(Walter Roberson) wrote in message news:<bvbs2r$ejj$>...
> In article < >,
> David Carson <> wrote:
> :I am trying to connect to a VPN using Cisco's VPN client, 4.0.3.B on
> :Linux. I am getting the error message in the Subject: line.
>
> What's the endpoint?
>
A Cisco VPN concentrator 3000.
>
> :What does this mean?
>
> Your VPN client could not agree on a transform set and 'group'
> with the remote end.
>
> : I have tried running the client with and without
> :iptables running on my home system. When I have iptables running, I
> :can poke holes for UDP 500 and 10000, explicitly for my IP and the
> :Cisco device's IP, both directions, and get the Cisco to respond to my
> :client. However, it still gives the policy mismatch error.
>
> 10000 is not that common. UDP 4500 is what you need if you are trying
> to do NAT-T to a remote system that knows about NAT-T. IP protocols
> (not udp or tcp ports!) 50 (ESP) and 51 (AH) are what are expected
> unless NAT-T is in use.
I could not figure out how to specify ESP or AH to iptables. The '-m'
option lists these as valid arguments, but I'm not sure what the whole
command should look like. I keep getting "invalid argument" which is
less than revealing.
Also, I tried connecting to the 3000 without iptables running, to
eliminate the possibility that I was filtering a port I should not
have been. The result is the same. It seems that Rik's response
about requiring an integrated firewall may have some validity. Is
this something that can be changed on the 3000?
Thanks,
David
Similar Threads
