[Swan] Migrating from vpnc to libreswan to connect to Cisco ASAv 9.13

Nathan Strong gblues at gmail.com
Sat Sep 26 07:11:40 UTC 2020


Hello all,

I've done some cursory searching but I haven't seen my issue addressed.

We have a Cisco ASAv that we've been using vpnc to open an IPsec tunnel to. The
vpnc client seems to have issues handling rekey events, and is quite old,
so I am trying to connect to the same VPN gateway using libreswan to do
comparative testing. So far, I have not been successful in establishing a
link.

I am using CentOS 8, which comes with libreswan 3.29

For reference, here is the vpnc config (items in brackets are redacted):

IPSec ID <our_ipsec_group_id>
IPSec gateway <gateway_ip>
IPSec obfuscated secret <obfuscated-psk>
Local Port 0
Xauth password <vpn user password>
Xauth username <vpn username>

To map this to libreswan, I've done the following:

/etc/ipsec.d/myconn.secrets contains:
# note that <psk> is the de-obfuscated form of <obfuscated-psk> contained in the vpnc config
<gateway_ip> %any : PSK "<psk>"
@<vpn username> : XAUTH "<vpn user password>"

/etc/ipsec.d/myconn.conf contains:
conn myconn
  ikev2=no
  authby=secret
  left=%defaultroute
  leftxauthclient=yes
  leftmodecfgclient=yes
  leftxauthusername=<vpn username>
  leftid=@<our_ipsec_group_id>
  right=<gateway_ip>
  rightxauthserver=yes
  rightmodecfgserver=yes
  rightid=@<our_ipsec_group_id>
  ike_frag=yes
  auto=ignore
  ike=aes256-sha1;dh2
  phase2=esp
  phase2alg=aes256-sha1;dh2
  nat-ikev1-method=rfc
  remote-peer-type=cisco
  salifetime=900

(I'm aware several of these settings are insecure, such as dh2)

I use the following commands to attempt to bring up the tunnel:
ipsec auto --add myconn
ipsec auto --up myconn

When I do this, I get the following output:

002 "myconn" #1: initiating Main Mode
104 "myconn" #1: STATE_MAIN_I1: initiate
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for
response
003 "myconn" #1: ignoring informational payload INVALID_COOKIE,
msgid=00000000, length=40
003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE

The last three lines repeat with increasing retransmission delays.

On the ASAv side, I get this interesting error:

%ASA-4-713903: Group = <my ip>, IP = <my ip>, Can't find a valid tunnel
group, aborting...!
%ASA-4-713903: IP = <my ip> Header invalid, missing SA payload! (next
payload = 4)

On working clients, it will show Group = <our_ipsec_group_id>

The documentation I've read says the `leftid` parameter should set this,
and I've tried both "leftid=@[<our_ipsec_group_id>]" and
"leftid=@<our_ipsec_group_id>" to no avail.

So, that's where I'm presently stuck.

TL;DR: under what circumstances would libreswan insist on sending the IP as
the group instead of what's set as `leftid`? Can I get there from here?

Thanks,

Nathan
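Added example (not from the original post and not the libreswan project's own documentation): the reason the ASA logs Group = <my ip> is that in IKEv1 Main Mode with a pre-shared key the initiator's ID payload is only sent in message 5, encrypted with keys derived from the PSK, so the responder can only select a PSK peer (and, on an ASA, a tunnel group) by source IP address; leftid never reaches the gateway before that choice is made. vpnc uses Aggressive Mode, where the ID (type ID_KEY_ID, carrying the group name) travels in the very first message. The fragment below keeps the posted placeholders and values and changes only what that implies: `aggressive=yes` (spelled `aggrmode=yes` in older libreswan releases; which spelling 3.29 prefers is an assumption to check in its ipsec.conf(5)), `leftid=@[...]` for ID_KEY_ID, and no `rightid`, since the ASA identifies itself by the IP already given in `right=`. The secrets file stays as posted.

```conf
# Added example /etc/ipsec.d/myconn.conf for a Cisco remote-access tunnel
# group. Not the author's config and not from the libreswan project; angle
# bracket placeholders are the same ones used in the original post.
conn myconn
  ikev2=no
  # Cisco group-based PSK authentication needs Aggressive Mode: the
  # initiator's ID is in message 1, so the ASA can pick the tunnel group
  # before it looks up the pre-shared key. In Main Mode the ID is only sent
  # (encrypted) in message 5, which is why the ASA logs Group = <my ip>.
  # Older libreswan releases spell this option aggrmode=yes.
  aggressive=yes
  authby=secret
  left=%defaultroute
  # @[...] makes libreswan send ID_KEY_ID, the ID type vpnc uses for "IPSec ID"
  leftid=@[<our_ipsec_group_id>]
  leftxauthclient=yes
  leftmodecfgclient=yes
  leftxauthusername=<vpn username>
  right=<gateway_ip>
  # no rightid: the ASA identifies itself by its IP address, which right= gives
  rightxauthserver=yes
  rightmodecfgserver=yes
  ike_frag=yes
  auto=ignore
  # Aggressive Mode carries a single proposal, so keep exactly one ike= entry.
  # The author's algorithm, PFS and lifetime values are kept unchanged below;
  # they still have to match the ASA's IKE policy and crypto map.
  ike=aes256-sha1;dh2
  phase2=esp
  phase2alg=aes256-sha1;dh2
  nat-ikev1-method=rfc
  remote-peer-type=cisco
  salifetime=900
```

Loading it with the same `ipsec auto --add myconn` and `ipsec auto --up myconn` as above should change the first log line from "initiating Main Mode" to "initiating Aggressive Mode", and the ASA side should then log Group = <our_ipsec_group_id> as it does for vpnc. One caveat to keep in mind: Aggressive Mode with a PSK exposes a hash computed from that PSK to any on-path observer, which allows offline guessing of the group secret; this is the same exposure vpnc already has, not something the migration adds, but it is a reason to prefer IKEv2 or certificate authentication once the comparison is done.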