Novell VPN Client for Linux User and Administrator Guide
Novell
VPN Client for Linux
novdocx (ENU) 01 February 2006
1.0
July 17, 2006
www.novell.com
USER AND ADMINISTRATOR GUIDE
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
You may not use, export, or re-export this product in violation of any applicable laws or regulations including,
without limitation, U.S. export regulations or the laws of the country in which you reside.
Copyright © 2005 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent
applications in the U.S. and in other countries.
novdocx (ENU) 01 February 2006
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the online documentation for other Novell products, and to get updates,
see www.novell.com/documentation.
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
novdocx (ENU) 01 February 2006
novdocx (ENU) 01 February 2006
About This Guide
This guide provides the information that you need to install and use Novell® VPN Client for Linux
software.
The guide is divided into the following sections:
• Chapter 1, “Understanding Novell VPN Client for Linux,” on page 7
• Chapter 2, “Installing Novell VPN Client for Linux,” on page 9
• Chapter 3, “Using the VPN Client for Linux,” on page 11
• Appendix A, “Troubleshooting Novell VPN Client for Linux,” on page 21
• Appendix B, “Error Codes,” on page 27
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
®
A trademark symbol (
trademark.
, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
novdocx (ENU) 01 February 2006
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
Documentation Updates
For the most recent version of the Novell VPN Client for Linux User and Administrator Guide, visit
the Novell documentation Web site (http://www.novell.com/documentation).
User Comments
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comment feature at the bottom of each page of the
online documentation, or go to www.novell.com/documentation/feedback.html and enter your
comments there.
5
novdocx (ENU) 01 February 2006
6 Novell VPN Client for Linux User and Administrator Guide
1
Understanding Novell VPN Client
novdocx (ENU) 01 February 2006
for Linux
This chapter provides an introduction to Novell® VPN Client for Linux by explaining the following:
• Section 1.1, “Introduction,” on page 7
• Section 1.2, “Features,” on page 7
• Section 1.3, “Requirements,” on page 8
1.1 Introduction
Novell VPN Client for Linux allows you to remotely access a corporate network. The virtual private
network created between the client and the gateway helps you to communicate securely over the
Internet using standard protocols. From your Linux workstation, you can connect to a network
protected by
• Standard IPsec Gateway (supporting X.509)
• Nortel* Contivity Server
• Novell Security Manager powered by Astaro*
1.2 Features
1
• Section 1.2.1, “General Features,” on page 7
• Section 1.2.2, “Standard IPsec Gateway-Related Features,” on page 7
• Section 1.2.3, “Nortel Contivity-Related Features,” on page 8
1.2.1 General Features
The following are the general features of the Novell VPN Client for Linux:
• Interface Options: Provides both graphical user interface (GUI) and command line interface
(CLI) options for connection.
• Support for Network Address Translation (NAT) Traversal: Allows the VPN client to
work from behind a NAT device.
•Profile Manager: An interactive feature that helps in creating, modifying, and deleting userbased profiles specific to the gateways.
• Non-root access: Users without root privileges can also use the VPN Client. For details, see
Section 3.1.2, “Non-Root Access,” on page 11.
1.2.2 Standard IPsec Gateway-Related Features
• Certificate Mode of Authentication: Lets you authenticate using x.509 certificates (.pfx
format).
Understanding Novell VPN Client for Linux
7
1.2.3 Nortel Contivity-Related Features
• Radius Authentication: Lets you authenticate based on the credentials stored in the Radius
server.
• IP Address Assignment: Assigns an IP address to the VPN client connecting to the gateway.
• Dead Peer Detection: Detects and informs if the Nortel gateway is not responding.
1.3 Requirements
The following are the minimum system requirements needed for the VPN Client for Linux to
operate:
PC with Pentium* III or higher processor
SUSE
10 MB in /opt and 10 MB in /usr
128 MB RAM
Monitor resolution of 1024 x 768 pixels
®
Linux Enterprise (SLED) Desktop 10
novdocx (ENU) 01 February 2006
8 Novell VPN Client for Linux User and Administrator Guide
2
Installing Novell VPN Client for
novdocx (ENU) 01 February 2006
Linux
This chapter provides the following information on how to install the Novell® VPN Client for
Linux:
• Section 2.1, “Installing the Novell VPN Client for Linux,” on page 9
• Section 2.2, “Uninstalling Novell VPN Client for Linux,” on page 10
• Section 2.3, “Package Description,” on page 10
2.1 Installing the Novell VPN Client for Linux
• Section 2.1.1, “Prerequisites,” on page 9
• Section 2.1.2, “Installation,” on page 9
• Section 2.1.3, “Checking the Installation,” on page 10
2.1.1 Prerequisites
All IPsec packages (for example FreeS/WAN or IPsec-tools) on your system are uninstalled.
IPsec-tools on your system cannot coexist with the IPsec-tools RPM that gets installed during
the VPN Client installation.
2
• To check for any previously installed IPsec tools, enter
rpm -qa ipsec-tools
• To uninstall IPsec tools, enter
rpm -e ipsec-tools
You have root privileges.
VPN Client RPM can be installed only with root privileges.
If firewall rules are already configured on the VPN Client machine, ensure that the you have
the following ports open:
UDP-500
UDP-4500
This is necessary because the VPN connection goes through these ports. For more information,
see Section A.3.6, “Firewall Issues,” on page 24.
2.1.2 Installation
The VPN Client for Linux can be installed using the Novell Applications pattern in YaST. The VPN
Client is not installed by default with SUSE
1 Launch the YaST Control Center.
®
Linux Enterprise Desktop.
Installing Novell VPN Client for Linux
9
GNOME: Click Computer > More Applications > System > YaST.
