mpd PPTP to Cisco 3000 VPN Concentrator routing problem

Joe Marcus Clarke marcus at marcuscom.com
Thu Jan 8 00:42:55 PST 2004


On Thu, 2004-01-08 at 03:34, Chris Jones wrote:
> Oh. :(  I thought it negotiated the encryption ok because I see this:
> 
> [ciscovpn] CCP: LayerUp
>   Compress using: MPPE, 128 bit, stateless
>   Decompress using: MPPE, 128 bit, stateless

This is fine.  I get this, too.  However, when trying to send data, I
get decryption errors (the concentrator reports invalid packets).

> 
> And capturing on the interface, I see echo req's coming in from the
> concentrator, but I encounter a routing loop when I try to send across
> the tunnel.

I was able to get past the routing loop by readdressing the interface as
soon as it came up.  This is a good starter howto on that procedure:

http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn/fbsd-cisco-vpn.pdf

> 
> Disabling encryption isn't an option, even for testing, I'm afraid.

Then you're probably not going have any luck getting this to work.  You
might also consider trying out security/vpnc if the concentrator also
allows for IPSec clients using the Cisco VPN client.

Joe

> 
> 
> Original message from Joe Marcus Clarke:
> 
> > On Thu, 2004-01-08 at 02:49, Chris Jones wrote:
> > > Hi.  I've gone over list archives and seen this issue discussed before,
> > > but the sugggested solutions aren't working for me.  I am using
> > > mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000 Series VPN
> > > Concentrator.  I have negotiated CHAP and MPPE and the ng0 interface
> > > comes up, but when I try to do anything I get this:
> > > 
> > > $ ping 10.10.58.7 
> > > PING 10.10.58.7 (10.10.58.7): 56 data bytes       
> > > ping: sendto: Resource deadlock avoided           
> > > ping: sendto: No buffer space available           
> > > 
> > > A little investigation showed that this is a known routing issue and
> > > that it is possible to work around by re-addressing the ng0 interface
> > > with the VPN concentrator's private IP and set a default route to it.  I
> > > did this, but I still have the same problem.  :(
> > > 
> > > Does anyone see what I am doing wrong here?  Below are my routing table
> > > and ifconfig before running mpd, after running mpd, and after running
> > > the "fix".  Below that is my mpd.conf and its output (verbose).
> > > 
> > > I appreciate any help on this, I've been going crazy trying to figure
> > > out what I'm doing wrong.  I can get it to work using the OSX PPTP
> > > client, but not mpd.
> > 
> > Good luck.  I have tried to get this working, but have never been able
> > to get mpd encryption to work with the Concentrator's encryption
> > (neither has anyone else to my knowledge).  If you disable encryption on
> > the concentrator, the tunnel will come up, and you will be able to pass
> > traffic across it.  Any other combination does not work.  I haven't
> > tried 3.16 yet, but looking at the ChangeLog, I doubt it addresses this
> > problem.
> > 
> > Joe
> > 
> > -- 
> > PGP Key : http://www.marcuscom.com/pgp.asc
-- 
PGP Key : http://www.marcuscom.com/pgp.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040108/f6348787/attachment.bin


More information about the freebsd-questions mailing list