[Swan] Migrating from vpnc to libreswan to connect to Cisco ASAv 9.13
Paul Wouters
paul at nohats.ca
Sat Sep 26 14:55:11 UTC 2020
Try aggressive=yes?
Also, DH2 support has been disabled - it is too weak. Try using dh5.
Sent from my iPhone
> On Sep 26, 2020, at 03:12, Nathan Strong <gblues at gmail.com> wrote:
>
>
> Hello all,
>
> I've done some cursory searching but I haven't seen my issue addressed.
>
> We have a Cisco ASAv that we've been using vpnc to open an IPsec tunnel to. The vpnc client seems to have issues handling rekey events, and is quite old, so I am trying to connect to the same VPN gateway using libreswan to do comparative testing. So far, I have not been successful in establishing a link.
>
> I am using CentOS 8, which comes with libreswan 3.29.
>
> For reference, here is the vpnc config (items in brackets are redacted):
>
> IPSec ID <our_ipsec_group_id>
> IPSec gateway <gateway_ip>
> IPSec obfuscated secret <obfuscated-psk>
> Local Port 0
> Xauth password <vpn user password>
> Xauth username <vpn username>
>
> To map this to libreswan, I've done the following:
>
> /etc/ipsec.d/myconn.secrets contains:
> # note that <psk> is the de-obfuscated form of <obfuscated-psk> contained in the vpnc config
> <gateway_ip> %any : PSK "<psk>"
> @<vpn username> : XAUTH "<vpn user password>"
>
> /etc/ipsec.d/myconn.conf contains:
> conn myconn
>     ikev2=no
>     authby=secret
>     left=%defaultroute
>     leftxauthclient=yes
>     leftmodecfgclient=yes
>     leftxauthusername=<vpn username>
>     leftid=@<our_ipsec_group_id>
>     right=<gateway_ip>
>     rightxauthserver=yes
>     rightmodecfgserver=yes
>     rightid=@<our_ipsec_group_id>
>     ike_frag=yes
>     auto=ignore
>     ike=aes256-sha1;dh2
>     phase2=esp
>     phase2alg=aes256-sha1;dh2
>     nat-ikev1-method=rfc
>     remote-peer-type=cisco
>     salifetime=900
>
> (I'm aware several of these settings are insecure, such as dh2)
>
> I use the following commands to attempt to bring up the tunnel:
> ipsec auto --add myconn
> ipsec auto --up myconn
>
> When I do this, I get the following output:
>
> 002 "myconn" #1: initiating Main Mode
> 104 "myconn" #1: STATE_MAIN_I1: initiate
> 106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
> 003 "myconn" #1: ignoring informational payload INVALID_COOKIE, msgid=00000000, length=40
> 003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE
>
> The last three lines repeat with increasing retransmission delays.
>
> On the ASAv side, I get this interesting error:
>
> %ASA-4-713903: Group = <my ip>, IP = <my ip>, Can't find a valid tunnel group, aborting...!
> %ASA-4-713903: IP = <my ip> Header invalid, missing SA payload! (next payload = 4)
>
> On working clients, it will show Group = <our_ipsec_group_id>
>
> The documentation I've read says the `leftid` parameter should set this, and I've tried both "leftid=@[<our_ipsec_group_id>]" and "leftid=@<our_ipsec_group_id>" to no avail.
>
> So, that's where I'm presently stuck.
>
> TL;DR: under what circumstances would libreswan insist on sending the IP as the group instead of what's set as `leftid`? Can I get there from here?
>
> Thanks,
>
> Nathan
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
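The conn block and the pluto output quoted above, run through a small lint script added here as an example (my code, not libreswan's tooling and not code from the thread). It flags the two issues Paul's reply raises, no aggressive=yes on an IKEv1 PSK+XAUTH conn to a Cisco group and dh2 in both proposals, emits the corrected conn, and recognises the "stuck at MI2 with INVALID_COOKIE" pattern in the log. The function names and the WEAK_DH set are my assumptions. The reason the ASA logs "Group = <my ip>" in Main Mode is that with PSK authentication the ID payload is only sent after the DH exchange, so the responder has to select the key by peer address; Cisco group-name PSK clients therefore use Aggressive Mode.

```python
"""Lint a libreswan IKEv1/XAUTH conn for the problems discussed in the thread.

Hypothetical helper written for this thread; not part of libreswan.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: the conn block from the original post, placeholders kept.
POSTED_CONN = """\
conn myconn
    ikev2=no
    authby=secret
    left=%defaultroute
    leftxauthclient=yes
    leftmodecfgclient=yes
    leftxauthusername=<vpn username>
    leftid=@<our_ipsec_group_id>
    right=<gateway_ip>
    rightxauthserver=yes
    rightmodecfgserver=yes
    rightid=@<our_ipsec_group_id>
    ike_frag=yes
    auto=ignore
    ike=aes256-sha1;dh2
    phase2=esp
    phase2alg=aes256-sha1;dh2
    nat-ikev1-method=rfc
    remote-peer-type=cisco
    salifetime=900
"""

# Constructed input: the pluto lines quoted in the post.
POSTED_LOG = [
    '002 "myconn" #1: initiating Main Mode',
    '104 "myconn" #1: STATE_MAIN_I1: initiate',
    '106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2',
    '010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response',
    '003 "myconn" #1: ignoring informational payload INVALID_COOKIE, msgid=00000000, length=40',
    '003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE',
]

# DH groups libreswan no longer accepts (assumed set; dh2 is the one from Paul's reply).
WEAK_DH = {"dh1", "dh2", "modp768", "modp1024"}


def parse_conn(text: str) -> Tuple[str, Dict[str, str]]:
    """Parse a single 'conn <name>' block into its name and a key/value dict."""
    name = None
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    if name is None:
        raise ValueError("no 'conn' header found")
    return name, params


def _dh_groups(proposal: str) -> List[str]:
    """Return the DH/PFS group tokens of a proposal such as 'aes256-sha1;dh2'."""
    return [alt.partition(";")[2].strip() for alt in proposal.split(",") if ";" in alt]


def lint_conn(params: Dict[str, str]) -> List[str]:
    """Report the settings that keep this conn from reaching a Cisco group PSK gateway."""
    findings = []
    is_ikev1 = params.get("ikev2", "").lower() in ("no", "never")
    if (is_ikev1 and params.get("authby") == "secret"
            and params.get("leftxauthclient") == "yes"
            and params.get("aggressive", "no") != "yes"):
        findings.append("aggressive: IKEv1 PSK+XAUTH to a Cisco group needs aggressive=yes; "
                        "Main Mode sends the ID only after DH, so the peer keys on your IP")
    for key in ("ike", "phase2alg"):
        for dh in _dh_groups(params.get(key, "")):
            if dh in WEAK_DH:
                findings.append(f"{key}: {dh} is disabled as too weak; use dh5 or stronger")
    return findings


def fix_conn(params: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with aggressive=yes and weak DH groups replaced by dh5."""
    fixed = dict(params)
    fixed["aggressive"] = "yes"
    weak = "|".join(sorted(WEAK_DH))
    for key in ("ike", "phase2alg"):
        if key in fixed:
            fixed[key] = re.sub(rf";({weak})\b", ";dh5", fixed[key])
    return fixed


def render_conn(name: str, params: Dict[str, str]) -> str:
    """Render the conn back into ipsec.conf syntax (parameters must be indented)."""
    return "conn " + name + "\n" + "".join(f"    {k}={v}\n" for k, v in params.items())


def stuck_in_main_mode(log_lines: List[str]) -> bool:
    """True when MI2 keeps retransmitting against INVALID_COOKIE and MR2 never arrives."""
    retransmit = any("STATE_MAIN_I2" in l and "retransmission" in l for l in log_lines)
    cookie = any("INVALID_COOKIE" in l for l in log_lines)
    advanced = any(("STATE_MAIN_I3" in l) or ("ISAKMP SA established" in l) for l in log_lines)
    return retransmit and cookie and not advanced


if __name__ == "__main__":
    conn_name, posted = parse_conn(POSTED_CONN)
    for finding in lint_conn(posted):
        print("finding:", finding)
    print("main-mode stuck on INVALID_COOKIE:", stuck_in_main_mode(POSTED_LOG))
    print(render_conn(conn_name, fix_conn(posted)))
```

The corrected conn still carries sha1 and a 900 second SA lifetime from the original; the script only touches the two settings the reply names, so review the rest against the gateway's policy separately.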