KDE: Click the menu button > System > YaST.
2 If you are not logged in as root, type the root password, then click Continue.
3 Click Software in the left column, then click Software Management in the right column.
4 Click Patterns in the Filter drop-down list.
5 Select Novell Applications in the left column, then select turnpike in the right column.
6 Click Accept to install the selected packages.
YaST displays the progress of the package installation.
7 (Conditional) If a message informs you that other package selection have been made to resolve
dependencies, click Continue.
8 (Conditional) If a message prompts you to insert a SUSE Linux CD, put the CD in the CD-
ROM drive, then click OK.
9 After all the packages have been installed, click Close to close the YaST Control Center.
2.1.3 Checking the Installation
novdocx (ENU) 01 February 2006
When the VPN Client for Linux is installed on your system, the IKE starts running and the VPN
Login icon appears in the SLED menu.
GNOME: Click Computer > More Applications > System > VPN Login.
KDE: Click the menu button > System > VPN Login.
If you are a CLI user, enter the following command to determine if the VPN Client for Linux is
installed on your system:
rpm -qi turnpike
NOTE: Currently GNOME and KDE are the supported desktops.
2.2 Uninstalling Novell VPN Client for Linux
1 Enter the following to uninstall the Nortel plug-ins:
rpm -e nortelplugins
2 Enter the following to uninstall the IPsec-tools:
rpm -e ipsec-tools
3 Enter the following to uninstall VPN Client:
rpm -e turnpike
2.3 Package Description
The package description provides the detailed information about the files that are installed as part of
VPN Client installation. Run the following command to view the package description:
rpm -qlp rpm
10 Novell VPN Client for Linux User and Administrator Guide
3
Using the VPN Client for Linux
This chapter provides the following information to help you effectively set up and use Novell® VPN
Client for Linux:
• Section 3.1, “Access Information: Who Can Use the VPN Client,” on page 11
• Section 3.2, “Connection Profiles,” on page 12
• Section 3.3, “Establishing a VPN Connection,” on page 16
3.1 Access Information: Who Can Use the VPN Client
• Section 3.1.1, “Root Access,” on page 11
• Section 3.1.2, “Non-Root Access,” on page 11
novdocx (ENU) 01 February 2006
3
3.1.1 Root Access
Super user can directly access VPN.
3.1.2 Non-Root Access
• “users Group Users” on page 11
• “Non-users group Users” on page 11
users Group Users
All users belonging to the primary group users created by root can use VPN client. By default, all
users belong to this group.
Non-users group Users
If users is not the primary group of those users who require VPN access, non-root access can be
allowed by doing the following:
1 Log in as root.
2 Open the /etc/racoon/racoon.conf file.
3 Replace users with the name of the group that requires VPN access.
Using the VPN Client for Linux
11
4 Restart IKE by entering the following command:
/etc/init.d/racoon restart
The root cannot allow multiple groups to use VPN client. So, if a new group is permitted by
modifying racoon.conf, only users belonging to that group can access VPN.
3.2 Connection Profiles
Connection profiles comprise a unique configuration of the parameters used for making a successful
VPN connection. Each profile in XML format is saved as a .prf file. VPN Client provides a
Profile Manager to help you with the connection profiles.
The Profile Manager helps you create, edit, or delete profiles. While editing profiles, you are not
allowed to change the profile names.
NOTE: You cannot create profiles using CLI. Therefore, use the Profile Manager to create and
modify profiles.
• Section 3.2.1, “Creating a Profile for Connecting to the Standard IPsec Gateway,” on page 12
• Section 3.2.2, “Creating a Profile for Connecting to the Nortel Contivity Server,” on page 14
• Section 3.2.3, “Editing a Profile,” on page 15
novdocx (ENU) 01 February 2006
• Section 3.2.4, “Deleting a Profile,” on page 15
3.2.1 Creating a Profile for Connecting to the Standard IPsec Gateway
1 Open the VPN Client for Linux dialog.
GNOME: Click Computer > More Applications > System > VPN Login.
KDE: Click the main menu > System > VPN Login.
2 In the Profile name drop-down list, select Profile manager.
3 Click Add to create a profile.
4 In the Profile name field, specify a name for the profile.
12 Novell VPN Client for Linux User and Administrator Guide
5 Select Standard IPsec gateway from the Gateway type.drop-down list.
novdocx (ENU) 01 February 2006
TIP: If you have not copied the user certificate in .pfx format, the error No .pfx files
appears. For details, refer to “Copying the User Certificate” on page 16.
6 Specify the following details:
• Gateway: Specify the gateway IP address or gateway name.
• User certificate: Select the user certificate.
7 Click the Additional tab to configure the exchange mode, DH group, PFS group, network, and
mask.
Using the VPN Client for Linux 13
IMPORTANT: Ensure that the VPN Client configuration matches the configuration on the
gateway you are connecting to.
8 Click Save to save the profile.
9 Click Done to return to the VPN Client dialog.
3.2.2 Creating a Profile for Connecting to the Nortel Contivity Server
1 Open the VPN Client for Linux dialog.
GNOME: Click Computer > More Applications > System > VPN Login.
KDE: Click the main menu > System > VPN Login.
2 In the Profile name drop-down list, select Profile manager.
3 Click Add to create a profile.
4 In the Profile name field, specify a name for the profile.
5 Select Nortel from the Gateway type.drop-down list.
novdocx (ENU) 01 February 2006
6 Specify the following details:
• Gateway: Specify the gateway IP address or gateway name.
• Groupname: Specify the user group name.
• Group Password: Specify the group password.
14 Novell VPN Client for Linux User and Administrator Guide
7 Click the Additional tab to configure the exchange mode, DH group, PFS group, network, and
mask.
novdocx (ENU) 01 February 2006
IMPORTANT: Ensure that the VPN Client configuration matches the configuration on the
gateway you are connecting to.
