[Swan-dev] Did Libreswan address these two issues with a Cisco IOS peer ??????

Paul Wouters paul at nohats.ca
Sat Feb 22 17:38:17 EET 2014


On Fri, 21 Feb 2014, Philippe Vouters wrote:

> I solved these specific two issues inside Shrew VPN client. The missing 
> Libreswan sent issuer issue prevents any Libreswan use with Cisco IOS 
> whichever the version. This missing Libreswan sent issuer issue leads to the 
> symptom largely described at 
> http://vouters.dyndns.org/tima/Linux-Windows-Cisco-VPN-Cisco_may_abort_when_attempting_to_establish_a_VPN.html 
> which I strongly suggest you carefully reread.

That would require a cisco with the configuration for testing. And we
would have to figure out the wire format used for sending the CAcert
PLUS the EEcert.

> The NAT-T issue symptom is described in the same document. Libreswan suffers 
> from it, as did Shrew VPN Client until I modified it to allow the end-user to 
> specify a forced NAT-T v02 or v03 payload proposal, preventing Shrew from proposing 
> a NAT-T RFC proposal. This was the only way with the two tested versions of 
> Cisco IOS to have the tunnel correctly established.

That one is easier to do, if all that Cisco needs is to _not_ see the NATT
vendorid to agree on the 02/02n/03 proposal. Does the cisco itself send
the NATT RFC version? That is, do we also need to ignore the incoming
RFC NATT payload?

Paul
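As an added illustration of the vendor ID negotiation Paul is asking about (example code written for this page, not libreswan's or Shrew's own): the NAT-T vendor IDs are MD5 values of fixed strings (RFC 3947 section 3 for the RFC one; the draft names for 02, 02n and 03, where "02" carries a trailing newline), carried in ISAKMP Vendor ID payloads with the 4-byte generic header. The `force_draft` knob models the "do not offer the RFC vendorid" behaviour discussed above; it is an assumption of this example, not a libreswan option.

```python
import hashlib
import struct

# Source strings of the NAT-T vendor IDs; the VID on the wire is MD5(string).
NATT_VID_STRINGS = {
    "draft-02": b"draft-ietf-ipsec-nat-t-ike-02\n",   # yes, with the newline
    "draft-02n": b"draft-ietf-ipsec-nat-t-ike-02",
    "draft-03": b"draft-ietf-ipsec-nat-t-ike-03",
    "rfc3947": b"RFC 3947",
}
NATT_VIDS = {n: hashlib.md5(s).digest() for n, s in NATT_VID_STRINGS.items()}
VID_TO_NAME = {vid: n for n, vid in NATT_VIDS.items()}
PREFERENCE = ["rfc3947", "draft-03", "draft-02n", "draft-02"]  # newest first
PAYLOAD_VID = 13  # ISAKMP "next payload" type for Vendor ID (RFC 2408)


def build_vid_payloads(names, next_after_last=0):
    """Encode a chain of Vendor ID payloads (generic header + 16-byte MD5)."""
    out = b""
    for i, name in enumerate(names):
        vid = NATT_VIDS[name]
        nxt = PAYLOAD_VID if i < len(names) - 1 else next_after_last
        out += struct.pack("!BBH", nxt, 0, 4 + len(vid)) + vid
    return out


def parse_vid_payloads(data):
    """Walk a chain of generic payloads and classify each Vendor ID body."""
    names, off = [], 0
    while off + 4 <= len(data):
        nxt, _, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("truncated or malformed payload at offset %d" % off)
        names.append(VID_TO_NAME.get(data[off + 4:off + length], "unknown"))
        off += length
        if nxt != PAYLOAD_VID:   # chain ends when next payload is not a VID
            break
    return names


def natt_offer(force_draft=None):
    """Vendor IDs we send: all methods by default, or only the forced draft
    when an operator pins one for an interop-sensitive peer (assumed knob)."""
    return list(PREFERENCE) if force_draft is None else [force_draft]


def negotiate_natt(ours, peers):
    """Highest-preference NAT-T method advertised by both sides, else None."""
    for name in PREFERENCE:
        if name in ours and name in peers:
            return name
    return None
```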