bluefool
06-07-2016 04:30 AM
IPSEC/L2TP VPN Not Connecting with vpnc or StrongSwan
Hi,
I've set up a dual boot with Debian and am trying to move completely off having to use Windows. Pretty much the last thing to do is to set up my VPN connection to the office Cisco router.
I've tried vpnc and StrongSwan and in each case I can log on and get an IP address on the office LAN, but it then fails. The error on the Cisco router is "Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy"
I've been using the same VPN account set up via Windows DUN for years and it's still working, so I know the VPN account is set up correctly server side. I'm not dogmatic about which method I use; I just want it to work on Linux!
If anyone could help me identify where I'm going wrong I would be very grateful. I'm far from an expert on VPNs, I'm afraid, so I'm hoping it's something obvious I'm doing wrong.
Here are my config files and output for both programs (usernames and IPs redacted):
VPNC
default.conf
Code:
# /etc/vpnc/default.conf -- values in parentheses are redacted
IPSec gateway (remote IP)
IPSec ID (group ID)
IPSec secret (secret)
Xauth username (user)
Xauth password (pass)
# Phase 1: pre-shared key (group secret) followed by XAuth user login
IKE Authmode psk
IKE DH Group dh2
# Cisco UDP encapsulation (port 10000) instead of standard NAT-T
NAT Traversal Mode cisco-udp
Local Port 10000
Output:
Code:
vpnc --enable-1des --debug 2
vpnc version 0.5.3r550-2
S1 init_sockaddr
[2016-06-07 10:14:55]
S2 make_socket
[2016-06-07 10:14:55]
S3 setup_tunnel
[2016-06-07 10:14:55]
using interface tun0
S4 do_phase1_am
[2016-06-07 10:14:55]
S4.1 create_nonce
[2016-06-07 10:14:55]
S4.2 dh setup
[2016-06-07 10:14:55]
S4.3 AM packet_1
[2016-06-07 10:14:55]
S4.4 AM_packet2
[2016-06-07 10:14:55]
(Cisco Unity)
(Xauth)
(unknown)
(unknown)
got ike lifetime attributes: 2147483 seconds
IKE SA selected psk+xauth-des-sha1
peer is XAUTH capable (draft-ietf-ipsec-isakmp-xauth-06)
NAT status: no NAT-T VID seen
S4.5 AM_packet3
[2016-06-07 10:14:55]
S4.6 cleanup
[2016-06-07 10:14:55]
S5 do_phase2_xauth
[2016-06-07 10:14:55]
S5.1 xauth_request
[2016-06-07 10:14:55]
S5.2 notice_check
[2016-06-07 10:14:55]
S5.3 type-is-xauth check
[2016-06-07 10:14:55]
S5.4 xauth type check
[2016-06-07 10:14:55]
S5.5 do xauth reply
[2016-06-07 10:14:55]
S5.2 notice_check
[2016-06-07 10:14:55]
S5.3 type-is-xauth check
[2016-06-07 10:14:55]
S5.6 process xauth set
[2016-06-07 10:14:55]
S5.7 send xauth ack
[2016-06-07 10:14:55]
S5.8 xauth done
[2016-06-07 10:14:55]
S6 do_phase2_config
[2016-06-07 10:14:55]
S6.1 phase2_config send modecfg
[2016-06-07 10:14:55]
S6.2 phase2_config receive modecfg
[2016-06-07 10:14:56]
got save password setting: 0
got pfs setting: 0
Remote Application Version: Cisco Systems, Inc ASA5505 Version 7.2(4) built by builders on Sun 06-Apr-08 13:39
got address 172.28.80.13
S7 setup_link (phase 2 + main_loop)
[2016-06-07 10:14:56]
S7.0 run interface setup script
[2016-06-07 10:14:56]
S7.1 QM_packet1
[2016-06-07 10:14:56]
S7.2 QM_packet2 send_receive
[2016-06-07 10:14:56]
S7.3 QM_packet2 validate type
[2016-06-07 10:14:56]
got ike lifetime attributes: 86400 seconds
got delete for old connection, ignoring..
vpnc: no response from target
StrongSwan
ipsec.conf:
Code:
version 2
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=xauthpsk
    type=tunnel

conn "ADSL"
    # IKEv1 Aggressive Mode with group PSK + XAuth, the same as the vpnc setup
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    aggressive=yes
    ike=des-sha1-modp1024
    esp=des-sha1-modp1024    # a DH group in esp= proposes PFS (KE payload) in Quick Mode
    xauth=client             # Xauth client mode
    left=(local IP)          # local IP used to connect to IOS
    leftsubnet=(local subnet/24)
    leftid=(group)
    leftsourceip=%config     # apply received IP
    leftauth=psk
    rightauth=psk
    leftauth2=xauth          # use PSK for group RA and Xauth for user
    right=(remote IP)        # gateway IP
    rightsubnet=172.28.0.0/16
    xauth_identity=(user)    # identity for Xauth, password in ipsec.secrets
    auto=add
Output:
Code:
initiating Aggressive Mode IKE_SA ADSL[1] to (remote IP)
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from (local IP)[500] to (remote IP)[500] (434 bytes)
received packet: from (remote IP)[500] to (local IP)[500] (420 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (108 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (76 bytes)
parsed TRANSACTION request 2798627525 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2798627525 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (84 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (68 bytes)
parsed TRANSACTION request 3033165335 [ HASH CPS(X_STATUS) ]
XAuth authentication of '(user)' (myself) successful
IKE_SA ADSL[1] established between (local IP)[(group)]...(remote IP)[(remote IP)]
scheduling reauthentication in 86082s
maximum IKE_SA lifetime 86262s
generating TRANSACTION response 3033165335 [ HASH CPA(X_STATUS) ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (68 bytes)
generating TRANSACTION request 2611185267 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (84 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (68 bytes)
parsed TRANSACTION response 2611185267 [ HASH CPRP(ADDR) ]
installing new virtual IP 172.28.80.12
generating QUICK_MODE request 1009442552 [ HASH SA No KE ID ID ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (308 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3691512445 [ HASH D ]
received DELETE for IKE_SA ADSL[1]
deleting IKE_SA ADSL[1] between (local IP)[(group)]...(remote IP)[(remote IP)]
installing new virtual IP 172.28.80.12
initiating Aggressive Mode IKE_SA ADSL[2] to (remote IP)
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from (local IP)[500] to (remote IP)[500] (434 bytes)
establishing connection 'ADSL' failed
Thanks in advance for any assistance!
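When reading a failed IKEv1 negotiation like the one above, the useful question is not "did it fail" but "how far did it get": Phase 1, XAuth, ModeCfg or Quick Mode. The following is an added example, not code from the post or from strongSwan, that walks a charon log and reports the last stage reached before the peer's DELETE, the payloads of the last Quick Mode request (a KE payload there means PFS was proposed) and whether NAT-T was in use. The two log samples are constructed: the first mirrors the sequence quoted in the post with placeholder addresses, the second is an assumed XAuth failure whose wording is modelled on strongSwan's messages. It only describes what the log shows; it does not diagnose the gateway-side "Conflicting protocols" error.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the charon output quoted in the post
# (addresses and identities replaced by documentation placeholders).
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA ADSL[1] to 198.51.100.1
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
parsed TRANSACTION request 2798627525 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2798627525 [ HASH CPRP(X_USER X_PWD) ]
parsed TRANSACTION request 3033165335 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'user' (myself) successful
IKE_SA ADSL[1] established between 192.0.2.10[group]...198.51.100.1[198.51.100.1]
generating TRANSACTION request 2611185267 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
parsed TRANSACTION response 2611185267 [ HASH CPRP(ADDR) ]
installing new virtual IP 172.28.80.12
generating QUICK_MODE request 1009442552 [ HASH SA No KE ID ID ]
parsed INFORMATIONAL_V1 request 3691512445 [ HASH D ]
received DELETE for IKE_SA ADSL[1]
deleting IKE_SA ADSL[1] between 192.0.2.10[group]...198.51.100.1[198.51.100.1]
installing new virtual IP 172.28.80.12
initiating Aggressive Mode IKE_SA ADSL[2] to 198.51.100.1
establishing connection 'ADSL' failed
"""

# Constructed second sample (assumed wording) where XAuth itself is rejected.
XAUTH_FAIL_LOG = """\
initiating Aggressive Mode IKE_SA ADSL[1] to 198.51.100.1
parsed TRANSACTION request 1 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 1 [ HASH CPRP(X_USER X_PWD) ]
parsed TRANSACTION request 2 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'user' (myself) failed
establishing connection 'ADSL' failed
"""

# "generating/parsed <EXCHANGE> request/response <id> [ payloads ]"
MSG_RE = re.compile(r"^(generating|parsed) (\S+) (request|response) \d+ \[ (.*?) \]$")
STAGE_NAMES = {"start": "before Phase 1", "phase1": "Phase 1 (Aggressive Mode)",
               "xauth": "XAuth", "modecfg": "ModeCfg", "quick_mode": "Quick Mode (Phase 2)"}


@dataclass
class IkeV1Trace:
    conn: Optional[str] = None
    vendor_ids: List[str] = field(default_factory=list)
    behind_nat: bool = False
    xauth_ok: bool = False
    ike_sa_established: bool = False
    virtual_ip: Optional[str] = None
    quick_mode_payloads: Optional[List[str]] = None
    deleted_by_peer: bool = False
    failed: bool = False
    stage: str = "start"            # most recent stage seen
    failed_at: Optional[str] = None  # stage frozen at the first DELETE/failure

    @property
    def pfs_proposed(self) -> bool:
        # charon adds a KE payload to the Quick Mode request only when PFS
        # (a DH group in esp=) is configured.
        return bool(self.quick_mode_payloads) and "KE" in self.quick_mode_payloads

    def failed_stage(self) -> Optional[str]:
        return self.failed_at

    def verdict(self) -> str:
        if self.failed_at is None:
            return "no failure recorded"
        who = "peer sent DELETE" if self.deleted_by_peer else "local failure"
        parts = [f"{who} during {STAGE_NAMES[self.failed_at]}"]
        if self.ike_sa_established:
            parts.append("IKE_SA was established")
        if self.virtual_ip:
            parts.append(f"virtual IP {self.virtual_ip} had been assigned")
        if self.failed_at == "quick_mode":
            parts.append("PFS proposed" if self.pfs_proposed else "no PFS proposed")
        if self.behind_nat:
            parts.append("NAT-T in use")
        return "; ".join(parts)


def parse_charon_log(text: str) -> IkeV1Trace:
    t = IkeV1Trace()
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if t.failed_at is None:  # stop tracking stages once the first failure is recorded
            if (m := re.match(r"initiating Aggressive Mode IKE_SA (\S+)\[\d+\]", line)):
                t.conn, t.stage = m.group(1), "phase1"
            elif (m := re.match(r"XAuth authentication of '.*' \(myself\) (successful|failed)", line)):
                t.stage, t.xauth_ok = "xauth", m.group(1) == "successful"
            elif (m := re.match(r"installing new virtual IP (\S+)", line)):
                t.virtual_ip, t.stage = m.group(1), "modecfg"
            elif (m := MSG_RE.match(line)) and m.group(1) == "generating" and m.group(2) == "QUICK_MODE":
                t.quick_mode_payloads, t.stage = m.group(4).split(), "quick_mode"
        if (m := re.match(r"received (.+) vendor ID", line)):
            t.vendor_ids.append(m.group(1))
        elif line.startswith("local host is behind NAT"):
            t.behind_nat = True
        elif re.match(r"IKE_SA \S+\[\d+\] established", line):
            t.ike_sa_established = True
        elif line.startswith("received DELETE for IKE_SA"):
            t.deleted_by_peer, t.failed_at = True, t.failed_at or t.stage
        elif re.match(r"establishing connection '.*' failed", line):
            t.failed, t.failed_at = True, t.failed_at or t.stage
    return t


if __name__ == "__main__":
    for log in (SAMPLE_LOG, XAUTH_FAIL_LOG):
        print(parse_charon_log(log).verdict())
```

Run against the first sample it reports that the IKE_SA, XAuth and the ModeCfg address all succeeded and that the peer tore the SA down only after the Quick Mode request, which narrows the problem to Phase 2 / the gateway's policy for this tunnel-group rather than to the group secret or user credentials; the second sample stops at XAuth.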