
Cisco VPN500 Client: states not cleared on disconnect

hi all-

I manage a small network at home where several users connect to a VPN server using the Cisco VPN5000 client with NAT transparency enabled (i.e. connecting over port 80). Initial connections work just fine, but if a user disconnects from the VPN and attempts to reconnect, they can't get past the Shared password prompt.

I did a little investigating and realized that pf isn't clearing out the state table for the connection after the user terminates it.

'pfctl -s state | grep vpn.server.ip' shows:

self tcp -> my.external.ip:57153 -> vpn.gateway.ip:80 ESTABLISHED:ESTABLISHED
self tcp vpn.gateway.ip:80 <- ESTABLISHED:ESTABLISHED

after disconnect. I have no specific rules in pf.conf to control VPN connections.

It is worth noting that if the user turns off NAT transparency (which will of course use port 500/ESP), they can connect and disconnect successfully without consequence; however, proper packet routing does not occur and they are unable to access the resources on the remote network (Samba shares, etc.).

I figure I've got two possible courses of action here with pf:

1) add rules to ensure that closed VPN connections via port 80 get cleared properly

2) add rules to ensure that VPN connections using ESP and port 500 are correctly routed between the client machine and the remote network.

Which is all well and good, but VPN configuration is a little over my head. If there are any easy answers, they would be greatly appreciated; otherwise I will post my current pf.conf for review. Some basic background: I have 3 NICs: 2 private LANs and one external IP, routed through pf on FreeBSD 5.3-STABLE (though I was having this same problem on OpenBSD 3.5-CURRENT).

thanks in advance for any and all help.

darren david
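An added check, not from the original post and not part of pf or the Cisco client, that parses `pfctl -s state` output and lists TCP states still ESTABLISHED:ESTABLISHED toward a VPN gateway port, the lingering-state symptom described above. The gateway address, port and sample state lines are constructed placeholders.

```python
import re
from typing import Optional

# Matches one line of `pfctl -s state` output, e.g.
#   self tcp 10.0.0.5:57153 -> 203.0.113.7:57153 -> 198.51.100.9:80 ESTABLISHED:ESTABLISHED
# The hop list between the protocol and the STATE:STATE pair is split on "->";
# with NAT there are three hops (internal, translated, destination), else two.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<hops>.+?)\s+"
    r"(?P<src_state>[A-Z_]+):(?P<dst_state>[A-Z_]+)\s*$"
)


def parse_state_line(line: str) -> Optional[dict]:
    """Parse one pfctl state line into its fields; None for unparsable lines."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    hops = [h.strip() for h in m.group("hops").split("->") if h.strip()]
    if not hops:
        return None
    return {
        "proto": m.group("proto"),
        "hops": hops,
        "dst": hops[-1],  # final hop is the remote endpoint, e.g. gateway:80
        "src_state": m.group("src_state"),
        "dst_state": m.group("dst_state"),
    }


def lingering_states(output: str, gateway: str, port: int = 80) -> list:
    """Return TCP states toward gateway:port that are still fully ESTABLISHED."""
    target = f"{gateway}:{port}"
    found = []
    for line in output.splitlines():
        entry = parse_state_line(line)
        if entry is None or entry["proto"] != "tcp" or entry["dst"] != target:
            continue
        if entry["src_state"] == "ESTABLISHED" and entry["dst_state"] == "ESTABLISHED":
            found.append(entry)
    return found


# Constructed sample output (RFC 5737 addresses), not taken from the post.
SAMPLE = """\
self tcp 10.0.0.5:57153 -> 203.0.113.7:57153 -> 198.51.100.9:80 ESTABLISHED:ESTABLISHED
self tcp 10.0.0.5:57160 -> 203.0.113.7:57160 -> 198.51.100.9:80 FIN_WAIT_2:FIN_WAIT_2
self udp 10.0.0.5:500 -> 203.0.113.7:500 -> 198.51.100.9:500 MULTIPLE:MULTIPLE
self tcp 10.0.0.9:40022 -> 203.0.113.7:40022 -> 192.0.2.30:443 ESTABLISHED:ESTABLISHED
"""

if __name__ == "__main__":
    for e in lingering_states(SAMPLE, "198.51.100.9"):
        print("stale VPN state:", " -> ".join(e["hops"]), e["src_state"])
```

On a live box, feed it the real output with `pfctl -s state` piped into the script in place of SAMPLE; a state that survives well after the client has disconnected is the one to look at.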