<div dir="ltr">Hi Nick,<div><br></div><div>My original test with openswan and libreswan had the left= value set with an IP address. Tried all the combination mentioned in the bug with the same result.</div><div><br></div><div>
It doesn't like the remote servers <span style="font-family:arial,sans-serif;font-size:13px">ID_FQDN</span> reply of '@<a href="http://IPsec_1.cisco.com">IPsec_1.cisco.com</a>'</div><div><br></div><div>Would openswan/libreswan try to resolve the IP address form the <span style="font-family:arial,sans-serif;font-size:13px">ID_FQDN reply?</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Andrew</span></div><div><br></div><div><br></div><div><br></div><div><br></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 11, 2013 at 5:56 PM, Nick Howitt <span dir="ltr"><<a href="mailto:n1ck.h0w1tt@gmail.com" target="_blank">n1ck.h0w1tt@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div style="font-family:Arial,Helvetica,sans-serif">
<p>Andrew,</p>
<p>I have an open bug <a href="https://bugs.libreswan.org/show_bug.cgi?id=86" target="_blank">https://bugs.libreswan.org/show_bug.cgi?id=86</a> for left=%defaultroute not working. Can you test with left=some_IP_address and see if it works? If this it does work, it is probably the same bug. The bug is Libreswan only as they reworked the %defaultroute detection code. I can't read the bug now, but from memory setting leftnexthop=%defaultroute may also work. It is probably worth reading the bug.</p>
<p>Nick</p><div><div class="h5">
<p>On 2013-06-11 02:10, Andrew Campbell wrote:</p>
</div></div><blockquote type="cite" style="padding-left:5px;border-left:#1010ff 2px solid;margin-left:5px"><div><div class="h5">
<div dir="ltr">Hello List,
<div> </div>
<div>After a much needed break from the security scene, I return to find a whole raft of changes!</div>
<div> </div>
<div>Below are my findings with openswan and curios if the latest libreswan will have a different result. <br>
<div class="gmail_quote">
<div dir="ltr">
<div> </div>
<div>I'm trying to configure my test environment against a Cisco router. Everything works with vpnc, but I would prefer to use of OpenSwan (or now libreswan). I have tried all configuration combinations, but cannot get past phase 1 up - no suitable connection for peer.</div>
<div> </div>
<div>Any help will be much appreciated.</div>
<div> </div>
<div>Kind Regards,</div>
<div> </div>
<div>Andrew</div>
<div> </div>
<div>Test enviroment Linux Openswan U2.6.38-g312f1b8a-dirty/K3.2.0-4-amd64 (netkey)</div>
<div> </div>
<div>#-----------------------------------------#</div>
<div> </div>
<div>root@ipsec:/etc# cat ipsec.conf</div>
<div>conn cisco</div>
<div> ike=3des-sha1-modp1024</div>
<div> esp=3des-sha1</div>
<div> pfs=yes</div>
<div> ikelifetime=86400s</div>
<div> keylife=28800s</div>
<div> #</div>
<div> aggrmode=yes</div>
<div> authby=secret</div>
<div> #</div>
<div> left=%defaultroute</div>
<div> leftmodecfgclient=yes</div>
<div> leftxauthclient=yes</div>
<div> leftid="@customer.domain"</div>
<div> #</div>
<div> right=1xx.5x.5x.1xx</div>
<div> rightid="@<a href="http://IPsec_1.cisco.com" target="_blank">IPsec_1.cisco.com</a>"</div>
<div> rightxauthserver=yes</div>
<div> rightmodecfgserver=yes</div>
<div> #</div>
<div> modecfgpull=yes</div>
<div> auto=add</div>
<div> </div>
<div>#-----------------------------------------#</div>
<div> </div>
<div>root@ipsec:/etc# cat ipsec.secrets </div>
<div>@customer.domain 1xx.5x.5x.1xx : PSK "customer1234"</div>
<div> </div>
<div>#-----------------------------------------#</div>
<div> </div>
<div>ipsec whack --debug-all --name cisco --xauthname test@customer.domain --xauthpass xauth1234 --initiate</div>
<div> </div>
<div>112 "cisco" #1: STATE_AGGR_I1: initiate</div>
<div>002 "cisco" #1: extra debugging enabled for connection: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo</div>
<div>003 "cisco" #1: received Vendor ID payload [Cisco-Unity]</div>
<div>003 "cisco" #1: received Vendor ID payload [Dead Peer Detection]</div>
<div>003 "cisco" #1: ignoring unknown Vendor ID payload [12030e87294146bcd6828c998b89a5b7]</div>
<div>003 "cisco" #1: received Vendor ID payload [XAUTH]</div>
<div>003 "cisco" #1: received Vendor ID payload [RFC 3947] method set to=115 </div>
<div>002 "cisco" #1: Aggressive mode peer ID is ID_FQDN: '@<a href="http://IPsec_1.cisco.com" target="_blank">IPsec_1.cisco.com</a>'</div>
<div>003 "cisco" #1: no suitable connection for peer '@<a href="http://IPsec_1.cisco.com" target="_blank">IPsec_1.cisco.com</a>'</div>
<div>003 "cisco" #1: initial Aggressive Mode packet claiming to be from @<a href="http://IPsec_1.cisco.com" target="_blank">IPsec_1.cisco.com</a> on 1xx.5x.5x.1xx but no connection has been authorized</div>
<div>218 "cisco" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION</div>
<div>002 "cisco" #1: sending notification INVALID_ID_INFORMATION to 1xx.5x.5x.1xx:500</div>
<div> </div>
<div>#-----------------------------------------#</div>
<div> </div>
</div>
</div>
</div>
</div>
<br>
</div></div><pre>_______________________________________________
Swan mailing list
<a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
</div>
<br>_______________________________________________<br>
Swan mailing list<br>
<a href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
<br></blockquote></div><br></div>