Hello all, I've done some cursory searching but I haven't seen my issue addressed.
We have a Cisco ASAv to which we've been using vpnc to open an IPsec tunnel. The vpnc client seems to have issues handling rekey events, and is quite old, so I am trying to connect to the same VPN gateway using libreswan to do comparative testing. So far, I have not been successful in establishing a link. I am using CentOS 8, which comes with libreswan 3.29.

For reference, here is the vpnc config (items in brackets are redacted):

    IPSec ID <our_ipsec_group_id>
    IPSec gateway <gateway_ip>
    IPSec obfuscated secret <obfuscated-psk>
    Local Port 0
    Xauth password <vpn user password>
    Xauth username <vpn username>

To map this to libreswan, I've done the following:

/etc/ipsec.d/myconn.secrets contains:

    # note that <psk> is the de-obfuscated form of <obfuscated-psk> contained in the vpnc config
    <gateway_ip> %any : PSK "<psk>"
    @<vpn username> : XAUTH "<vpn user password>"

/etc/ipsec.d/myconn.conf contains:

    conn myconn
        ikev2=no
        authby=secret
        left=%defaultroute
        leftxauthclient=yes
        leftmodecfgclient=yes
        leftxauthusername=<vpn username>
        leftid=@<our_ipsec_group_id>
        right=<gateway_ip>
        rightxauthserver=yes
        rightmodecfgserver=yes
        rightid=@<our_ipsec_group_id>
        ike_frag=yes
        auto=ignore
        ike=aes256-sha1;dh2
        phase2=esp
        phase2alg=aes256-sha1;dh2
        nat-ikev1-method=rfc
        remote-peer-type=cisco
        salifetime=900

(I'm aware several of these settings are insecure, such as dh2.)

I use the following commands to attempt to bring up the tunnel:

    ipsec auto --add myconn
    ipsec auto --up myconn

When I do this, I get the following output:

    002 "myconn" #1: initiating Main Mode
    104 "myconn" #1: STATE_MAIN_I1: initiate
    106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
    003 "myconn" #1: ignoring informational payload INVALID_COOKIE, msgid=00000000, length=40
    003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE

The last three lines repeat with increasing retransmission delays.
On the ASAv side, I get this interesting error:

    %ASA-4-713903: Group = <my ip>, IP = <my ip>, Can't find a valid tunnel group, aborting...!
    %ASA-4-713903: IP = <my ip> Header invalid, missing SA payload! (next payload = 4)

On working clients, it will show Group = <our_ipsec_group_id>.

The documentation I've read says the `leftid` parameter should set this, and I've tried both "leftid=@[<our_ipsec_group_id>]" and "leftid=@<our_ipsec_group_id>" to no avail. So, that's where I'm presently stuck.

TL;DR: under what circumstances would libreswan insist on sending the IP as the group instead of what's set as `leftid`? Can I get there from here?

Thanks,
Nathan
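An added example for readers triaging this kind of stall (it is not part of Nathan's post and not libreswan or Cisco code): a small Python script that parses the pluto status lines `ipsec auto --up` prints and the ASA 713903 syslog line, then reports where Main Mode stopped and whether the ASA recorded the peer's IP address in the Group field instead of a tunnel-group name. The sample lines are constructed from the ones quoted above; the address 198.51.100.7 and the group name "mygroup" are made up, and the line formats are assumed to be exactly as quoted in the post.

```python
"""Triage a stalled libreswan IKEv1 Main Mode negotiation from its logs.

Added example, not from the original post.  It only reports what the
log lines show (last state reached, retransmissions, peer notifications,
and what the ASA logged as the Group); it does not claim a root cause.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of `ipsec auto --up myconn` output, mirroring the
# post (the retransmission block repeats with a longer delay).
PLUTO_OUTPUT = """\
002 "myconn" #1: initiating Main Mode
104 "myconn" #1: STATE_MAIN_I1: initiate
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
003 "myconn" #1: ignoring informational payload INVALID_COOKIE, msgid=00000000, length=40
003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE
010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 1 seconds for response
003 "myconn" #1: ignoring informational payload INVALID_COOKIE, msgid=00000000, length=40
003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE
"""

# Constructed ASA syslog line; 198.51.100.7 is a documentation address
# standing in for the redacted <my ip>.
ASA_FAILING = ("%ASA-4-713903: Group = 198.51.100.7, IP = 198.51.100.7, "
               "Can't find a valid tunnel group, aborting...!")

PLUTO_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'\b(STATE_[A-Z0-9_]+)\b')
NOTIFY_RE = re.compile(r'notification payload: (\S+)')
ASA_RE = re.compile(r'^%ASA-\d-\d+: Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+),')


def summarize_pluto(output):
    """Record the last STATE_* reached, the number of retransmissions
    pluto logged, and a count of notification payloads the peer sent."""
    conn = None
    last_state = None
    retransmissions = 0
    notifications = Counter()
    for line in output.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue  # skip anything that is not a pluto status line
        conn = m.group("conn")
        msg = m.group("msg")
        s = STATE_RE.search(msg)
        if s:
            last_state = s.group(1)
        if "retransmission" in msg:
            retransmissions += 1
        n = NOTIFY_RE.search(msg)
        if n:
            notifications[n.group(1)] += 1
    return {
        "conn": conn,
        "last_state": last_state,
        "retransmissions": retransmissions,
        "notifications": dict(notifications),
    }


def diagnose(summary):
    """One-line statement of where phase 1 stopped, derived from the summary."""
    state = summary["last_state"]
    notes = summary["notifications"]
    if state == "STATE_MAIN_I2" and summary["retransmissions"] > 0:
        names = ", ".join(sorted(notes)) or "no notifications"
        return (f"Main Mode stalled at {state}: MI2 sent, MR2 never received; "
                f"peer answered with {names} {sum(notes.values())} time(s)")
    return f"last state {state}, {summary['retransmissions']} retransmission(s)"


def parse_asa_group(line):
    """Return (group, ip) from an ASA 713903 line, or None if it does not match."""
    m = ASA_RE.match(line)
    if not m:
        return None
    return m.group("group").strip(), m.group("ip").strip()


def group_is_peer_ip(group, peer_ip):
    """True when the Group field holds the peer's own address rather than a
    tunnel-group name, i.e. the initiator identified itself by IP."""
    try:
        return ipaddress.ip_address(group) == ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # a group name such as "mygroup" is not an address


if __name__ == "__main__":
    summary = summarize_pluto(PLUTO_OUTPUT)
    print(diagnose(summary))
    group, ip = parse_asa_group(ASA_FAILING)
    print(f"ASA logged Group={group} IP={ip}; identity sent as IP: "
          f"{group_is_peer_ip(group, ip)}")
```

Run it against the real `ipsec auto --up` output and the ASA syslog export to confirm the same picture: the initiator never leaves STATE_MAIN_I2, every retransmission is answered with INVALID_COOKIE, and the ASA's Group field equals the peer IP, which matches the post's observation that working clients show the group id there instead.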
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
