Cisco VPN500 Client: states not cleared on disconnect
I manage a small network at home where several users connect to a VPN
server using the Cisco VPN5000 client with NAT transparency enabled
(i.e. connecting over port 80). Initial connections work just fine, but
if a user disconnects from the VPN and attempts to reconnect, they can't
get past the Shared password prompt.
I did a little investigating and realized that pf isn't clearing out the
state table for the connection after the user terminates it.
'pfctl -s state | grep vpn.server.ip' shows:
self tcp 10.0.1.100:500 -> my.external.ip:57153 -> vpn.gateway.ip:80
self tcp vpn.gateway.ip:80 <- 10.0.1.100:500 ESTABLISHED:ESTABLISHED
after disconnect. I have no specific rules in pf.conf to control VPN
it is worth noting that if the user turns off NAT transparency (which
will of course use port 500/esp), they can connect and disconnect
successfully without consequence, however, proper packet routing does
not occur and they are unable to access the resources on the remote
network (samba shares, etc.).
I figure I've got two possible courses of action here with pf:
add rules to ensure that closed VPN connections via port 80 get cleared
add rules to ensure that VPN connections using esp and port 500 are
correctly routed between the client machine and the remote network.
Which is all well and good, but VPN configuration is a little over my
head. If there are any easy answers, they would be greatly appreciated,
otherwise I will post my current pf.conf for review. Some basic
background: I have 3 NICs: 2 private LANs and one external IP, routed
through pf on FreeBSD 5.3-STABLE (though I was having this same problem on
Thanks in advance for any and all help.
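The first course of action above (flushing the stale port-80 state) as an added example, not code from the original post: it parses the two-line 'pfctl -s state' output quoted above (a constructed sample, keeping the post's vpn.gateway.ip placeholder), picks out states to the gateway's port 80 that are still ESTABLISHED on both sides, and prints the matching 'pfctl -k client -k gateway' command so it can be reviewed before it is run.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes pf's two-line state
# listing (outbound line, then inbound line carrying the TCP state) and
# that client addresses are numeric IPs; the gateway name is a placeholder.

# Constructed sample of 'pfctl -s state' output mirroring the post's lines,
# plus an unrelated UDP state that must be left alone.
SAMPLE_STATES='self tcp 10.0.1.100:500 -> my.external.ip:57153 -> vpn.gateway.ip:80
self tcp vpn.gateway.ip:80 <- 10.0.1.100:500       ESTABLISHED:ESTABLISHED
self udp 10.0.1.50:5353 -> my.external.ip:5353 -> 224.0.0.251:5353
self udp 224.0.0.251:5353 <- 10.0.1.50:5353       MULTIPLE:MULTIPLE'

# stale_vpn_states GATEWAY [STATES]: print "client gateway" for each TCP state
# to GATEWAY:80 that is still ESTABLISHED:ESTABLISHED. Reads live pfctl output
# when STATES is not given.
stale_vpn_states() {
    gw=$1
    states=${2:-$(pfctl -s state)}
    printf '%s\n' "$states" | awk -v gw="$gw" '
        # Outbound line: "self tcp client:port -> nat:port -> gw:80"
        $3 ~ /^[0-9.]+:[0-9]+$/ && $4 == "->" && $NF == (gw ":80") {
            split($3, c, ":"); client = c[1]; next
        }
        # Inbound line carries the state; only fully established ones are stale here.
        client != "" && $NF == "ESTABLISHED:ESTABLISHED" { print client, gw }
        { client = "" }
    '
}

# kill_cmds GATEWAY [STATES]: one "pfctl -k client -k gateway" line per stale
# state (pfctl -k host -k host kills states from the first host to the second).
# Printed, not executed, so an operator can check before flushing anything.
kill_cmds() {
    stale_vpn_states "$@" | while read -r client gw; do
        printf 'pfctl -k %s -k %s\n' "$client" "$gw"
    done
}

kill_cmds vpn.gateway.ip "$SAMPLE_STATES"
```

Drop the second argument to run it against the live state table; pipe the output to sh only once the listed states are confirmed stale.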