[Swan] Migrating from vpnc to libreswan to connect to Cisco ASAv 9.13
Nathan Strong
gblues at gmail.com
Sat Sep 26 07:11:40 UTC 2020
Hello all,
I've done some cursory searching but I haven't seen my issue addressed.
We have a Cisco ASAv that we've been using vpnc to open an IPsec tunnel to. The
vpnc client seems to have issues handling rekey events, and is quite old,
so I am trying to connect to the same VPN gateway using libreswan to do
comparative testing. So far, I have not been successful in establishing a
link.
I am using CentOS 8, which comes with libreswan 3.29.
For reference, here is the vpnc config (items in brackets are redacted):
IPSec ID <our_ipsec_group_id>
IPSec gateway <gateway_ip>
IPSec obfuscated secret <obfuscated-psk>
Local Port 0
Xauth password <vpn user password>
Xauth username <vpn username>
To map this to libreswan, I've done the following:
/etc/ipsec.d/myconn.secrets contains:
# note that <psk> is the de-obfuscated form of <obfuscated-psk> contained
# in the vpnc config
<gateway_ip> %any : PSK "<psk>"
@<vpn username> : XAUTH "<vpn user password>"
/etc/ipsec.d/myconn.conf contains:
conn myconn
    ikev2=no
    authby=secret
    left=%defaultroute
    leftxauthclient=yes
    leftmodecfgclient=yes
    leftxauthusername=<vpn username>
    leftid=@<our_ipsec_group_id>
    right=<gateway_ip>
    rightxauthserver=yes
    rightmodecfgserver=yes
    rightid=@<our_ipsec_group_id>
    ike_frag=yes
    auto=ignore
    ike=aes256-sha1;dh2
    phase2=esp
    phase2alg=aes256-sha1;dh2
    nat-ikev1-method=rfc
    remote-peer-type=cisco
    salifetime=900
(I'm aware several of these settings are insecure, such as dh2)
I use the following commands to attempt to bring up the tunnel:
ipsec auto --add myconn
ipsec auto --up myconn
When I do this, I get the following output:
002 "myconn" #1: initiating Main Mode
104 "myconn" #1: STATE_MAIN_I1: initiate
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
003 "myconn" #1: ignoring informational payload INVALID_COOKIE, msgid=00000000, length=40
003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE
The last three lines repeat with increasing retransmission delays.
On the ASAv side, I get this interesting error:
%ASA-4-713903: Group = <my ip>, IP = <my ip>, Can't find a valid tunnel group, aborting...!
%ASA-4-713903: IP = <my ip> Header invalid, missing SA payload! (next payload = 4)
On working clients, it will show Group = <our_ipsec_group_id>.
The documentation I've read says the `leftid` parameter should set this,
and I've tried both "leftid=@[<our_ipsec_group_id>]" and
"leftid=@<our_ipsec_group_id>" to no avail.
So, that's where I'm presently stuck.
TL;DR: under what circumstances would libreswan insist on sending the IP as
the group instead of what's set as `leftid`? Can I get there from here?
Thanks,
Nathan
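As an added example (editor's addition, not part of the original post and not the libreswan project's own documentation), here is how the vpnc profile above maps onto a libreswan IKEv1 configuration when the gateway identifies clients by group name. vpnc negotiates IKEv1 aggressive mode by default. In main mode with a pre-shared key, the ID payload is only sent in the third, encrypted exchange, so the responder has to choose a key, and with it a tunnel group, by the initiator's IP address before it ever sees the group name; the ASA log lines above showing Group = <my ip> are the behaviour you would expect from main mode. The example therefore assumes the ASA tunnel group is configured for IKEv1 aggressive mode with PSK plus XAUTH (the mode vpnc used), keeps the post's own placeholders, and keys the PSK secret by the group ID because libreswan selects the secret by the connection's IDs. The `aggrmode=yes` setting and the ID-keyed secret line are the assumptions; everything else is carried over from the post.

```ini
# /etc/ipsec.d/myconn.secrets  (assumed layout; placeholders as in the post)
# PSK lookup is by the IDs on the connection, so key it by the group ID
# rather than by the gateway address.
@<our_ipsec_group_id> : PSK "<psk>"
@<vpn username> : XAUTH "<vpn user password>"

# /etc/ipsec.d/myconn.conf
conn myconn
    ikev2=no
    # Aggressive mode carries the ID in the very first message, so the ASA can
    # select the tunnel group by name before it has to pick a PSK (vpnc's default).
    aggrmode=yes
    authby=secret
    left=%defaultroute
    leftid=@<our_ipsec_group_id>
    leftxauthclient=yes
    leftxauthusername=<vpn username>
    leftmodecfgclient=yes
    right=<gateway_ip>
    # Must match the ID the ASA actually sends back; kept as in the post.
    rightid=@<our_ipsec_group_id>
    rightxauthserver=yes
    rightmodecfgserver=yes
    remote-peer-type=cisco
    nat-ikev1-method=rfc
    ike_frag=yes
    ike=aes256-sha1;dh2
    phase2=esp
    phase2alg=aes256-sha1;dh2
    salifetime=900
    # auto=add loads the conn at startup; "ipsec auto --up myconn" still brings it up.
    auto=add
```

After changing the secrets file, run `ipsec secrets` (or restart the service) so the new PSK entry is read, then `ipsec auto --up myconn`; a successful aggressive mode exchange logs STATE_AGGR_I1/I2 states instead of the STATE_MAIN_I2 retransmissions seen above, and the ASA log should show the group name rather than the peer address.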