8 Click Save to save the profile.
9 Click Done to return to the VPN Client dialog.
3.2.3 Editing a Profile
1 Open the VPN Client for Linux dialog.
GNOME: Click Computer > More Applications > System > VPN Login.
KDE: Click the main menu > System > VPN Login.
2 In the Profile name drop-down list, select Profile manager.
3 Click Choose profile, then select the name of the profile you want to edit.
You can edit all the parameters except the profile name.
3.2.4 Deleting a Profile
1 Open the VPN Client for Linux dialog.
GNOME: Click Computer > More Applications > System > VPN Login.
KDE: Click the main menu > System > VPN Login.
2 In the Profile name drop-down list, select Profile manager.
Using the VPN Client for Linux 15
3 Click Choose profile, then select the name of the profile you want to delete..
4 Click Remove.
3.3 Establishing a VPN Connection
VPN Client for Linux lets you establish a connection with a Nortel Contivity server or Standard
IPsec gateway. You can do this using either the Graphical User Interface (GUI) or the Command
Line Interface (CLI).
IMPORTANT: The CLI and GUI options might not interact properly. We do not recommend using
them at the same time.
• Section 3.3.1, “Connecting to a Standard IPsec Gateway,” on page 16
• Section 3.3.2, “Connecting to a Nortel Contivity Server,” on page 17
• Section 3.3.3, “Using the Command Line Utility,” on page 18
3.3.1 Connecting to a Standard IPsec Gateway
novdocx (ENU) 01 February 2006
• “Copying the User Certificate” on page 16
• “Connecting to the Gateway” on page 16
Copying the User Certificate
Copy your user certificate in .pfx format to the following path:
/user's home directory/.turnpike/usercerts
Connecting to the Gateway
1 Open the VPN Client for Linux dialog.
GNOME: Click Computer > More Applications > System > VPN Login.
KDE: Click the main menu > System > VPN Login.
16 Novell VPN Client for Linux User and Administrator Guide
2 Select a Standard IPsec Gateway profile from the Profile name drop-down list.
novdocx (ENU) 01 February 2006
All the fields in the upper section of the dialog are automatically displayed.
3 In the Password field, specify the certificate password.
4 Click Connect.
The Connection Details tabbed page displays the progress of the connection.
5 Click Disconnect if you want to end the connection.
NOTE: In the case of the VPN connection to a Standard IPsec gateway, after Phase 1 is established,
any data going to the network is encrypted.
3.3.2 Connecting to a Nortel Contivity Server
1 Open the VPN Client for Linux dialog.
GNOME: Click Computer > More Applications > System > VPN Login.
KDE: Click the main menu > System > VPN Login.
Using the VPN Client for Linux 17
2 Select a Nortel Contivity Server profile from the Profile name drop-down list.
novdocx (ENU) 01 February 2006
The Gateway information is automatically displayed.
3 In the Nortel Contivity section, specify the following details:
• Username: The name of the user who requires the connection.
• User Password: The user password.
4 Click Connect.
The Connection Details tabbed page displays the progress of the connection.
5 Click Disconnect if you want to end the connection.
3.3.3 Using the Command Line Utility
VPN Client fo Linux provides a command line utility (vpnc) to carry out the major VPN functions.
After installing VPN Client for Linux, you can access vpnc help by entering the following in a
terminal. You must have root privilidges to run this command.
vpnc -h
This lists all the CLI commands and the available options, described in the following table:
Option Description
vpnc -c Connects to the VPN gateway in the PROFILENAME.
vpnc -d Disconnects from the VPN gateway.
vpnc -h Displays the VPN Client help.
vpnc -l Lists the available profiles along with their gateway types.
vpnc -v Displays a detailed log when used with the connect option as follows: vpnc -v -c
18 Novell VPN Client for Linux User and Administrator Guide
Creating Profiles Using a CLI
You cannot create connection profiles using the CLI feature. Profiles must be created and edited
using the GUI. See Section 3.2, “Connection Profiles,” on page 12 for more information.
Connecting to the Gateway Using a CLI
IMPORTANT: VPN Client for Linux allows only one connection at a time.
To connect to the gateway, enter any of the following commands:
vpnc -c profile
vpnc --connect profile
vpnc -v -c profile
vpnc --verbose --connect profile
TIP: Use the command vpnc -l for the list of all available profiles along with their gateway
types.
novdocx (ENU) 01 February 2006
Disconnecting from the Server
To disconnect from the server, enter the following command:
vpnc -d
Using the VPN Client for Linux 19
novdocx (ENU) 01 February 2006
20 Novell VPN Client for Linux User and Administrator Guide
A
Troubleshooting Novell VPN Client
novdocx (ENU) 01 February 2006
for Linux
This appendix provides troubleshooting scenarios that you might encounter while working with the
®
Novell
A.1 Guidelines for the User
A.1.1 General Guidelines
VPN Client for Linux:
• Section A.1, “Guidelines for the User,” on page 21
• Section A.2, “Application Errors,” on page 22
• Section A.3, “Scenarios,” on page 22
• Section A.4, “FAQs,” on page 24
• Section A.1.1, “General Guidelines,” on page 21
• Section A.1.2, “IKE Status,” on page 21
• Section A.1.3, “IKE Log,” on page 22
• Do not to modify the IKE configuration file (/etc/racoon/racoon.conf).
A
• Do not modify the XML files in /user's home directory/.turnpike/profiles.
• Do not tamper with IPsec policies or IPsec security association (SA) using the setkey
command.
• If you are exiting, a session (for instance GNOME or KDE), disconnect from the VPN before
logout. Otherwise the VPN connection continues.
