Try aggressive=yes? Also, DH2 support has been disabled - it is too weak. Try using dh5.
Sent from my iPhone

> On Sep 26, 2020, at 03:12, Nathan Strong <[email protected]> wrote:
>
> Hello all,
>
> I've done some cursory searching but I haven't seen my issue addressed.
>
> We have a Cisco ASAv that we've been using vpnc to open an IPsec tunnel. The
> vpnc client seems to have issues handling rekey events, and is quite old, so
> I am trying to connect to the same VPN gateway using libreswan to do
> comparative testing. So far, I have not been successful in establishing a
> link.
>
> I am using CentOS 8, which comes with libreswan 3.29
>
> For reference, here is the vpnc config (items in brackets are redacted):
>
> IPSec ID <our_ipsec_group_id>
> IPSec gateway <gateway_ip>
> IPSec obfuscated secret <obfuscated-psk>
> Local Port 0
> Xauth password <vpn user password>
> Xauth username <vpn username>
>
> To map this to libreswan, I've done the following:
>
> /etc/ipsec.d/myconn.secrets contains:
> # note that <psk> is the de-obfuscated form of <obfuscated-psk> contained in
> # the vpnc config
> <gateway_ip> %any : PSK "<psk>"
> @<vpn username> : XAUTH "<vpn user password>"
>
> /etc/ipsec.d/myconn.conf contains:
> conn myconn
>     ikev2=no
>     authby=secret
>     left=%defaultroute
>     leftxauthclient=yes
>     leftmodecfgclient=yes
>     leftxauthusername=<vpn username>
>     leftid=@<our_ipsec_group_id>
>     right=<gateway_ip>
>     rightxauthserver=yes
>     rightmodecfgserver=yes
>     rightid=@<our_ipsec_group_id>
>     ike_frag=yes
>     auto=ignore
>     ike=aes256-sha1;dh2
>     phase2=esp
>     phase2alg=aes256-sha1;dh2
>     nat-ikev1-method=rfc
>     remote-peer-type=cisco
>     salifetime=900
>
> (I'm aware several of these settings are insecure, such as dh2)
>
> I use the following commands to attempt to bring up the tunnel:
> ipsec auto --add myconn
> ipsec auto --up myconn
>
> When I do this, I get the following output:
>
> 002 "myconn" #1: initiating Main Mode
> 104 "myconn" #1: STATE_MAIN_I1: initiate
> 106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 010 "myconn" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
> 003 "myconn" #1: ignoring informational payload INVALID_COOKIE, msgid=00000000, length=40
> 003 "myconn" #1: received and ignored notification payload: INVALID_COOKIE
>
> The last three lines repeat with increasing retransmission delays.
>
> On the ASAv side, I get this interesting error:
>
> %ASA-4-713903: Group = <my ip>, IP = <my ip>, Can't find a valid tunnel group, aborting...!
> %ASA-4-713903: IP = <my ip> Header invalid, missing SA payload! (next payload = 4)
>
> On working clients, it will show Group = <our_ipsec_group_id>
>
> The documentation I've read says the `leftid` parameter should set this, and
> I've tried both "leftid=@[<our_ipsec_group_id>]" and
> "leftid=@<our_ipsec_group_id>" to no avail.
>
> So, that's where I'm presently stuck.
>
> TL;DR: under what circumstances would libreswan insist on sending the IP as
> the group instead of what's set as `leftid`? Can I get there from here?
>
> Thanks,
>
> Nathan
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
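Added illustration, not part of the thread: the conn block below applies the reply's two suggestions to the configuration quoted above. In IKEv1 Main Mode with PSK authentication the ID payload is only sent encrypted after the DH exchange, so the responder has to select the tunnel group by source IP; Aggressive Mode carries the initiator ID in the very first message, which is why the group name can only take effect there. The `@[...]` ID_KEY_ID form for `leftid` and the phase 2 PFS group are assumptions and must match what the ASA's tunnel group and group policy accept; the `<...>` placeholders are the post's own.

```ini
# /etc/ipsec.d/myconn.conf -- added example, placeholders as in the post
conn myconn
    ikev2=no
    # CHANGED: Aggressive Mode puts IDii in message 1, so the ASA can look
    # up the tunnel group by name instead of falling back to the source IP.
    aggressive=yes
    authby=secret
    left=%defaultroute
    leftxauthclient=yes
    leftmodecfgclient=yes
    leftxauthusername=<vpn username>
    # ASSUMPTION: @[...] sends the name as ID_KEY_ID, the identity type
    # Cisco uses for group names; plain @name is sent as ID_FQDN.
    leftid=@[<our_ipsec_group_id>]
    right=<gateway_ip>
    rightxauthserver=yes
    rightmodecfgserver=yes
    rightid=@<our_ipsec_group_id>
    ike_frag=yes
    auto=ignore
    # CHANGED: dh2 (modp1024) is disabled in libreswan per the reply; dh5 is
    # modp1536. Aggressive Mode also allows exactly one proposal in ike=.
    ike=aes256-sha1;dh5
    phase2=esp
    # CHANGED: PFS group moved to dh5 as well (assumption: the ASA group
    # policy permits it; drop the ";dh5" suffix if the ASA has PFS disabled).
    phase2alg=aes256-sha1;dh5
    nat-ikev1-method=rfc
    remote-peer-type=cisco
    salifetime=900
```

The secrets file from the post needs no change: its `<gateway_ip> %any` line matches any local ID, including the new `@[...]` form.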
