[Swan] Getting INVALID_ID_INFORMATION from Libreswan while connecting to Watchguard VPN

Sascha Greve sascha-privat at posteo.de
Thu Dec 8 09:00:53 EET 2022


Hey,

Hopefully one of you can help me.
I have to connect to a Watchguard VPN server.
I got a configuration file for the Shrew Soft client from the VPN owner.
With this client you can connect to the VPN, but only on Windows and not without a GUI.
In the Linux client there are some known issues with NAT traversal where the connection can be established but you can't send any traffic over it.

I wrote the whole problem down in a StackOverflow post: https://stackoverflow.com/questions/74722259/libreswan-invalid-peer-id-while-connecting-to-ikev1-tunnel

In a nutshell: I get an INVALID_ID_INFORMATION error. I captured the initial ISAKMP network traffic from both the Shrew Soft client and the Libreswan client; I would assume that when I send the same payloads the gateway should give me the correct ID, right?

I am aware of resources like
https://libreswan.org/man/ipsec.conf.5.html
https://libreswan.org/wiki/Configuration_examples

But I couldn't find any answers in them.

Shrewsoft traffic:

User Datagram Protocol, Src Port: 500, Dst Port: 500
Internet Security Association and Key Management Protocol
    Initiator SPI: add0b9afcf550e9f
    Responder SPI: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Aggressive (4)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 629
    Payload: Security Association (1)
    Payload: Key Exchange (4)
    Payload: Nonce (10)
    Payload: Identification (5)
    Payload: Vendor ID (13) : XAUTH
    Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00
    Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-01
    Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
    Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
    Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
    Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
    Payload: Vendor ID (13) : Unknown Vendor ID
    Payload: Vendor ID (13) : Shrew Soft
    Payload: Vendor ID (13) : Netscreen-15
    Payload: Vendor ID (13) : SIDEWINDER
    Payload: Vendor ID (13) : CISCO-UNITY 1.0

Libreswan traffic:

User Datagram Protocol, Src Port: 500, Dst Port: 500
Internet Security Association and Key Management Protocol
    Initiator SPI: 58a02f2b38e2e070
    Responder SPI: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Aggressive (4)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 516
    Payload: Security Association (1)
    Payload: Key Exchange (4)
    Payload: Nonce (10)
    Payload: Identification (5)
    Payload: Vendor ID (13) : XAUTH
    Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
    Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
    Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
    Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
    Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02

Regards,
Sascha
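The two dissector summaries above list the payload chain of each client's first Aggressive-mode message, but not what is inside the Identification payload or the raw bytes behind each vendor ID name. The following is an added example, not code from the post, from Shrew Soft or from Libreswan: it builds two constructed ISAKMP messages whose vendor ID lists mirror the two captures, walks the payload chain with bounds checks, names each vendor ID, reports which vendor IDs only one side sends, and decodes the ID type that the summary lines hide. The initiator SPIs are taken from the post; the vendor ID constants are assumed from public dissector tables; the SA/KE/nonce bodies are filler, and the two ID payloads are deliberately given different constructed values only to show what the decoder surfaces, not as a diagnosis of this setup.

```python
import hashlib
import struct

# IKEv1/ISAKMP payload type numbers (RFC 2408, section 3.1).
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 11: "N", 13: "VID"}
# IKEv1 Identification types (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
# Vendor ID lookup. NAT-T VIDs are the MD5 of the draft/RFC name; XAUTH and DPD
# are fixed constants. These values are assumptions from public dissector
# tables, not taken from the post.
KNOWN_VIDS = {hashlib.md5(name.encode()).digest(): name for name in [
    "draft-ietf-ipsec-nat-t-ike-00", "draft-ietf-ipsec-nat-t-ike-01",
    "draft-ietf-ipsec-nat-t-ike-02", "draft-ietf-ipsec-nat-t-ike-02\n",
    "draft-ietf-ipsec-nat-t-ike-03", "RFC 3947"]}
KNOWN_VIDS[bytes.fromhex("09002689dfd6b712")] = "XAUTH"
KNOWN_VIDS[bytes.fromhex("afcad71368a1f1c96b8696fc77570100")] = "RFC 3706 DPD"
VID_BY_NAME = {name: raw for raw, name in KNOWN_VIDS.items()}

HDR = "!8s8sBBBBII"  # iSPI, rSPI, next payload, version, exchange, flags, msg id, length
GEN = "!BBH"         # generic payload header: next payload, reserved, length


def build_message(init_spi, payloads, exchange=4):
    """Constructed ISAKMP message; payloads is a list of (type, body) tuples."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack(GEN, nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    # version 0x10 = IKEv1; exchange 4 = Aggressive; responder SPI still zero
    hdr = struct.pack(HDR, init_spi, bytes(8), first, 0x10, exchange, 0, 0, 28 + len(chain))
    return hdr + chain


def parse_message(data):
    """Walk the payload chain, refusing lengths that would run off the buffer."""
    ispi, _rspi, nxt, ver, exch, _flags, _msgid, length = struct.unpack(HDR, data[:28])
    if ver != 0x10:
        raise ValueError("not an IKEv1 message")
    if length != len(data):
        raise ValueError("header length does not match datagram")
    payloads, off = [], 28
    while nxt != 0:
        pnext, _, plen = struct.unpack(GEN, data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("payload length out of bounds")
        payloads.append((nxt, data[off + 4:off + plen]))
        nxt, off = pnext, off + plen
    return {"ispi": ispi.hex(), "exchange": exch, "payloads": payloads}


def is_well_formed(data):
    try:
        parse_message(data)
        return True
    except (ValueError, struct.error):
        return False


def describe(msg):
    """One entry per payload, like the Wireshark lines, plus the ID type they hide."""
    out = []
    for ptype, body in msg["payloads"]:
        if ptype == 13:
            out.append("VID:" + KNOWN_VIDS.get(body, "unknown:" + body.hex()))
        elif ptype == 5:  # ID type, protocol ID, port, then identification data
            out.append("ID:%s=%r" % (ID_TYPES.get(body[0], body[0]), body[4:]))
        else:
            out.append(PAYLOAD_NAMES.get(ptype, "type%d" % ptype))
    return out


def diff_vendor_ids(a, b):
    """Vendor IDs only the first message sends, and only the second sends."""
    va = {KNOWN_VIDS.get(body, body.hex()) for t, body in a["payloads"] if t == 13}
    vb = {KNOWN_VIDS.get(body, body.hex()) for t, body in b["payloads"] if t == 13}
    return sorted(va - vb), sorted(vb - va)


def id_payload(id_type, ident):
    return struct.pack("!BBH", id_type, 0, 0) + ident


def vid(name):
    return (13, VID_BY_NAME[name])


# Constructed stand-ins for the two first messages in the post (bodies are filler).
SHREW = build_message(bytes.fromhex("add0b9afcf550e9f"),
    [(1, b"SA"), (4, b"KE"), (10, b"nonce"), (5, id_payload(11, b"group-id"))]
    + [vid(n) for n in ["XAUTH", "draft-ietf-ipsec-nat-t-ike-00",
                        "draft-ietf-ipsec-nat-t-ike-01", "draft-ietf-ipsec-nat-t-ike-02\n",
                        "draft-ietf-ipsec-nat-t-ike-03", "RFC 3947", "RFC 3706 DPD"]])
SWAN = build_message(bytes.fromhex("58a02f2b38e2e070"),
    [(1, b"SA"), (4, b"KE"), (10, b"nonce"), (5, id_payload(2, b"client.example"))]
    + [vid(n) for n in ["XAUTH", "RFC 3706 DPD", "RFC 3947", "draft-ietf-ipsec-nat-t-ike-03",
                        "draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-02"]])

if __name__ == "__main__":
    for label, raw in (("shrew", SHREW), ("libreswan", SWAN)):
        print(label, describe(parse_message(raw)))
    print("only shrew / only libreswan:", diff_vendor_ids(parse_message(SHREW), parse_message(SWAN)))
```

Running the script against real datagrams is a matter of passing the UDP payload captured on port 500 to parse_message; the Identification line in the output then shows the ID type and value that the dissector summary omits, which is usually the first thing worth comparing between two clients when a responder answers INVALID_ID_INFORMATION.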



