Cisco Support Community

New Member

SA 520 VPN access Linux client

Has anyone successfully gotten a Linux client (particularly Ubuntu 10.04 64-bit) to connect to the SA 520 with either IPSec or SSL?

I have the latest firmware (1.1.65) on the box right now.

1. I followed the nice Shrewsoft documentation by Steve Smith...to the letter.  In this scenario, it looks like I connect, but cannot get anywhere on the local LAN (192.168.x.x) network.  This also kills my Internet connection (no split tunnel?) and I end up needing to reboot to get connectivity back.  I do find that when I look at the status window, under Security Associations, the "failed" counter slowly increases.  I don't know if/where the logs are that might provide better detail.

2. When I try SSL access, I can log into the VPN portal just fine in Firefox (run via sudo), and I get a Firefox sub-window that gives me a "connect" and "disconnect" button, both of which are grey, and I can't do anything further.  Note: I've installed the sun-java6 and removed the IcedTea java to make me more standard/supported.

3. I quickly tried vpnc, but that configuration seemed to want group names and group passwords; I gave up on that pretty quickly.

*Should* linux clients work?  Or, am I beating my head against the wall.

Thank you.

Chris

7 REPLIES
Cisco Employee

Re: SA 520 VPN access Linux client

Hi Chris,

I have gotten Shrew Soft VPN Client on Ubuntu 10.4 64-bit to connect to a SA 520.  I too followed the Shrew Soft guide; however, I made a couple of changes both to the Shrew Client and the SA 520.  On the SA 520, I just changed encryption to 3des.  See screenshots for IKE and VPN policy setup.  On the Linux client, I made changes to the Phase 1 and Phase 2 tabs to match the SA configuration (see screenshots).

To help debug IPSec VPN connections, navigate to the IPSec VPN Logs page (Status Tab --> View Logs --> IPSec VPN Logs).  The logs will display if there are problems during negotiations, and connection messages.

Another detail you may have missed, as I did my first time around: on the Shrew General tab, make sure the address method is set to Use existing Adapter and Current Address.

Hope this helps you out.

Best regards,

Julio

New Member

Re: SA 520 VPN access Linux client

Thank you Julio.

Unfortunately, I get the same bad results even after making the changes you suggest.

The tunnel looks like it establishes correctly, but I cannot navigate anywhere.  I end up in a position where I need to reboot my machine before I get any local connectivity back again.

I will check the logs on the SA when I'm back in the office (can't access admin from the outside).

What I don't understand is that I'm using the "use existing adapter and address" selection; how does the routing to the Corp LAN work?  For example, when I'm at home, my IP address ends up with a 192.168.1.x address.  My Corp LAN is 10.0.1.x.

When I do an ifconfig, I don't see any "tunnel" adapter created.  And when I do a netstat -r I don't see a route to the 10.0.1.x network.  How would I get to the Corp LAN?

Thank you.

Cisco Employee

Re: SA 520 VPN access Linux client

Hi Chris,

On the Shrew Soft VPN Site Configuration, make sure that your Policy tab contains the remote network resource you need to access (in this case 10.0.1.0 / 255.255.255.0).  See the attached screenshot for how your Policy tab should look.

Running netstat -r should list the route to the 10.0.1.0 network.  See the screenshot of my setup's netstat output, where I am going from the 192.168.15.0 network to the "corporate" LAN of 192.168.75.0.

Are you getting any error messages in the SA's IPSec VPN Logs?

Are you trying to connect to the LAN specified in the SA's VPN Policy "Local Traffic Selection"?  If not, can you give me a description of your corporate topology?

If you still have problems, can you send me your config file, so that I can take a look and see what could be preventing you from connecting?  Remove passwords and other sensitive information from the file, and you can send it to me as a private message.

Good luck,

Julio
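The two checks Julio describes (a route to the remote LAN from the Policy tab, and, given Chris's lost Internet access, the default route still being present after the tunnel comes up) can be scripted against the output of `netstat -rn`. The following is an added troubleshooting helper, not part of the thread and not Shrew Soft or Cisco code; the two routing tables it inspects are constructed samples for a client on 192.168.1.0/24 reaching the 10.0.1.0/24 corporate LAN, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the thread): verify a Linux IPsec client's routing
# state after connecting. Two things must hold for a working split tunnel:
#   1. a route for the remote (corporate) LAN named on the Policy tab exists
#   2. the default route is still present, otherwise Internet access is lost
# Both samples below are constructed `netstat -rn` output, not real captures.

# Healthy state: remote 10.0.1.0/24 is routed and the default route is intact.
SAMPLE_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.0.1.0        192.168.1.1     255.255.255.0   UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# Broken state: no route to the corporate LAN and the default route is gone,
# which matches the "need to reboot to get connectivity back" symptom.
SAMPLE_BAD='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# has_route TABLE DESTINATION GENMASK -> prints "yes" or "no"
# Matches on the Destination (column 1) and Genmask (column 3) fields.
has_route() {
    rt_table=$1; rt_dest=$2; rt_mask=$3
    if printf '%s\n' "$rt_table" | awk -v d="$rt_dest" -v m="$rt_mask" \
        '$1 == d && $3 == m { found = 1 } END { exit !found }'; then
        echo yes
    else
        echo no
    fi
}

# check_vpn_routes TABLE REMOTE_NET REMOTE_MASK
# Prints a one-line summary; exit status 0 only if both routes are present.
check_vpn_routes() {
    vt_table=$1; vt_net=$2; vt_mask=$3
    vt_remote=$(has_route "$vt_table" "$vt_net" "$vt_mask")
    vt_default=$(has_route "$vt_table" 0.0.0.0 0.0.0.0)
    echo "route to $vt_net/$vt_mask: $vt_remote; default route: $vt_default"
    [ "$vt_remote" = yes ] && [ "$vt_default" = yes ]
}

# On a live client replace the sample with the real table:
#   check_vpn_routes "$(netstat -rn)" 10.0.1.0 255.255.255.0
check_vpn_routes "$SAMPLE_OK" 10.0.1.0 255.255.255.0
check_vpn_routes "$SAMPLE_BAD" 10.0.1.0 255.255.255.0 \
    || echo "remote LAN is not routed; check the Policy tab and the SA's IPSec VPN Logs"
```

If the remote route is present but the default route has vanished, the client is sending all traffic into the tunnel rather than split-tunnelling, which is the symptom to raise with the gateway's policy configuration rather than with the client.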

New Member

Re: SA 520 VPN access Linux client

Would like to "bump" this.  Julio, I haven't heard from you since I PM'd the logs and configs to you.  Are you still out there?  Thank you.

Cisco Employee

Re: SA 520 VPN access Linux client

Hi Chris, I sent you my Linux Shrew Soft config file for you to import and test out with your SA.  I sent it to you via PM on 11/22.  Did you get it?  Here is the message again:

"Hi Chris,

Sorry for not getting back to you sooner...

I did load your config file on my test box, and created a vpn file for you to try out...create a file with .vpn extension with the below config, import it with Shrew Soft, then just modify the Pre-shared key to match your SA520W.  Connect logging in using a Standard IPSec Xauth account, presto... access to 192.168.40.0/24.

AFAIK, you do not need sudo/su level permission to run Shrew Soft.  However, I just installed the version that shows when running the Ubuntu Software Center and "Get Software" Shrew Soft.  My local admin account is sufficient to run the Shrew Soft VPN Access Manager just fine.  The version that installs is 2.1.5, which is a little old, but worked for me..."

Let me know if the config file attached below helps, and the result...

Best regards,

Julio

New Member

Re: SA 520 VPN access Linux client

My apologies, Julio.

I didn't get a notification of your PM, so I didn't know it was there.  I will try this config.  Thank you again for your help.

New Member

Re: SA 520 VPN access Linux client

Thank you, Julio.

I can now connect just fine to our internal LAN.  I can ping our server and I can RDP to the server.  The only thing that doesn't work is mounting shares.  As I ran IPTraf on the interfaces, I'm seeing broadcasts on the local NIC IP address over port 137 (NetBIOS), so, obviously, my server would not see that, since the broadcast doesn't go over the tunnel to reach our server.

BUT...this feels like it's now an issue for the Ubuntu forums...not here.

Thanks again!
