[Openswan Users] Openswan cisco vpn client compatibility

peter at krajci.sk peter at krajci.sk
Fri Jul 11 07:29:40 EDT 2014


Thank you very much.
I followed the config with small modifications, but the cisco vpn client  
forces 1des encryption, which libreswan does not support anymore.
Auth log:

Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670:  
received Vendor ID payload [XAUTH]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670:  
received Vendor ID payload [Dead Peer Detection]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670:  
received Vendor ID payload [FRAGMENTATION 80000000]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670:  
ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]  
method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670:  
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 11 11:41:07 IPsec pluto[22157]: packet from 192.168.110.76:59670:  
received Vendor ID payload [Cisco-Unity]
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[3]  
192.168.110.76 #2: Aggressive mode peer ID is ID_KEY_ID: '<deleted>'
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[3]  
192.168.110.76 #2: switched from "xauth-psk-xauth-aggrmode" to  
"xauth-psk-xauth-aggrmode"
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: deleting connection "xauth-psk-xauth-aggrmode"  
instance with peer 192.168.110.76 {isakmp=#0/ipsec=#0}
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: responding to Aggressive Mode, state #2, connection  
"xauth-psk-xauth-aggrmode" from 192.168.110.76
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: peer requested 2147483 seconds which exceeds our  
limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: peer requested 2147483 seconds which exceeds our  
limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: policy mandates Extended Authentication (XAUTH)  
with PSK of initiator (we are responder).  Attribute  
OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: policy mandates Extended Authentication (XAUTH)  
with PSK of initiator (we are responder).  Attribute  
OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: peer requested 2147483 seconds which exceeds our  
limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: peer requested 2147483 seconds which exceeds our  
limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: policy mandates Extended Authentication (XAUTH)  
with PSK of initiator (we are responder).  Attribute  
OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: policy mandates Extended Authentication (XAUTH)  
with PSK of initiator (we are responder).  Attribute  
OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: peer requested 2147483 seconds which exceeds our  
limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: peer requested 2147483 seconds which exceeds our  
limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: policy mandates Extended Authentication (XAUTH)  
with PSK of initiator (we are responder).  Attribute  
OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: policy mandates Extended Authentication (XAUTH)  
with PSK of initiator (we are responder).  Attribute  
OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: 1DES is not encryption
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: OAKLEY_DES_CBC is not supported.  Attribute  
OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: 1DES is not encryption
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: OAKLEY_DES_CBC is not supported.  Attribute  
OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: no acceptable Oakley Transform
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76 #2: sending notification NO_PROPOSAL_CHOSEN to  
192.168.110.76:59670
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4]  
192.168.110.76: deleting connection "xauth-psk-xauth-aggrmode"  
instance with peer 192.168.110.76 {isakmp=#0/ipsec=#0}



I found some materials about the cisco vpn client's supported modes in this  
document  
(http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcA.pdf) on page 205, table 11-3. Then I tried some of the Preshared Keys (XAUTH) modes, but with no luck. My ipsec.conf is  
the following:

config setup
         protostack=netkey
         # exclude networks used on server side by adding %v4:!a.b.c.0/24
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24

conn xauth-psk-xauth-aggrmode
         aggrmode=yes
         authby=secret
         ike=3des-md5;modp1024
         phase2=esp
         phase2alg=3des-sha1
         pfs=no
         auto=add
         rekey=no
         left=<my real server IP>
         leftid=@vpn.nohats.ca
         leftsubnet=0.0.0.0/0
         rightaddresspool=10.231.247.1-10.231.247.254
         right=%any
         modecfgdns1=<my real DNS server>
         leftxauthserver=yes
         rightxauthclient=yes
         leftmodecfgserver=yes
         rightmodecfgclient=yes
         modecfgpull=yes
         xauthby=alwaysok
         ike_frag=yes
         xauthfail=soft



Everything works like a charm with the shrew soft vpn client, but I want  
to get it to work with the cisco vpn client. I would be very glad for any  
idea.
Thank you.

Quoting Paul Wouters <paul at nohats.ca>:

>
> openswan does not really support roaming clients with XAUTH (cisco ipsec
> mode). libreswan does:
>
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
>
> Paul
>
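As an added example (not code from this post, from libreswan or from Cisco), a small Python triage script for pluto logs like the one above: it groups the rejected transform attributes per IKEv1 phase 1 negotiation and reports what led to NO_PROPOSAL_CHOSEN. The sample log is constructed from the lines in the post, and the "reason.  Attribute NAME" line shape is assumed from that log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a condensed, unwrapped copy of the pluto lines in the post above.
SAMPLE_LOG = """\
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: peer requested 2147483 seconds which exceeds our limit 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: 1DES is not encryption
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: no acceptable Oakley Transform
Jul 11 11:41:07 IPsec pluto[22157]: "xauth-psk-xauth-aggrmode"[4] 192.168.110.76 #2: sending notification NO_PROPOSAL_CHOSEN to 192.168.110.76:59670
"""

# Per-state pluto line: connection name, instance, peer address, state number, message.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$')
# Rejected attribute shape (assumed from the log): "<reason>.  Attribute <NAME>"; bare lines
# such as "1DES is not encryption" name no attribute and are not counted.
REJECT_RE = re.compile(r'^(?P<reason>.*?)\.  Attribute (?P<attr>OAKLEY_[A-Z_]+)')
OUTCOME_RE = re.compile(r'sending notification (?P<notify>[A-Z_]+) to')

def triage(log_text):
    """Group rejected attributes and the final notification per (conn, peer, state)."""
    result = defaultdict(lambda: {"rejected": Counter(), "reasons": {}, "outcome": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "packet from ..." vendor ID lines carry no state number
        entry = result[(m["conn"], m["peer"], m["state"])]
        r = REJECT_RE.match(m["msg"])
        if r:
            entry["rejected"][r["attr"]] += 1
            entry["reasons"].setdefault(r["attr"], r["reason"])
        o = OUTCOME_RE.search(m["msg"])
        if o:
            entry["outcome"] = o["notify"]
    return dict(result)

def explain(entry):
    """One-line summary of why phase 1 ended with NO_PROPOSAL_CHOSEN."""
    if entry["outcome"] != "NO_PROPOSAL_CHOSEN":
        return "negotiation did not fail on proposal selection"
    return "; ".join(f"{n} transform(s) rejected on {attr}: {entry['reasons'][attr]}"
                     for attr, n in entry["rejected"].most_common())

if __name__ == "__main__":
    for key, entry in triage(SAMPLE_LOG).items():
        print(key, "->", explain(entry))
```

Run against a real /var/log/auth.log the same way; every transform the client offered shows up under the attribute it failed on, so the single-DES rejection on OAKLEY_ENCRYPTION_ALGORITHM is visible next to the lifetime and authentication-method rejections rather than buried among them.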
