[Users] RE: Cisco 3000 Concentrator

Thanks Ken,

We added the rightid=10.190.180.10 and established the connection. Totally forgot that one. We have yet to check packets and routing but that did the trick. The question now becomes, how can I still blame the other company ;)

Thanks again,
David

-----Original Message-----
From: Ken Bantoft [mailto:ken@freeswan.ca] Sent: Thursday, February 27, 2003 1:58 PM To: David Prestwich
Cc: users@lists.freeswan.org
Subject: Re: Cisco 3000 Concentrator

-----BEGIN PGP SIGNED MESSAGE----- Admin Note: Post to users@lists.freeswan.org for a larger audience - sfs-users is a virus/spam filtered sublist.

And now onto the problem at hand:

On Wed, 26 Feb 2003, David Prestwich wrote:

> According to the company, the Cisco Concentrator is behind the firewall in
a
> DMZ. When we try to bring up the connection we get the following:
3000
> Concentrator before. We were supposed to be their first. They do however
configuration
> was incorrect ( it seems obvious to us that their endpoint is declaring
its
> internal IP) with either the PIX or the Concentrator, they decided to open
a
> task with Cisco.
packet
> than it needs to for some reason. I can't seem to find anything that

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

NAT does things like this all the time. Things to try:

On your end, try setting forcing the ID:

rightid=10.190.180.10 or
rightid=@10.190.180.10

On the PIX side - they appear to be mangling IPSec packets somehow, which is inherently evil and gives problems like this. If they play to do IPSec connections to other devices, they will run into issues like this every time... giving a *real* ip to the 3000 is recommended for future sanity :)

I have a PIX stuffed in my desk here, perhaps I'll finally break it out. Anyone know how to crack the password of it? (Came from one of our now-closed/laid-off offices)

• -- Ken Bantoft The Unoffical FreeS/WAN Site: ken(at)freeswan.ca http://www.freeswan.ca PGP Key: finger ken@bantoft.org I'd rather run Unix than Windows or MacOS any day, because Unix sucks less. -- jwz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPl6J01iWUusaxGxpAQH2kQP/U7YhN6ucCJcd+D16XvF/DnDgE0WBtOho pPQAPBbyL6q6JePUQeeXttFPSCpUfBGS2Ahfjv5lH+Bc5qmwV2ZoNpp4qqzg1Z79 QGgLrBcERatfFgb6jpVIjzzOz9choAbZvuEj8kKAtQKFNMBgvEs9c4J8GmlXDqD3 9/Wb1B0NMAo=
=QgYV
-----END PGP SIGNATURE-----