firewall policy mismatch error

Discussion in 'Cisco' started by David Carson, Jan 29, 2004.

  1. David Carson

    David Carson Guest

    I am trying to connect to a VPN using Cisco's VPN client, 4.0.3.B on
    Linux. I am getting the error message in the Subject: line.

    What does this mean? I have tried running the client with and without
    iptables running on my home system. When I have iptables running, I
    can poke holes for UDP 500 and 10000, explicitly for my IP and the
    Cisco device's IP, both directions, and get the Cisco to respond to my
    client. However, it still gives the policy mismatch error.

    What kind of information should I be asking of the sysadmins? I can
    capture a log and post it here if it would help. What level of
    logging would be useful?

    Thanks,
    David

    P.S. Please post your answers here if possible, rather than responding
    to me directly.
    David Carson, Jan 29, 2004
    #1

  2. Walter Roberson

    Walter Roberson Guest

    In article <>,
    David Carson <> wrote:
    :I am trying to connect to a VPN using Cisco's VPN client, 4.0.3.B on
    :Linux. I am getting the error message in the Subject: line.

    What's the endpoint?


    :What does this mean?

    Your VPN client could not agree on a transform set and 'group'
    with the remote end.

    : I have tried running the client with and without
    :iptables running on my home system. When I have iptables running, I
    :can poke holes for UDP 500 and 10000, explicitly for my IP and the
    :Cisco device's IP, both directions, and get the Cisco to respond to my
    :client. However, it still gives the policy mismatch error.

    10000 is not that common. UDP 4500 is what you need if you are trying
    to do NAT-T to a remote system that knows about NAT-T. IP protocols
    (not udp or tcp ports!) 50 (ESP) and 51 (AH) are what are expected
    unless NAT-T is in use.
    --
    Entropy is the logarithm of probability -- Boltzmann
    Walter Roberson, Jan 29, 2004
    #2

  3. Rik Bain

    Rik Bain Guest

    On Thu, 29 Jan 2004 08:39:00 -0600, David Carson wrote:

    > I am trying to connect to a VPN using Cisco's VPN client, 4.0.3.B on
    > Linux. I am getting the error message in the Subject: line.
    >
    > What does this mean? I have tried running the client with and without
    > iptables running on my home system. When I have iptables running, I can
    > poke holes for UDP 500 and 10000, explicitly for my IP and the Cisco
    > device's IP, both directions, and get the Cisco to respond to my client.
    > However, it still gives the policy mismatch error.
    >
    > What kind of information should I be asking of the sysadmins? I can
    > capture a log and post it here if it would help. What level of logging
    > would be useful?
    >
    > Thanks,
    > David
    >
    > P.S. Please post your answers here if possible, rather than responding
    > to me directly.


    Do your admins support other users with linux client? I have seen this
    in the past on VPN Concentrator, when the group policy requires the
    integrated firewall. The linux client software does not have this
    functionality, so the error is produced and the connection dropped.

    Just one scenario.....

    Rik Bain
    Rik Bain, Jan 29, 2004
    #3
  4. David Carson

    David Carson Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bvbs2r$ejj$>...
    > In article <>,
    > David Carson <> wrote:
    > :I am trying to connect to a VPN using Cisco's VPN client, 4.0.3.B on
    > :Linux. I am getting the error message in the Subject: line.
    >
    > What's the endpoint?
    >


    A Cisco VPN concentrator 3000.

    >
    > :What does this mean?
    >
    > Your VPN client could not agree on a transform set and 'group'
    > with the remote end.
    >
    > : I have tried running the client with and without
    > :iptables running on my home system. When I have iptables running, I
    > :can poke holes for UDP 500 and 10000, explicitly for my IP and the
    > :Cisco device's IP, both directions, and get the Cisco to respond to my
    > :client. However, it still gives the policy mismatch error.
    >
    > 10000 is not that common. UDP 4500 is what you need if you are trying
    > to do NAT-T to a remote system that knows about NAT-T. IP protocols
    > (not udp or tcp ports!) 50 (ESP) and 51 (AH) are what are expected
    > unless NAT-T is in use.


    I could not figure out how to specify ESP or AH to iptables. The '-m'
    option lists these as valid arguments, but I'm not sure what the whole
    command should look like. I keep getting "invalid argument" which is
    less than revealing.

    Also, I tried connecting to the 3000 without iptables running, to
    eliminate the possibility that I was filtering a port I should not
    have been. The result is the same. It seems that Rik's response
    about requiring an integrated firewall may have some validity. Is
    this something that can be changed on the 3000?

    Thanks,
    David
    David Carson, Jan 31, 2004
    #4
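To illustrate the point made in replies #2 and #4 (IKE and NAT-T are UDP ports, while ESP and AH are IP protocols that iptables selects with `-p`, not a port match), here is an added example script that is not part of the thread. The gateway address 203.0.113.10 and the interface eth0 are assumed placeholders; it prints the rules by default and only applies them when run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits (and optionally applies)
# iptables rules that let a Linux IPsec client talk to one VPN gateway:
# UDP 500 (IKE), UDP 4500 (NAT-T), and IP protocols 50 (ESP) and 51 (AH).
# If the concentrator uses the client's own UDP encapsulation port (10000
# in the thread), add it to the PORTS list below.

GATEWAY="${GATEWAY:-203.0.113.10}"   # assumed concentrator address (TEST-NET-3)
IFACE="${IFACE:-eth0}"               # assumed Internet-facing interface
PORTS="500 4500"

# ipsec_rules GW DEV: print one iptables command per line, both directions.
ipsec_rules() {
  gw=$1; dev=$2
  # IKE and NAT-T: match the gateway's UDP port in each direction.
  for port in $PORTS; do
    echo "iptables -A OUTPUT -o $dev -d $gw -p udp --dport $port -j ACCEPT"
    echo "iptables -A INPUT -i $dev -s $gw -p udp --sport $port -j ACCEPT"
  done
  # ESP and AH carry no port numbers. -p takes the protocol name from
  # /etc/protocols (or the number 50/51); the -m esp / -m ah match
  # extensions only add SPI matching on top of -p and are not needed here.
  for proto in esp ah; do
    echo "iptables -A OUTPUT -o $dev -d $gw -p $proto -j ACCEPT"
    echo "iptables -A INPUT -i $dev -s $gw -p $proto -j ACCEPT"
  done
}

# rule_count GW DEV: number of rules emitted (two per protocol/port).
rule_count() { ipsec_rules "$1" "$2" | wc -l | tr -d ' '; }

# apply_rules: run each printed command; requires root on the client host.
apply_rules() {
  ipsec_rules "$GATEWAY" "$IFACE" | while read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd" || return 1
  done
}

if [ "${1:-}" = apply ]; then
  apply_rules
else
  ipsec_rules "$GATEWAY" "$IFACE"
fi
```

Packets that still do not get through after these rules are in place point back at the concentrator's group policy (for example the integrated-firewall requirement Rik describes) rather than at the host firewall.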
