On Thu, 15 Feb 2018, vitaminx wrote:

On Thu, Feb 15, 2018 at 10:39:56AM +0100, vitaminx wrote:
> Today our employer changed security settings on the gateways and told us to add the following options:
>
> auth SHA1
> cipher AES-128-CBC
>
> This seems to work on Mac OS X, but the options are not available in the Linux version of vpnc:

On Thu, Feb 15, 2018 at 11:05:16AM +0100, Florian Schlichting wrote:
> you mean vpnc on Mac OS X? Which version of vpnc is that? I found e.g.
> https://github.com/breiter/vpnc which doesn't seem to support those
> configuration options, and I'm unaware of patches adding those options.

It might be a little late for an answer. Anyway, vpnc supports both the SHA1 hash algorithm for integrity protection (RFC 4109) and the AES cipher with 128-bit, 192-bit or 256-bit keys for encryption (RFC 3602). vpnc has no options to select a specific hash algorithm or cipher because the cryptographic parameters for the IPSec connection are decided during an initial handshake between vpnc and its peer. So vpnc should work out of the box. Please remember that vpnc was developed as a replacement for Cisco's proprietary client and as such should be as simple and easy to configure and use as the Cisco client itself. However, you might want to start vpnc in a terminal with the option '--debug 1' and recognise among other messages a line similar to this:

 IKE SA selected psk+xauth+aes128-sha1

And so everything is fine ...


There seems to be a native client on Mac OS X which supports these options.
https://faq.oit.gatech.edu/content/how-do-i-configure-os-x-integrated-ipsec-vpn-client

> Are you sure this is still an ipsec based VPN, rather than an SSL based
> VPN like "AnyConnect", for which you'll need to switch from vpnc to
> openconnect?

We are using Global Protect which supports both SSL and Ipsec based connections:
https://www.paloaltonetworks.com/products/globalprotect/subscription

They are actually recommending vpnc or strongSwan for Linux.

strongswan and also libreswan provide many more configuration options for tweaking the IPSec connection exactly the way you need or want it. There are packages in Debian's repositories for both libreswan and strongswan.

Best regards,

Thomas Uhle
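
Added example, not part of the original message and not code from vpnc: a shell function that reads saved `--debug 1` output and checks the negotiated suite against the values the gateway administrators asked for (AES-128 and SHA1). It assumes the line has the form quoted in the message above; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumption: the debug line looks like the one quoted in the message,
#   IKE SA selected <auth methods joined by '+'>+<cipher>-<hash>

# check_ike_suite WANT_CIPHER WANT_HASH   (debug output is read from stdin)
# Returns 0 on match, 1 on mismatch, 2 if no "IKE SA selected" line exists.
check_ike_suite() {
    want_cipher=$1
    want_hash=$2
    # Use the last such line in case the handshake was retried.
    line=$(grep 'IKE SA selected ' | tail -n 1)
    if [ -z "$line" ]; then
        echo "no 'IKE SA selected' line: handshake incomplete or debug level too low"
        return 2
    fi
    suite=${line##*"IKE SA selected "}            # psk+xauth+aes128-sha1
    suite=$(printf '%s' "$suite" | tr -d ' \r')   # drop stray blanks and CRs
    transform=${suite##*+}                        # aes128-sha1
    cipher=${transform%%-*}                       # aes128
    hash=${transform#*-}                          # sha1
    if [ "$cipher" = "$want_cipher" ] && [ "$hash" = "$want_hash" ]; then
        echo "ok: $suite"
        return 0
    fi
    echo "mismatch: negotiated $cipher/$hash, wanted $want_cipher/$want_hash"
    return 1
}

# Constructed sample input. The first line repeats the one quoted above;
# the second is a made-up weaker result to show the failure path.
sample_ok=' IKE SA selected psk+xauth+aes128-sha1'
sample_other=' IKE SA selected psk+xauth+3des-md5'

printf '%s\n' "$sample_ok" | check_ike_suite aes128 sha1
```
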
