[Swan] Migrating from vpnc to libreswan to connect to Cisco ASAv 9.13
paul at nohats.ca
Sat Sep 26 14:55:11 UTC 2020
Try aggressive=yes ?
Also, DH2 support has been disabled - it is too weak. Try using dh5.
Sent from my iPhone
> On Sep 26, 2020, at 03:12, Nathan Strong <gblues at gmail.com> wrote:
> Hello all,
> I've done some cursory searching but I haven't seen my issue addressed.
> We have a Cisco ASAv that we've been using vpnc to open an IPsec tunnel to. The vpnc client seems to have issues handling rekey events, and is quite old, so I am trying to connect to the same VPN gateway using libreswan to do comparative testing. So far, I have not been successful in establishing a link.
> I am using CentOS 8, which comes with libreswan 3.29
> For reference, here is the vpnc config (items in brackets are redacted):
> IPSec ID <our_ipsec_group_id>
> IPSec gateway <gateway_ip>
> IPSec obfuscated secret <obfuscated-psk>
> Local Port 0
> Xauth password <vpn user password>
> Xauth username <vpn username>
> To map this to libreswan, I've done the following:
> /etc/ipsec.d/myconn.secrets contains:
> # note that <psk> is the de-obfuscated form of <obfuscated-psk> contained in the vpnc config
> <gateway_ip> %any : PSK "<psk>"
> @<vpn username> : XAUTH "<vpn user password>"
> /etc/ipsec.d/myconn.conf contains:
> conn myconn
> leftxauthusername=<vpn username>
> (I'm aware several of these settings are insecure, such as dh2)
> I use the following commands to attempt to bring up the tunnel:
> ipsec auto --add myconn
> ipsec auto --up myconn
> When I do this, I get the following output:
> 002 "myconn" #1: initiating Main Mode
> 104 "myconn" #1: STATE_MAIN_I1: initiate
> 106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
> 003 "myconn" #1: ignoring informational payload INVALID_COOKIE, msgid=00000000, length=40
> 003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE
> The last three lines repeat with increasing retransmission delays.
> On the ASAv side, I get this interesting error:
> %ASA-4-713903: Group = <my ip>, IP = <my ip>, Can't find a valid tunnel group, aborting...!
> %ASA-4-713903: IP = <my ip> Header invalid, missing SA payload! (next payload = 4)
> On working clients, it will show Group = <our_ipsec_group_id>
> The documentation I've read says the `leftid` parameter should set this, and I've tried both "leftid=@[<our_ipsec_group_id>]" and "leftid=@<our_ipsec_group_id>" to no avail.
> So, that's where I'm presently stuck.
> TL;DR: under what circumstances would libreswan insist on sending the IP as the group instead of what's set as `leftid`? Can I get there from here?
> Swan mailing list
> Swan at lists.libreswan.org
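As an added illustration that is not part of the original thread, here is one way to lay out the complete conn once Paul's two suggestions (Aggressive Mode and a stronger DH group) are applied to Nathan's vpnc-to-libreswan mapping. The gateway address, group ID and username are the redacted placeholders from the post. The remote_peer_type=cisco and ModeCfg settings, and the cipher choice (aes256-sha1 with modp1536, which is dh5), are assumptions about what the ASA side accepts and must be matched to the gateway's actual IKEv1 policy.

```ini
# /etc/ipsec.d/myconn.conf  (added example, not the original poster's config)
conn myconn
    # IKEv1 only. A Cisco remote-access tunnel group authenticated with a
    # group PSK negotiates in Aggressive Mode, because the group name is
    # carried as the ID payload in the first exchange; in Main Mode the ID
    # is only sent after the PSK has already had to be selected by IP,
    # which is why the ASA logs "Group = <my ip>".
    ikev2=no            # spelled ikev2=never on some older releases
    aggressive=yes
    authby=secret
    # vpnc "IPSec ID" -> our IKE ID, i.e. the tunnel-group name.
    leftid=@<our_ipsec_group_id>
    left=%defaultroute
    # XAUTH user credentials (the password comes from myconn.secrets).
    leftxauthclient=yes
    leftxauthusername=<vpn username>
    # Pull the assigned inner address and DNS from the gateway (ModeCfg).
    leftmodecfgclient=yes
    modecfgpull=yes
    # vpnc "IPSec gateway"
    right=<gateway_ip>
    rightid=<gateway_ip>
    rightsubnet=0.0.0.0/0
    remote_peer_type=cisco      # assumption: Cisco-style ModeCfg attributes
    # DH2 (modp1024) is disabled in libreswan as too weak; modp1536 is dh5.
    # Use a stronger group here if the ASA policy offers one.
    ike=aes256-sha1;modp1536    # assumption: match to the ASA's IKE policy
    phase2alg=aes256-sha1       # assumption: match to the ASA's IPsec proposal
    auto=add
```

With this conn loaded via `ipsec auto --add myconn` and brought up with `ipsec auto --up myconn`, the first log line changes from "initiating Main Mode" to "initiating Aggressive Mode", and the ASA's 713903 message should then name the tunnel group rather than the client IP. One caveat worth keeping in mind when accepting this design: in IKEv1 Aggressive Mode with a pre-shared key, the authentication hash computed over the group PSK is sent unencrypted, so anyone who captures the exchange can brute-force the group PSK offline. Treat the group PSK as a low-trust identifier, keep it long and random, and rely on the XAUTH credentials as the real user authentication.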