# Cisco VPN Client not connecting

## nizmot

Any help appreciated!

Kernel: 2.6.14-gentoo-r4

Cisco VPN Client Version: cisco-vpnclient-3des 4.7.00.0640

Background: Previously working Cisco VPN client (version 4.7.00.0640) stopped connecting after one of many system package upgrades. Unfortunately, I don't know which package broke it. The connection uses certificate authentication and the default Cisco certificate store on the client. Connection fails regardless of which user (root or otherwise) executes the vpnclient connect process.

I've tried nearly everything I can think of with no luck, but I'm no guru. I suspect a permission or other security issue, probably something simple that escapes me.

Result from /usr/bin/vpnclient connect <correct profile blanked>:

```
Cisco Systems VPN Client Version 4.7.00 (0640)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.14-gentoo-r4 #2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005 i686
Config file directory: /etc/opt/cisco-vpnclient

Enter Certificate password: <correct password entered>
Initializing the VPN connection.
Secure VPN Connection terminated locally by the Client
Reason: Failed to establish a VPN connection.
There are no new notification messages at this time.
```

Result from /opt/cisco-vpnclient/bin/ipseclog:

```
Cisco Systems VPN Client Version 4.7.00 (0640)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.14-gentoo-r4 #2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005 i686
Config file directory: /etc/opt/cisco-vpnclient

1      02:43:32.102  01/27/2006  Sev=Warning/3   CLI
Unable to purge old log files. Function returned -1.

2      02:43:32.129  01/27/2006  Sev=Info/4   CVPND
Privilege Separation: restoring MTU on primary interface.

3      02:43:32.129  01/27/2006  Sev=Info/4   CVPND
Started cvpnd:
Cisco Systems VPN Client Version 4.7.00 (0640)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.14-gentoo-r4 #2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005 i686

4      02:43:33.108  01/27/2006  Sev=Info/4   IPSEC
Deleted all keys

5      02:43:33.108  01/27/2006  Sev=Info/4   IPSEC
IPSec driver successfully started

6      02:43:33.108  01/27/2006  Sev=Info/4   IPSEC
Deleted all keys

7      02:43:33.108  01/27/2006  Sev=Info/4   IPSEC
Deleted all keys

8      02:43:33.108  01/27/2006  Sev=Info/4   IPSEC
IPSec driver successfully stopped

9      02:43:33.108  01/27/2006  Sev=Info/4   CLI
Started vpnclient:
Cisco Systems VPN Client Version 4.7.00 (0640)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.14-gentoo-r4 #2 SMP PREEMPT Sun Dec 11 15:11:59 EST 2005 i686

10     02:43:37.870  01/27/2006  Sev=Info/4   CM
Begin connection process

11     02:43:37.870  01/27/2006  Sev=Info/4   CM
Establish secure connection using Ethernet

12     02:43:37.870  01/27/2006  Sev=Info/4   CM
Attempt connection with server "<correct server ip blanked>"

13     02:43:37.870  01/27/2006  Sev=Info/4   CVPND
Privilege Separation: binding to port: (500).

14     02:43:37.871  01/27/2006  Sev=Info/4   CVPND
Privilege Separation: binding to port: (4500).

15     02:43:37.871  01/27/2006  Sev=Info/6   IKE
Attempting to establish a connection with <correct server ip blanked>.

16     02:43:37.871  01/27/2006  Sev=Debug/9   IKE
Unable to acquire local IP address after 0 attempts (over 12 seconds), probably due to network socket failure.

17     02:43:41.144  01/27/2006  Sev=Warning/2   CERT
Could not load certificate <correct certificate blanked> from store Cisco User Certificate. Reason: store open failed

18     02:43:41.144  01/27/2006  Sev=Warning/2   IKE
Unable to open certificate (<correct certificate blanked>).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

19     02:43:41.144  01/27/2006  Sev=Warning/2   IKE
Failed to open my certificate (Connection:240)

20     02:43:41.145  01/27/2006  Sev=Warning/2   IKE
Failed to set up connection data

21     02:43:41.145  01/27/2006  Sev=Info/4   CM
Unable to contact server "<correct server ip blanked>"

22     02:43:41.145  01/27/2006  Sev=Info/5   CM
Initializing CVPNDrv

23     02:43:41.145  01/27/2006  Sev=Info/4   CVPND
Privilege Separation: restoring MTU on primary interface.

24     02:43:41.145  01/27/2006  Sev=Info/4   IKE
IKE received signal to terminate VPN connection

25     02:43:41.145  01/27/2006  Sev=Info/4   IPSEC
IPSec driver successfully started

26     02:43:41.145  01/27/2006  Sev=Info/4   IPSEC
Deleted all keys

27     02:43:41.145  01/27/2006  Sev=Debug/7   IPSEC
Filter table modified, set new size

28     02:43:41.146  01/27/2006  Sev=Info/4   IPSEC
Deleted all keys

29     02:43:41.146  01/27/2006  Sev=Info/4   IPSEC
Deleted all keys

30     02:43:41.146  01/27/2006  Sev=Info/4   IPSEC
Deleted all keys

31     02:43:41.146  01/27/2006  Sev=Info/4   IPSEC
IPSec driver successfully stopped

32     02:43:44.144  01/27/2006  Sev=Info/4   CVPND
Stopped service:

33     02:43:44.144  01/27/2006  Sev=Info/4   CVPND
Privilege Separation: restoring MTU on primary interface.
```

Result from /etc/init.d/vpnclient status:

```
Auto-initiation Configuration Information.
* status:  started
cisco_ipsec           565900  0
cipsec0   Link encap:Ethernet  HWaddr <hex ip blanked>
          NOARP  MTU:1356  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:1 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

Result from /usr/bin/vpnclient verify:

```
Auto-initiation Configuration Information.
Enable:         0
Retry Interval: 1 minutes
```

Relevant result from ifconfig -a:

```
cipsec0   Link encap:Ethernet  HWaddr <correct hex ip blanked>
          NOARP  MTU:1356  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:1 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

Packet Capture:

On the non-working machine's connection attempt, Ethereal captures one UDP packet sent from client to server (the dropped packet). On a working machine on the same subnet, Ethereal captures the same initial UDP packet, but then reports ISAKMP (IKE) communication between the client and server - packets which are not sent or responded to on the non-working machine.

Things I've tried without success:

- Reinstallation

- Modification to fix the "stamp" variable issue in linuxcniapi.c

- Downgrading to cisco-vpnclient-3des-4.6.03.0190-r1

- Downgrading all packages upgraded after vpnclient breakage

- Making sure udev configuration doesn't screw up the interface

- Looking at everything in /etc to see if anything would have an effect on the connection (though since I didn't know what I was looking for, I wasn't likely to find it, thus didn't change anything)

- Attempting to connect from different locations, and as different users

- Certificate reinstallation

----------
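The ipseclog dump above is easiest to read by severity rather than by position: the last lines ("Unable to contact server") are consequences, and the Debug/9 "Unable to acquire local IP address" entry is noise; the first Warning/2 entry (CERT: store open failed) is the actual failure. The following script is an added example, not part of the original post or of the Cisco client, that flattens an ipseclog dump into one line per entry and reports the earliest of the most severe entries. It assumes the two-line entry layout seen in this thread (a header line `<n> <time> <date> Sev=<Name>/<level> <COMPONENT>` followed by the message), and that a lower numeric level means more severe, which is how the levels appear above. The sample log is a constructed, trimmed copy of the dump with the placeholders kept.

```shell
#!/bin/sh
# Added example: triage a Cisco VPN Client ipseclog dump by severity.
# Assumed entry format (as seen in the thread):
#   <n>  HH:MM:SS.mmm  MM/DD/YYYY  Sev=<Name>/<level>  <COMPONENT>
#   <message, possibly continued on following lines>
# Assumption: lower numeric level = more severe (Warning/2 beats Info/4).

# Constructed sample: a trimmed copy of the dump above, placeholders kept.
SAMPLE_LOG='1      02:43:32.102  01/27/2006  Sev=Warning/3   CLI
Unable to purge old log files. Function returned -1.
16     02:43:37.871  01/27/2006  Sev=Debug/9   IKE
Unable to acquire local IP address after 0 attempts (over 12 seconds), probably
due to network socket failure.
17     02:43:41.144  01/27/2006  Sev=Warning/2   CERT
Could not load certificate <blanked> from store Cisco User
Certificate. Reason: store open failed
18     02:43:41.144  01/27/2006  Sev=Warning/2   IKE
Unable to open certificate (<blanked>).
21     02:43:41.145  01/27/2006  Sev=Info/4   CM
Unable to contact server "<blanked>"'

# ipseclog_entries: read a dump on stdin, emit one line per entry:
#   <n>|<level>|<COMPONENT>|<message with continuation lines joined>
ipseclog_entries() {
    awk '
        function flush() { if (n != "") print n "|" lvl "|" comp "|" msg }
        # header line: numeric entry id in $1, Sev=Name/level in $4, component in $5
        $1 ~ /^[0-9]+$/ && $4 ~ /^Sev=/ {
            flush()
            n = $1; comp = $5; msg = ""
            split($4, s, "/"); lvl = s[2]
            next
        }
        # any other line belongs to the current entry message
        n != "" { msg = (msg == "" ? $0 : msg " " $0) }
        END { flush() }
    '
}

# ipseclog_first_failure: the earliest entry among those with the lowest
# (most severe) level; later entries at the same level are consequences.
ipseclog_first_failure() {
    ipseclog_entries | awk -F'|' '
        NR == 1 || $2 + 0 < best + 0 { best = $2; line = $0 }
        END { print line }
    '
}

# ipseclog_failing_component: just the component tag (CERT, IKE, CM, ...)
ipseclog_failing_component() {
    ipseclog_first_failure | cut -d'|' -f3
}

# Usage on a live system:  /opt/cisco-vpnclient/bin/ipseclog | ipseclog_first_failure
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | ipseclog_first_failure
```

On the sample this reports entry 17 from the CERT component, which is where to start: the client could not open its certificate store at all, so nothing after that (no IKE exchange, "Unable to contact server") is meaningful until the store opens.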

## Saidinknight

I'm having an identical problem, if anyone can help with this it would be greatly appreciated.

----------

## chryso

I too am having the same problem. It was working at one point, but no longer.

I am running 2.6.15-gentoo-r5 and cisco-vpnclient-3des-4.8.00.0490.

Not sure what could be relevant for this problem, I am woefully inexperienced with VPN.

----------

## chryso

Ok, I mentioned I was inexperienced with VPN, right?

Turns out that my company changed the group password since the last time I VPN'd.  For the others, I would check to make sure that you are typing your group password correctly.

Cheers,

-C.

----------

## bekkra

Actually, upgrading packages seems to be a kind of "package hell".

I still don't know what broke my setup, but on gentoo-2.6.15-r1 and cisco-vpnclient-3des-4.8.00.0490 I succeeded in breaking a working solution. :/ The connection fails, with lots of messages in the system logs with this kind of entry:

```
bad hh len 209788895
unknown mac header length (14)
```

Interesting... I suspect that the kernel is not configured to support networking in a way that this software needs. As far as I can see, there are no conditions in the documentation - the VPN software should simply be able to connect, once there is a working Internet connection in place.

The most frustrating detail is that I see no more information anywhere; "unknown mac header length" is just not telling enough. For one thing; what piece of software says this ?

A movie and a cup of tea later I ended up comparing the kernel configuration from the running (and failing, at least seen from the VPN connection's viewpoint) and the previous kernels, and I realized that I had indeed added some networking features: iptables. However, nothing of the new stuff was used, so it should not have been the problem.

Rebuilding the kernel automatically means that kernel modules may need to be rebuilt, so I did that and was immediately rewarded with a working Cisco VPN.

The rationale is of course "if it works, don't fix it", but you wouldn't be running Gentoo if upgrading packages were somebody else's melody.... But yes, despite module versioning, some changes in the kernel's configuration may result in a broken kernel module with a considerably more cryptic error message than "module xxxx failed to load".

Time to work over the VPN connection.

// 

//

----------
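The lesson of the last post is that an out-of-tree module such as cisco_ipsec can still load after the kernel is rebuilt with a changed configuration (the version magic still matches), yet misbehave, because structure layouts and inline code it was compiled against have changed. Checking `modinfo cisco_ipsec | grep vermagic` against `uname -r` therefore is not enough. The following script is an added example, not part of the thread or of any Gentoo tool, that makes the comparison the poster did by hand: it normalizes two kernel `.config` files (plain or gzipped, so `/proc/config.gz` works when CONFIG_IKCONFIG_PROC is enabled) and prints every option whose value differs. The two sample configs are constructed for the demonstration, with iptables enabled only in the second one, and the path of the config used when the module was built is an assumption you supply.

```shell
#!/bin/sh
# Added example: detect kernel configuration drift between the .config an
# out-of-tree module was built against and the running kernel's config.
# Assumptions: the build-time config was saved (e.g. a copy of
# /usr/src/linux/.config) and the running kernel exposes /proc/config.gz.

# Constructed sample configs ("before" and "after" enabling iptables).
OLD_CONFIG='CONFIG_NET=y
CONFIG_INET=y
# CONFIG_NETFILTER is not set
CONFIG_SMP=y
CONFIG_PREEMPT=y
CONFIG_MODVERSIONS=y'

NEW_CONFIG='CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_SMP=y
CONFIG_PREEMPT=y
CONFIG_MODVERSIONS=y'

# normalize_config FILE: emit sorted CONFIG_X=value lines; "# CONFIG_X is not
# set" becomes CONFIG_X=n so that a disabled option compares like any other.
normalize_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac | awk '
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { print $2 "=n"; next }
        /^CONFIG_[A-Za-z0-9_]+=/             { print }
    ' | sort
}

# config_drift OLD NEW: print "CONFIG_X: old -> new" for every option whose
# value differs; options present on one side only show as "absent".
config_drift() {
    old=$(mktemp) || return 2
    new=$(mktemp) || { rm -f "$old"; return 2; }
    normalize_config "$1" > "$old"
    normalize_config "$2" > "$new"
    awk -F= -v oldf="$old" '
        # value is everything after the first "=", so quoted values with "=" survive
        FILENAME == oldf { seen_old[$1] = substr($0, index($0, "=") + 1); next }
        {
            name = $1; val = substr($0, index($0, "=") + 1)
            seen_new[name] = 1
            o = (name in seen_old) ? seen_old[name] : "absent"
            if (o != val) print name ": " o " -> " val
        }
        END { for (n in seen_old) if (!(n in seen_new)) print n ": " seen_old[n] " -> absent" }
    ' "$old" "$new" | sort
    rm -f "$old" "$new"
}

# Usage on a live system (path of the saved build config is an assumption):
#   config_drift /root/kernel-config-at-module-build /proc/config.gz
# Demonstration on the constructed samples:
demo_old=$(mktemp); demo_new=$(mktemp)
printf '%s\n' "$OLD_CONFIG" > "$demo_old"
printf '%s\n' "$NEW_CONFIG" > "$demo_new"
config_drift "$demo_old" "$demo_new"
rm -f "$demo_old" "$demo_new"
```

Any non-empty output means the module was built against a different kernel than the one now running, whether or not it still loads, and the fix the poster found applies: rebuild (re-emerge) the module against the current kernel tree before chasing VPN-side causes.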

