[Swan-dev] pluto crashes with signal 11 when ike=des
Paul Wouters
paul at nohats.ca
Wed Jul 9 04:50:25 EEST 2014
On Tue, 8 Jul 2014, Ben Lentz wrote:
> Thank you for your very detailed response. I'm glad to hear the crash was
> fixed and if it's not yet in a release that explains why neither my RHEL
> boxes nor the Fedora 20 Live CD I tested with has it.
>
> You're completely right... I had a working vpnc configuration with this Cisco
> IPsec remote access ASA and the config file had " Enable Single DES" in it,
> which I thought was mandatory. I just tore that line out, bounced vpnc, and I
> can still connect without issue.

Great! Happy to see 1DES die more!

> However, I am totally back to square one as far as OpenSwan / libreswan goes.
> I have read many many howtos and articles online with regard to connecting
> OpenSwan to a Cisco VPN Concentrator / 3000 / IPsec Remote Access / whatever
> Cisco calls it these days but I absolutely cannot get it to work with
> OpenSwan.
> If you have any hints or tips / tricks I would be grateful.

Usually with Cisco, their admin has it configured so you need:

1. Aggressive Mode (aggrmode=yes)
2. No Perfect Forward Secrecy (pfs=no)
3. DH group 2 or 5 (modp1024 or modp1536)
4. 3des/aes/md5/sha1

The last two items are part of the default proposal of
libreswan/openswan, but it helps to reduce the DH groups if
you know what to use exactly (e.g. ike=3des-sha1;modp1536)

Paul
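
Added example, not part of the message above and not libreswan or openswan code: a small Python check that reads conn sections in ipsec.conf syntax, reports where each one differs from the four items listed in the message, and flags any single-DES IKE proposal. The conn names and the sample file are constructed; the code assumes the defaults aggrmode=no and pfs=yes, and it does not resolve also= or %default.

```python
import re

REQUIRED = (("aggrmode", "yes", "no"), ("pfs", "no", "yes"))  # items 1-2: (key, wanted, default)
DH_GROUPS = {"modp1024", "modp1536"}                          # item 3: DH group 2 or 5
CIPHERS, HASHES = ("3des", "aes"), {"md5", "sha1"}            # item 4 (ciphers as prefixes)

SAMPLE = """\
conn cisco-old
    aggrmode=yes
    pfs=no
    ike=des-md5;modp1024
conn cisco-new
    aggrmode=yes
    pfs=no
    ike=3des-sha1;modp1536
conn untuned
    ike=aes-sha1
"""  # constructed sample, not a configuration from the thread

def parse_conns(text):
    """Return {conn name: {option: value}}; also= and %default are not resolved."""
    conns, current = {}, None
    for line in map(str.rstrip, text.splitlines()):
        if not line or line.lstrip().startswith("#"):
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif not line[0].isspace():
            current = None  # "config setup" or another section type
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_conn(opts):
    """List where one conn differs from items 1-4, plus any single-DES proposal."""
    found = [f"{k} is not {want}" for k, want, dflt in REQUIRED if opts.get(k, dflt) != want]
    for prop in filter(None, map(str.strip, opts.get("ike", "").lower().split(","))):
        cipher, *rest = re.split(r"[-;]", prop)
        groups = {t for t in rest if t.startswith("modp")}
        if cipher == "des":
            found.append(f"{prop}: single DES")
        elif not cipher.startswith(CIPHERS) or not set(rest) - groups <= HASHES:
            found.append(f"{prop}: outside 3des/aes/md5/sha1")
        if not groups or not groups <= DH_GROUPS:
            found.append(f"{prop}: DH group not modp1024/modp1536")
    return found

def audit(text):
    return {name: check_conn(opts) for name, opts in parse_conns(text).items()}
```

Calling `audit(SAMPLE)` returns one list of findings per conn; an empty list means the conn matches all four items.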