[Swan] Migrating from vpnc to libreswan to connect to Cisco ASAv 9.13

Paul Wouters paul at nohats.ca
Sat Sep 26 14:55:11 UTC 2020


Try aggressive=yes ?

Also, DH2 support has been disabled - it is too weak. Try using dh5.

Sent from my iPhone

> On Sep 26, 2020, at 03:12, Nathan Strong <gblues at gmail.com> wrote:
> 
> 
> Hello all,
> 
> I've done some cursory searching but I haven't seen my issue addressed.
> 
> We have a Cisco ASAv that we've been using vpnc to open an IPsec tunnel to. The vpnc client seems to have issues handling rekey events, and is quite old, so I am trying to connect to the same VPN gateway using libreswan to do comparative testing. So far, I have not been successful in establishing a link.
> 
> I am using CentOS 8, which comes with libreswan 3.29.
> 
> For reference, here is the vpnc config (items in brackets are redacted):
> 
> IPSec ID <our_ipsec_group_id>
> IPSec gateway <gateway_ip>
> IPSec obfuscated secret <obfuscated-psk>
> Local Port 0
> Xauth password <vpn user password>
> Xauth username <vpn username>
> 
> To map this to libreswan, I've done the following:
> 
> /etc/ipsec.d/myconn.secrets contains:
> # note that <psk> is the de-obfuscated form of <obfuscated-psk> contained in the vpnc config
> <gateway_ip> %any : PSK "<psk>"
> @<vpn username> : XAUTH "<vpn user password>"
> 
> /etc/ipsec.d/myconn.conf contains:
> conn myconn
>   ikev2=no
>   authby=secret
>   left=%defaultroute
>   leftxauthclient=yes
>   leftmodecfgclient=yes
>   leftxauthusername=<vpn username>
>   leftid=@<our_ipsec_group_id>
>   right=<gateway_ip>
>   rightxauthserver=yes
>   rightmodecfgserver=yes
>   rightid=@<our_ipsec_group_id>
>   ike_frag=yes
>   auto=ignore
>   ike=aes256-sha1;dh2
>   phase2=esp
>   phase2alg=aes256-sha1;dh2
>   nat-ikev1-method=rfc
>   remote-peer-type=cisco
>   salifetime=900
> 
> (I'm aware several of these settings are insecure, such as dh2)
> 
> I use the following commands to attempt to bring up the tunnel:
> ipsec auto --add myconn
> ipsec auto --up myconn
> 
> When I do this, I get the following output:
> 
> 002 "myconn" #1: initiating Main Mode
> 104 "myconn" #1: STATE_MAIN_I1: initiate
> 106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
> 003 "myconn" #1: ignoring informational payload INVALID_COOKIE, msgid=00000000, length=40
> 003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE
> 
> The last three lines repeat with increasing retransmission delays.
> 
> On the ASAv side, I get this interesting error:
> 
> %ASA-4-713903: Group = <my ip>, IP = <my ip>, Can't find a valid tunnel group, aborting...!
> %ASA-4-713903: IP = <my ip> Header invalid, missing SA payload! (next payload = 4)
> 
> On working clients, it will show Group = <our_ipsec_group_id>
> 
> The documentation I've read says the `leftid` parameter should set this, and I've tried both "leftid=@[<our_ipsec_group_id>]" and "leftid=@<our_ipsec_group_id>" to no avail.
> 
> So, that's where I'm presently stuck.
> 
> TL;DR: under what circumstances would libreswan insist on sending the IP as the group instead of what's set as `leftid`? Can I get there from here?
> 
> Thanks,
> 
> Nathan
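As an added example (not code from the thread, libreswan or vpnc), a small Python script that performs the vpnc.conf to libreswan mapping Nathan describes, with the two changes from Paul's reply folded in: aggressive=yes, because in IKEv1 Main Mode the ID payload is only sent encrypted in the fifth message, so the ASA can only key on the peer's IP address (hence its `Group = <my ip>` log line), and dh5 in place of the disabled dh2. The sample vpnc.conf values, leaving `rightid` at its default, and refusing an undecoded `IPSec obfuscated secret` are this example's assumptions.

```python
"""Map a vpnc.conf (as in the post) onto a libreswan IKEv1 XAUTH conn and a
secrets entry, applying the two fixes from Paul's reply: aggressive=yes, so the
group ID is sent in the first IKE message where the ASA can pick a tunnel group
by it, and dh5 in place of the disabled dh2. Example code, not libreswan's own."""

# Constructed vpnc.conf. vpnc's 'IPSec obfuscated secret' must be decoded to a
# plain 'IPSec secret' before conversion; this script does not decode it.
VPNC_CONF = """\
IPSec ID examplegroup
IPSec gateway 192.0.2.1
IPSec secret examplepsk
Xauth username alice
Xauth password s3cret
"""
VPNC_KEYS = ("IPSec ID", "IPSec gateway", "IPSec secret",
             "IPSec obfuscated secret", "Xauth username", "Xauth password")

def parse_vpnc(text):
    # vpnc.conf lines are '<multi-word key> <value>'; match against known keys
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        key = next((k for k in VPNC_KEYS if line.startswith(k + " ")), None)
        if key:
            conf[key] = line[len(key):].strip()
    return conf

def to_libreswan(conf, name="myconn"):
    # Returns (conn section for ipsec.conf, lines for ipsec.secrets)
    if "IPSec secret" not in conf:
        raise ValueError("decode 'IPSec obfuscated secret' to a plain PSK first")
    group, gw, user = conf["IPSec ID"], conf["IPSec gateway"], conf["Xauth username"]
    conn = "\n".join([
        f"conn {name}",
        "  ikev2=no",
        "  aggressive=yes",          # ID payload goes in message 1, not encrypted MI5
        "  authby=secret",
        "  left=%defaultroute",
        f"  leftid=@{group}",        # the name the ASA logs as 'Group =' on success
        "  leftxauthclient=yes",
        "  leftmodecfgclient=yes",
        f"  leftxauthusername={user}",
        f"  right={gw}",             # rightid stays at its default, the gateway address
        "  rightxauthserver=yes",
        "  rightmodecfgserver=yes",
        "  ike=aes256-sha1;dh5",     # dh2 is disabled as too weak; dh5 per the reply
        "  phase2alg=aes256-sha1;dh5",
        "  remote-peer-type=cisco",
    ])
    secrets = "\n".join([f'{gw} %any : PSK "{conf["IPSec secret"]}"',
                         f'@{user} : XAUTH "{conf["Xauth password"]}"'])
    return conn, secrets
```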