The Vpn Client Was Unable To Modify The Ip Forwarding


A user connecting from Vista 64 with the Cisco AnyConnect client was getting a 'The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.' error when trying to connect. No changes had been made to the concentrator configuration, which is an ASA 5520 running 8.0(3).

Via ASDM, there was a syslog notification of 'SVC Message: 17/ERROR: Unable to successfully verify all routing table modifications are correct.'

Also annoyingly, the license only supports 2 clientless SSL VPN connections, and the SSL VPN client appears to use a clientless connection initially, which fails to shut down when the SSL client fails to connect. Because of the licensing, this prevents future logins with no error on the client side.

The fix is actually quite simple: go to Network Connections from Control Panel, right-click Cisco AnyConnect Security Mobility Client Connection, and choose Properties. Then disable IPv6 and change the IPv4 IP settings from Fixed IP to Dynamic. Close all Network Properties dialog boxes and try the VPN connection again. It should go through fine now.

AnyConnect: Unable to modify the IP forwarding table

'The VPN client was unable to modify the IP forwarding table. A VPN connection will not be established. Please restart your computer or device, then try again.'


I found this article which linked the problem to Adobe Photoshop. The user had installed the Photoshop trial recently, and when he disabled Bonjour for Windows, which was installed by Photoshop, the VPN worked fine.

I installed Bonjour on XP 32bit and could not reproduce the problem. Perhaps it's a Vista 64 issue. It's a small enough edge case that I don't think I'll try to reproduce it.

User says: 'it had a really odd name #1_Service_name###. it was added when I installed Adobe'

This post is not new, but I am excited to share my knowledge with you while I am going through this setup. It took me a while to feel that a Raspberry Pi can do everything a basic computer can, and actually a little more. It's amazing that a $39 computer can do everything a regular computer can. The Raspberry Pi officially runs Debian OS (Linux-based). People have also made Windows 10 IoT work on the Raspberry Pi. So, yes, it has basically everything you need.

Let's move on to our main topic. My goal today is to set up an OpenVPN client on my Raspberry Pi and share this VPN connection with all of my other devices. The Raspberry Pi is limited in resources because it runs on a quad-core ARM CPU and 1GB of RAM, so I would say it can handle about 6 devices at a time. I will stress test it after the setup is up and running.

Raspberry Pi Initial Configuration

My Raspberry Pi connects to my network via WiFi. You can connect it through the Ethernet port if you wish, but for mobility I am using WiFi.

When you first start the Raspberry Pi and install the recommended Debian OS, you will need to use the following commands to upgrade your OS.

You may wonder what the differences between dist-upgrade and upgrade are. Read the following description. Technically, if your system is up and running, you should think twice before doing sudo apt-get dist-upgrade, because the new versions of dependencies may corrupt your current configuration. Since this is a new system, I am running all those commands to get the latest and greatest.

upgrade
upgrade is used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list. Packages currently installed with new versions available are retrieved and upgraded; under no circumstances are currently installed packages removed, or packages not already installed retrieved and installed. New versions of currently installed packages that cannot be upgraded without changing the install status of another package will be left at their current version. An update must be performed first so that apt-get knows that new versions of packages are available.

dist-upgrade
dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a 'smart' conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. So, dist-upgrade command may remove some packages. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. See also apt_preferences(5) for a mechanism for overriding the general settings for individual packages.

Next, you need to configure your Raspberry Pi. This step is not so important. You only need it to make changes such as changing your root password, your host name, your timezone, your keyboard map, enabling/disabling SSH, etc.


Static IP Address

Some people like setting a static IP address. In my configuration, I choose not to use one. Instead, I am using a DHCP reservation to fix my Raspberry Pi's IP address. However, if you prefer to set it manually, these are the commands.

First, find out the names of your network interfaces with this simple command

Then use nano editor to edit the network interfaces configuration file

Example of the network interfaces' file content

Download and install the VPN Client

Installing OpenVPN client

Downloading your client configuration file

You can copy the client configuration file to a flash drive or you can download it from the internet. In this example, I am showing you how to download the client files from Private Internet Access service.

You will now need to uncompress the zip file. After -d comes the name of the directory you want the files to be unzipped into.

Your client file may already contain all the information, such as the CA certificate and the PEM control key. In this example, the files are separate from the client file, so you will need to copy them to your OpenVPN program directory.

Private Internet Access (PIA) requires a username and password authentication. You will need to create a login file that contains your user name and password that you have with PIA.

Below is the example of the content in login.pia file.

Now let's edit the client file US.conf. You will need to use the nano program to edit the client file. In the nano editor, look for the lines that start with auth-user-pass, ca, and crl-verify. Below is an example of the lines that are changed in the US.conf client file.

It's recommended that you reboot your Raspberry Pi by running one of the following commands

Testing the VPN client file


I constantly make mistakes while editing these files. Let's test the file before we move on to the next step. In order to test the file, we simply have to call the OpenVPN program with the client file. First, check your current public IP address by opening up your web browser and going to http://whatismyip.host. Then run the following command

If you see errors, try to determine whether you misconfigured the client file… Let's try the website http://whatismyip.host again. It should now show an IP address different from your public IP address.

Route Forwarding and Routings/IP tables

Now we are getting more serious.

First of all, we need to enable Route Forwarding so that the traffic can move between our local area network and virtual private network. To turn it on, you need to edit the sysctl.conf file

Find the line #net.ipv4.ip_forward=1 and remove the leading #

After saving the file, you can enable the service by the following command

Now, let's get started with iptables. I need to tell the Raspberry Pi how to route the traffic. There are 3 interfaces that we are working with in this setup example: the VPN tunnel (tun0), WiFi (wlan0), and loopback (lo). These are the three interfaces that network traffic will flow through.

  1. Allow traffic to flow in and out the loopback
  2. Allow traffic to move in from LAN and out to VPN
  3. Open up some ports for VPN traffic, NTP, DHCP. These are required by OpenVPN. In our example, OpenVPN is using the port 1198
  4. Allow DHCP (port 67, 68) on all networks
  5. Forward traffic from VPN to WLAN only when the VPN is established. This is known as a kill switch
  6. Forward traffic from WLAN to VPN
  7. Masquerade all the traffic together
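
One way to express the steps above as a single ruleset, as an added example that is not the original post's commands. It assumes the page's interface names and port (wlan0, tun0, UDP 1198); the default DROP policies, the ESTABLISHED rules and the helper names gen_killswitch_rules and count_forward_leaks are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the original post's rules. Interfaces and port follow the
# page (wlan0, tun0, UDP 1198); DROP policies and the ESTABLISHED rules that
# keep SSH to the Pi working are assumptions of this example.

# Print an iptables-restore ruleset for the steps listed above.
gen_killswitch_rules() {
    lan_if=$1; vpn_if=$2; vpn_port=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# 1. loopback in and out
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 2. in from LAN, out to VPN
-A INPUT -i $lan_if -j ACCEPT
-A INPUT -i $vpn_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
-A OUTPUT -o $lan_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 3. OpenVPN and NTP may leave via the LAN interface
-A OUTPUT -o $lan_if -p udp --dport $vpn_port -j ACCEPT
-A OUTPUT -o $lan_if -p udp --dport 123 -j ACCEPT
# 4. DHCP on all networks
-A OUTPUT -p udp --dport 67:68 -j ACCEPT
# 5. VPN to LAN: replies only; nothing is forwarded LAN to LAN (kill switch)
-A FORWARD -i $vpn_if -o $lan_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 6. LAN to VPN
-A FORWARD -i $lan_if -o $vpn_if -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# 7. masquerade everything that leaves through the tunnel
-A POSTROUTING -o $vpn_if -j MASQUERADE
COMMIT
EOF
}

# Read a ruleset on stdin and count FORWARD paths that would let new
# connections leave via the LAN interface, bypassing the tunnel.
count_forward_leaks() {
    awk -v lan="$1" '
        /^:FORWARD ACCEPT/ { n++ }
        /^-A FORWARD/ && /-j ACCEPT/ && $0 ~ ("-o " lan "( |$)") &&
            !/--ctstate RELATED,ESTABLISHED/ { n++ }
        END { print n + 0 }'
}

gen_killswitch_rules wlan0 tun0 1198
```

Pipe the output to iptables-restore --test as root to validate it before loading. With OUTPUT defaulting to DROP, the remote in the OpenVPN client file must be reachable without a DNS lookup over wlan0, or a DNS rule has to be added.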

Now let's save all these rules. Otherwise, they will be forgotten after a reboot. The iptables-persistent tool needs to be downloaded if you have not downloaded it yet. While installing, it will ask you a couple of questions to confirm that you want to save these rules.


If you have already downloaded this tool, you can use the following command to save the rules.

Now let's start those routing rules


Now everything is set up. The Raspberry Pi should be able to route traffic between the local area network and the virtual private network. Start your VPN and change your device's gateway to point to the Raspberry Pi's IP address. In this example, it is 192.168.1.3 (look all the way up in the static IP address section)




