[vpn-help] CentOS 6 to SSG5 Issues Solved

Jim Yates jim at wg5jim.net
Wed May 14 15:40:42 CDT 2014


I solved my CentOS 6 issues.

I did a standard build of the 2.2.1 Client for Linux. 

My biggest problem was trying to use a path name in the ikec command. The -r option wants the name of a config file in $HOME/.ike/sites, not a path name.

I did have to change the packet filtering.

Temp solution:
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

Perm Solution:

Add the following to /etc/sysctl.conf as described in https://access.redhat.com/site/solutions/53031
net.ipv4.conf.default.rp_filter = 2

Sanitized VPN Config:

n:version:2
s:network-host: FIREWALL_IP_ADDRESS
n:network-ike-port:500
s:client-auto-mode:push
n:network-mtu-size:1380
s:client-iface:virtual
n:client-addr-auto:1
s:network-natt-mode:enable
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:enable
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:any
s:ident-client-data:vpn at mydomain.com
b:auth-mutual-psk:PSK_VALUE
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
s:phase1-cipher:3des
s:phase1-hash:sha1
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
s:policy-level:auto
n:policy-nailed:0
n:policy-list-auto:0
s:policy-list-include:BEHIND_THE_FIREWALL_NETWORK/ 255.255.255.0
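The site file above is a plain "type:key:value" text format, which makes it easy to review before rolling a profile out to other machines. The following is an added example, not code from the post or from the Shrew Soft client: it parses a site file and reports the settings a reviewer would want to reconsider (IKEv1 aggressive mode with a PSK, 3DES, SHA-1, 1024-bit DH groups, dead peer detection turned off). The interpretation of the type prefixes (n = integer, s = string, b = opaque value kept as a string) is an assumption, and the embedded sample is a constructed subset of the sanitized config.

```python
"""Audit a Shrew Soft style VPN site file for settings worth reconsidering.

Added example: not the post author's code and not part of the Shrew Soft client.
Assumption: each line is '<type>:<key>:<value>' where type 'n' is an integer,
's' is a string and 'b' is an opaque (e.g. base64) value kept as a string.
"""
from typing import Dict, List, Tuple

# Constructed sample: a subset of the sanitized config from the post.
SAMPLE_CONFIG = """\
n:version:2
s:network-host: FIREWALL_IP_ADDRESS
s:auth-method:mutual-psk-xauth
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
s:phase1-cipher:3des
s:phase1-hash:sha1
n:network-dpd-enable:0
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
"""

Entry = Tuple[str, object]  # (type prefix, parsed value)


def parse_site_file(text: str) -> Dict[str, Entry]:
    """Parse 'type:key:value' lines into {key: (type, value)}; reject malformed lines."""
    entries: Dict[str, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # value may itself contain ':' (e.g. IPv6), so split at most twice
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected type:key:value, got {raw!r}")
        kind, key, value = parts[0], parts[1].strip(), parts[2].strip()
        if kind == "n":
            entries[key] = ("n", int(value))
        elif kind in ("s", "b"):
            entries[key] = (kind, value)
        else:
            raise ValueError(f"line {lineno}: unknown type prefix {kind!r}")
    return entries


def audit_site_config(entries: Dict[str, Entry]) -> List[str]:
    """Return human-readable findings for settings a reviewer should reconsider."""
    findings: List[str] = []

    def value(key: str, default=None):
        return entries.get(key, ("", default))[1]

    # IKEv1 aggressive mode sends the PSK-derived hash in the clear, enabling offline guessing.
    if value("phase1-exchange") == "aggressive" and "psk" in str(value("auth-method", "")):
        findings.append("phase1-exchange: aggressive mode with a PSK exposes the PSK hash to "
                        "offline guessing; prefer main mode or certificate authentication")

    for key in ("phase1-cipher", "phase2-transform"):
        if "3des" in str(value(key, "")):
            findings.append(f"{key}: 3DES has a 64-bit block and is deprecated; prefer AES")

    for key in ("phase1-hash", "phase2-hmac"):
        if value(key) == "sha1":
            findings.append(f"{key}: SHA-1 is deprecated for new deployments; prefer SHA-256")

    for key in ("phase1-dhgroup", "phase2-pfsgroup"):
        group = value(key)
        if isinstance(group, int) and group < 14:
            findings.append(f"{key}: DH group {group} is 1024-bit or weaker; prefer group 14 or higher")

    if value("network-dpd-enable") == 0:
        findings.append("network-dpd-enable: dead peer detection is off, so a tunnel to a "
                        "vanished peer will not be torn down and re-established")
    return findings


if __name__ == "__main__":
    for finding in audit_site_config(parse_site_file(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it against a real site file with `parse_site_file(open(path).read())`; an empty findings list means none of the checks above fired, not that the profile is correct in every respect (the checks are deliberately limited to the fields shown in the post).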