• Use either the CLI or the GUI option at one time, because these features might not interact
properly.
A.1.2 IKE Status
NOTE: You have to log in as root to check the IKE status.
To check the IKE status, use the following command:
/etc/init.d/racoon status
Either of the following statuses is displayed
• Running: IKE is up and running.
•Unused/Dead: To make the IKE run, use the following command:
/etc/init.d/racoon start
To stop the IKE daemon, use the following command:
/etc/init.d/racoon stop
Troubleshooting Novell VPN Client for Linux
21
A.1.3 IKE Log
If IKE is running at the default log level, all information including the error messages gets logged.
The IKE log can be accessed at /var/log/messages.
A.2 Application Errors
Application errors are unidentified errors with the VPN Client application.
If you encounter any of the application errors referred to in Appendix B, “Error Codes,” on page 27,
try reinstalling the VPN Client. If the error repeats, try installing the latest version of VPN Client.
A.3 Scenarios
• Section A.3.1, “IKE Phase 1 Deleted,” on page 22
• Section A.3.2, “Failed to Connect to IKE,” on page 22
• Section A.3.3, “Non-Root User: Failed to Connect to IKE,” on page 23
• Section A.3.4, “Fragmentation of TCP Packets,” on page 23
• Section A.3.5, “Profile Creation Failed,” on page 24
novdocx (ENU) 01 February 2006
• Section A.3.6, “Firewall Issues,” on page 24
A.3.1 IKE Phase 1 Deleted
You might encounter the message IKE Phase 1 Deleted in the following scenarios.
At the Beginning of a Connection
If you get the message at the beginning of a VPN connection, ignore it.
While the Connection Is in Process
If your connection status shows Connecting for a relatively longer duration, and then you encounter
the status message, it means an error has occurred in the connection procedure.
Possible Cause: Connectivity issues with your machine.
Action: Rectify the connectivity issues and proceed.
Possible Cause: The gateway is down or VPN service is not running on the gateway.
Action: Ensure that the gateway is prepared for a VPN connection.
Possible Cause: Issues with the login credentials.
Action: In the case of a Standard IPsec gateway, ensure that the certificate password is valid. If you
are connecting to a Nortel Contivity server, ensure that the group credentials are valid.
A.3.2 Failed to Connect to IKE
• “Possible Cause” on page 23
22 Novell VPN Client for Linux User and Administrator Guide
• “Action” on page 23
Possible Cause
The IKE is not running.
Action
Check the status of the IKE using the following command:
/etc/init.d/racoon status
NOTE: You have to log in as root to check the IKE status.
If the status is Dead or Unused, use the following command to start IKE:
/etc/init.d/racoon start
A.3.3 Non-Root User: Failed to Connect to IKE
novdocx (ENU) 01 February 2006
If you are a non-root user and while attempting a VPN connection you receive the message Failed
to connect to the Racoon Daemon, do the following:
1 Ensure that IKE is running.
For details, refer to Section A.1.2, “IKE Status,” on page 21.
2 If IKE is not running, start it.
For details, refer to Section A.3.2, “Failed to Connect to IKE,” on page 22.
3 If IKE is running, check the IKE log.
For details, refer to Section A.1.3, “IKE Log,” on page 22.
4 If you see the message ERROR: File does not have correct permissions.
Expected : 432 Has : 384 in the IKE log, verify that you have the required user
privileges to use VPN Client.
For details, refer to Section 3.1.2, “Non-Root Access,” on page 11.
A.3.4 Fragmentation of TCP Packets
When connected to a Nortel server, encryption/decryption of IP fragmentation is not handled
effectively. Therefore, applications sending IP fragments might not work.
But in the case of TCP applications, you might use the workaround of setting the route MTU (to the
gateway server) to less than 1400 for Ethernet. The recommended MTU is 1350.
To do this, after a successful VPN connection, do the following:
1 At the command prompt, enter ip route.
The routing information to the VPN server is displayed in the following format:
VPNSERVERIPADDR via GATEWAYIPADDR dev NETWORKDEVICE
2 Delete the route using the following command:
Troubleshooting Novell VPN Client for Linux 23
route delete VPNSERVERIPADDR
3 Add the route with your mss value using the following command:
route add VPNSERVERIPADDR gw GATEWAYIPADDR NETWORKDEVICE mss
1350
TIP: For variable details, refer to the routing information (discussed in Step 1).
A.3.5 Profile Creation Failed
Causes
• The system runs out of memory
• Libxml2.so is missing
Actions
• Ensure that you have a minimum 128 RAM of memory.
novdocx (ENU) 01 February 2006
• Libxml2.so is provided along with the NLD installation. If for some reason it is missing, install
the library.
A.3.6 Firewall Issues
If you have an iptables firewall running on your machine with policies configured to deny outgoing
and incoming packets, configure the following rules to allow the packets:
Table A-1 Outgoing Packets
Port Configuration Command
UDP-500 iptables -A OUTPUT -p UDP -s 0/0 -d 0/0 --dport 500 -j ACCEPT
UDP-4500 iptables -A OUTPUT -p UDP -s 0/0 -d 0/0 --dport 4500 -j ACCEPT
Table A-2 Incoming Packets
Port Configuration Command
UDP-500 iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 500 -j ACCEPT
UDP-4500 iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 4500 -j ACCEPT
A.4 FAQs
This section lists some frequently asked questions and suggests appropriate actions.
