[Swan-dev] Did Libreswan address these two issues with a Cisco IOS peer ?
Philippe Vouters
philippe.vouters at laposte.net
Sat Feb 22 00:08:42 EET 2014
Paul,
I solved these specific two issues inside the Shrew VPN client. The missing
sent-issuer issue in Libreswan prevents any use of Libreswan with Cisco IOS,
whatever the version. This missing sent-issuer issue leads to the symptom
largely described at
http://vouters.dyndns.org/tima/Linux-Windows-Cisco-VPN-Cisco_may_abort_when_attempting_to_establish_a_VPN.html
which I strongly suggest you carefully reread.
The NAT-T issue symptom is described in the same document. Libreswan
suffers from it as the Shrew VPN Client did, until I modified Shrew to allow the
end-user to force a NAT-T v02 or v03 payload proposal, preventing
Shrew from proposing an RFC NAT-T proposal. This was the only way, with the
two tested versions of Cisco IOS, to have the tunnel correctly established.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 02/21/2014 10:21 PM, Paul Wouters wrote:
> On Fri, 21 Feb 2014, Philippe Vouters wrote:
>
>> Did Libreswan address these two issues with a Cisco IOS peer ?
>> 1/ A missing sent issuer issue when in RSA mode (was not present in
>> Libreswan 3.5)
>
> No. AFAIK, there is no RFC method for sending the CAcert. I was also not
> sure if that actually solved the problem at hand, which seemed to be
> some Cisco-specified method for doing RSA that was neither "raw rsa" nor
> "standard X.509".
>
>> 2/ A Libreswan configurable NAT-T payload proposal. This is much
>> needed in RSA mode.
>
> Configure what about the NAT-T payload? Not sending it? You can disable
> nat-t globally using nat_traversal=no in "config setup". Or enforce a
> NAT detection using "forceencaps=yes" in the connection.
>
> Paul
>
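The disagreement above is about which NAT-T Vendor ID payloads the IKEv1 initiator offers (the draft-02/draft-03 hashes versus the RFC 3947 hash), and neither of the two knobs Paul names changes that: nat_traversal=no in "config setup" stops Libreswan from offering NAT-T at all, for every connection, while forceencaps=yes only forces RFC 3948 UDP encapsulation of ESP once the tunnel is up. The quickest way to see what a given peer actually proposes is to decode the Vendor ID payloads of its first Main Mode message. The following is an added example for this thread, not Libreswan or Shrew VPN client code: a small Python decoder that walks the ISAKMP payload chain and names the NAT-T variants found. The NAT-T Vendor IDs are the MD5 digest of the draft name, or of the string "RFC 3947" for the standard (RFC 3947 section 3), so the lookup table is derived at runtime rather than copied in. The sample packets are constructed inline (with a dummy cookie and only Vendor ID payloads); they are not captures from Cisco IOS or Libreswan.

```python
"""Report which NAT-T variants an IKEv1 peer proposes, from its Vendor ID payloads.

Added example for this thread; not Libreswan or Shrew VPN client code.
The packets built below are constructed inline, not captures from Cisco IOS.
"""
import hashlib
import struct

ISAKMP_HDR_LEN = 28      # RFC 2408 section 3.1
PAYLOAD_NONE = 0
PAYLOAD_VID = 13         # Vendor ID payload type

# NAT-T Vendor IDs are the MD5 digest of the draft name, or of "RFC 3947" for
# the standard (RFC 3947 section 3), so derive the table instead of hardcoding it.
NAT_T_VID_STRINGS = {
    "RFC 3947": b"RFC 3947",
    "draft-03": b"draft-ietf-ipsec-nat-t-ike-03",
    "draft-02": b"draft-ietf-ipsec-nat-t-ike-02",
    "draft-02 (trailing newline)": b"draft-ietf-ipsec-nat-t-ike-02\n",
    "draft-00": b"draft-ietf-ipsec-nat-t-ike-00",
}
NAT_T_VIDS = {hashlib.md5(s).digest(): name for name, s in NAT_T_VID_STRINGS.items()}


def iter_payloads(packet):
    """Yield (payload_type, body) for each payload chained after the ISAKMP header.

    Every length field is checked before use; a ValueError is raised instead of
    reading past the buffer on a truncated or malformed packet.
    """
    if len(packet) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_type = packet[16]                               # "next payload" octet
    declared = struct.unpack("!I", packet[24:28])[0]     # total length field
    if declared != len(packet):
        raise ValueError("header length %d != packet length %d" % (declared, len(packet)))
    off = ISAKMP_HDR_LEN
    while next_type != PAYLOAD_NONE:
        if off + 4 > len(packet):
            raise ValueError("truncated payload header at offset %d" % off)
        ptype = next_type
        next_type, _reserved, plen = struct.unpack("!BBH", packet[off:off + 4])
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        yield ptype, packet[off + 4:off + plen]
        off += plen
    if off != len(packet):
        raise ValueError("%d trailing bytes after last payload" % (len(packet) - off))


def natt_proposals(packet):
    """Names of the NAT-T variants whose Vendor ID appears in the packet, in wire order."""
    return [NAT_T_VIDS[body] for ptype, body in iter_payloads(packet)
            if ptype == PAYLOAD_VID and body in NAT_T_VIDS]


def proposes_rfc3947(packet):
    """True if the sender offers the RFC 3947 variant (the one Shrew had to stop proposing)."""
    return "RFC 3947" in natt_proposals(packet)


def is_well_formed(packet):
    """True if the whole payload chain parses without a length error."""
    try:
        for _ in iter_payloads(packet):
            pass
        return True
    except ValueError:
        return False


def build_packet(vid_bodies, exchange_type=2):
    """Construct an ISAKMP packet (Main Mode header, message-1 shape) carrying only VID payloads.

    A real message 1 also carries an SA payload; it is left out because the
    classifier above only inspects Vendor ID payloads.
    """
    payloads = b""
    for i, body in enumerate(vid_bodies):
        next_type = PAYLOAD_VID if i + 1 < len(vid_bodies) else PAYLOAD_NONE
        payloads += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    first = PAYLOAD_VID if vid_bodies else PAYLOAD_NONE
    header = struct.pack("!8s8sBBBBII",
                         b"\x01" * 8,        # initiator cookie (constructed value)
                         b"\x00" * 8,        # responder cookie is zero in message 1
                         first, 0x10,        # next payload, ISAKMP version 1.0
                         exchange_type, 0,   # 2 = Identity Protection (Main Mode), flags
                         0,                  # message ID is zero in phase 1
                         ISAKMP_HDR_LEN + len(payloads))
    return header + payloads


def natt_vid(name):
    """Vendor ID bytes for one of the NAT-T variants above."""
    return hashlib.md5(NAT_T_VID_STRINGS[name]).digest()


UNKNOWN_VID = b"\xaa" * 16   # constructed non-NAT-T Vendor ID; must be ignored

# Constructed samples: an initiator offering RFC 3947 plus drafts, and a
# Shrew-style forced-draft initiator that never mentions RFC 3947.
SAMPLE_MIXED = build_packet([natt_vid("RFC 3947"), natt_vid("draft-03"),
                             UNKNOWN_VID, natt_vid("draft-02 (trailing newline)")])
SAMPLE_DRAFTS_ONLY = build_packet([natt_vid("draft-03"), natt_vid("draft-02")])

if __name__ == "__main__":
    for label, pkt in (("mixed", SAMPLE_MIXED), ("drafts only", SAMPLE_DRAFTS_ONLY)):
        print("%s: %s (RFC 3947 offered: %s)" % (label, natt_proposals(pkt), proposes_rfc3947(pkt)))
```

To run this against a live exchange, feed natt_proposals() the UDP payload of the first port 500 packet in each direction (for example, extracted from a tcpdump capture); the list for the Libreswan side shows what it offers, and the Cisco side's reply shows which variant it picked up, which is the evidence to attach when reporting the interoperability problem.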