[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Michael H. Warfield mhw at WittsEnd.com
Wed Mar 10 18:37:46 EST 2010

On Wed, 2010-03-10 at 14:33 -0500, Michael Richardson wrote: 
> >>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
>     >> We now know that we can, in fact, generate multiple proposals,
>     >> provided the DH group is at least kept constant, since that's
>     >> what vpnc is doing.
>     Paul> Note that "some implementation can do this" is not the same as
>     Paul> being RFC compliant. What is needed is the check with the
>     Paul> proper RFC's to see if this is indeed valid, and if so, update
>     Paul> to code.
>     >> Fixing that would seem to cover a wealth of sins with these Cisco
>     >> boxes.  Any hope for that?
>     Paul> Though we'd gladly accept patches, I think people would rather
>     Paul> put their energy into IKEv2, then into fixing IKEv1 Aggressive
>     Paul> Mode.
>     Paul> Michael (Richardson), can you perhaps tell us more about why
>     Paul> Openswan claims there can only be one proposal in Aggressive
>     Paul> Mode?

> The ISAKMP SA is created in exchange 1 in aggressive mode. 
> You have to send the exponent during that exchange, so you have to know
> what DH group you are using before you start.

> This is why you can not have multiple DH groups in aggressive mode, and
> I'd say historically, that meant that you can only have one proposal,
> since different DH groups was really the only parameter in historical
> (Freeswan 1.xx) code.

The Cisco vpnclient and the OSS vpnc offer up 24 proposals in the first
exchange, all with the same DH group.  The server picks one.  Offering
all these others would cover a lot of complaints I'm seeing on this list
where the response is "you need to have the correct proposal".  A lot of
people can't readily get at that information.

> The only other option was MD5 vs SHA1 then, and I think you have to also
> pick which hash to use since you have to know which PRF to use to
> generate keys as well (and in IKEv1, the hash negotiated is really the PRF).

There are a full set of AES (128, 192, 256), 3DES, and DES proposals
offered plus SHA1 and MD5.  All combinations.

> Maybe in concept, you can propose 3DES or AES128 in aggressive mode.
> I'd have to spend some time thinking about why that might not be
> acceptable.  

The ASA's seem perfectly happy with it and that's what vpnc and the
Cisco clients emit.

> Frankly --- why not put in a support request to CISCO and make them do
> some testing, or explain why their product isn't compliant with the RFP
> you sent out?

Frankly, because I know exactly what I'm going to get back in response
(this is not my first go around with them and I know several Cisco
security people and engineers).  "Well, the Cisco client on Linux is
vpnclient and the OpenSource flavor of that is vpnc.  Why don't you use
one of these instead of such a broken client?"  "Because neither
vpnclient nor vpnc support multiple connections and neither will coexist
with OpenSwan due to the conflicts with pluto over IKE.  And vpnclient,
per se, is so unstable that it warfs up a hairball if you even look at
it wrong."  "Well, how about Racoon?  I hear that will work."  Gag...
I've got all the Racoon information and yes, that will work as well.
But racoon embodies all that everyone complains about with IPSec...
That it takes a rocket scientist to configure and it's obtuse and
confusing and there's no uniform package to make it just work (one of my
co-workers has a big hair-ball hack-and-a-half set of a scripts to shim
Racoon to get all the pieces for Mac's to play right).

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20100310/9fc0adee/attachment.bin 

More information about the Users mailing list