• Section A.4.1, “Where can I get information on the error codes that I encounter while using
VPN Client?,” on page 25
24 Novell VPN Client for Linux User and Administrator Guide
• Section A.4.2, “I get a message explaining temporary unavailability of resources. What does
this mean?,” on page 25
• Section A.4.3, “What should I do to get IKE debug logs?,” on page 25
• Section A.4.4, “How can I ensure that VPN Client is installed on my system?,” on page 25
• Section A.4.5, “The VPN Client GUI does not fit in the monitor, causing reading difficulties.
What should I do?,” on page 25
A.4.1 Where can I get information on the error codes that I encounter while using VPN Client?
Refer to the Appendix B, “Error Codes,” on page 27.
A.4.2 I get a message explaining temporary unavailability of resources. What does this mean?
You get such messages when you send data to a protected network (for example when you use FTP,
Telnet, or ping). This is because a new security association is in the process of negotiation.
novdocx (ENU) 01 February 2006
Retry the application to resolve this issue.
A.4.3 What should I do to get IKE debug logs?
In /var/log/messages, go to /etc/racoon/racoon.conf and comment out the log
debug line.
A.4.4 How can I ensure that VPN Client is installed on my system?
Run the following command:
rpm -qi turnpike
A.4.5 The VPN Client GUI does not fit in the monitor, causing reading difficulties. What should I do?
Change your monitor resolution to 1024 x 768 pixels.
Troubleshooting Novell VPN Client for Linux 25
novdocx (ENU) 01 February 2006
26 Novell VPN Client for Linux User and Administrator Guide
B
Error Codes
This appendix contains the error codes for the Novell® VPN Client for Linux. For each error code,
the possible cause and action that you can take are provided.
Also refer to Appendix A, “Troubleshooting Novell VPN Client for Linux,” on page 21 for various
troubleshooting scenarios that you might encounter while working with Novell VPN Client for
Linux.
• Section B.1, “GUI Messages,” on page 27
• Section B.2, “CLI Messages,” on page 31
B.1 GUI Messages
• Section B.1.1, “VPNCLIENT-GUI-0000 Certificate not found. Ensure that the certificate is
available.,” on page 28
• Section B.1.2, “VPNCLIENT-GUI-0002 Enter gateway name/IP address.,” on page 28
• Section B.1.3, “VPNCLIENT-GUI-0003 The certificate name is too lengthy. Rename the
Certificate name to proceed.,” on page 28
• Section B.1.4, “VPNCLIENT-GUI-0004 Enter the password.,” on page 28
• Section B.1.5, “VPNCLIENT-GUI-0006 Certificate not found. Ensure that the certificate is
available.,” on page 28
• Section B.1.6, “VPNCLIENT-GUI-0008 Failed to read certificate.,” on page 28
• Section B.1.7, “VPNCLIENT-GUI-0009 Gateway name/IP address is not valid.,” on page 29
novdocx (ENU) 01 February 2006
B
• Section B.1.8, “VPNCLIENT-GUI-0011 Server address error: Failed to resolve the DNS name.
Retry after some time.,” on page 29
• Section B.1.9, “VPNCLIENT-GUI-0012 Cannot read profile. Re-create the profile.,” on
page 29
• Section B.1.10, “VPNCLIENT-GUI-0013 Profile is not valid.,” on page 29
• Section B.1.11, “VPNCLIENT-GUI-0014 Failed to connect to IKE. Restart IKE.,” on page 29
• Section B.1.12, “VPNCLIENT-GUI-0015 Failed to connect to IKE. Restart IKE.,” on page 29
• Section B.1.13, “VPNCLIENT-GUI-0016 Failed to connect to IKE. Restart IKE.,” on page 30
• Section B.1.14, “VPNCLIENT-GUI-0017 Failed to connect to IKE. Restart IKE.,” on page 30
• Section B.1.15, “VPNCLIENT-GUI-0018 IKE failed to respond. The client is exiting.,” on
page 30
• Section B.1.16, “VPNCLIENT-GUI-0019 Gateway name/IP address is not valid.,” on page 30
• Section B.1.17, “VPNCLIENT-GUI-0020 Failed to meet system requirements.,” on page 30
• Section B.1.18, “VPNCLIENT-GUI-0021 Unable to locate the help file. Reinstall the client.,”
on page 30
• Section B.1.19, “VPNCLIENT-GUI-0022 Profile directory does not exist. Client installation
might be incomplete.,” on page 31
• Section B.1.20, “VPNCLIENT-GUI-0023 Invalid Network. Re-enter.,” on page 31
Error Codes
27
• Section B.1.21, “VPNCLIENT-GUI-0024 Invalid Mask. Re-enter.,” on page 31
• Section B.1.22, “VPNCLIENT-GUI-0025 Time-out occurred while waiting for a connection
response from gateway. The client is exiting.,” on page 31
• Section B.1.23, “VPNCLIENT-GUI-0026 Authentication Failed. Verify your Credentials,” on
page 31
• Section B.1.24, “VPNCLIENT-GUI-0026 Gateway is not responding. The client is exiting.,”
on page 31
B.1.1 VPNCLIENT-GUI-0000 Certificate not found. Ensure that the certificate is available.
Possible Cause: The profile you chose for the VPN connection has an invalid certificate. Possibly,
the profile is removed, renamed, or tampered with.
Action: Re-create the profile with another certificate. For details, refer to Section 3.2, “Connection
Profiles,” on page 12.
novdocx (ENU) 01 February 2006
B.1.2 VPNCLIENT-GUI-0002 Enter gateway name/IP address.
Possible Cause: You have not specified the IP address/gateway name.
Action: Specify the IP address/gateway name to proceed.
B.1.3 VPNCLIENT-GUI-0003 The certificate name is too lengthy. Rename the Certificate name to proceed.
Possible Cause: The number of characters in the certificate name has exceeded the limit. Only 80
characters are permitted (including the pathname). For example, /home/user1/.turnpike/
usercerts/mycert.pfx is treated as having 42 characters.
