[Swan] Fwd: Cisco XAUTH configuration rightid phase 1 fails

Andrew Campbell andrewc at vayoka.com
Wed Jun 12 03:12:48 EEST 2013


Hi Nick,

My original test with openswan and libreswan had the left= value set with
an IP address. Tried all the combination mentioned in the bug with the same
result.

It doesn't like the remote servers ID_FQDN reply of '@IPsec_1.cisco.com'

Would openswan/libreswan try to resolve the IP address from the ID_FQDN
reply?

Andrew

On Tue, Jun 11, 2013 at 5:56 PM, Nick Howitt <n1ck.h0w1tt at gmail.com> wrote:

>
> Andrew,
>
> I have an open bug https://bugs.libreswan.org/show_bug.cgi?id=86 for
> left=%defaultroute not working. Can you test with left=some_IP_address and
> see if it works? If it does work, it is probably the same bug. The bug
> is Libreswan only as they reworked the %defaultroute detection code. I
> can't read the bug now, but from memory setting leftnexthop=%defaultroute
> may also work. It is probably worth reading the bug.
>
> Nick
>
> On 2013-06-11 02:10, Andrew Campbell wrote:
>
> Hello List,
>
> After a much needed break from the security scene, I return to find a
> whole raft of changes!
>
> Below are my findings with openswan and I am curious whether the latest libreswan
> will have a different result.
>
> I'm trying to configure my test environment against a Cisco router.
> Everything works with vpnc, but I would prefer to use OpenSwan (or now
> libreswan). I have tried all configuration combinations, but cannot get
> past phase 1 up - no suitable connection for peer.
>
> Any help will be much appreciated.
>
> Kind Regards,
>
> Andrew
>
> Test environment: Linux Openswan U2.6.38-g312f1b8a-dirty/K3.2.0-4-amd64
> (netkey)
>
> #-----------------------------------------#
>
> root@ipsec:/etc# cat ipsec.conf
> conn cisco
>   ike=3des-sha1-modp1024
>   esp=3des-sha1
>   pfs=yes
>   ikelifetime=86400s
>   keylife=28800s
>   #
>   aggrmode=yes
>   authby=secret
>   #
>   left=%defaultroute
>   leftmodecfgclient=yes
>   leftxauthclient=yes
>   leftid="@customer.domain"
>   #
>   right=1xx.5x.5x.1xx
>   rightid="@IPsec_1.cisco.com"
>   rightxauthserver=yes
>   rightmodecfgserver=yes
>   #
>   modecfgpull=yes
>   auto=add
>
> #-----------------------------------------#
>
> root@ipsec:/etc# cat ipsec.secrets
> @customer.domain 1xx.5x.5x.1xx : PSK "customer1234"
>
> #-----------------------------------------#
>
> ipsec whack --debug-all --name cisco --xauthname test@customer.domain --xauthpass xauth1234 --initiate
>
> 112 "cisco" #1: STATE_AGGR_I1: initiate
> 002 "cisco" #1: extra debugging enabled for connection: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
> 003 "cisco" #1: received Vendor ID payload [Cisco-Unity]
> 003 "cisco" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "cisco" #1: ignoring unknown Vendor ID payload [12030e87294146bcd6828c998b89a5b7]
> 003 "cisco" #1: received Vendor ID payload [XAUTH]
> 003 "cisco" #1: received Vendor ID payload [RFC 3947] method set to=115
> 002 "cisco" #1: Aggressive mode peer ID is ID_FQDN: '@IPsec_1.cisco.com'
> 003 "cisco" #1: no suitable connection for peer '@IPsec_1.cisco.com'
> 003 "cisco" #1: initial Aggressive Mode packet claiming to be from @IPsec_1.cisco.com on 1xx.5x.5x.1xx but no connection has been authorized
> 218 "cisco" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
> 002 "cisco" #1: sending notification INVALID_ID_INFORMATION to 1xx.5x.5x.1xx:500
>
> #-----------------------------------------#
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
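A small added triage script, not from the thread or from libreswan, that checks the quoted ipsec.conf against the whack output above: it compares the configured rightid and right address with the peer ID and address pluto reported, and flags the left=%defaultroute plus aggressive-mode combination Nick points at. The sample inputs are constructed from the thread's own quotes (with the list's masked IPs), the config parser assumes the plain key=value form shown, and the bug reference is Nick's while the heuristic is mine.

```python
import re

# Constructed sample input, abridged from the ipsec.conf and whack output
# quoted in the thread; the IPs are the thread's own masked placeholders.
IPSEC_CONF = """\
conn cisco
  aggrmode=yes
  authby=secret
  left=%defaultroute
  leftid="@customer.domain"
  right=1xx.5x.5x.1xx
  rightid="@IPsec_1.cisco.com"
  auto=add
"""

WHACK_LOG = """\
002 "cisco" #1: Aggressive mode peer ID is ID_FQDN: '@IPsec_1.cisco.com'
003 "cisco" #1: no suitable connection for peer '@IPsec_1.cisco.com'
003 "cisco" #1: initial Aggressive Mode packet claiming to be from @IPsec_1.cisco.com on 1xx.5x.5x.1xx but no connection has been authorized
"""

def parse_conf(text):
    """Return {conn_name: {key: value}} for a minimal key=value ipsec.conf."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return conns

# Matches pluto's "claiming to be from <ID> on <IP> but no connection" line.
PEER_RE = re.compile(r"claiming to be from (\S+) on (\S+) but no connection")

def diagnose(conf_text, log_text):
    """Return findings that could explain a phase-1 'no suitable connection'."""
    findings = []
    m = PEER_RE.search(log_text)
    if not m:
        return findings
    peer_id, peer_ip = m.group(1), m.group(2)
    for name, c in parse_conf(conf_text).items():
        if c.get("rightid") != peer_id:
            findings.append(f"{name}: rightid {c.get('rightid')!r} != peer ID {peer_id!r}")
        if c.get("right") != peer_ip:
            findings.append(f"{name}: right {c.get('right')!r} != peer address {peer_ip!r}")
        if c.get("left") == "%defaultroute" and c.get("aggrmode") == "yes":
            findings.append(f"{name}: left=%defaultroute with aggrmode=yes; "
                            "try a literal left=<local IP> (see libreswan bug 86)")
    return findings
```

For the thread's own config and log the ID and address checks pass, so the only finding is the %defaultroute one, which matches Nick's diagnosis.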