[Swan-dev] pluto crashes with signal 11 when ike=des
Ben Lentz
ben.lentz at gmail.com
Wed Jul 9 07:24:24 EEST 2014
>> If you have any hints or tips / tricks I would be grateful.
>
> Usually with Cisco, their admin has it configured so you need:
>
> 1 Aggressive Mode (aggrmode=yes)
> 2 No Perfect Forward Secrecy (pfs=no)
> 3 DH group 2 or 5 (modp1024 or modp1536)
> 4 3des/aes/md5/sha1
>
> The last two items are part of the default proposal of
> libreswan/openswan, but it helps to reduce the DH groups if
> you know what to use exactly (eg ike=3des-sha1;modp1536)
>
> Paul

Well, using this information I am certainly a lot closer than ever
before! It looks like I am getting authenticated and the pluto logs are
showing the Cisco-delivered DNS servers and an IP address from the
correct client IP pool is being handed to my machine. However, the IP
alias I'm handed is never added to the interface and the routes are
never added. I think I'm still getting stuck at NO_PROPOSAL_CHOSEN even
though it looks to me like 95% of it is working now.

I'm going to try to keep throwing different combinations at it, but I
think I may have tried them all. Any other ideas?

Here's my log (scrubbed):

Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: XAUTH: Successfully Authenticated
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: modecfg: Sending IP request (MODECFG_I1)
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: received mode cfg reply
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: setting client address to 192.168.0.19/32
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: setting ip source address to 192.168.0.19/32
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: Received IP4 NETMASK 255.255.255.0
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: Received DNS 10.0.0.20, len=10
Jul 9 00:16:51 bentz pluto[14906]: | Cisco DNS info: 10.0.0.20, len=10
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: Received DNS 10.0.0.240, len=10
Jul 9 00:16:51 bentz pluto[14906]: | Cisco DNS info: 10.0.0.20 10.0.0.240, len=21
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: STATE_MAIN_I4: ISAKMP SA established
Jul 9 00:16:51 bentz pluto[14906]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:c1b12890 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: received and ignored informational message
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: received Delete SA payload: deleting ISAKMP State #1
Jul 9 00:16:51 bentz pluto[14906]: packet from 198.185.66.15:500: received and ignored informational message
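
Added example (not part of the original message, and not libreswan code): a small Python triage of pluto log lines like those above. It pairs each NO_PROPOSAL_CHOSEN notification with the Quick Mode offer sent over the same ISAKMP SA, so the proposal that was on the wire is visible. The sample lines are constructed from the log in the post, and attributing the notification to Quick Mode by ordering is a heuristic assumption.

```python
import re

# Constructed sample: four pluto lines modelled on the log in the post (unwrapped).
SAMPLE_LOG = """\
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: STATE_MAIN_I4: ISAKMP SA established
Jul 9 00:16:51 bentz pluto[14906]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+AGGRESSIVE {using isakmp#1 msgid:c1b12890 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Jul 9 00:16:51 bentz pluto[14906]: "conn" #1: received Delete SA payload: deleting ISAKMP State #1
"""

# Layout seen in the log: "<conn name>" #<state number>: <message>
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
QUICK = re.compile(r"initiating Quick Mode .*\{using isakmp#(?P<parent>\d+) .*"
                   r"proposal=(?P<proposal>\S+) pfsgroup=(?P<pfs>[^}\s]+)")


def triage(log_text):
    """Return one finding per NO_PROPOSAL_CHOSEN notification in log_text."""
    established = set()  # (conn, state) pairs whose ISAKMP SA came up
    offers = {}          # (conn, parent ISAKMP state) -> last Quick Mode offer
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # lines without a connection/state prefix are skipped
        key, msg = (m["conn"], m["sa"]), m["msg"]
        q = QUICK.search(msg)
        if "ISAKMP SA established" in msg:
            established.add(key)
        elif q:
            offers[(m["conn"], q["parent"])] = (q["proposal"], q["pfs"])
        elif "NO_PROPOSAL_CHOSEN" in msg:
            proposal, pfs = offers.get(key, (None, None))
            # Heuristic (assumption): a rejection logged on an ISAKMP SA that
            # already carried a Quick Mode offer refers to that phase 2 offer.
            if proposal:
                phase = "phase2"
            elif key in established:
                phase = "unknown"
            else:
                phase = "phase1"
            findings.append({"conn": m["conn"], "phase": phase,
                             "proposal": proposal, "pfsgroup": pfs})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A "phase2" finding means the IKE (ike=) settings were accepted and the peer refused the Quick Mode offer shown in `proposal` and `pfsgroup`.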