Action: Rename the certificate so that it adheres to the character limit.
B.1.4 VPNCLIENT-GUI-0004 Enter the password.
Possible Cause: You have not specified the password.
Action: Specify the password.
B.1.5 VPNCLIENT-GUI-0006 Certificate not found. Ensure that the certificate is available.
Possible Cause: /user's home directory/.turnpike/usercerts/ does not contain
the certificate file.
Action: Copy the certificate file in .pfx format to the path mentioned above.
B.1.6 VPNCLIENT-GUI-0008 Failed to read certificate.
Possible Cause: Either the certificate is not valid or the password is incorrect.
28 Novell VPN Client for Linux User and Administrator Guide
Action: Verify the validity of the certificate and password.
B.1.7 VPNCLIENT-GUI-0009 Gateway name/IP address is not valid.
Possible Cause: The gateway name/IP address that you have specified is not valid.
Action: Specify a valid gateway name/IP address.
B.1.8 VPNCLIENT-GUI-0011 Server address error: Failed to resolve the DNS name. Retry after some time.
Possible Cause: Either the network or DNS server is down.
Action: Ensure that your network and DNS server are up and running.
B.1.9 VPNCLIENT-GUI-0012 Cannot read profile. Re-create the profile.
novdocx (ENU) 01 February 2006
Possible Cause: The profile file in XML format is corrupt.
Action: Using the Profile Manager, delete the profile and create a new one. For details, refer to
Section 3.2, “Connection Profiles,” on page 12.
B.1.10 VPNCLIENT-GUI-0013 Profile is not valid.
Possible Cause: You have not specified the certificate password.
Action: Specify the certificate password.
B.1.11 VPNCLIENT-GUI-0014 Failed to connect to IKE. Restart IKE.
Possible Cause: IKE is down.
Action: As root, restart IKE.
Possible Cause: IKE might be running, but you do not have sufficient user rights.
Action: Get access rights to use VPN Client. For details, refer to Section 3.1.2, “Non-Root Access,”
on page 11.
B.1.12 VPNCLIENT-GUI-0015 Failed to connect to IKE. Restart IKE.
Possible Cause: IKE is down.
Action: Verify the IKE log for details. The log file can be accessed at /var/log/messages.
Error Codes 29
B.1.13 VPNCLIENT-GUI-0016 Failed to connect to IKE. Restart IKE.
Possible Cause: IKE is down.
Action: Verify the IKE log for details. The log file can be accessed at /var/log/messages.
B.1.14 VPNCLIENT-GUI-0017 Failed to connect to IKE. Restart IKE.
Possible Cause: Application error. For details, refer to Section A.2, “Application Errors,” on
page 22.
Action: Restart IKE using the following command:
/etc/init.d/racoon restart
Possible Cause: Server failed to respond.
Action: Verify the IKE log for details. The log file can be accessed at /var/log/messages.
novdocx (ENU) 01 February 2006
B.1.15 VPNCLIENT-GUI-0018 IKE failed to respond. The client is exiting.
Possible Cause: IKE is down.
Action: Verify the IKE log for details. The log file can be accessed at /var/log/messages.
Possible Cause: IKE is down.
Action: As root, restart IKE.
B.1.16 VPNCLIENT-GUI-0019 Gateway name/IP address is not valid.
Possible Cause: The gateway name/IP address you have specified is not valid.
Action: Specify the correct gateway name/IP address.
B.1.17 VPNCLIENT-GUI-0020 Failed to meet system requirements.
Possible Cause: gmodule support is not available on your machine.
Action: Provide gmodule support to your machine. For details, refer to the GNOME developer
Website (http://developer.gnome.org/doc/API/2.0/glib/glib-Dynamic-Loading-of-Modules.html).
B.1.18 VPNCLIENT-GUI-0021 Unable to locate the help file. Reinstall the client.
Possible Cause: Issues with VPN Client installation.
30 Novell VPN Client for Linux User and Administrator Guide
Possible Cause: The help file is removed.
Action: Reinstall the VPN Client.
B.1.19 VPNCLIENT-GUI-0022 Profile directory does not exist. Client installation might be incomplete.
Possible Cause: Application error. For details, refer to Section A.2, “Application Errors,” on
page 22.
Action: Reinstall VPN Client.
B.1.20 VPNCLIENT-GUI-0023 Invalid Network. Re-enter.
Possible Cause: The format in which you specified the network details is not valid.
Action: Specify the details in the dotted IP address format (for example, 10.0.0.0).
B.1.21 VPNCLIENT-GUI-0024 Invalid Mask. Re-enter.
novdocx (ENU) 01 February 2006
Possible Cause: The format in which you specified the mask details is not valid.
Action: Specify the details in the dotted IP address format (for example, 255.0.0.0).
B.1.22 VPNCLIENT-GUI-0025 Time-out occurred while waiting for a connection response from gateway. The client is exiting.
Possible Cause: The connection failed. There is no response after connection attempts for a period
of time (more than five minutes).
Action: Check the IKE logs to find out the reason. For details, refer to Section A.1.3, “IKE Log,” on
page 22.
B.1.23 VPNCLIENT-GUI-0026 Authentication Failed. Verify your Credentials
Possible Cause: You have specified an incorrect username, password, or both.
Action: Specify the correct username and password.
B.1.24 VPNCLIENT-GUI-0026 Gateway is not responding. The client is exiting.
Possible Cause: The connection failed. There is no response from the VPN gateway.
Action: Ensure that the gateway is up and running.
