[Swan] Cisco VPN client forces 1DES encryption, which libreswan does not support

peter at krajci.sk
Mon Jul 14 10:03:48 EEST 2014


In the Cisco VPN client you cannot change the encryption settings. It should
automatically negotiate one of the methods supported by both sides, but it
does not. I also tried dumping the traffic, and the only thing I see is the
request from the host and the answer "no proposal chosen" from the server. I am
adding the log from the Cisco VPN client, but I am not sure if it helps.


5      08:59:19.441  07/14/14  Sev=Warning/2	IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
6      08:59:19.441  07/14/14  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message  
id: 0x00000000)
7      08:59:24.927  07/14/14  Sev=Warning/2	IKE/0xA3000062
Attempted incoming connection from 192.168.110.53. Inbound connections  
are not allowed.
8      08:59:30.003  07/14/14  Sev=Warning/2	IKE/0xA3000062
Attempted incoming connection from 192.168.110.53. Inbound connections  
are not allowed.
9      08:59:35.066  07/14/14  Sev=Warning/2	IKE/0xA3000062
Attempted incoming connection from 192.168.110.53. Inbound connections  
are not allowed.


So libreswan does not work with the Cisco VPN client group authentication. I
will try it with certificates and let you know if it works.

Peter



Quoting Paul Wouters <paul at nohats.ca>:

> On Fri, 11 Jul 2014, peter at krajci.sk wrote:
>
>> I followed the config tutorial
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
>> with small modifications, but the Cisco VPN client forces 1DES
>> encryption, which libreswan does not support anymore. Is there any
>> solution for getting it to work with the Cisco VPN client?
>
> That is a misconfiguration of that client. Please change its
> configuration. The Cisco client supports 3DES and most certainly AES.
>
> libreswan will never do 1DES, as it can be broken in hours on a $300
> computer.
>
>> Everything works like a charm with the Shrew Soft VPN client, but I
>> want to get it working with the Cisco VPN client. I would be very glad for
>> any idea.
>
> Look for some options to unset "1des" or "des".
>
> Paul
>
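The thread above hinges on IKEv1 Phase 1 proposal matching: the initiator (the Cisco client) sends a list of transforms, the responder (libreswan) accepts the first one its policy permits, and if none matches it replies NO_PROPOSAL_CHOSEN. The following Python is an added illustration of that matching, not code from libreswan or from anyone in the thread; the policy string format mimics libreswan's ike= syntax ("enc-hash;group,..."), the default-group fallback is an assumption of this toy, and the sample transform lists are constructed, not captured from the client log.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    """One IKEv1 Phase 1 transform: encryption, integrity hash, DH group."""
    encryption: str   # e.g. "des", "3des", "aes128", "aes256"
    hash_alg: str     # e.g. "md5", "sha1", "sha2"
    dh_group: str     # e.g. "modp1024", "modp2048"


NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"


def parse_policy(policy: str, default_group: str = "modp2048") -> list[Transform]:
    """Parse a libreswan-style ike= string such as
    '3des-sha1;modp1024,aes256-sha2;modp2048' into Transform objects.
    Toy parser: it accepts exactly 'enc-hash[;group]' items separated by commas;
    a missing ';group' falls back to default_group (an assumption of this
    example, not libreswan's actual defaulting rule)."""
    transforms = []
    for item in policy.split(","):
        item = item.strip()
        if not item:
            continue
        enc_hash, _, group = item.partition(";")
        enc, _, hash_alg = enc_hash.partition("-")
        if not enc or not hash_alg:
            raise ValueError(f"malformed transform: {item!r}")
        transforms.append(Transform(enc, hash_alg, group or default_group))
    return transforms


def choose_proposal(offered: list[Transform], policy: list[Transform]):
    """Simplified responder-side Phase 1 SA selection: walk the initiator's
    offered transforms in order and accept the first one that is also in the
    responder's policy. Returns the chosen Transform, or NO_PROPOSAL_CHOSEN
    when the two sides have no transform in common."""
    acceptable = set(policy)
    for transform in offered:
        if transform in acceptable:
            return transform
    return NO_PROPOSAL_CHOSEN


def explain(offered: list[Transform], policy: list[Transform]) -> str:
    """Human-readable summary of the negotiation outcome, useful when reading
    a 'no proposal chosen' in a packet capture."""
    result = choose_proposal(offered, policy)
    if result == NO_PROPOSAL_CHOSEN:
        offered_enc = sorted({t.encryption for t in offered})
        allowed_enc = sorted({t.encryption for t in policy})
        return (f"{NO_PROPOSAL_CHOSEN}: initiator offered only {offered_enc}, "
                f"responder allows {allowed_enc}")
    return f"agreed {result.encryption}-{result.hash_alg};{result.dh_group}"


# Constructed sample inputs (not taken from the thread's log).
# A client that offers nothing but single DES, as described in the thread:
CISCO_DES_ONLY = [
    Transform("des", "md5", "modp1024"),
    Transform("des", "sha1", "modp1024"),
]
# The same client after its profile is changed to offer 3DES:
CISCO_3DES = [
    Transform("3des", "sha1", "modp1024"),
    Transform("3des", "md5", "modp1024"),
]
# A responder policy in libreswan's ike= style that excludes DES entirely:
LIBRESWAN_POLICY = parse_policy(
    "3des-sha1;modp1024,aes128-sha1;modp1024,aes256-sha2;modp2048"
)


if __name__ == "__main__":
    print(explain(CISCO_DES_ONLY, LIBRESWAN_POLICY))
    print(explain(CISCO_3DES, LIBRESWAN_POLICY))
```

Run as a script, the first line reports NO_PROPOSAL_CHOSEN because the intersection of {des} and {3des, aes128, aes256} is empty, which is the exchange Peter saw in his capture; the second line reports the agreed 3DES transform, which is the outcome Paul's advice (remove DES from the client side) aims for. The responder never widens its policy to meet the initiator; the fix lives on the client.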