[Swan] Fwd: Cisco XAUTH configuration rightid phase 1 fails

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Jun 11 10:56:30 EEST 2013



Andrew, 

I have an open bug https://bugs.libreswan.org/show_bug.cgi?id=86 [3] for
left=%defaultroute not working. Can you test with left=some_IP_address
and see if it works? If it does work, it is probably the same bug.
The bug is Libreswan only as they reworked the %defaultroute detection
code. I can't read the bug now, but from memory setting
leftnexthop=%defaultroute may also work. It is probably worth reading
the bug. 

Nick 

On 2013-06-11 02:10, Andrew Campbell wrote: 

> Hello List, 
> 
> After a much needed break from the security scene, I return to find a whole raft of changes! 
> 
> Below are my findings with openswan and am curious if the latest libreswan will have a different result. 
> 
> I'm trying to configure my test environment against a Cisco router. Everything works with vpnc, but I would prefer to use OpenSwan (or now libreswan). I have tried all configuration combinations, but cannot get past phase 1 up - no suitable connection for peer. 
> 
> Any help will be much appreciated. 
> 
> Kind Regards, 
> 
> Andrew 
> 
> Test environment Linux Openswan U2.6.38-g312f1b8a-dirty/K3.2.0-4-amd64 (netkey) 
> 
> #-----------------------------------------# 
> 
> root at ipsec:/etc# cat ipsec.conf 
> conn cisco 
>     ike=3des-sha1-modp1024 
>     esp=3des-sha1 
>     pfs=yes 
>     ikelifetime=86400s 
>     keylife=28800s 
>     # 
>     aggrmode=yes 
>     authby=secret 
>     # 
>     left=%defaultroute 
>     leftmodecfgclient=yes 
>     leftxauthclient=yes 
>     leftid="@customer.domain" 
>     # 
>     right=1xx.5x.5x.1xx 
>     rightid="@IPsec_1.cisco.com" 
>     rightxauthserver=yes 
>     rightmodecfgserver=yes 
>     # 
>     modecfgpull=yes 
>     auto=add 
> 
> #-----------------------------------------# 
> 
> root at ipsec:/etc# cat ipsec.secrets 
> @customer.domain 1xx.5x.5x.1xx : PSK "customer1234" 
> 
> #-----------------------------------------# 
> 
> ipsec whack --debug-all --name cisco --xauthname test at customer.domain --xauthpass xauth1234 --initiate 
> 
> 112 "cisco" #1: STATE_AGGR_I1: initiate 
> 002 "cisco" #1: extra debugging enabled for connection: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo 
> 003 "cisco" #1: received Vendor ID payload [Cisco-Unity] 
> 003 "cisco" #1: received Vendor ID payload [Dead Peer Detection] 
> 003 "cisco" #1: ignoring unknown Vendor ID payload [12030e87294146bcd6828c998b89a5b7] 
> 003 "cisco" #1: received Vendor ID payload [XAUTH] 
> 003 "cisco" #1: received Vendor ID payload [RFC 3947] method set to=115 
> 002 "cisco" #1: Aggressive mode peer ID is ID_FQDN: '@IPsec_1.cisco.com' 
> 003 "cisco" #1: no suitable connection for peer '@IPsec_1.cisco.com' 
> 003 "cisco" #1: initial Aggressive Mode packet claiming to be from @IPsec_1.cisco.com on 1xx.5x.5x.1xx but no connection has been authorized 
> 218 "cisco" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION 
> 002 "cisco" #1: sending notification INVALID_ID_INFORMATION to 1xx.5x.5x.1xx:500 
> 
> #-----------------------------------------# 
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan [1]


Links:
------
[1] https://lists.libreswan.org/mailman/listinfo/swan
[2] http://IPsec_1.cisco.com
[3] https://bugs.libreswan.org/show_bug.cgi?id=86
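
As an added example (not code from this thread, nor from openswan or libreswan), the script below does the two checks the thread turns on. It pulls the source address that left=%defaultroute should resolve to out of `ip route get <peer>` output, so the conn can be retried with an explicit left=<address> as Nick suggests, and it parses pluto's "Aggressive mode peer ID is ..." line and compares the announced ID with the conn's rightid, which is the comparison pluto reports as "no suitable connection for peer". The conn block, route output and log line embedded in the script are constructed samples modelled on the ones posted, with documentation addresses in place of the masked ones; `resolve_defaultroute()` shells out to iproute2 and is the only part that needs a real host. Function names are hypothetical.

```python
#!/usr/bin/env python3
"""Helpers for the two checks raised in the thread (added example, not swan code).

1. Find the local address that left=%defaultroute should resolve to, so the
   conn can be retried with an explicit left=<address>.
2. Compare the peer ID pluto logs in Aggressive Mode with the conn's rightid,
   the check behind "no suitable connection for peer".
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample: a conn block in the shape of the one posted (addresses
# are RFC 5737 documentation ranges standing in for the masked ones).
SAMPLE_CONF = """\
conn cisco
    ike=3des-sha1-modp1024
    aggrmode=yes
    authby=secret
    left=%defaultroute
    leftid="@customer.domain"
    right=192.0.2.77
    rightid="@IPsec_1.cisco.com"
    auto=add
"""

# Constructed sample of `ip route get 192.0.2.77` output; a real host returns this from the kernel.
SAMPLE_ROUTE = "192.0.2.77 via 198.51.100.1 dev eth0 src 198.51.100.23 uid 0\n    cache\n"

# Constructed pluto log line in the format shown in the thread.
SAMPLE_LOG = "002 \"cisco\" #1: Aggressive mode peer ID is ID_FQDN: '@IPsec_1.cisco.com'"


def parse_conn(conf_text: str, name: str) -> Dict[str, str]:
    """Return the key=value settings of one conn section, with quotes stripped.

    ipsec.conf marks section headers by a line starting in column 0 and
    parameters by indented lines, which is what this parser keys on.
    """
    settings: Dict[str, str] = {}
    in_conn = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():              # header: 'conn cisco', 'config setup', ...
            in_conn = line.split() == ["conn", name]
            continue
        if in_conn and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def default_route_source(route_output: str) -> Optional[str]:
    """Pull the 'src' address out of `ip route get <peer>` output."""
    m = re.search(r"\bsrc\s+([0-9a-fA-F.:]+)", route_output)
    return m.group(1) if m else None


def resolve_defaultroute(peer: str) -> Optional[str]:
    """Ask the kernel which source address reaches the peer (needs iproute2 on the host)."""
    out = subprocess.run(["ip", "route", "get", peer],
                         capture_output=True, text=True, check=True).stdout
    return default_route_source(out)


def with_explicit_left(conf_text: str, address: str) -> str:
    """Rewrite left=%defaultroute to the given address, for the explicit-left test."""
    return re.sub(r"^([ \t]*left=)%defaultroute[ \t]*$",
                  lambda m: m.group(1) + address, conf_text, flags=re.MULTILINE)


def logged_peer_id(log_line: str) -> Optional[Tuple[str, str]]:
    """Parse "... mode peer ID is ID_TYPE: 'value'" into (ID_TYPE, value)."""
    m = re.search(r"mode peer ID is (ID_\w+): '([^']*)'", log_line)
    return (m.group(1), m.group(2)) if m else None


def peer_id_matches(conn: Dict[str, str], log_line: str) -> bool:
    """True when the announced peer ID equals the conn's rightid.

    Covers the @fqdn form used in the thread: pluto prints such IDs with the
    leading '@' as in ipsec.conf, so the two strings are compared verbatim.
    A False here is what pluto reports as "no suitable connection for peer".
    """
    parsed = logged_peer_id(log_line)
    expected = conn.get("rightid")
    if parsed is None or expected is None:
        return False
    id_type, value = parsed
    return id_type == "ID_FQDN" and value == expected


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF, "cisco")
    src = default_route_source(SAMPLE_ROUTE)
    print("explicit left to try:", src)
    print(with_explicit_left(SAMPLE_CONF, src))
    print("peer ID matches rightid:", peer_id_matches(conn, SAMPLE_LOG))
```

On a live host, replace SAMPLE_ROUTE with `resolve_defaultroute(conn["right"])`; if the address it returns is not the one the %defaultroute code picked, that points at the bug Nick cites rather than at the ID mismatch.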