[Swan] Cisco vpn client forces 1des encryption which libreswan not support
peter at krajci.sk
Fri Jul 11 15:12:49 EEST 2014
Hello everybody,
I followed the config tutorial
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
with small modifications, but the Cisco VPN client forces 1DES encryption,
which libreswan does not support anymore. Is there any solution to get it
working with the Cisco VPN client?
Auth log:
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [XAUTH]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [Dead Peer Detection]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [FRAGMENTATION 80000000]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [Cisco-Unity]
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[3] 192.168.110.76 #2: Aggressive mode peer ID is ID_KEY_ID: '<deleted>'
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[3] 192.168.110.76 #2: switched from "xauth-psk-xauth-aggrmode" to "xauth-psk-xauth-aggrmode"
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: deleting connection "xauth-psk-xauth-aggrmode" instance with peer 192.168.110.76 {isakmp=#0/ipsec=#0}
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: responding to Aggressive Mode, state #2, connection "xauth-psk-xauth-aggrmode" from 192.168.110.76
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: 1DES is not encryption
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: 1DES is not encryption
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: no acceptable Oakley Transform
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: sending notification NO_PROPOSAL_CHOSEN to 192.168.110.76:59670
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76: deleting connection "xauth-psk-aggrmode" instance with peer 192.168.110.76 {isakmp=#0/ipsec=#0}
I found some material about the modes the Cisco VPN client supports in this
document
(http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcA.pdf),
page 205, table 11-3. Then I tried some of the Preshared Keys (XAUTH) modes,
but with no luck. My ipsec.conf is the following:
config setup
    protostack=netkey
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24

conn xauth-psk-aggrmode
    aggrmode=yes
    authby=secret
    ike=3des-md5;modp1024
    phase2=esp
    phase2alg=3des-sha1
    pfs=no
    auto=add
    rekey=no
    left=<my real server IP>
    leftid=@vpn.nohats.ca
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.231.247.1-10.231.247.254
    right=%any
    modecfgdns1=<my real DNS server>
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok
    ike_frag=yes
    xauthfail=soft
Libreswan version:
Linux Libreswan 3.8 (netkey) on 3.2.0-4-amd64
Cisco VPN client version:
Cisco Systems VPN Client Version 5.0.07.0440
Everything works like a charm with the Shrew Soft VPN client, but I want
to get it working with the Cisco VPN client. I would be very glad for any
idea.
Thank you.
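Added example, not part of the original post or of libreswan: a small Python triage script that parses pluto log records like the ones pasted above and summarizes, per peer, which Vendor IDs the client announced, which IKE attributes pluto complained about and why, and how the negotiation ended (no acceptable transform, NO_PROPOSAL_CHOSEN). The embedded sample lines are the post's own records rejoined onto single lines; the regular expressions, field names and the diagnose() wording are my assumptions about the pluto log format, not a libreswan API.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: negotiation-relevant records from the post above,
# with the mail-wrapped lines rejoined. Content is otherwise what pluto logged.
SAMPLE_LOG = """\
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [XAUTH]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670: received Vendor ID payload [Cisco-Unity]
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: responding to Aggressive Mode, state #2, connection "xauth-psk-xauth-aggrmode" from 192.168.110.76
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: 1DES is not encryption
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: no acceptable Oakley Transform
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: sending notification NO_PROPOSAL_CHOSEN to 192.168.110.76:59670
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76: deleting connection "xauth-psk-aggrmode" instance with peer 192.168.110.76 {isakmp=#0/ipsec=#0}
"""

# Assumed syslog-style prefix: "<timestamp> <host> pluto[<pid>]: <body>"
LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<body>.*)$')
# Body before a state exists: "packet from <ip>:<port>: <msg>"
PACKET_RE = re.compile(r'^packet from (?P<peer>[\d.]+):\d+: (?P<msg>.*)$')
# Body once a connection instance exists: '"<conn>"[<n>] <ip> #<state>: <msg>'
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?: #(?P<state>\d+))?: (?P<msg>.*)$')
ATTR_RE = re.compile(r'Attribute (?P<attr>OAKLEY_[A-Z_]+)')
VID_RE = re.compile(r'received Vendor ID payload \[(?P<vid>[^\]]+)\]')
NOTIFY_RE = re.compile(r'sending notification (?P<notify>[A-Z_]+) to')


def parse_line(line):
    """Return {'peer', 'conn', 'msg'} for a pluto record, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group('body')
    pm = PACKET_RE.match(body)
    if pm:
        return {'peer': pm.group('peer'), 'conn': None, 'msg': pm.group('msg')}
    sm = STATE_RE.match(body)
    if sm:
        return {'peer': sm.group('peer'), 'conn': sm.group('conn'), 'msg': sm.group('msg')}
    return None


def summarize(log_text):
    """Group pluto messages by peer address and extract the negotiation outcome."""
    peers = defaultdict(lambda: {
        'vendor_ids': [],              # Vendor ID payloads the peer announced
        'attr_complaints': Counter(),  # how often pluto complained about each IKE attribute
        'reasons': {},                 # attribute -> distinct complaint texts
        'failed': False,               # pluto found no acceptable Oakley transform
        'notification': None,          # ISAKMP notification sent back, if any
    })
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        p = peers[ev['peer']]
        msg = ev['msg']
        vm = VID_RE.search(msg)
        if vm:
            p['vendor_ids'].append(vm.group('vid'))
            continue
        am = ATTR_RE.search(msg)
        if am:
            attr = am.group('attr')
            p['attr_complaints'][attr] += 1
            # Text before " Attribute X" is the reason pluto gave for that attribute.
            reason = msg.split(' Attribute ', 1)[0].rstrip('.')
            if reason not in p['reasons'].setdefault(attr, []):
                p['reasons'][attr].append(reason)
        if 'no acceptable Oakley Transform' in msg:
            p['failed'] = True
        nm = NOTIFY_RE.search(msg)
        if nm:
            p['notification'] = nm.group('notify')
    return dict(peers)


def diagnose(peer_summary):
    """Turn a per-peer summary into short findings a responder-side admin can act on."""
    findings = []
    enc = peer_summary['reasons'].get('OAKLEY_ENCRYPTION_ALGORITHM', [])
    if any('DES_CBC' in r for r in enc):
        findings.append('peer offered single DES (OAKLEY_DES_CBC), which libreswan rejects as "not encryption"')
    if peer_summary['failed']:
        notice = peer_summary['notification'] or 'no notification'
        findings.append(f'no proposed IKE transform matched the local ike= line; responder replied with {notice}')
    return findings


if __name__ == '__main__':
    for peer, summary in summarize(SAMPLE_LOG).items():
        print(peer, 'vendor IDs:', summary['vendor_ids'])
        for attr, reasons in summary['reasons'].items():
            print(f'  {attr} x{summary["attr_complaints"][attr]}: {reasons}')
        for finding in diagnose(summary):
            print('  finding:', finding)
```

Feed it `journalctl`/syslog output instead of SAMPLE_LOG to triage a real failed client; the per-attribute reason list shows at a glance whether the mismatch is the cipher, the authentication method or the lifetime.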