 From:  Erik Anderson <erikerik at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  icmp unreach/admin_prohibit error message through IPsec tunnel
 Date:  Sat, 15 Oct 2005 16:41:27 -0500
I have successfully established an IPsec tunnel between my mono box
and a Cisco VPN concentrator; however, it's not passing any traffic.
When I try to ping from the mono box through the tunnel, I'm getting
an "icmp unreach/admin_prohibit" error message in my syslog on the
mono box.

I've attached a text file w/ the full log message and a quick drawing
of what the network situation looks like.  The cisco router is doing
NAT w/ ports forwarded to the VPN box behind it.  I think that's where
the problem lies.

Does anyone have any ideas here?  When I check the traffic stats of
the tunnel from the VPN box, it shows that it has transmitted several
hundred bytes through the tunnel, but has received zero bytes.  If I
try to ping from the Cisco VPN box through the tunnel, I can see the
Tx byte count go up, but nothing in the Rx count.

I hope I've provided enough information here to give you all a clue as
to how things are set up....

Thanks so much!

Attached log message:

Oct 15 16:31:01 ipmon[78]: 16:31:01.165080 xl1 @200:2 b 207.a.b.c -> 67.a.b.c PR icmp
len 20 56 icmp unreach/admin_prohibit for 67.a.b.c - 66.a.b.c PR esp len 20 (136) K-S IN

Attached network drawing:

  | Cisco VPN |     | Cisco Router |                    | mono box |
  |           | --- |              | --- <internet> --- |          |
  | 66.a.b.c  |     | 207.a.b.c    |                    | 67.a.b.c |
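The ipmon line above carries the whole diagnosis if it is read field by field: the packet logged is an ICMP message from the router (207.a.b.c) to the mono box (67.a.b.c), the quoted inner datagram is the ESP packet the mono box sent toward 66.a.b.c, and the leading "b" means m0n0wall itself blocked the ICMP reply on xl1 under rule @200:2. The following is an added example, not part of Erik's message or of the m0n0wall project: a small decoder for ipmon lines of this shape (the field layout is assumed from the quoted line; the second sample line is constructed for contrast) that flags admin-prohibited replies and notes when the rejected protocol is one that has no port numbers, which is what makes a NAT "port forward" unable to carry it.

```python
"""Decode ipmon (ipfilter) log lines and flag ICMP admin_prohibit replies to IPsec traffic.

Added example; the line layout is assumed from the post:
  ipmon[pid]: time iface @group:rule action src[,port] -> dst[,port] PR proto len hlen plen
              [icmp <type> for isrc - idst PR iproto ...] flags direction
"""
import re
from typing import Optional

# Constructed sample input: the line quoted in the post (rejoined onto one line, addresses
# anonymised exactly as in the post) plus one constructed "passed" line for contrast.
SAMPLE_LOG = [
    "Oct 15 16:31:01 ipmon[78]: 16:31:01.165080 xl1 @200:2 b 207.a.b.c -> 67.a.b.c PR icmp "
    "len 20 56 icmp unreach/admin_prohibit for 67.a.b.c - 66.a.b.c PR esp len 20 (136) K-S IN",
    "Oct 15 16:31:05 ipmon[78]: 16:31:05.000000 xl1 @0:1 p 67.a.b.c,500 -> 66.a.b.c,500 "
    "PR udp len 20 120 IN",
]

IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>[bp]) "
    r"(?P<src>\S+?)(?:,(?P<sport>\d+))? -> (?P<dst>\S+?)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    # Present only on ICMP error messages: the header of the datagram that triggered them.
    r"(?: icmp (?P<icmp>\S+) for (?P<isrc>\S+) - (?P<idst>\S+) PR (?P<iproto>\w+))?"
)

# IP protocols that carry no port numbers; a port-based NAT forward cannot match them.
PORTLESS_PROTOCOLS = {"esp": 50, "ah": 51, "gre": 47}


def parse_ipmon(line: str) -> Optional[dict]:
    """Return the named fields of one ipmon line, or None if it is not in that format."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["blocked"] = rec["action"] == "b"   # ipmon: b = blocked, p = passed
    return rec


def diagnose(rec: dict) -> Optional[str]:
    """Explain an ICMP unreachable/admin_prohibit record; None for anything else."""
    if rec["proto"] != "icmp" or rec["icmp"] != "unreach/admin_prohibit":
        return None
    inner = rec["iproto"]
    msg = (f"{rec['src']} answered {inner.upper()} {rec['isrc']} -> {rec['idst']} with "
           f"ICMP unreachable/admin_prohibit (type 3, code 13): a filter or NAT rule on "
           f"{rec['src']} refused that packet")
    if inner in PORTLESS_PROTOCOLS:
        msg += (f"; {inner.upper()} is IP protocol {PORTLESS_PROTOCOLS[inner]} and has no "
                f"port numbers, so a port-based forward does not cover it")
    if rec["blocked"]:
        msg += (f"; the ICMP reply itself was then dropped by rule @{rec['rule']} "
                f"on {rec['iface']}, so the sending host never saw the error")
    return msg


def scan(lines) -> list:
    """Return (record, explanation) pairs for every admin_prohibit reply found."""
    findings = []
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None:
            continue
        explanation = diagnose(rec)
        if explanation:
            findings.append((rec, explanation))
    return findings


if __name__ == "__main__":
    for rec, explanation in scan(SAMPLE_LOG):
        print(f"{rec['time']} {rec['iface']}: {explanation}")
```

Run against the quoted line, the decoder reports that 207.a.b.c refused ESP from 67.a.b.c to 66.a.b.c, that ESP has no ports for a forward to match, and that the ICMP itself was blocked inbound. Whether the router can forward IP protocol 50 to the concentrator (or the two peers can negotiate NAT-T over UDP 4500 instead) is the next thing to check; that is general IPsec-behind-NAT knowledge, not something the post confirms.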