[Swan] Migrating from vpnc to libreswan to connect to Cisco ASAv 9.13
gblues at gmail.com
Sat Sep 26 07:11:40 UTC 2020
I've done some cursory searching but I haven't seen my issue addressed.
We have a Cisco ASAv that we've been using vpnc to open an IPsec tunnel. The
vpnc client seems to have issues handling rekey events, and is quite old,
so I am trying to connect to the same VPN gateway using libreswan to do
comparative testing. So far, I have not been successful in establishing a
I am using CentOS 8, which comes with libreswan 3.29.
For reference, here is the vpnc config (items in brackets are redacted):
IPSec ID <our_ipsec_group_id>
IPSec gateway <gateway_ip>
IPSec obfuscated secret <obfuscated-psk>
Local Port 0
Xauth password <vpn user password>
Xauth username <vpn username>
To map this to libreswan, I've done the following:
# note that <psk> is the de-obfuscated form of <obfuscated-psk> contained in the vpnc config
<gateway_ip> %any : PSK "<psk>"
@<vpn username> : XAUTH "<vpn user password>"
(I'm aware several of these settings are insecure, such as dh2)
I use the following commands to attempt to bring up the tunnel:
ipsec auto --add myconn
ipsec auto --up myconn
When I do this, I get the following output:
002 "myconn" #1: initiating Main Mode
104 "myconn" #1: STATE_MAIN_I1: initiate
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for
003 "myconn" #1: ignoring informational payload INVALID_COOKIE,
003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE
The last three lines repeat with increasing retransmission delays.
On the ASAv side, I get this interesting error:
%ASA-4-713903: Group = <my ip>, IP = <my ip>, Can't find a valid tunnel
%ASA-4-713903: IP = <my ip> Header invalid, missing SA payload! (next payload = 4)
On working clients, it will show Group = <our_ipsec_group_id>.
The documentation I've read says the `leftid` parameter should set this,
and I've tried both "leftid=@[<our_ipsec_group_id>]" and
"leftid=@<our_ipsec_group_id>" to no avail.
So, that's where I'm presently stuck.
TL;DR: under what circumstances would libreswan insist on sending the IP as
the group instead of what's set as `leftid`? Can I get there from here?
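Added example (not part of the original post): a libreswan conn plus the matching ipsec.secrets lines for an IKEv1 Aggressive Mode XAUTH/PSK client, which is the exchange that vpnc's "IPSec ID" group name corresponds to. In Main Mode, the mode the log above shows, the initiator's ID payload travels in the encrypted third exchange, so a PSK responder can only pick the tunnel by the peer's IP address, whereas Aggressive Mode sends the ID in its first message. Angle-bracket placeholders follow the post; the cipher and DH choices are assumptions that must match the ASA's IKEv1 policy and transform set.

```ini
# /etc/ipsec.conf (added example; placeholders follow the post)
conn myconn
    ikev2=never              # IKEv1 only; newer libreswan releases spell this ikev2=no
    aggressive=yes           # Aggressive Mode: the group ID is sent in the first message
    authby=secret
    leftid=@[<our_ipsec_group_id>]   # @[...] = ID_KEY_ID, i.e. the Cisco group name
    left=%defaultroute
    leftxauthclient=yes      # perform XAUTH as the client after phase 1
    leftxauthusername=<vpn username>
    leftmodecfgclient=yes    # accept the virtual IP/DNS the ASA pushes
    modecfgpull=yes
    remote_peer_type=cisco   # Cisco Unity extensions (split tunnel, banner)
    right=<gateway_ip>
    rightsubnet=0.0.0.0/0
    ike=aes256-sha1;modp1024    # assumption: match the ASA policy (dh2 = modp1024)
    phase2alg=aes256-sha1       # assumption: match the ASA transform set
    auto=add

# /etc/ipsec.secrets
# The PSK is looked up by the IKE identities of both ends: the group ID
# sent as leftid and the gateway address.
@[<our_ipsec_group_id>] <gateway_ip> : PSK "<psk>"
@<vpn username> : XAUTH "<vpn user password>"
```

After editing both files, `ipsec auto --add myconn` and `ipsec auto --up myconn` as in the post; the first log line should then read "initiating Aggressive Mode" instead of "initiating Main Mode".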