[Swan] Cisco vpn client forces 1des encryption which libreswan not support
Paul Wouters
paul at nohats.ca
Mon Jul 14 17:21:54 EEST 2014
On Mon, 14 Jul 2014, peter at krajci.sk wrote:
> In cisco vpn client you cannot change encryption settings. It should
> negotiate automatically one of the methods both sides support, but it does not.
If it sends more than just 1DES, that's fine and we will pick another
transform.
> 5 08:59:19.441 07/14/14 Sev=Warning/2 IKE/0xE300009B
> Invalid SPI size (PayloadNotify:116)
> 6 08:59:19.441 07/14/14 Sev=Warning/3 IKE/0xA3000058
> Received malformed message or negotiation no longer active (message id:
> 0x00000000)
That just means an old attempt is tried again. It's harmless.
> 7 08:59:24.927 07/14/14 Sev=Warning/2 IKE/0xA3000062
> Attempted incoming connection from 192.168.110.53. Inbound connections are
> not allowed.
That seems to be a rejection. If it really does not like unbound ones,
can you generate some traffic behind the cisco so the cisco initiates
the tunnel on demand?
> So libreswan does not work with cisco vpn client group authentication. I will
> try it with certificates and let you know if it works.
Group authentication usually means PreSharedKey, and not
RSA/certificates. You would need to specify this in your configuration,
e.g.: rightid=@[GroupName]
The [brackets] are needed on Cisco to use opaque identifiers of type ID_KEY_ID.
You put the preshared key in ipsec.secrets with that identifier as well.
Paul
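Added example (not from the thread or the libreswan project): an ipsec.conf connection and matching ipsec.secrets entry that put the rightid/PSK advice above into practice and offer only non-1DES transforms. The conn name, gateway ID, proposal and placeholder key are assumptions.

```ini
# /etc/ipsec.conf fragment (added example; names and values are assumptions)
conn ciscogroup
    left=%defaultroute
    leftid=@vpngateway.example.com    # assumed gateway identity
    right=%any                        # clients connect from anywhere
    rightid=@[GroupName]              # brackets => Cisco opaque ID_KEY_ID, as in the reply
    authby=secret                     # "group authentication" = pre-shared key, not RSA
    aggressive=yes                    # Cisco VPN client uses aggressive mode with a group PSK
    ike=aes128-sha1;modp1024          # no 1DES on offer; the client picks a transform both sides support
    auto=add                          # wait for the client to initiate

# /etc/ipsec.secrets (added example; placeholder key, replace before use)
# The PSK is indexed by the same opaque identifier used in rightid.
@[GroupName] : PSK "REPLACE_WITH_GROUP_PASSWORD"
```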