[vpnc-devel] A possible cause of vpnc disconnect

Joerg Mayer jmvpnc at loplof.de
Tue Jul 25 06:23:45 CEST 2006


On Thu, Jun 22, 2006 at 10:18:42PM +0200, Bruno Haible wrote:
> The reason, we found out, was that when one of us started his VPN
> connection, the other one was disconnected by the concentrator, and
> vice versa. This didn't happen with Cisco's proprietary driver.
> 
> The fix that we found is to launch vpnc with DIFFERENT --local-port
> numbers for each machine. (Instead of all machines using port 500.)
> 
> Question: Do you understand why this is happening? Does the
> network port translation done in the router not work properly when
> vpnc is used? (We didn't specify --disable-natt. When we did, it didn't
> change the symptom.) Does the Cisco concentrator identify clients only
> by the IP address of the router and a port number, not also by, say,
> the MAC address of the ethernet card of the underlying ethernet device?
> 
> Suggestions: Might it make sense for vpnc to choose random --local-port
> numbers by default? (Just a dumb question. I have not looked into the
> RFCs.) If not, could this scenario be added to an FAQ?

The following is pure speculation: Maybe the "connections" through your
NAT router time out after a short time without packets being sent in
both directions, and maybe the Cisco client sends keepalives or some other
stuff often enough to avoid this timeout?

 ciao
     Joerg
-- 
Joerg Mayer                                           <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
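The two hypotheses raised in this thread, a concentrator that identifies a client only by the public (IP, port) pair it sees and NAT mappings that expire unless traffic refreshes them, can be modelled in a few lines. This is an added example, not code from vpnc or from either poster; the "IPsec passthrough" behaviour (UDP/500 and UDP/4500 forwarded with the source port preserved), the 30-second idle timeout and all addresses are assumptions.

```python
# Constructed model (not from the thread): a PAT router in front of two vpnc hosts
# and a concentrator that identifies a client only by its public (IP, port) pair.
# Assumptions: the router passes UDP/500 and UDP/4500 through untranslated
# ("IPsec passthrough"), and a NAT entry expires after IDLE_TIMEOUT idle seconds.
IDLE_TIMEOUT = 30
PASSTHROUGH_PORTS = {500, 4500}

class Router:
    def __init__(self, public_ip="203.0.113.1"):
        self.public_ip = public_ip
        self.table = {}       # (private_ip, local_port) -> [public_port, last_seen]
        self.next_port = 40000

    def outbound(self, private_ip, local_port, now):
        """Translate an outgoing datagram; return the (ip, port) the concentrator sees."""
        entry = self.table.get((private_ip, local_port))
        if entry and now - entry[1] <= IDLE_TIMEOUT:
            entry[1] = now                        # outbound traffic refreshes the mapping
        else:
            if local_port in PASSTHROUGH_PORTS:
                public_port = local_port          # preserved, so two hosts share it
            else:
                public_port, self.next_port = self.next_port, self.next_port + 1
            entry = self.table[(private_ip, local_port)] = [public_port, now]
        return (self.public_ip, entry[0])

    def inbound_ok(self, public_port, now):
        """Does a reply from the concentrator still find a live mapping?"""
        return any(p == public_port and now - t <= IDLE_TIMEOUT
                   for p, t in self.table.values())

class Concentrator:
    def __init__(self):
        self.sessions = {}    # public (ip, port) -> client

    def ike_from(self, src, client):
        """Record a session for src; return the client it displaces, if any."""
        evicted = self.sessions.get(src)
        self.sessions[src] = client
        return evicted if evicted not in (None, client) else None

def simulate(local_ports):
    """Two hosts behind one router connect in turn; return eviction events."""
    router, vpn, events = Router(), Concentrator(), []
    hosts = ("192.168.1.10", "192.168.1.11")
    for now, (host, port) in enumerate(zip(hosts, local_ports)):
        evicted = vpn.ike_from(router.outbound(host, port, now), host)
        if evicted:
            events.append(f"{evicted} displaced when {host} connected from local port {port}")
    return events
```

With both hosts on local port 500 the second connection displaces the first, while distinct --local-port values give the concentrator two distinct public pairs; `inbound_ok` shows why periodic keepalives matter once a mapping's idle timer runs out.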