[Swan] Cisco VPN client forces 1DES encryption, which libreswan does not support

peter at krajci.sk
Fri Jul 11 15:12:49 EEST 2014


Hello everybody,

I followed the config tutorial
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
with small modifications, but the Cisco VPN client forces 1DES encryption,
which libreswan does not support anymore. Is there any solution to get it
working with the Cisco VPN client?

Auth log:

Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [XAUTH]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [Dead Peer Detection]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [FRAGMENTATION 80000000]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [Cisco-Unity]
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[3] 192.168.110.76 #2: Aggressive mode peer ID is ID_KEY_ID: '<deleted>'
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[3] 192.168.110.76 #2: switched from "xauth-psk-xauth-aggrmode" to "xauth-psk-xauth-aggrmode"
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: deleting connection "xauth-psk-xauth-aggrmode" instance with peer 192.168.110.76 {isakmp=#0/ipsec=#0}
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: responding to Aggressive Mode, state #2, connection "xauth-psk-xauth-aggrmode" from 192.168.110.76
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: 1DES is not encryption
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: 1DES is not encryption
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: no acceptable Oakley Transform
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: sending notification NO_PROPOSAL_CHOSEN to 192.168.110.76:59670
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76: deleting connection "xauth-psk-aggrmode" instance with peer 192.168.110.76 {isakmp=#0/ipsec=#0}



I found some material about the Cisco VPN client's supported modes in this
document
(http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcA.pdf), page 205, table 11-3. Then I tried some of the Preshared Keys (XAUTH) modes, but with no luck. My ipsec.conf is as
follows:

config setup
         protostack=netkey
         # exclude networks used on server side by adding %v4:!a.b.c.0/24
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24

conn xauth-psk-aggrmode
         aggrmode=yes
         authby=secret
         ike=3des-md5;modp1024
         phase2=esp
         phase2alg=3des-sha1
         pfs=no
         auto=add
         rekey=no
         left=<my real server IP>
         leftid=@vpn.nohats.ca
         leftsubnet=0.0.0.0/0
         rightaddresspool=10.231.247.1-10.231.247.254
         right=%any
         modecfgdns1=<my real DNS server>
         leftxauthserver=yes
         rightxauthclient=yes
         leftmodecfgserver=yes
         rightmodecfgclient=yes
         modecfgpull=yes
         xauthby=alwaysok
         ike_frag=yes
         xauthfail=soft


Libreswan version:
Linux Libreswan 3.8 (netkey) on 3.2.0-4-amd64

Cisco VPN client version:
Cisco Systems VPN Client Version 5.0.07.0440


Everything works like a charm with the Shrew Soft VPN client, but I want
to get it working with the Cisco VPN client. I would be very glad for any
idea.
Thank you.
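Log triage for pluto output of the kind pasted above, as an added example that is not part of the original post and not libreswan's own code. It parses the syslog lines, groups them per peer address, and reduces the repeated attribute messages to a short summary of what the peer proposed and which attribute pluto rejected (here OAKLEY_DES_CBC under OAKLEY_ENCRYPTION_ALGORITHM, ending in NO_PROPOSAL_CHOSEN). The regular expressions, the function names and the condensed sample log (one copy of each distinct message, plus a wall-broadcast line to show that non-pluto noise is skipped) are my own constructions modelled on the log in the post.

```python
"""Summarise why a libreswan/pluto IKEv1 exchange ended in NO_PROPOSAL_CHOSEN.

Added example (not libreswan code). Feed it raw auth.log text; it returns,
per peer address, the vendor IDs seen, whether Aggressive Mode was used,
which attribute values pluto reported as unsupported, lifetime requests
that exceeded the local limit, and the final notification sent.
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the post's log: one copy of each distinct
# pluto message, and one unrelated wall-broadcast line mixed in.
SAMPLE_LOG = """\
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [XAUTH]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [Dead Peer Detection]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [Cisco-Unity]
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: responding to Aggressive Mode, state #2, connection "xauth-psk-xauth-aggrmode" from 192.168.110.76
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: 1DES is not encryption
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
The system is going down for reboot NOW!
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: no acceptable Oakley Transform
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: sending notification NO_PROPOSAL_CHOSEN to 192.168.110.76:59670
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76: deleting connection "xauth-psk-aggrmode" instance with peer 192.168.110.76 {isakmp=#0/ipsec=#0}
"""

# syslog prefix: "Mon DD HH:MM:SS host pluto[pid]: message"
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# pre-connection messages: "packet from A.B.C.D:port: ..."
PACKET_RE = re.compile(r'^packet from (?P<peer>[\d.]+):(?P<port>\d+): (?P<rest>.*)$')
# per-connection messages: '"conn"[inst] A.B.C.D #state: ...' (state number optional)
CONN_RE = re.compile(
    r'^"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>[\d.]+)(?: #(?P<state>\d+))?: (?P<rest>.*)$')

VENDOR_RE = re.compile(r'received Vendor ID payload \[(?P<vid>[^\]]+)\]')
UNSUPPORTED_RE = re.compile(r'^(?P<value>OAKLEY_\w+) is not supported\.\s+Attribute (?P<attr>OAKLEY_\w+)')
LIFETIME_RE = re.compile(r'peer requested (?P<req>\d+) seconds which exceeds our limit (?P<limit>\d+) seconds')
NOTIFY_RE = re.compile(r'sending notification (?P<notify>[A-Z_]+) to (?P<dst>\S+)')


def parse_pluto_line(line):
    """Return (peer_address, message_body) for a pluto line, or None for anything else."""
    m = PLUTO_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    for pattern in (PACKET_RE, CONN_RE):
        pm = pattern.match(msg)
        if pm:
            return pm.group('peer'), pm.group('rest')
    return None, msg  # pluto line with no peer context (e.g. startup messages)


def triage(log_text):
    """Build a per-peer summary of the negotiation from raw auth.log text."""
    peers = OrderedDict()
    for raw in log_text.splitlines():
        parsed = parse_pluto_line(raw.strip())
        if parsed is None or parsed[0] is None:
            continue  # skip non-pluto noise and peer-less lines
        peer, rest = parsed
        s = peers.setdefault(peer, {
            "vendor_ids": [], "aggressive_mode": False, "unsupported": {},
            "lifetime_requests": [], "no_acceptable_transform": False, "notification": None,
        })
        vm, um, lm, nm = (VENDOR_RE.search(rest), UNSUPPORTED_RE.match(rest),
                          LIFETIME_RE.search(rest), NOTIFY_RE.search(rest))
        if vm:
            if vm.group('vid') not in s["vendor_ids"]:
                s["vendor_ids"].append(vm.group('vid'))
        elif "responding to Aggressive Mode" in rest:
            s["aggressive_mode"] = True
        elif um:  # attribute -> set of values pluto refused
            s["unsupported"].setdefault(um.group('attr'), set()).add(um.group('value'))
        elif lm:
            pair = (int(lm.group('req')), int(lm.group('limit')))
            if pair not in s["lifetime_requests"]:
                s["lifetime_requests"].append(pair)
        elif "no acceptable Oakley Transform" in rest:
            s["no_acceptable_transform"] = True
        elif nm:
            s["notification"] = nm.group('notify')
    return peers


def explain(summary):
    """Turn one peer's summary into a list of plain-language findings."""
    findings = []
    if summary["aggressive_mode"]:
        findings.append("peer negotiated with IKEv1 Aggressive Mode")
    for attr, values in sorted(summary["unsupported"].items()):
        findings.append(f"{attr}: peer proposed {', '.join(sorted(values))}, rejected as unsupported")
    for req, limit in summary["lifetime_requests"]:
        findings.append(f"OAKLEY_LIFE_DURATION: peer asked for {req}s, local limit is {limit}s")
    if summary["no_acceptable_transform"]:
        findings.append("no transform in the peer's proposal was acceptable")
    if summary["notification"]:
        findings.append(f"exchange ended with {summary['notification']}")
    return findings


if __name__ == "__main__":
    for peer, summary in triage(SAMPLE_LOG).items():
        print(peer)
        for line in explain(summary):
            print("  -", line)
```

When run on a real auth.log, pass the unwrapped file contents; the soft line-wrapping that a mail client adds to a pasted log (as in the message above) would have to be joined first, since the parser keys on the syslog prefix at the start of each line.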



