTP-Split-Include: 217.1****/255.255.255.255
X-CSTP-Split-Include: 217.1****/255.255.255.255
X-CSTP-Split-Include: 10.10****/255.255.255.0
X-CSTP-Keep: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Banner: <WELCOME_BANNER>
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 36677ADDB904BFC1AADDE3864817046D74F72132FADBAD24B4064CED4C68B2FD
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES128-SHA
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.0)-(RSA)-(ARCFOUR-128)-(SHA1)
Connect Banner:
| <WELCOME_BANNER>
|
DTLS option X-DTLS-Session-ID : 36677ADDB904BFC1AADDE3864817046D74F72132FADBAD24B4064CED4C68B2FD
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected tun0 as 172.1****, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send DTLS Keepalive
Send CSTP Keepalive
Send DTLS DPD
Send CSTP DPD
Got DTLS DPD response
Got CSTP DPD response
Send CSTP Keepalive
Send DTLS DPD
Send CSTP DPD
Got DTLS DPD response
Got CSTP DPD response
<keepalives repeat>
^CSend BYE packet: Aborted by caller
User cancelled (SIGINT); exiting.
```

----------
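Added example, not part of the post above and not code from vpnc or openconnect: a small Python triage script that pulls the decision-relevant facts out of the two verbose logs the poster shows. The log excerpts embedded in it are constructed from those logs, with the masked `****` addresses replaced by placeholder private/documentation ranges, and the `tun0` device name is assumed from the vpnc output. It shows that in the vpnc run phase 1, XAUTH and mode-config all completed (banner, ACLs and address were received) and the 30-second timeout sits in the quick-mode exchange at S7.2 with NAT-T not negotiated; which split-include prefixes each gateway pushed and therefore which `ip route` entries should exist on tun0; and that every openconnect HTTPS round trip logged a server certificate it could not verify.

```python
import ipaddress
import re

# Constructed sample logs modelled on the vpnc --debug=2 and openconnect -v
# output in the post. The masked (****) addresses are replaced with RFC 1918
# and RFC 5737 placeholders; this is not the poster's real gateway output.
VPNC_LOG = """\
vpnc version 0.5.3
S4.4 AM_packet2
   IKE SA selected psk+xauth-3des-sha1
   NAT status: no NAT-T VID seen
S6.2 phase2_config receive modecfg
   got 3 acls for split include
   acl 0:    addr: 10.1.0.1   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
   acl 1:    addr: 10.1.4.0   255.255.252.0    (22),    protocol: 0,    sport: 0,    dport: 0
   acl 2:    addr: 10.1.0.2   255.255.255.255    (32),    protocol: 0,    sport: 0,    dport: 0
   got address 10.1.0.15
S7.1 QM_packet1
S7.2 QM_packet2 send_receive
vpnc: no response from target
"""

OPENCONNECT_LOG = """\
Server certificate verify failed: signer not found
Connected to HTTPS on 198.51.100.10
Server certificate verify failed: signer not found
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Address: 172.16.5.20
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Split-Include: 192.168.10.0/255.255.255.0
X-CSTP-Split-Include: 10.10.0.0/255.255.0.0
X-CSTP-Split-Include: 10.10.0.0/255.255.0.0
X-CSTP-Split-Include: 203.0.113.7/255.255.255.255
X-CSTP-MTU: 1406
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
"""

VPNC_ACL = re.compile(r"acl \d+:\s+addr:\s+(\S+)\s+(\S+)\s+\(\d+\)")
CSTP_INCLUDE = re.compile(r"^X-CSTP-Split-Include:\s+(\S+)/(\S+)\s*$", re.M)
VPNC_STAGE = re.compile(r"^(S[\d.]+)\s", re.M)


def split_includes(log):
    """Prefixes the gateway pushed for split tunnelling, as sorted CIDR strings.

    Accepts vpnc 'acl N: addr: A M (P)' lines and openconnect
    X-CSTP-Split-Include headers; duplicates (the ASA sends some twice) collapse.
    """
    nets = set()
    for addr, mask in VPNC_ACL.findall(log) + CSTP_INCLUDE.findall(log):
        nets.add(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return [str(n) for n in sorted(nets)]


def expected_routes(log, dev="tun0"):
    """The routes the client should have installed for those prefixes.

    Diff against 'ip route show dev tun0': a missing, broader or narrower
    entry is one explanation for 'connected but nothing goes through'.
    """
    return [f"ip route add {net} dev {dev}" for net in split_includes(log)]


def vpnc_triage(log):
    """Where a vpnc --debug run got to and what it negotiated."""
    stages = VPNC_STAGE.findall(log)
    ike = re.search(r"IKE SA selected (\S+)", log)
    nat = re.search(r"NAT status: (.+)", log)
    addr = re.search(r"got address (\S+)", log)
    err = re.search(r"^vpnc: (.+)$", log, re.M)
    return {
        "last_stage": stages[-1] if stages else None,
        "ike_sa": ike.group(1) if ike else None,
        "nat_status": nat.group(1).strip() if nat else None,
        "address": addr.group(1) if addr else None,
        "error": err.group(1).strip() if err else None,
        # Reaching S7 means phase 1, XAUTH and mode-config all finished; an
        # error there is the quick-mode (IPsec SA) exchange getting no reply.
        "phase1_ok": any(s.startswith("S7") for s in stages),
    }


def openconnect_triage(log):
    """Security- and routing-relevant facts from openconnect -v output."""
    addr = re.search(r"^X-CSTP-Address:\s+(\S+)", log, re.M)
    mask = re.search(r"^X-CSTP-Netmask:\s+(\S+)", log, re.M)
    mtu = re.search(r"^X-CSTP-MTU:\s+(\d+)", log, re.M)
    return {
        # Logged on every HTTPS round trip; non-zero means the gateway's
        # certificate chain was never verified by the client.
        "cert_verify_failures": log.count("Server certificate verify failed"),
        "tunnel_address": f"{addr.group(1)}/{mask.group(1)}" if addr and mask else None,
        "mtu": int(mtu.group(1)) if mtu else None,
        "dtls_established": "Established DTLS connection" in log,
    }


if __name__ == "__main__":
    print(vpnc_triage(VPNC_LOG))
    print(expected_routes(VPNC_LOG))
    print(openconnect_triage(OPENCONNECT_LOG))
    print(expected_routes(OPENCONNECT_LOG))
```

Two things a practitioner would act on from this output. First, `expected_routes` gives the exact entries to compare against `ip route show dev tun0` on the Gentoo box, which is a cheaper check than eyeballing the routes against another machine. Second, `cert_verify_failures` being non-zero means openconnect was talking to a gateway whose certificate chain it could not validate; rather than trusting on first use, pin the gateway with openconnect's `--servercert` option or hand it the issuing CA with `--cafile`, so that a connection that is "up" is also known to be to the right endpoint.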

