On Mon, 14 Jul 2014, [email protected] wrote:

In cisco vpn client you cannot change encryption settings. It should negotiate automatically one of the methods supported by both sides, but it does not.

If it sends more than just 1DES, that's fine and we will pick another
transform.

5      08:59:19.441  07/14/14  Sev=Warning/2    IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
6      08:59:19.441  07/14/14  Sev=Warning/3    IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

That just means an old attempt is tried again. It's harmless.

7      08:59:24.927  07/14/14  Sev=Warning/2    IKE/0xA3000062
Attempted incoming connection from 192.168.110.53. Inbound connections are not allowed.

That seems to be a rejection. If it really does not like unbound ones,
can you generate some traffic behind the cisco so the cisco initiates
the tunnel on demand?

So libreswan does not work with cisco vpn client group authentication. I will try it with certificates and let you know if it works.

Group authentication usually means PreSharedKey, and not
RSA/certificates. You would need to specify this in your configuration,
e.g.: rightid=@[GroupName]

The [brackets] are needed on Cisco to use opaque identifiers of type ID_KEY_ID.

You put the preshared key in ipsec.secrets with that identifier as well.

Paul
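To illustrate the two settings Paul describes together, here is an added configuration sketch (not from the thread and not libreswan's shipped defaults): the ipsec.conf conn carries the bracketed group identifier as rightid, and ipsec.secrets lists the same identifier with the group PSK. The hostname vpn.example.com, the group name and the secret are constructed placeholders.

```ini
# /etc/ipsec.conf (added example, not from the thread)
conn cisco-group-psk
    # group authentication = PSK, so authenticate with a shared secret
    authby=secret
    left=%defaultroute
    leftid=@vpn.example.com          # constructed placeholder for this side's ID
    right=%any
    # brackets give the Cisco client an opaque ID_KEY_ID identifier
    rightid=@[GroupName]             # GroupName is a constructed placeholder
    # Cisco group PSK clients authenticate users with XAUTH on top of the group PSK
    leftxauthserver=yes
    rightxauthclient=yes
    rightmodecfgclient=yes
    auto=add

# /etc/ipsec.secrets (added example): the same @[GroupName] identifier
# selects the group key; the secret value is a constructed placeholder.
@vpn.example.com @[GroupName] : PSK "constructed-group-secret"
```

Any mismatch between the rightid string in ipsec.conf and the identifier in ipsec.secrets means no PSK is found for the peer, so check that both files use the identical bracketed name.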
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan