[Openswan Users] Trouble figuring out how to connect Openswan client to Cisco VPN
Steven Don
shd at earthling.net
Wed Apr 8 15:36:39 EDT 2009
Thanks for trying to help, Paul.
> For the record, this is a horrible setup to get working. Not only is it
> very hard due to PSK+IP authentication, it is hard because it is Cisco XAUTH
> on top of it, and on top of that you're adding NAT. Also, combining XAUTH+PSK
> is the most insecure IPsec rollout possible due to anyone with the PSK (eg
> any client or compromised client) being able to pretend they're the gateway
> and snag your user/pass.
>
> Grab the pcf file from Windows and look at openswan's contrib/cisco/pcf2os.pl
> and contrib/cisco-decrypt/
*** Good to know I've been stumped by a hard problem and not an easy one.
pcf2os.pl was very useful in getting the right configuration files. The server end is,
unfortunately, out of my control and I can't even get any configuration information
much less logs from the appropriate admin ivory tower. In this case I'm just a simple
codemonkey trying to get to the SVN server that is protected by the VPN. I may end
up using the Windows box as a proxy :S
> You are most likely not doing l2tp but cisco xauth/modeconfig. Verify this
> before spending the time on the wrong solution.
*** That makes a lot of sense. At lease I hadn't even gotten to that part yet.
With the configuration generated by the pcf2os.pl script, the output changes, of
course. This is what happens:
---
home:~ # /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.23.11...
home:~ # ipsec auto --verbose --up tst
002 "tst" #1: initiating Aggressive Mode #1, connection "tst"
112 "tst" #1: STATE_AGGR_I1: initiate
003 "tst" #1: Informational Exchange message must be encrypted
010 "tst" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
003 "tst" #1: Informational Exchange message must be encrypted
---
(That keeps looping, with 40s intervals)
/var/log/messages gives the exact same messages as the above, with just 1 extra
line:
---
pluto[18085]: | setting sec: 1
---
Is any of that an error that points out something obvious to try next? I'm really
REALLY not looking forward to having to proxy through that Windows box.
Kind regards,
Steven Don
More information about the Users
mailing list