cisco linux vpn client 4.7 fail on some cities, but succeed on shanghai

rickhuang123 · ‎08-25-2006

I installed Fedora Core 5 , tried linux cisco vpn client 4.7 and 4.8

The main problem is:

When I am in Shanghai, I can use "vpnclient connect s-us-east-u_Linux"

to connect internal network from home with fttb.

But when I am in the hotel of other city, I use "vpnclient connect

s-us-east-u_Linux" and failed

[root@rhuang Profiles]# vpn

Cisco Systems VPN Client Version 4.8.00 (0490)

Client Type(s): Linux

Running on: Linux 2.6.17-1.2157_FC5 #1 SMP Tue Jul 11 23:24:16 EDT

2006 i686

Config file directory: /etc/opt/cisco-vpnclient

Initializing the VPN connection.

Initiating TCP to xx.xx.131.50, port 10000

Contacting the gateway at xx.xx.131.50

Secure VPN Connection terminated locally by the Client

Reason: Remote peer is no longer responding.

There are no new notification messages at this time.

If I changed EnableNat=0, vpnclient connect is OK. DNS translation is OK. "Ping internal_ip" is OK.But I could not access internal network with http,ftp...

If I changed TunnelingMode=0,vpnclient connect is OK. DNS translation is OK. "Ping internal_ip" is OK.But I could not access

internal network with http,ftp...

I did not enable SELinux and iptables list is empty.

I have used ethereal to analyze packet and find a [TCP Previous segment lost" everytime.

The attachment is my ipseclog logfile.

Much appreciate your help.

rickhuang123 · ‎08-27-2006

One my collegue used UDP and succeed. So I tried it, but I found following error in ipseclog log:

8 20:31:11.546 08/27/2006 Sev=Info/6 IKE/0x43000053

Sent a keepalive on the IKE SA

9 20:31:11.546 08/27/2006 Sev=Info/6 IKE/0x43000055

Sent a keepalive on the IPSec SA

10 20:31:26.559 08/27/2006 Sev=Warning/3 IKE/0x83000056

Driver says we received a packet with invalid SPI (495625681), sending INVALID-SPI notify.

11 20:31:26.559 08/27/2006 Sev=Info/4 IKE/0x43000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI) to xxx.xxx.131.50