[Swan] Getting INVALID_ID_INFORMATION from Libreswan while connecting to Watchguard VPN
Sascha Greve
sascha-privat at posteo.de
Thu Dec 8 09:00:53 EET 2022
Hey,
hopefully one of you can help me.
I have to connect to a Watchguard VPN Server.
I got from the VPN Owner a configuration file for the shrewsoft client.
With this client you can connect to the VPN, but only on Windows and not without a GUI.
In the Linux client there are some known issues with NAT traversal where the connection can be established but you can't send any traffic over it.
I wrote the whole problem down in a StackOverflow post: https://stackoverflow.com/questions/74722259/libreswan-invalid-peer-id-while-connecting-to-ikev1-tunnel
In a nutshell: I get an INVALID_ID_INFORMATION error. I captured the initial ISAKMP network traffic from both the Shrew Soft client and the Libreswan client; I would assume that when I send the same payloads the gateway should give me the correct ID, right?
I am aware of resources like
https://libreswan.org/man/ipsec.conf.5.html
https://libreswan.org/wiki/Configuration_examples
But I couldn't find any answers in them.
Shrewsoft traffic:
User Datagram Protocol, Src Port: 500, Dst Port: 500
Internet Security Association and Key Management Protocol
Initiator SPI: add0b9afcf550e9f
Responder SPI: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Aggressive (4)
Flags: 0x00
Message ID: 0x00000000
Length: 629
Payload: Security Association (1)
Payload: Key Exchange (4)
Payload: Nonce (10)
Payload: Identification (5)
Payload: Vendor ID (13) : XAUTH
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-01
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Payload: Vendor ID (13) : Unknown Vendor ID
Payload: Vendor ID (13) : Shrew Soft
Payload: Vendor ID (13) : Netscreen-15
Payload: Vendor ID (13) : SIDEWINDER
Payload: Vendor ID (13) : CISCO-UNITY 1.0
Libreswan traffic:
User Datagram Protocol, Src Port: 500, Dst Port: 500
Internet Security Association and Key Management Protocol
Initiator SPI: 58a02f2b38e2e070
Responder SPI: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Aggressive (4)
Flags: 0x00
Message ID: 0x00000000
Length: 516
Payload: Security Association (1)
Payload: Key Exchange (4)
Payload: Nonce (10)
Payload: Identification (5)
Payload: Vendor ID (13) : XAUTH
Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02
Regards,
Sascha
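The comparison in the post (which ISAKMP payloads and Vendor IDs each client announces in its aggressive-mode first message) can be reproduced mechanically instead of by reading two Wireshark dumps side by side. The following is an added example, not code from the poster, Libreswan or Shrew Soft: a small parser for the ISAKMP header (RFC 2408) and its payload chain, with a table of the NAT-T, RFC 3947, XAUTH and DPD Vendor IDs derived from their public definitions (most are the MD5 of the draft or RFC name, which is why the `-02` draft exists in two forms, with and without a trailing newline). The two sample packets are constructed here; their SA, KE, Nonce and ID bodies are dummy bytes, the Shrew Soft, Netscreen, SIDEWINDER and CISCO-UNITY VIDs from the capture are omitted, and `UNKNOWN_VID` is a made-up value standing in for the "Unknown Vendor ID" line.

```python
import hashlib
import struct

# ISAKMP payload type numbers (RFC 2408 section 3.1) and exchange types.
PAYLOAD_NAMES = {1: "Security Association", 4: "Key Exchange",
                 5: "Identification", 10: "Nonce", 13: "Vendor ID"}
EXCHANGE_NAMES = {2: "Identity Protection", 4: "Aggressive"}

# Vendor IDs defined as MD5 of a draft/RFC name (RFC 3947 sec. 3.1 and the
# NAT-T drafts). "draft-ietf-ipsec-nat-t-ike-02\n" deliberately keeps the
# newline: that is the value Wireshark labels with a literal "\n".
_MD5_VIDS = ["draft-ietf-ipsec-nat-t-ike-00", "draft-ietf-ipsec-nat-t-ike-01",
             "draft-ietf-ipsec-nat-t-ike-02", "draft-ietf-ipsec-nat-t-ike-02\n",
             "draft-ietf-ipsec-nat-t-ike-03", "RFC 3947"]
KNOWN_VIDS = {hashlib.md5(s.encode()).digest(): s for s in _MD5_VIDS}
# XAUTH: first 8 bytes of MD5 of the draft name.
KNOWN_VIDS[hashlib.md5(b"draft-ietf-ipsra-isakmp-xauth-06.txt").digest()[:8]] = "XAUTH"
# DPD (RFC 3706): fixed 14-byte value followed by major/minor version 1.0.
KNOWN_VIDS[bytes.fromhex("afcad71368a1f1c96b8696fc7757") + b"\x01\x00"] = "RFC 3706 DPD"

UNKNOWN_VID = b"constructed-unknown-vid!"  # constructed placeholder, not a real VID


def vid_name(vid):
    return KNOWN_VIDS.get(vid, "Unknown Vendor ID " + vid.hex())


def parse_isakmp(pkt):
    """Parse an ISAKMP header and walk its payload chain.

    Returns header fields, the ordered list of (type, name) payloads and the
    decoded Vendor ID names. Raises ValueError on truncated or inconsistent
    lengths instead of reading past the buffer."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    ispi, rspi, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError(f"header length {length} != packet length {len(pkt)}")
    payloads, vids, off = [], [], 28
    while nxt != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated generic payload header")
        pnext, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = pkt[off + 4:off + plen]
        payloads.append((nxt, PAYLOAD_NAMES.get(nxt, f"type {nxt}")))
        if nxt == 13:
            vids.append(vid_name(body))
        nxt, off = pnext, off + plen
    if off != len(pkt):
        raise ValueError("trailing bytes after last payload")
    return {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_NAMES.get(xchg, str(xchg)),
            "flags": flags, "message_id": msgid, "length": length,
            "payloads": payloads, "vendor_ids": vids}


def build_isakmp(ispi, exchange, bodies):
    """Assemble an ISAKMP message from (payload_type, body) pairs. Used only
    to construct test data; the non-VID bodies are dummies, not real proposals."""
    chunks = []
    for i, (ptype, body) in enumerate(bodies):
        pnext = bodies[i + 1][0] if i + 1 < len(bodies) else 0
        chunks.append(struct.pack("!BBH", pnext, 0, 4 + len(body)) + body)
    payload_bytes = b"".join(chunks)
    first = bodies[0][0] if bodies else 0
    hdr = struct.pack("!8s8sBBBBII", ispi, b"\0" * 8, first, 0x10, exchange,
                      0, 0, 28 + len(payload_bytes))
    return hdr + payload_bytes


def vid_bytes(name):
    return next(k for k, v in KNOWN_VIDS.items() if v == name)


def sample_packets():
    """Two constructed aggressive-mode first messages mirroring the payload
    order of the Shrew Soft and Libreswan captures in the post."""
    common = [(1, b"\0" * 16), (4, b"\x11" * 32), (10, b"\x22" * 16),
              (5, b"\x03\0\0\0user@example.invalid")]
    shrew = common + [(13, vid_bytes(n)) for n in [
        "XAUTH", "draft-ietf-ipsec-nat-t-ike-00", "draft-ietf-ipsec-nat-t-ike-01",
        "draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-03",
        "RFC 3947", "RFC 3706 DPD"]] + [(13, UNKNOWN_VID)]
    swan = common + [(13, vid_bytes(n)) for n in [
        "XAUTH", "RFC 3706 DPD", "RFC 3947", "draft-ietf-ipsec-nat-t-ike-03",
        "draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-02"]]
    return {"shrewsoft": build_isakmp(bytes.fromhex("add0b9afcf550e9f"), 4, shrew),
            "libreswan": build_isakmp(bytes.fromhex("58a02f2b38e2e070"), 4, swan)}


def vid_diff(a, b):
    """Vendor IDs announced by a but not b, and by b but not a (sorted)."""
    sa, sb = set(a["vendor_ids"]), set(b["vendor_ids"])
    return sorted(sa - sb), sorted(sb - sa)


if __name__ == "__main__":
    pk = sample_packets()
    s, l = parse_isakmp(pk["shrewsoft"]), parse_isakmp(pk["libreswan"])
    print("only Shrew Soft:", vid_diff(s, l)[0])
    print("only Libreswan :", vid_diff(s, l)[1])
```

Pointing `parse_isakmp` at the UDP payload of the real packet 1 from each capture (for example exported from Wireshark as raw bytes) gives the same kind of listing the post shows, plus a length-consistency check that flags a truncated or mangled capture instead of silently misreading it. The VID difference is worth knowing, but note that it only shows what each initiator advertised; the gateway's INVALID_ID_INFORMATION notification concerns the Identification payload, whose contents this listing deliberately treats as opaque bytes.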