[Swan] Fwd: Cisco XAUTH configuration rightid phase 1 fails

Andrew Campbell andrewc at vayoka.com
Tue Jun 11 04:10:23 EEST 2013


Hello List,

After a much needed break from the security scene, I return to find a whole
raft of changes!

Below are my findings with openswan, and I am curious whether the latest libreswan will
have a different result.

I'm trying to configure my test environment against a Cisco router.
Everything works with vpnc, but I would prefer to use OpenSwan (or now
libreswan). I have tried all configuration combinations, but cannot get
past phase 1 - no suitable connection for peer.

Any help will be much appreciated.

Kind Regards,

Andrew

Test environment: Linux Openswan U2.6.38-g312f1b8a-dirty/K3.2.0-4-amd64
(netkey)

#-----------------------------------------#

root@ipsec:/etc# cat ipsec.conf
conn cisco
  ike=3des-sha1-modp1024
  esp=3des-sha1
  pfs=yes
  ikelifetime=86400s
  keylife=28800s
  #
  aggrmode=yes
  authby=secret
  #
  left=%defaultroute
  leftmodecfgclient=yes
  leftxauthclient=yes
  leftid="@customer.domain"
  #
  right=1xx.5x.5x.1xx
  rightid="@IPsec_1.cisco.com"
  rightxauthserver=yes
  rightmodecfgserver=yes
  #
  modecfgpull=yes
  auto=add

#-----------------------------------------#

root@ipsec:/etc# cat ipsec.secrets
@customer.domain 1xx.5x.5x.1xx : PSK "customer1234"

#-----------------------------------------#

ipsec whack --debug-all --name cisco --xauthname test@customer.domain --xauthpass xauth1234 --initiate

112 "cisco" #1: STATE_AGGR_I1: initiate
002 "cisco" #1: extra debugging enabled for connection: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
003 "cisco" #1: received Vendor ID payload [Cisco-Unity]
003 "cisco" #1: received Vendor ID payload [Dead Peer Detection]
003 "cisco" #1: ignoring unknown Vendor ID payload [12030e87294146bcd6828c998b89a5b7]
003 "cisco" #1: received Vendor ID payload [XAUTH]
003 "cisco" #1: received Vendor ID payload [RFC 3947] method set to=115
002 "cisco" #1: Aggressive mode peer ID is ID_FQDN: '@IPsec_1.cisco.com'
003 "cisco" #1: no suitable connection for peer '@IPsec_1.cisco.com'
003 "cisco" #1: initial Aggressive Mode packet claiming to be from @IPsec_1.cisco.com on 1xx.5x.5x.1xx but no connection has been authorized
218 "cisco" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
002 "cisco" #1: sending notification INVALID_ID_INFORMATION to 1xx.5x.5x.1xx:500

#-----------------------------------------#
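Added example (not part of Andrew's post, and not openswan or libreswan code): a small triage script that reads the three artefacts the post shows (the `conn cisco` block from ipsec.conf, the ipsec.secrets line, and the pluto log) and cross-checks them the way an operator would when pluto reports `no suitable connection for peer`. It extracts the peer ID pluto announced, compares it with the configured `rightid`, and lists which ipsec.secrets entries are indexed by that peer's ID or address. The sample inputs are constructed from the post (with its masked addresses); the function names and the simplified conn/secrets parsers are this example's own assumptions, and the script reports mismatches rather than claiming to know why this particular negotiation failed.

```python
import re

# Constructed inputs modelled on the post, embedded so the example runs offline.
IPSEC_CONF = """\
conn cisco
  ike=3des-sha1-modp1024
  esp=3des-sha1
  aggrmode=yes
  authby=secret
  left=%defaultroute
  leftid="@customer.domain"
  right=1xx.5x.5x.1xx
  rightid="@IPsec_1.cisco.com"
  rightxauthserver=yes
  auto=add
"""

IPSEC_SECRETS = '@customer.domain 1xx.5x.5x.1xx : PSK "customer1234"\n'

PLUTO_LOG = """\
002 "cisco" #1: Aggressive mode peer ID is ID_FQDN: '@IPsec_1.cisco.com'
003 "cisco" #1: no suitable connection for peer '@IPsec_1.cisco.com'
218 "cisco" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
"""


def parse_conn(text, name):
    """Return the key=value settings of one 'conn <name>' block (simplified parser)."""
    settings, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("conn "):
            inside = stripped.split(None, 1)[1] == name
            continue
        if inside and "=" in stripped:
            key, _, value = stripped.partition("=")
            settings[key.strip()] = value.strip().strip('"')
    return settings


def parse_secrets(text):
    """Return a list of (index_ids, psk) tuples for the PSK lines of ipsec.secrets."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"', line.strip())
        if m:
            entries.append((m.group(1).split(), m.group(2)))
    return entries


def parse_log(text):
    """Pull the announced peer ID and any INVALID_* notification out of pluto's log."""
    info = {"peer_id": None, "id_type": None, "failure": None}
    for line in text.splitlines():
        m = re.search(r"peer ID is (\w+): '([^']*)'", line)
        if m:
            info["id_type"], info["peer_id"] = m.group(1), m.group(2)
        m = re.search(r"STATE_\w+: (INVALID_\w+)", line)
        if m:
            info["failure"] = m.group(1)
    return info


def triage(conf_text, secrets_text, log_text, conn_name):
    """Cross-check the peer ID seen on the wire against the configuration."""
    conn = parse_conn(conf_text, conn_name)
    secrets = parse_secrets(secrets_text)
    log = parse_log(log_text)
    findings = []
    if log["failure"]:
        findings.append(f"phase 1 failed with {log['failure']}")
    if log["peer_id"] and log["peer_id"] != conn.get("rightid"):
        findings.append(f"peer announced {log['peer_id']!r} but rightid is {conn.get('rightid')!r}")
    # Secrets entries that could be selected for this peer, by its ID or its address.
    candidates = [ids for ids, _ in secrets
                  if log["peer_id"] in ids or conn.get("right") in ids]
    if not candidates:
        findings.append("no ipsec.secrets entry is indexed by the peer's ID or address")
    return {"conn": conn, "log": log, "secret_indexes": candidates, "findings": findings}


if __name__ == "__main__":
    result = triage(IPSEC_CONF, IPSEC_SECRETS, PLUTO_LOG, "cisco")
    for finding in result["findings"]:
        print("finding:", finding)
    print("secrets entries usable for this peer:", result["secret_indexes"])
```

On the post's own data the script confirms that the announced ID `@IPsec_1.cisco.com` does match `rightid` and that the single secrets line is indexed by the peer's address, so the only finding is the `INVALID_ID_INFORMATION` failure itself; that narrows the search away from a simple ID typo and towards how the connection is being selected for an aggressive-mode peer.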