[Vpn-help] Traffic to Cisco VPN 3000 goes only in one direction

Matthew Grooms mgrooms at shrew.net
Mon Sep 28 22:57:21 CDT 2009


Martin Emrich wrote:
> Hello!
> 
> Matthew Grooms wrote:
>> -> : send ESP packet x.x.x.x -> y.y.y.y ( 112 bytes )
>> <- : recv ESP packet y.y.y.y -> x.x.x.x ( 112 bytes )
>>
>> If you don't see the return packet, I would try to investigate why the 
>> return packets don't reach your host. Sometimes older NAT routers have 
>> problems with NAT-T. You could try disabling this and give it another 
>> shot.
>>   
> Indeed, I do not see any incoming ESP traffic in the log. After a little 
> investigation, I noticed that the original Cisco client does not work in 
> this WLAN either. So I switched to another network, there the Cisco 
> client works. But the Shrew Soft client does no longer connect (it fails 
> with "session terminated by gateway"). The log on the Cisco 3005 is not 
> very helpful. Attached is the client IPSec log. I imported the Cisco PCF 
> file, so I assume it's a setting that is not contained in the PCF...
> 

Martin,

First off, sorry for the delayed response. I was out of town for a week 
on business, then took ill and now I am closing on a new home purchase. 
My mailing list time has been very tight.

From the looks of your log output, the client isn't passing Xauth. I'm 
not exactly sure why, but if you are using 2.1.4 this may be the cause. 
With that release I updated the version of the Cisco client vendor ID 
string which caused problems during Xauth/modecfg with some gateways. 
During the 2.1.5 development cycle, I reverted it to the older version.

-Matthew
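The quoted advice above boils down to a symmetry check on the client's IPsec log: for every ESP packet the client sends to the gateway there should be an ESP packet coming back from it, and a peer that only ever appears in "send" lines points at a path (often a NAT-T problem on the router) rather than at the tunnel negotiation. The following script is an added example, not code from the Shrew Soft client or from anyone in this thread. It parses log lines of the shape shown in the quote, tallies ESP packets per direction and flags gateways with outbound-only traffic. The sample log lines and the RFC 5737 addresses in it are constructed; the script assumes the "send ESP packet" / "recv ESP packet" text is present somewhere on the line and tolerates any prefix before it.

```python
import re
from collections import Counter

# Matches the tail of the ESP send/recv lines quoted in the thread, e.g.
#   "-> : send ESP packet x.x.x.x -> y.y.y.y ( 112 bytes )"
#   "<- : recv ESP packet y.y.y.y -> x.x.x.x ( 112 bytes )"
# Assumption: any prefix (timestamps, markers) is ignored via re.search.
ESP_LINE = re.compile(
    r"(?P<dir>send|recv) ESP packet "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\( (?P<len>\d+) bytes \)"
)


def parse_esp(lines):
    """Count ESP packets per (direction, src, dst); non-ESP lines are skipped."""
    counts = Counter()
    for line in lines:
        m = ESP_LINE.search(line)
        if m:
            counts[(m["dir"], m["src"], m["dst"])] += 1
    return counts


def one_way_peers(counts):
    """Return [(local, gateway, sent, received)] for gateways we send to
    but never hear back from. A 'recv' line has the gateway as src and
    the local address as dst, so the return key is (gateway, local)."""
    sent = {(s, d): n for (direction, s, d), n in counts.items() if direction == "send"}
    recv = {(s, d): n for (direction, s, d), n in counts.items() if direction == "recv"}
    flagged = []
    for (local, gateway), n_sent in sorted(sent.items()):
        n_recv = recv.get((gateway, local), 0)
        if n_recv == 0:
            flagged.append((local, gateway, n_sent, n_recv))
    return flagged


# Constructed sample log: one gateway answers, the other is outbound-only.
SAMPLE_LOG = """\
-> : send ESP packet 192.0.2.10 -> 198.51.100.1 ( 112 bytes )
-> : send ESP packet 192.0.2.10 -> 198.51.100.1 ( 112 bytes )
-> : send ESP packet 192.0.2.10 -> 198.51.100.1 ( 112 bytes )
-> : send ESP packet 192.0.2.10 -> 203.0.113.5 ( 112 bytes )
<- : recv ESP packet 203.0.113.5 -> 192.0.2.10 ( 112 bytes )
ii : unrelated log line that must be ignored
"""


def report(log_text):
    """Human-readable summary; returns the flagged list for reuse."""
    flagged = one_way_peers(parse_esp(log_text.splitlines()))
    for local, gateway, n_sent, n_recv in flagged:
        print(f"{local} -> {gateway}: sent {n_sent} ESP packets, received {n_recv}; "
              f"check the return path (NAT-T, firewall, routing)")
    if not flagged:
        print("ESP traffic is flowing in both directions for every peer")
    return flagged


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a gateway listed in the output is the one whose return path to investigate, and disabling NAT-T on the client (as suggested in the quote) is a cheap first test there.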
