[Swan] Fwd: Cisco XAUTH configuration rightid phase 1 fails
Nick Howitt
n1ck.h0w1tt at gmail.com
Tue Jun 11 10:56:30 EEST 2013
Andrew,
I have an open bug https://bugs.libreswan.org/show_bug.cgi?id=86 for
left=%defaultroute not working. Can you test with left=some_IP_address
and see if it works? If it does work, it is probably the same bug.
The bug is Libreswan only as they reworked the %defaultroute detection
code. I can't read the bug now, but from memory setting
leftnexthop=%defaultroute may also work. It is probably worth reading
the bug.
Nick
On 2013-06-11 02:10, Andrew Campbell wrote:
> Hello List,
>
> After a much needed break from the security scene, I return to find a whole raft of changes!
>
> Below are my findings with openswan and curious if the latest libreswan will have a different result.
>
> I'm trying to configure my test environment against a Cisco router. Everything works with vpnc, but I would prefer to use of OpenSwan (or now libreswan). I have tried all configuration combinations, but cannot get past phase 1 up - no suitable connection for peer.
>
> Any help will be much appreciated.
>
> Kind Regards,
>
> Andrew
>
> Test environment Linux Openswan U2.6.38-g312f1b8a-dirty/K3.2.0-4-amd64 (netkey)
>
> #-----------------------------------------#
>
> root at ipsec:/etc# cat ipsec.conf
> conn cisco
> ike=3des-sha1-modp1024
> esp=3des-sha1
> pfs=yes
> ikelifetime=86400s
> keylife=28800s
> #
> aggrmode=yes
> authby=secret
> #
> left=%defaultroute
> leftmodecfgclient=yes
> leftxauthclient=yes
> leftid="@customer.domain"
> #
> right=1xx.5x.5x.1xx
> rightid="@IPsec_1.cisco.com"
> rightxauthserver=yes
> rightmodecfgserver=yes
> #
> modecfgpull=yes
> auto=add
>
> #-----------------------------------------#
>
> root at ipsec:/etc# cat ipsec.secrets
> @customer.domain 1xx.5x.5x.1xx : PSK "customer1234"
>
> #-----------------------------------------#
>
> ipsec whack --debug-all --name cisco --xauthname test at customer.domain --xauthpass xauth1234 --initiate
>
> 112 "cisco" #1: STATE_AGGR_I1: initiate
> 002 "cisco" #1: extra debugging enabled for connection: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
> 003 "cisco" #1: received Vendor ID payload [Cisco-Unity]
> 003 "cisco" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "cisco" #1: ignoring unknown Vendor ID payload [12030e87294146bcd6828c998b89a5b7]
> 003 "cisco" #1: received Vendor ID payload [XAUTH]
> 003 "cisco" #1: received Vendor ID payload [RFC 3947] method set to=115
> 002 "cisco" #1: Aggressive mode peer ID is ID_FQDN: '@IPsec_1.cisco.com'
> 003 "cisco" #1: no suitable connection for peer '@IPsec_1.cisco.com'
> 003 "cisco" #1: initial Aggressive Mode packet claiming to be from @IPsec_1.cisco.com on 1xx.5x.5x.1xx but no connection has been authorized
> 218 "cisco" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
> 002 "cisco" #1: sending notification INVALID_ID_INFORMATION to 1xx.5x.5x.1xx:500
>
> #-----------------------------------------#
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
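An added example, not from the thread or from the libreswan project: a small Python checker that reads the conn block from ipsec.conf and the pluto/whack output, pulls the peer ID pluto reported in aggressive mode, and tells you whether the INVALID_ID_INFORMATION rejection can be explained by a rightid mismatch or whether, as in this thread, the IDs match and left=%defaultroute is the next thing to test. The config and log lines below are constructed from the thread (the peer address is the documentation address 192.0.2.10, since the real one is redacted), and the function names are mine.

```python
import re

# Constructed sample input, modelled on the thread: a conn block from ipsec.conf
# and the pluto/whack lines it produced. 192.0.2.10 stands in for the redacted
# peer address.
IPSEC_CONF = """\
conn cisco
ike=3des-sha1-modp1024
esp=3des-sha1
aggrmode=yes
authby=secret
left=%defaultroute
leftxauthclient=yes
leftid="@customer.domain"
right=192.0.2.10
rightid="@IPsec_1.cisco.com"
rightxauthserver=yes
auto=add
"""

WHACK_LOG = """\
112 "cisco" #1: STATE_AGGR_I1: initiate
003 "cisco" #1: received Vendor ID payload [XAUTH]
002 "cisco" #1: Aggressive mode peer ID is ID_FQDN: '@IPsec_1.cisco.com'
003 "cisco" #1: no suitable connection for peer '@IPsec_1.cisco.com'
218 "cisco" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
"""


def parse_conns(conf_text):
    """Parse 'conn NAME' blocks into {name: {key: value}}; surrounding quotes are stripped."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


# The ID pluto extracted from the peer's aggressive-mode first reply.
PEER_ID_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: Aggressive mode peer ID is (?P<idtype>\S+): \'(?P<peer>[^\']*)\''
)
# The rejection that precedes INVALID_ID_INFORMATION.
NO_CONN_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: no suitable connection for peer')


def parse_log(log_text):
    """Collect, per connection name, the peer ID pluto saw and whether it rejected it."""
    events = {}
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            events.setdefault(m["conn"], {}).update(peer_id=m["peer"], id_type=m["idtype"])
        m = NO_CONN_RE.search(line)
        if m:
            events.setdefault(m["conn"], {})["rejected"] = True
    return events


def diagnose(conf_text, log_text):
    """Return (code, message) findings for every connection pluto rejected."""
    conns, events = parse_conns(conf_text), parse_log(log_text)
    findings = []
    for name, ev in events.items():
        if not ev.get("rejected"):
            continue
        conn = conns.get(name)
        if conn is None:
            findings.append(("missing_conn", f"no conn {name!r} in ipsec.conf"))
            continue
        configured, seen = conn.get("rightid"), ev.get("peer_id")
        if configured != seen:
            findings.append(("rightid_mismatch",
                             f"{name}: rightid={configured!r} but peer sent {ev.get('id_type')} {seen!r}"))
        else:
            findings.append(("rightid_ok",
                             f"{name}: rightid matches the peer's {ev.get('id_type')} {seen!r}; the ID is not the cause"))
        if conn.get("left") == "%defaultroute":
            findings.append(("left_defaultroute",
                             f"{name}: left=%defaultroute; test left=<local IP> or "
                             "leftnexthop=%defaultroute (libreswan bug 86 in the thread)"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(IPSEC_CONF, WHACK_LOG):
        print(f"[{code}] {msg}")
```

Run against the thread's own data the checker reports that rightid and the peer's ID_FQDN agree, so the rejection is not an ID typo, and then flags left=%defaultroute as the setting to change for a retest. It only reads files and logs; it does not touch the running tunnel.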