Semi-OT: Cisco PIX VPN - Linux Boxes left out.

Ansar Mohammed ansarm-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sat Aug 6 02:54:44 UTC 2005


Broadcast icmp is a really really bad thing. It was never a feature of the
Windows IP stack, and FreeBSD has had it disabled by default for years.

I would guess that your remote vpn clients are getting an ip address on a
separate subnet. 

You have two possible issues.
1. Your ipchains ruleset is most probably configured for "Local Area
Network" access, i.e. only incoming requests from your local subnet are
allowed; otherwise all outbound is allowed.
2. Your IP configuration on Linux is off: could be the subnet mask or dg.

Either way the only way to be sure is to run tcpdump on your Linux box.


-----Original Message-----
From: owner-tlug-lxSQFCZeNF4 at public.gmane.org [mailto:owner-tlug-lxSQFCZeNF4 at public.gmane.org] On Behalf Of Lennart
Sorensen
Sent: August 5, 2005 4:49 PM
To: tlug-lxSQFCZeNF4 at public.gmane.org
Subject: Re: [TLUG]: Semi-OT: Cisco PIX VPN - Linux Boxes left out.

On Fri, Aug 05, 2005 at 04:38:50PM -0400, psema4 wrote:
> On the internal network, yes - with the exception of the VPN clients. 
> When a vpn client connects, it uses its internal network ip for its
> gateway (which is on the same subnet as the windows/linux boxes we're
> trying to reach.)

So the clients are given an internal ip.  Does the VPN box do proper arp
responses for those clients?  I know windows seems to follow different
rules on how to respond to ping requests than linux does.  I find a
broadcast ping on a subnet will get a response from all linux machines
but very few windows machines.

> Inside the network (and without using the vpn connection) all boxes
> can ping each other.  The problem only shows up when connecting
> through the VPN client.

How about ssh or anything else that isn't ICMP based?  Does that work?

Lennart Sorensen
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml

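The two failure modes Ansar lists (a LAN-only ipchains policy that drops the VPN client's packets, and a subnet mask or default gateway that is off) plus Lennart's ARP question can be checked on paper before reaching for tcpdump. The following script is an added illustration, not code from anyone in this thread: it models a Linux host's view of a peer address and reports why an ICMP echo from a VPN client would go unanswered. The addresses, the `192.168.1.0/24` LAN, the `10.8.0.0/24` VPN pool and the `vpn_box_proxy_arps` flag are all constructed assumptions for the example.

```python
"""Added example (not from the thread): reason about why a Linux host
does not answer a VPN client, given its interface config, its default
gateway, a LAN-only inbound filter, and whether the VPN box proxy-ARPs."""
import ipaddress


def is_on_link(host_iface: str, peer_ip: str) -> bool:
    """True when the host believes peer_ip is on its own subnet and will
    therefore ARP for it instead of sending the reply to the gateway."""
    net = ipaddress.ip_interface(host_iface).network
    return ipaddress.ip_address(peer_ip) in net


def lan_only_filter_accepts(allowed_net: str, src_ip: str) -> bool:
    """Models an ipchains-style 'Local Area Network' policy: inbound
    packets are accepted only if their source lies in allowed_net."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(allowed_net)


def diagnose(host_iface: str, default_gw: str, allowed_net: str,
             client_ip: str, vpn_box_proxy_arps: bool) -> list:
    """Return the reasons (empty list if none) a ping from client_ip would
    not get a reply from the Linux host configured as host_iface."""
    problems = []

    # Misconfigured mask or dg: the gateway itself must be on-link.
    if not is_on_link(host_iface, default_gw):
        problems.append("config: default gateway %s is not on %s"
                        % (default_gw, host_iface))

    # Inbound filter drops the request before ICMP ever sees it.
    if not lan_only_filter_accepts(allowed_net, client_ip):
        problems.append("filter: inbound from %s denied by LAN-only rule %s"
                        % (client_ip, allowed_net))

    # The reply path: on-link means the host ARPs for the client, so the
    # VPN box must answer that ARP on the client's behalf (proxy ARP).
    if is_on_link(host_iface, client_ip):
        if not vpn_box_proxy_arps:
            problems.append("arp: host ARPs for %s but nothing answers"
                            % client_ip)
    else:
        problems.append("routing: %s is off-link, reply goes to gateway %s; "
                        "confirm with tcpdump that it returns to the VPN"
                        % (client_ip, default_gw))
    return problems


# Constructed scenarios for the LAN 192.168.1.0/24 and VPN pool 10.8.0.0/24.
LAN_HOST = "192.168.1.10/24"
LAN_GW = "192.168.1.1"
LAN_RULE = "192.168.1.0/24"

if __name__ == "__main__":
    cases = {
        "client on LAN subnet, VPN box proxy-ARPs":
            (LAN_HOST, LAN_GW, LAN_RULE, "192.168.1.200", True),
        "client on LAN subnet, no proxy ARP":
            (LAN_HOST, LAN_GW, LAN_RULE, "192.168.1.200", False),
        "client from a separate VPN pool":
            (LAN_HOST, LAN_GW, LAN_RULE, "10.8.0.5", True),
        "host subnet mask too narrow (/25)":
            ("192.168.1.10/25", LAN_GW, LAN_RULE, "192.168.1.200", True),
    }
    for name, args in cases.items():
        print(name, "->", diagnose(*args) or ["ok"])
```

Each scenario maps to one of the suggestions in the thread: the "separate VPN pool" case is dropped by the LAN-only rule, the "/25" case is the bad subnet mask, and the "no proxy ARP" case is what Lennart's ARP question would catch. Whatever the model predicts, the packet capture Ansar recommends is still what confirms it.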