Tinus

Hello,

We are currently testing KWF.
Everything works except VPN.

We are trying to establish a VPN connection from a client machine which is behind a KWF. The VPN client that is used is 'Cisco VPN Client 4.0.3'.

In KWF we've setup the following NAT rule:
Source: Local Area Connection
Destination: Broadband Internet Connection (NIC that is connected to the ADSL Modem (Bridged))
Service: IKE (UDP 500); L2TP (UDP 1701); PPTP (TCP 1723); UDP 4500 and UDP 1000
Action: Permit
Translation: NAT (Default outgoing interface)

If we start the Cisco VPN Client software and try to make the connection, the following happens (Connect history log):
Initializing the IPSec link...
Contacting the security gateway at 193.A.A.240.. (balancing)
Contacting the security gateway at 193.A.A.240.. (balancing)
Contacting the security gateway at 193.A.A.241.. (balancing)
Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.
Not connected.

The problem is not our ISP, because if we hook the ADSL modem directly to our client computer the VPN connection is set up without any problems.

IPSec is enabled in KWF (Advanced Options).

Can somebody help us set up KWF so that we can use VPN?
Or can somebody give us a clue what we are doing wrong?

Thanks in advance!
With regards,
Tinus
Pavel Dobry (Kerio)

Tinus wrote on Sat, 13 March 2004 18:40

I guess you have to allow also IP protocol 50 in the NAT rule.

Define a new service:
Protocol: other
Protocol number: 50
and use it as a service in the NAT rule.

Also try to disable the "IPSec pass-through" option in Advanced Options -> IPSec screen.
This option should be disabled if your clients support the IPSec NAT traversal standard. Then the firewall can handle several IPSec connections simultaneously. If the "IPSec pass-through" option is enabled, it is possible to establish only one IPSec VPN connection.

This option should be checked only when the VPN client does not support IPSec NAT traversal.
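An added illustration of the point made above (my own toy model, not code from the thread or from Kerio): plain ESP (IP protocol 50) carries no port numbers, so a pass-through NAT can remember only one (inside host, peer) tunnel, whereas ESP encapsulated in UDP 4500 (NAT traversal) is an ordinary UDP flow and gets a per-flow port mapping like any other. The class names, addresses and port range are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

ESP, UDP = 50, 17          # IP protocol numbers
NAT_T_PORT = 4500          # UDP port used for ESP-in-UDP (NAT traversal)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP, which has no transport header
    dport: Optional[int] = None


class ToyNat:
    """Outbound NAT: per-flow port mapping for UDP, one pass-through slot for ESP."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.udp_map = {}        # public port -> (inside host, inside port)
        self.esp_slot = None     # (inside host, peer) of the single ESP tunnel
        self.next_port = 40000   # constructed public port range

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet leaving the LAN; None means the NAT cannot carry it."""
        if p.proto == UDP:
            # IKE (500) and ESP-in-UDP (4500) are ordinary UDP flows: each one gets its
            # own public port, so any number of hosts and peers stay distinguishable.
            pub = self.next_port
            self.next_port += 1
            self.udp_map[pub] = (p.src, p.sport)
            return Packet(UDP, self.public_ip, p.dst, pub, p.dport)
        if p.proto == ESP:
            # ESP has no ports to rewrite; the pass-through can only remember one
            # (host, peer) pair, since a second tunnel's replies would be ambiguous.
            if self.esp_slot is not None and self.esp_slot != (p.src, p.dst):
                return None
            self.esp_slot = (p.src, p.dst)
            return Packet(ESP, self.public_ip, p.dst)
        return None


def tunnels_carried(nat_t: bool, peers: List[str], host: str = "192.168.1.10") -> int:
    """Count how many of the given peers one host can reach through a fresh ToyNat.
    nat_t=True sends ESP inside UDP 4500; False relies on the ESP pass-through slot."""
    nat = ToyNat("203.0.113.5")   # constructed public address
    ok = 0
    for peer in peers:
        pkt = Packet(UDP, host, peer, NAT_T_PORT, NAT_T_PORT) if nat_t else Packet(ESP, host, peer)
        ok += nat.outbound(pkt) is not None
    return ok
```

With the two load-balanced gateways from the thread, pass-through mode carries only the first tunnel, while NAT-T carries both.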
Tinus

Thank you!!

First of all: thank you for your very quick response.
Second: It worked. We did not know that the IPSec pass-through option only works for 1 connection. After adding the protocol 50 (ESP) service and disabling IPSec pass-through in KWF, everything worked like a charm.

With regards,
Tinus
sagitar

Pavel,

How can I resolve the same issue, but with KPF? Thanks a lot.

Dima
roadrun777

I have been having issues with Cisco VPN and KWF 5.1.10 .
The VPN client keeps getting dropped at random intervals. I can ping the VPN server just fine. Tracert is good and under 100ms to the VPN server. When I go to reconnect, the client eventually times out saying that no connection could be established (remote peer no longer responding, while still being able to ping it).

I read the idea about disabling IPSec passthrough and just adding a service definition with IP protocol 50. I have done this and will post a follow up to see if this was the problem.

Just to clarify: when the problem has occurred (VPN connection dropped), if I stop and restart the Kerio service, the VPN client can reconnect as usual and all is speedy again.
Firewall settings are in place for the server (2 nics, one internet, one private lan) and private lan is set to allow any access. IPSec Passthrough was enabled with default timeout, I tried changing the timeout to 0, which only made it worse.


This problem has been a major irritation for me, as my wife uses her laptop to access the company Exchange server through the VPN. She is constantly ranting about the VPN connection dropping while she is in the middle of writing an email (and since she has Outlook 2000 it just quits, not even allowing you to save any work). She snapped today and threw the keyboard around for a while, so I have to find a solution soon, otherwise she will destroy everything!

[Updated on: Fri, 09 April 2004 23:07]

repo

Hello

I have a very similar setup to that described by Tinus (i.e. Cisco VPN with balancing). I have to have "IPSec pass-through" enabled, due to restrictions on our VPN server.

What I noticed (using the example), is that the IPSec pass-through / NAT works for the connection (IKE - UDP 500) to the first server (193.A.A.240), but when trying to contact the second server (193.A.A.241), the NAT does not seem to work correctly -> during the NAT process, the source Port is set to 0 (instead of 500).

Note: I am not trying to connect simultaneously to the two servers.

A further test I performed:
1. Connect to 193.A.A.241 - works OK
2. Disconnect
3. Connect to 193.A.A.242 - fails (due to Source Port = 0)
4. Reboot Firewall
5. Connect to 193.A.A.242 - works OK
6. Disconnect
7. Connect to 193.A.A.241 - fails (due to Source Port = 0)

i.e. the first IPSec connection is always OK, but then I can't connect to any other VPN Server until I reboot the firewall.

Is this a bug, or a feature?

Thanks
Stephen
Tinus

Like Pavel already said: you need to disable the "IPSec pass-through" option in Advanced Options -> IPSec screen.

If you enable "IPSec pass-through", KWF will only allow 1 IPSec connection. In your case (and mine) the VPN is trying to make 2 connections (balancing). Disabling "IPSec pass-through" and allowing IP protocol 50 in the NAT rule should do the trick.
repo

Tinus: Thanks for the reply.

>> KWF will only allow 1 IPSec connection.
I understood from Pavel's post, that this meant "simultaneous connections", not "you can only connect to 1 specific VPN Server. If you want to connect to a different VPN Server at a later date, you need to reboot the firewall". The further test I performed (see previous post), was connecting directly to each VPN Server, without balancing. Even with balancing, it isn't making simultaneous connections!?

It seems KWF behaves strangely (i.e. setting Source Port = 0 for 2nd and subsequent VPN Server addresses) when translating the packet header with "IPSec pass-through" enabled. Of course, disabling this setting works, since you no longer encounter this strange behaviour.

Unfortunately, as I said, I can't disable "IPSec pass-through", since without this, the packets are dropped in the network before ever reaching the tunnel server.