Mailing List Archive

Re: [SOLVED] changes to VPN profile, result: no IP traffic after VPN comes up
I have solved the problem with the config value 'NAT Traversal Mode' set
to 'force-natt' instead of 'cisco-udp'. This gives now on TCPDUMP level:

06:26:31.534700 IP 192.168.2.100.4500 > 132.174.XXX.XX.4500: UDP-encap: ESP(spi=0x52562da2,seq=0x404), length 84
06:26:31.586589 IP 132.174.XXX.XX.4500 > 192.168.2.100.4500: UDP-encap: ESP(spi=0x63abc09b,seq=0xa9e), length 92
06:26:31.604083 IP 132.174.XXX.XX.4500 > 192.168.2.100.4500: UDP-encap: ESP(spi=0x63abc09b,seq=0xa9f), length 84
06:26:32.581545 IP 192.168.2.100.4500 > 132.174.XXX.XX.4500: UDP-encap: ESP(spi=0x52562da2,seq=0x405), length 84
06:26:32.593565 IP 192.168.2.100.4500 > 132.174.XXX.XX.4500: UDP-encap: ESP(spi=0x52562da2,seq=0x406), length 84
06:26:32.631505 IP 132.174.XXX.XX.4500 > 192.168.2.100.4500: UDP-encap: ESP(spi=0x63abc09b,seq=0xaa0), length 92

with 'cisco-udp' only ESP(spi=0x52562da2,seq=0x405) was sent, without any answers.

The wolf is dead! The wolf is dead! :-)
(this is from an old German fairy tale)

matthias

--
Matthias Apitz, guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Thank you very much, Russian liberators!
Re: [SOLVED] changes to VPN profile, result: no IP traffic after VPN comes up
On Jul 31, 2018 9:38 PM, "Matthias Apitz" <guru@unixarea.de> wrote:


> I have solved the problem with the config value 'NAT Traversal Mode' set
> to 'force-natt' instead of 'cisco-udp'. This gives now on TCPDUMP level:
>
> 06:26:31.534700 IP 192.168.2.100.4500 > 132.174.XXX.XX.4500: UDP-encap: ESP(spi=0x52562da2,seq=0x404), length 84
> 06:26:31.586589 IP 132.174.XXX.XX.4500 > 192.168.2.100.4500: UDP-encap: ESP(spi=0x63abc09b,seq=0xa9e), length 92
> 06:26:31.604083 IP 132.174.XXX.XX.4500 > 192.168.2.100.4500: UDP-encap: ESP(spi=0x63abc09b,seq=0xa9f), length 84
> 06:26:32.581545 IP 192.168.2.100.4500 > 132.174.XXX.XX.4500: UDP-encap: ESP(spi=0x52562da2,seq=0x405), length 84
> 06:26:32.593565 IP 192.168.2.100.4500 > 132.174.XXX.XX.4500: UDP-encap: ESP(spi=0x52562da2,seq=0x406), length 84
> 06:26:32.631505 IP 132.174.XXX.XX.4500 > 192.168.2.100.4500: UDP-encap: ESP(spi=0x63abc09b,seq=0xaa0), length 92
>
> with 'cisco-udp' only ESP(spi=0x52562da2,seq=0x405) was sent, without any
> answers.
>
> The wolf is dead! The wolf is dead! :-)
> (this is from an old German fairy tale)
>
> matthias


Poor wolf! :-p

That makes sense. The cisco-udp mode is ancient and it's not surprising
that a new gateway doesn't support it.

Dan
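
An added example, not part of either poster's message: a Python check that does the comparison made by eye in the thread, counting UDP-encapsulated ESP packets per direction in tcpdump text output and flagging a tunnel that only sends. The first sample is the capture quoted in the post; the one-way sample, the address 198.51.100.7 and the helper name `summarize_esp` are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump's one-line form for NAT-T traffic (ESP inside UDP, port 4500).
ESP_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\S+)\.\d+ > (?P<dst>\S+)\.\d+: "
    r"UDP-encap: ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\), length \d+$"
)

# The six lines from the post (gateway address masked there with X).
FORCE_NATT = """\
06:26:31.534700 IP 192.168.2.100.4500 > 132.174.XXX.XX.4500: UDP-encap: ESP(spi=0x52562da2,seq=0x404), length 84
06:26:31.586589 IP 132.174.XXX.XX.4500 > 192.168.2.100.4500: UDP-encap: ESP(spi=0x63abc09b,seq=0xa9e), length 92
06:26:31.604083 IP 132.174.XXX.XX.4500 > 192.168.2.100.4500: UDP-encap: ESP(spi=0x63abc09b,seq=0xa9f), length 84
06:26:32.581545 IP 192.168.2.100.4500 > 132.174.XXX.XX.4500: UDP-encap: ESP(spi=0x52562da2,seq=0x405), length 84
06:26:32.593565 IP 192.168.2.100.4500 > 132.174.XXX.XX.4500: UDP-encap: ESP(spi=0x52562da2,seq=0x406), length 84
06:26:32.631505 IP 132.174.XXX.XX.4500 > 192.168.2.100.4500: UDP-encap: ESP(spi=0x63abc09b,seq=0xaa0), length 92
"""

# Constructed sample: the client keeps sending, the gateway never answers.
ONE_WAY = """\
06:30:01.000000 IP 192.168.2.100.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x11111111,seq=0x1), length 84
06:30:02.000000 IP 192.168.2.100.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x11111111,seq=0x2), length 84
"""

def summarize_esp(capture, local_ip):
    """Count ESP packets per direction and SPI; report missing sequence numbers."""
    seqs = defaultdict(list)          # (direction, spi) -> sequence numbers seen
    for line in capture.splitlines():
        m = ESP_LINE.match(line.strip())
        if m:                         # skip anything that is not UDP-encapsulated ESP
            direction = "out" if m["src"] == local_ip else "in"
            seqs[(direction, m["spi"])].append(int(m["seq"], 16))
    sent = sum(len(v) for (d, _), v in seqs.items() if d == "out")
    rcvd = sum(len(v) for (d, _), v in seqs.items() if d == "in")
    # ESP sequence numbers rise by one per packet on an SA, so holes mean
    # packets that were sent but never reached the capture point.
    gaps = {k: (max(v) - min(v) + 1) - len(set(v)) for k, v in seqs.items()}
    if sent and rcvd:
        verdict = "bidirectional"
    elif sent:
        verdict = "outbound-only"
    elif rcvd:
        verdict = "inbound-only"
    else:
        verdict = "no-esp"
    return {"sent": sent, "received": rcvd, "gaps": gaps, "verdict": verdict}

if __name__ == "__main__":
    for name, cap in (("force-natt (from the post)", FORCE_NATT), ("constructed one-way", ONE_WAY)):
        print(name, summarize_esp(cap, "192.168.2.100"))
```

The pattern expects one packet per line, so captures pasted through a mail client that wraps long lines need rejoining first.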