B.2 CLI Messages
• Section B.2.1, “VPNCLIENT-CLI-256 Cannot open the file filename for editing.,” on page 32
Error Codes 31
• Section B.2.2, “VPNCLIENT-CLI-258 Gateway name/IP address gateway name/IP address is
not valid.,” on page 33
• Section B.2.3, “VPNCLIENT-CLI-259 Failed to connect to IKE. Restart IKE.,” on page 33
• Section B.2.4, “VPNCLIENT-CLI-260 Failed to connect to IKE. Restart IKE.,” on page 33
• Section B.2.5, “VPNCLIENT-CLI-261 Failed to connect to IKE. Restart IKE.,” on page 33
• Section B.2.6, “VPNCLIENT-GUI-262 Failed to connect to IKE. Restart IKE.,” on page 34
• Section B.2.7, “VPNCLIENT-CLI-263 Failed to connect to IKE. Restart IKE.,” on page 34
• Section B.2.8, “VPNCLIENT-CLI-264 Failed to connect to IKE. Restart IKE.,” on page 34
• Section B.2.9, “VPNCLIENT-CLI-265 Failed to connect to IKE. Restart IKE.,” on page 34
• Section B.2.10, “VPNCLIENT-CLI-266 Cannot read the profile.,” on page 34
• Section B.2.11, “VPNCLIENT-CLI-267 Profile profile name is not valid.,” on page 34
• Section B.2.12, “VPNCLIENT-CLI-268 Profile directory directory name does not exist.,” on
page 35
• Section B.2.13, “VPNCLIENT-CLI-269 Profile profile name not found.,” on page 35
• Section B.2.14, “VPNCLIENT-CLI-272 Too many arguments,” on page 35
novdocx (ENU) 01 February 2006
• Section B.2.15, “VPNCLIENT-CLI-273 Too many arguments,” on page 35
• Section B.2.16, “VPNCLIENT-CLI-274 Verbose mode has no meaning when specified alone.,”
on page 35
• Section B.2.17, “VPNCLIENT-CLI-275 Profile profile name does not exist.,” on page 35
• Section B.2.18, “VPNCLIENT-CLI-278 Certificate path path does not exist.,” on page 36
• Section B.2.19, “VPNCLIENT-CLI-279 Failed to read certificate.,” on page 36
• Section B.2.20, “VPNCLIENT-CLI-280 Profile is not valid.,” on page 36
• Section B.2.21, “VPNCLIENT-CLI-281 Failed to connect to IKE. Restart IKE.,” on page 36
• Section B.2.22, “VPNCLIENT-CLI-282 Profile is not valid.,” on page 36
• Section B.2.23, “VPNCLIENT-CLI-284 Profile is not valid.,” on page 36
• Section B.2.24, “VPNCLIENT-CLI-285 DNS resolution failed for gateway address specified
in the profile.,” on page 37
• Section B.2.25, “VPNCLIENT-CLI-286 Time-out occurred while waiting for a connection
response from gateway. The client is exiting.,” on page 37
• Section B.2.26, “VPNCLIENT-CLI-287 Profile does not exist. Create the profile using the
GUI.,” on page 37
• Section B.2.27, “VPNCLIENT-CLI-287 Authentication Failed. Verify your Credentials,” on
page 37
B.2.1 VPNCLIENT-CLI-256 Cannot open the file filename for editing.
Possible Cause: You do not have the required user rights to open and edit the file.
Action: Ensure that you have sufficient user rights. For details, refer to Section 3.1.2, “Non-Root
Access,” on page 11.
32 Novell VPN Client for Linux User and Administrator Guide
B.2.2 VPNCLIENT-CLI-258 Gateway name/IP address gateway name/IP address is not valid.
Possible Cause: The gateway name/ IP address is not valid.
Action: Specify a valid gateway name/IP address in the profile.
B.2.3 VPNCLIENT-CLI-259 Failed to connect to IKE. Restart IKE.
Possible Cause: IKE is down.
Action: Verify the IKE log for details. The log file can be accessed at /var/log/messages.
Possible Cause: Application error. For details, refer to Section A.2, “Application Errors,” on
page 22.
Action: Restart IKE using the following command:
/etc/init.d/racoon restart
novdocx (ENU) 01 February 2006
B.2.4 VPNCLIENT-CLI-260 Failed to connect to IKE. Restart IKE.
Possible Cause: IKE is not running.
Action: Start IKE using the following command:
/etc/init.d/racoon start
Possible Cause: Application error. For details, refer to Section A.2, “Application Errors,” on
page 22.
Action: Restart IKE using the following command:
/etc/init.d/racoon restart
B.2.5 VPNCLIENT-CLI-261 Failed to connect to IKE. Restart IKE.
Possible Cause: IKE is down.
Action: Verify the IKE log for details. The log file can be accessed at /var/log/messages.
Possible Cause: Application error. For details, refer to Section A.2, “Application Errors,” on
page 22.
Action: Restart IKE using the following command:
/etc/init.d/racoon restart
Error Codes 33
B.2.6 VPNCLIENT-GUI-262 Failed to connect to IKE. Restart IKE.
Possible Cause: Application error. For details, refer to Section A.2, “Application Errors,” on
page 22.
Action: Restart IKE using the following command:
/etc/init.d/racoon restart
B.2.7 VPNCLIENT-CLI-263 Failed to connect to IKE. Restart IKE.
Possible Cause: Application error. Refer to Section A.2, “Application Errors,” on page 22.
Action: Restart IKE using the following command:
/etc/init.d/racoon restart
novdocx (ENU) 01 February 2006
B.2.8 VPNCLIENT-CLI-264 Failed to connect to IKE. Restart IKE.
Possible Cause: Application error. Refer to Section A.2, “Application Errors,” on page 22.
Action: Restart IKE using the following command:
/etc/init.d/racoon restart
Possible Cause: Server failed to respond. Either the server is not up or the network is down.
