[Openswan Users] Problem connecting to cisco 3000 vpn

Roi Rodríguez roi.rodriguez at qubitia.com
Mon Aug 10 08:18:05 EDT 2015


Hi,

I'm trying to configure Openswan on the client side. The VPN server is a 
Cisco VPN 3000 Series, but I can't know about their configuration. It 
works with vpnc (Cisco VPN client) with some problems, so I'm trying 
with Openswan. The people running the VPN server do not give any support 
on this, so I'm asking here.

The configuration I'm trying:

version    2.0

config setup
     plutodebug="all"
     plutowait=yes
     dumpdir=/var/run/pluto/
     nat_traversal=yes
     protostack=netkey
     plutostderrlog=/dev/null
     interfaces=%defaultroute

# Left is server, right is this machine
conn vpncon
     auto=add
     keyexchange=ike
     authby=secret
     aggrmode=yes
     ike=3des-md5;modp1024
     ikev2=no
     #phase2alg=3des-md5;modp1024
     phase2alg=aes128-md5;modp1024
     ikelifetime=86400s
     phase2=esp
     rekey=no
     forceencaps=yes
     pfs=no
     left=xx.xx.xx.xx (their public ip)
     remote_peer_type=cisco
     leftxauthserver=yes
     leftmodecfgserver=yes
     modecfgpull=yes
     rightid=@groupname
     right=%defaultroute
     rightsourceip=xx.xx.xx.xx (our public ip)
     rightmodecfgclient=yes
     rightxauthusername=groupname

Some things may be unnecessary, as I'm trying everything (with/without 
ikev2, rekey, pfs, rightsourceip, modecfgpull and plutowait, and also 
different phase2alg params).

ipsec.secrets:
@groupname : PSK "the-psk-key"
@groupname : XAUTH "the-xauth-pass"

They gave us a xauth username which is the same as the group name.

Connection fails:
root@ubuntu:/etc/ipsec.d# ipsec auto --up vpncon
112 "cqg" #1: STATE_AGGR_I1: initiate
003 "cqg" #1: received Vendor ID payload [Cisco-Unity]
003 "cqg" #1: received Vendor ID payload [XAUTH]
003 "cqg" #1: received Vendor ID payload [Dead Peer Detection]
003 "cqg" #1: received Vendor ID payload [RFC 3947] method set to=115
003 "cqg" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
003 "cqg" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "cqg" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or 17/500 but are 17/0 (attempting to continue)
003 "cqg" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
004 "cqg" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
010 "cqg" #1: STATE_MODE_CFG_I1: retransmission; will wait 20s for response
010 "cqg" #1: STATE_MODE_CFG_I1: retransmission; will wait 40s for response
031 "cqg" #1: max number of retransmissions (2) reached STATE_MODE_CFG_I1
000 "cqg" #1: starting keying attempt 2 of an unlimited number, but releasing whack

Seeing the "oakley" lines I wonder if my cipher configuration is OK (but 
I don't know what to test instead).

I can connect correctly with vpnc (Cisco VPN client), so I traced both 
cases with tcpdump (192.168.0.38 being my Openswan machine's local IP):

VPNC (OK):
root@ubuntu:~# tcpdump -i eth0 -n -p udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:28:25.671600 IP 192.168.0.38.500 > theirip.500: isakmp: phase 1 I agg
12:28:25.815335 IP theirip.500 > 192.168.0.38.500: isakmp: phase 1 R agg
12:28:25.852098 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 1 I agg[E]
12:28:26.012885 IP theirip.4500 > 192.168.0.38.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
12:28:26.013193 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:28:26.163199 IP theirip.4500 > 192.168.0.38.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
12:28:26.163657 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:28:26.164065 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:28:26.318767 IP 208.48.16.11.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
12:28:26.333606 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:28:26.491409 IP theirip.4500 > 192.168.0.38.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
12:28:26.493153 IP theirip.4500 > 192.168.0.38.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:28:26.493344 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:28:36.004868 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: [|isakmp]
...

Openswan (failing):
root@ubuntu:~# tcpdump -i eth0 -n -p udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:26:26.980829 IP 192.168.0.38.500 > theirip.500: isakmp: phase 1 I agg
12:26:27.125619 IP theirip.500 > 192.168.0.38.500: isakmp: phase 1 R agg
12:26:27.131340 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 1 I agg[E]
12:26:27.131651 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:26:57.162505 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:27:17.183204 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]

The difference I see here is that in the vpnc case their side is the 
first to send a phase 2 packet, while in the Openswan case it is my side.

I've tried everything I know about, which is not very much actually (not 
an expert) :( Any ideas?

Thank you,
Roi Rodriguez
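An added diagnostic for the two tcpdump captures in the message above (example code written for this page, not code from the original post or from Openswan). It reads the one-line-per-packet summaries that `tcpdump -n udp port 500 or udp port 4500` prints, re-joins lines that were wrapped when the capture was pasted into a mail, groups the ISAKMP packets by phase and by sender, and flags a capture in which the peer answered phase 1 but never sent a single phase 2 packet. The sample captures are copied (abridged) from the post; `192.168.0.38` is the local address the post names and `theirip` is the post's own placeholder for the Cisco gateway, both kept as-is.

```python
"""Summarise who sent what in an IKEv1 (ISAKMP) tcpdump capture.

Added example for the Openswan/Cisco post above, not the post's own code.
Sample captures are abridged from the post; 'theirip' is the post's
placeholder for the Cisco VPN 3000 gateway.
"""
import re

LOCAL_IP = "192.168.0.38"  # local address named in the post

# Constructed sample: the working vpnc capture from the post (abridged).
VPNC_OK = """
12:28:25.671600 IP 192.168.0.38.500 > theirip.500: isakmp: phase 1 I agg
12:28:25.815335 IP theirip.500 > 192.168.0.38.500: isakmp: phase 1 R agg
12:28:25.852098 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap:
isakmp: phase 1 I agg[E]
12:28:26.012885 IP theirip.4500 > 192.168.0.38.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
12:28:26.013193 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:28:26.163199 IP theirip.4500 > 192.168.0.38.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
12:28:26.163657 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:28:26.164065 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:28:26.333606 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:28:26.491409 IP theirip.4500 > 192.168.0.38.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
12:28:26.493153 IP theirip.4500 > 192.168.0.38.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:28:26.493344 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:28:36.004868 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: [|isakmp]
"""

# Constructed sample: the failing Openswan capture from the post.
OPENSWAN_FAIL = """
12:26:26.980829 IP 192.168.0.38.500 > theirip.500: isakmp: phase 1 I agg
12:26:27.125619 IP theirip.500 > 192.168.0.38.500: isakmp: phase 1 R agg
12:26:27.131340 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 1 I agg[E]
12:26:27.131651 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:26:57.162505 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
12:27:17.183204 IP 192.168.0.38.4500 > theirip.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")          # a real tcpdump line starts with a timestamp
PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?:NONESP-encap: )?"                             # UDP/4500 NAT-T framing, if present
    r"(?:isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>\S+)"
    r"|(?P<trunc>\[\|isakmp\]))$"                      # truncated packet, not decodable
)


def join_wrapped(capture):
    """Re-attach continuation lines (no leading timestamp) to the packet line before them."""
    lines = []
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        if lines and not TS.match(line):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse_packets(capture):
    """One dict per decoded ISAKMP packet; truncated and non-ISAKMP lines are dropped."""
    pkts = []
    for line in join_wrapped(capture):
        m = PKT.match(line)
        if not m or m.group("trunc"):
            continue
        d = m.groupdict()
        d["phase"] = 1 if d["phase"] == "1" else 2   # "2/others" covers quick mode, transaction (#6), informational
        pkts.append(d)
    return pkts


def summarize(capture, local_ip=LOCAL_IP):
    """Count packets per phase and sender, and flag a one-sided phase 2."""
    s = {"phase1": {"local": 0, "peer": 0}, "phase2": {"local": 0, "peer": 0},
         "first_phase2_sender": None, "peer_phase2_exchanges": []}
    for p in parse_packets(capture):
        side = "local" if p["src"] == local_ip else "peer"
        key = "phase1" if p["phase"] == 1 else "phase2"
        s[key][side] += 1
        if key == "phase2":
            if s["first_phase2_sender"] is None:
                s["first_phase2_sender"] = side
            if side == "peer":
                s["peer_phase2_exchanges"].append(p["exch"])
    # Peer completed phase 1 but never sent anything in phase 2: every phase 2
    # packet in the capture is ours, which is what pluto's repeated
    # STATE_MODE_CFG_I1 retransmissions in the post look like on the wire.
    s["stalled_after_phase1"] = s["phase1"]["peer"] > 0 and s["phase2"]["peer"] == 0
    return s


if __name__ == "__main__":
    for label, cap in (("vpnc", VPNC_OK), ("openswan", OPENSWAN_FAIL)):
        print(label, summarize(cap))
```

Run it against your own capture by pasting the tcpdump output into a string and calling `summarize(text, "your.local.ip")`; the `first_phase2_sender` and `peer_phase2_exchanges` fields make the difference the post describes (the gateway opening the `#6` transaction exchange in the working case, silence after phase 1 in the failing one) visible without reading the packets by hand.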



