[Swan] Cisco vpn client forces 1des encryption which libreswan not support
peter at krajci.sk
Mon Jul 14 10:03:48 EEST 2014
In the Cisco VPN client you cannot change encryption settings. It should
automatically negotiate one of the methods supported by both sides, but it
does not. I also tried dumping the traffic, and the only thing I see is a
request from the host and a "no proposal chosen" answer from the server. I am
adding a log from the Cisco VPN client, but I am not sure if it helps.
5 08:59:19.441 07/14/14 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
6 08:59:19.441 07/14/14 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message
id: 0x00000000)
7 08:59:24.927 07/14/14 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 192.168.110.53. Inbound connections
are not allowed.
8 08:59:30.003 07/14/14 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 192.168.110.53. Inbound connections
are not allowed.
9 08:59:35.066 07/14/14 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 192.168.110.53. Inbound connections
are not allowed.
So libreswan does not work with Cisco VPN client group authentication. I
will try it with certificates and let you know if it works.
Peter
Quoting Paul Wouters <paul at nohats.ca>:
> On Fri, 11 Jul 2014, peter at krajci.sk wrote:
>
>> I followed the config tutorial
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
>> with small modifications, but the Cisco VPN client forces 1des
>> encryption, which libreswan does not support anymore. Is there any
>> solution to get it to work with the Cisco VPN client?
>
> That is a misconfiguration of that client. Please change its
> configuration. The Cisco client supports 3DES and most certainly AES.
>
> libreswan will never do 1DES, as it can be broken in hours on a $300
> computer.
>
>> Everything works like a charm with the Shrew Soft VPN client, but I
>> want to get it to work with the Cisco VPN client. I would be very glad for
>> every idea.
>
> Look for some options to unset "1des" or "des".
>
> Paul
>
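
Added example (not part of the original messages and not libreswan code): a small parser for the chained Transform payloads of an IKEv1 phase 1 proposal, to confirm from a traffic dump whether a client offers anything other than single DES before the server answers "no proposal chosen". The function names and the sample bytes are constructed for illustration; payload layout follows RFC 2408 and attribute values follow RFC 2409 Appendix A.

```python
import struct

# IKEv1 phase 1 attribute class/values: RFC 2409 Appendix A; AES-CBC: RFC 3602
ATTR_ENCRYPTION = 1
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
WEAK = {"DES-CBC"}

def parse_attributes(data):
    """Yield (type, value) for ISAKMP data attributes (RFC 2408 section 3.3)."""
    off = 0
    while off + 4 <= len(data):
        t, v = struct.unpack_from("!HH", data, off)
        off += 4
        if t & 0x8000:                  # AF=1: short form, value is in these 2 bytes
            yield t & 0x7FFF, v
        else:                           # AF=0: long form, v is the value length
            if off + v > len(data):
                raise ValueError("truncated attribute")
            yield t, int.from_bytes(data[off:off + v], "big")
            off += v

def offered_ciphers(transforms):
    """Walk chained Transform payloads (RFC 2408 section 3.6) -> [(number, cipher)]."""
    out, off = [], 0
    while off + 8 <= len(transforms):
        nxt, _, length, number, _tid = struct.unpack_from("!BBHBB", transforms, off)
        if length < 8 or off + length > len(transforms):
            raise ValueError("bad transform length")
        attrs = dict(parse_attributes(transforms[off + 8:off + length]))
        enc = attrs.get(ATTR_ENCRYPTION)
        out.append((number, ENC_NAMES.get(enc, f"unknown({enc})")))
        off += length
        if nxt == 0:                    # 0 = last transform, 3 = another follows
            break
    return out

def only_weak(transforms):
    """True when every offered transform uses a cipher the server should refuse."""
    names = [name for _, name in offered_ciphers(transforms)]
    return bool(names) and all(name in WEAK for name in names)

def _transform(number, enc, last):
    # Constructed sample: encryption=enc, hash=SHA(2), auth=PSK(1), group=modp1024(2)
    attrs = struct.pack("!8H", 0x8001, enc, 0x8002, 2, 0x8003, 1, 0x8004, 2)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), number, 1, 0) + attrs

SAMPLE_DES_ONLY = _transform(1, 1, True)
SAMPLE_MIXED = _transform(1, 7, False) + _transform(2, 5, False) + _transform(3, 1, True)

if __name__ == "__main__":
    print(offered_ciphers(SAMPLE_DES_ONLY), only_weak(SAMPLE_DES_ONLY))
```
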