Action: Ensure that the server and network are up and running.
B.2.9 VPNCLIENT-CLI-265 Failed to connect to IKE. Restart IKE.
Possible Cause: IKE is down.
Action: As root, restart IKE using the following command:
/etc/init.d/racoon start
B.2.10 VPNCLIENT-CLI-266 Cannot read the profile.
Possible Cause: The profile file (in XML format) is corrupt.
Action: Using the Profile Manager, delete the profile and create a new one. For details, refer to
Section 3.2, “Connection Profiles,” on page 12.
B.2.11 VPNCLIENT-CLI-267 Profile profile name is not valid.
Possible Cause: The profile file uses an incorrect file format.
34 Novell VPN Client for Linux User and Administrator Guide
Action: Using the Profile Manager, re-create the profile. For details, refer to Section 3.2,
“Connection Profiles,” on page 12.
B.2.12 VPNCLIENT-CLI-268 Profile directory directory name does not exist.
Possible Cause: The profile directory is not created or it is removed.
Action: Re-create the profile using the Profile Manager provided with the GUI. For details, refer to
Section 3.2, “Connection Profiles,” on page 12. By default, the profile gets created in the proper
directory.
B.2.13 VPNCLIENT-CLI-269 Profile profile name not found.
Possible Cause: The profile is missing.
Action: Re-create the profile using the Profile Manager provided with the GUI. For details, refer to
Section 3.2, “Connection Profiles,” on page 12.
novdocx (ENU) 01 February 2006
B.2.14 VPNCLIENT-CLI-272 Too many arguments
Possible Cause: You have provided multiple parameters. Only one parameter is allowed at one
instance.
Action: Provide one option at a time (for example vpnc -d). Only the command vpnc -v -c
profile is allowed to have multiple parameters.
B.2.15 VPNCLIENT-CLI-273 Too many arguments
Possible Cause: You have provided more parameters than required.
Action: The CLI does not allow more parameters than required for the function. Refer to the
“Connecting to the Gateway Using a CLI” on page 19 or use vpnc -h before proceeding.
B.2.16 VPNCLIENT-CLI-274 Verbose mode has no meaning when specified alone.
Possible Cause: You have used the verbose mode without specifying any other parameter.
Action: Verbose mode makes sense only when used along with other parameters. For options, refer
to Section 3.3.3, “Using the Command Line Utility,” on page 18. Specify the parameters as in the
example vpnc -v -c profile for getting verbose details.
B.2.17 VPNCLIENT-CLI-275 Profile profile name does not exist.
Possible Cause: The specified profile does not exist.
Action: Specify a valid profile. If no valid profile exists, create a new one using the Profile Manager
provided with the GUI. For details, refer to Section 3.2, “Connection Profiles,” on page 12.
Error Codes 35
B.2.18 VPNCLIENT-CLI-278 Certificate path path does not exist.
Possible Cause: The specified profile is corrupt.
Action: Re-create the profile using the Profile Manager provided with the GUI. For details, refer to
Section 3.2, “Connection Profiles,” on page 12.
Possible Cause: The certificate path is not created or it is deleted.
Action: Re-create the certificate path /user's home directory/.turnpike/
usercerts/ and copy the certificate to this path.
B.2.19 VPNCLIENT-CLI-279 Failed to read certificate.
Possible Cause: Either the certificate is not valid or the password is incorrect.
Action: Verify the validity of the certificate and password. Relaunch the CLI and specify the correct
certificate password.
novdocx (ENU) 01 February 2006
B.2.20 VPNCLIENT-CLI-280 Profile is not valid.
Possible Cause: The specified profile is corrupt.
Action: Re-create the profile using the Profile Manager provided with the GUI. For details, refer to
Section 3.2, “Connection Profiles,” on page 12.
B.2.21 VPNCLIENT-CLI-281 Failed to connect to IKE. Restart IKE.
Possible Cause: IKE is not running, the server is not responding, or the network is down.
Action: Ensure that IKE, the server, and the network are up and running.
B.2.22 VPNCLIENT-CLI-282 Profile is not valid.
Possible Cause: The specified profile is not in the correct format.
Action: Re-create the profile using the Profile Manager provided with the GUI. For details, refer to
Section 3.2, “Connection Profiles,” on page 12.
B.2.23 VPNCLIENT-CLI-284 Profile is not valid.
Possible Cause: The gateway IP address you specified in the profile is not valid.
Action: Edit the profile (using the Profile Manager provided with the GUI) to specify the correct IP
address/gateway name.
36 Novell VPN Client for Linux User and Administrator Guide
B.2.24 VPNCLIENT-CLI-285 DNS resolution failed for gateway address specified in the profile.
Possible Cause: You have specified an incorrect DNS name.
Action: Ensure that the DNS name you specified is valid.
Possible Cause: The network or the DNS server is down.
Action: Ensure that the network and the DNS server are up and running.
B.2.25 VPNCLIENT-CLI-286 Time-out occurred while waiting for a connection response from gateway. The client is exiting.
Possible Cause: The connection attempt failed.
Action: Check the IKE logs to find out the reason. For details, refer to Section A.1.3, “IKE Log,” on
page 22.
novdocx (ENU) 01 February 2006
B.2.26 VPNCLIENT-CLI-287 Profile does not exist. Create the profile using the GUI.
Possible Cause: There is no profile directory.
Action: Create a profile using the GUI. For details, refer to Section 3.2, “Connection Profiles,” on
page 12.
B.2.27 VPNCLIENT-CLI-287 Authentication Failed. Verify your Credentials
Possible Cause: You have specified an incorrect username, password, or both.
Action: Specify the correct username and password.
Error Codes 37
Loading...