Bug#890490: "auth" and "cipher" configuration directives not available on Debian
Control: severity -1 wishlist
Control: tags -1 + wontfix

On Sat, 17 Sep 2022 21:25:48 +0200 Thomas Uhle wrote:
> [...]
>
> It might be a little late for an answer. Anyway, vpnc supports both the
> SHA1 hash algorithm for integrity protection (RFC 4109) and also the AES
> cipher with 128 bit, 192 bit or 256 bit keys for encryption (RFC 3602).
> vpnc has no such options to select a specific hash algorithm or cipher
> because it is decided on the cryptographic parameters for the IPSec
> connection during an initial handshake between vpnc and its peer. So vpnc
> should work out of the box. Please remember that vpnc was developed as a
> replacement to Cisco's proprietary client and as such should be as simple
> and easy to configure and use as the Cisco client itself. However, you
> might want to start vpnc in a terminal with the option '--debug 1' and
> recognise among other messages a line similar to this:
>
> IKE SA selected psk+xauth+aes128-sha1
>
> And so everything is fine ...
>
> [...]
>
> strongswan and also libreswan provide much more configuration options for
> tweaking the IPSec connection exactly the way you need or want it. There
> are packages in Debian's repositories for both libreswan and strongswan.

With the explanation Thomas gave I reduce the bug's severity to wishlist
and flag it as wontfix

-- 
GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
Bug#890490: "auth" and "cipher" configuration directives not available on Debian
On Thu, 15 Feb 2018, vitaminx wrote:

On Thu, Feb 15, 2018 at 10:39:56AM +0100, vitaminx wrote:
> Today our employer changed security settings on the gateways and told us to add following options:
>
> auth SHA1
> cipher AES-128-CBC
>
> This seems to work on Mac OS X, but the options are not available in the Linux version of vpnc:

On Thu, Feb 15, 2018 at 11:05:16AM +0100, Florian Schlichting wrote:
> you mean vpnc on Mac OS X? Which version of vpnc is that? I found e.g.
> https://github.com/breiter/vpnc which doesn't seem to support those
> configuration options, and I'm unaware of patches adding those options.

It might be a little late for an answer. Anyway, vpnc supports both the
SHA1 hash algorithm for integrity protection (RFC 4109) and also the AES
cipher with 128 bit, 192 bit or 256 bit keys for encryption (RFC 3602).
vpnc has no such options to select a specific hash algorithm or cipher
because it is decided on the cryptographic parameters for the IPSec
connection during an initial handshake between vpnc and its peer. So vpnc
should work out of the box. Please remember that vpnc was developed as a
replacement to Cisco's proprietary client and as such should be as simple
and easy to configure and use as the Cisco client itself. However, you
might want to start vpnc in a terminal with the option '--debug 1' and
recognise among other messages a line similar to this:

IKE SA selected psk+xauth+aes128-sha1

And so everything is fine ...

There seems to be a native client on Mac OS X which supports these options.
https://faq.oit.gatech.edu/content/how-do-i-configure-os-x-integrated-ipsec-vpn-client

> Are you sure this is still an ipsec based VPN, rather than an SSL based
> VPN like "AnyConnect", for which you'll need to switch from vpnc to
> openconnect?

We are using Global Protect which supports both SSL and Ipsec based connections:
https://www.paloaltonetworks.com/products/globalprotect/subscription
They are actually recommending vpnc or strongSwan for Linux.

strongswan and also libreswan provide much more configuration options for
tweaking the IPSec connection exactly the way you need or want it. There
are packages in Debian's repositories for both libreswan and strongswan.

Best regards,
Thomas Uhle
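A way to act on the advice above, added here as an example and not code from the thread or from vpnc itself: it parses the "IKE SA selected ..." line from 'vpnc --debug 1' output and compares the negotiated cipher and hash with the values the gateway administrators asked for, so an operator can confirm the proposal without any "auth"/"cipher" directive in the config file. The token layout of the proposal string (auth modes and cipher joined by '+', hash after the last '-'), the directive-to-token mapping and the sample output are assumptions constructed for this example.

```python
import re

# Constructed sample of 'vpnc --debug 1' output (not a real capture); only the
# "IKE SA selected ..." line has the form quoted in the thread.
SAMPLE_DEBUG_OUTPUT = """\
vpnc: constructed debug line, not real vpnc output
IKE SA selected psk+xauth+aes128-sha1
vpnc: another constructed line
"""

IKE_SA_LINE = re.compile(r"^IKE SA selected (\S+)\s*$", re.MULTILINE)

# Assumed mapping from the directive values the gateway administrators asked for
# to the tokens vpnc prints in its proposal line; extend as needed.
DIRECTIVE_TOKENS = {
    "AES-128-CBC": "aes128", "AES-192-CBC": "aes192", "AES-256-CBC": "aes256",
    "SHA1": "sha1",
}


def parse_ike_sa(debug_output):
    """Return {'auth_modes', 'cipher', 'hash', 'raw'} for the selected IKE SA,
    or None if vpnc never reported one (e.g. phase 1 did not complete)."""
    match = IKE_SA_LINE.search(debug_output)
    if match is None:
        return None
    raw = match.group(1)
    # Assumed layout: auth modes and cipher joined by '+', hash after the last '-'.
    head, dash, hash_alg = raw.rpartition("-")
    if not dash or not hash_alg:
        return None
    parts = head.split("+")
    return {"auth_modes": parts[:-1], "cipher": parts[-1], "hash": hash_alg, "raw": raw}


def directive_tokens(directives):
    """Translate {'cipher': 'AES-128-CBC', 'auth': 'SHA1'} to (cipher, hash) tokens.
    Unknown values raise KeyError so a typo is not silently treated as a match."""
    return (DIRECTIVE_TOKENS[directives["cipher"]], DIRECTIVE_TOKENS[directives["auth"]])


def meets_policy(selected, directives):
    """True when the negotiated cipher and hash equal what the directives require."""
    if selected is None:
        return False
    cipher, hash_alg = directive_tokens(directives)
    return selected["cipher"] == cipher and selected["hash"] == hash_alg


if __name__ == "__main__":
    sa = parse_ike_sa(SAMPLE_DEBUG_OUTPUT)
    print(sa, meets_policy(sa, {"auth": "SHA1", "cipher": "AES-128-CBC"}))
```

On a real system, feed the function the captured stderr/stdout of 'vpnc --debug 1' instead of the constructed sample.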
Bug#890490: "auth" and "cipher" configuration directives not available on Debian
On Thu, Feb 15, 2018 at 11:05:16AM +0100, Florian Schlichting wrote:
> you mean vpnc on Mac OS X? Which version of vpnc is that? I found e.g.
> https://github.com/breiter/vpnc which doesn't seem to support those
> configuration options, and I'm unaware of patches adding those options.

There seems to be a native client on Mac OS X which supports these options.
https://faq.oit.gatech.edu/content/how-do-i-configure-os-x-integrated-ipsec-vpn-client

> Are you sure this is still an ipsec based VPN, rather than an SSL based
> VPN like "AnyConnect", for which you'll need to switch from vpnc to
> openconnect?

We are using Global Protect which supports both SSL and Ipsec based connections:
https://www.paloaltonetworks.com/products/globalprotect/subscription
They are actually recommending vpnc or strongSwan for Linux.

Best Regards.
Bug#890490: "auth" and "cipher" configuration directives not available on Debian
On Thu, Feb 15, 2018 at 10:39:56AM +0100, vitaminx wrote:
> Today our employer changed security settings on the gateways and told us to
> add following options:
>
> auth SHA1
> cipher AES-128-CBC
>
> This seems to work on Mac OS X, but the options are not available in the
> Linux version of vpnc:

you mean vpnc on Mac OS X? Which version of vpnc is that? I found e.g.
https://github.com/breiter/vpnc which doesn't seem to support those
configuration options, and I'm unaware of patches adding those options.

Are you sure this is still an ipsec based VPN, rather than an SSL based
VPN like "AnyConnect", for which you'll need to switch from vpnc to
openconnect?

Florian
Bug#890490: "auth" and "cipher" configuration directives not available on Debian
Package: vpnc
Version: 0.5.3r550-3
Severity: important

Hello,

vpnc worked fine so far for our corporate VPN with this config:

IPSec gateway [corporate_gateway]
IPSec ID [id]
IKE Authmode psk
IPSec secret [secret]
Xauth interactive

Today our employer changed security settings on the gateways and told us to add following options:

auth SHA1
cipher AES-128-CBC

This seems to work on Mac OS X, but the options are not available in the Linux version of vpnc:

vpnc: warning: unknown configuration directive in /etc/vpnc/myvpn.conf at line 6
vpnc: warning: unknown configuration directive in /etc/vpnc/myvpn.conf at line 7

Is there any chance to see this implemented at some point?

Best Regards.

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages vpnc depends on:
ii  libc6         2.26-4
ii  libgcrypt20   1.8.1-4
ii  libgnutls30   3.5.17-1
ii  perl          5.26.1-4
ii  vpnc-scripts  0.1~git20160829-1

Versions of packages vpnc recommends:
ii  iproute2  4.14.1-2

Versions of packages vpnc suggests:
pn  resolvconf

-- Configuration Files:
/etc/vpnc/default.conf [Errno 13] Permission denied: '/etc/vpnc/default.conf'

-- no debconf information