[strongSwan] Cisco VPN: "Informational Exchange message must be encrypted"

Michael Gorbach michael at mgorbach.name
Sat Mar 10 05:15:47 CET 2012


I'm having problems connecting to a VPN hosted on Cisco ASA. I've gotten it working with the vpnc client, so I know that the server name, tunnel group name, and password are right, and the VPN host is working as expected.

My config is as follows:
ipsec.conf:

config setup
        plutodebug=all
        nat_traversal=yes
        charonstart=no
        plutostart=yes
        plutostderrlog=/var/log/strongswan_pluto.log

conn ansible-threshold-cisco-vpn
        left=%defaultroute
        xauth=client
        compress=no
        leftid=@#<hex value of Cisco tunnel group name>
        #modeconfig=push
        #pfs=no
        leftsourceip=%config
        auto=start
        authby=xauthpsk
        keyexchange=ikev1
        ike=3des,sha,modp1024
        esp=3des,sha1,modp1024
        right=<vpn server hostname>

ipsec.secrets looks like this:
: PSK "<Cisco Group PSK string>"
<VPN Username> : XAUTH "<VPN password>"

I get past initial authentication, and see "enabled possible NAT-traversal with method RFC3947". Then, I see nothing for a while. Debug logging shows "Informational Exchange message must be encrypted". Am I doing something wrong in the configuration? Unfortunately, I don't have access to the Cisco server logs, since I'm not an admin at work. Strangely, this behavior is the same even if I change the PSK, so it looks like it doesn't get to the point where it sends the PSK out to the server. Finally, this is using main mode while vpnc is using aggressive mode. ike-scan does show that this VPN server supports main mode, however.

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
<vpn server ip>  Main Mode Handshake returned
        HDR=(CKY-R=73f1b60f1d71552d)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Any help would be greatly appreciated ...

Thanks,
~ Michael Gorbach

PS. Andreas and other devs: The list archives show you responding to similar threads in the past. I can send debug logs from pluto if needed.
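As an added example (not part of the original post, and not strongSwan project code), the helper below does two checks a practitioner would want before retrying a configuration like the one above: it builds and decodes the `@#<hex>` key-ID form that strongSwan uses for a Cisco tunnel group name, and it parses the `SA=(...)` transform that ike-scan reported into the hyphenated `enc-hash-group` proposal syntax that strongSwan's `ike=` setting expects, then checks whether a given `ike=` value actually covers it. The group name, the algorithm-name mappings and the sample ike-scan line are constructed here from what the post shows and are assumptions, not values from the real server.

```python
"""Helpers for checking a strongSwan IKEv1/XAuth config against ike-scan output.

Added example; not strongSwan's own code. Assumptions are marked inline.
"""
import re

# strongSwan expresses an ID_KEY_ID identity as "@#" followed by the hex bytes.
def keyid_from_group(group_name: str) -> str:
    """Return the leftid value for a Cisco tunnel group name ("@#" + hex)."""
    return "@#" + group_name.encode("utf-8").hex()


def group_from_keyid(keyid: str) -> str:
    """Reverse of keyid_from_group, raising if the prefix is not '@#'."""
    if not keyid.startswith("@#"):
        raise ValueError("not a KEY_ID identity (expected '@#' prefix)")
    return bytes.fromhex(keyid[2:]).decode("utf-8")


# ike-scan prints the accepted phase-1 transform as "SA=(Key=Val Key=Val ...)".
_SA_RE = re.compile(r"SA=\((.*?)\)")


def parse_ike_scan_sa(line: str) -> dict:
    """Parse the SA=(...) part of an ike-scan Main Mode result into a dict."""
    m = _SA_RE.search(line)
    if not m:
        raise ValueError("no SA=(...) transform found in ike-scan output")
    return dict(kv.split("=", 1) for kv in m.group(1).split())


# Assumed mapping from ike-scan's names to strongSwan proposal keywords.
# Only the algorithms relevant to this post are listed.
_ENC = {"3DES": "3des"}
_HASH = {"SHA1": "sha1", "MD5": "md5"}


def ike_proposal_from_sa(sa: dict) -> str:
    """Render an ike-scan transform as a strongSwan proposal, e.g. 3des-sha1-modp1024."""
    enc = _ENC[sa["Enc"]]
    mac = _HASH[sa["Hash"]]
    group = sa["Group"].split(":", 1)[1]   # "2:modp1024" -> "modp1024"
    return f"{enc}-{mac}-{group}"


def _normalise(proposal: str) -> str:
    # strongSwan accepts "sha" as an alias for "sha1"; compare on one spelling.
    return "-".join("sha1" if a == "sha" else a for a in proposal.rstrip("!").split("-"))


def ike_setting_covers(ike_setting: str, proposal: str) -> bool:
    """True if one of the comma-separated proposals in ike= equals the server's transform.

    Commas separate whole proposals; algorithms inside one proposal are joined by '-'.
    """
    offered = {_normalise(p.strip()) for p in ike_setting.split(",")}
    return _normalise(proposal) in offered


if __name__ == "__main__":
    # Constructed sample, modelled on the ike-scan line in the post.
    sample = ("SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK "
              "LifeType=Seconds LifeDuration=28800)")
    proposal = ike_proposal_from_sa(parse_ike_scan_sa(sample))
    print("server transform as strongSwan proposal:", proposal)
    print("ike=3des-sha1-modp1024 covers it:", ike_setting_covers("3des-sha1-modp1024", proposal))
    print("ike=3des,sha,modp1024 covers it:  ", ike_setting_covers("3des,sha,modp1024", proposal))
    print("leftid for group 'example-group':", keyid_from_group("example-group"))
```

Run it to see that a hyphenated `ike=3des-sha1-modp1024` matches the transform ike-scan reported, while a comma-separated spelling is read by strongSwan as three separate one-algorithm proposals and matches nothing.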

