[strongSwan] Cisco VPN: "Informational Exchange message must be encrypted"
michael at mgorbach.name
Sat Mar 10 05:15:47 CET 2012
I'm having problems connecting to a VPN hosted on Cisco ASA. I've gotten it working with the vpnc client, so I know that the server name, tunnel group name, and password are right, and the VPN host is working as expected.
My config is as follows:
leftid=@#<hex value of Cisco tunnel group name>
right=<vpn server hostname>
ipsec.secrets looks like this:
: PSK "<Cisco Group PSK string>"
<VPN Username> : XAUTH "<VPN password>"
I get past initial authentication, and see "enabled possible NAT-traversal with method RFC3947". Then, I see nothing for a while. Debug logging shows "Informational Exchange message must be encrypted". Am I doing something wrong in the configuration? Unfortunately, I don't have access to the Cisco server logs, since I'm not an admin at work. Strangely, this behavior is the same even if I change the PSK, so it looks like it doesn't get to the point where it sends the PSK out to the server. Finally, this is using main mode while vpnc is using aggressive mode. ike-scan does show that this VPN server supports main mode, however.
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
<vpn server ip> Main Mode Handshake returned
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Any help would be greatly appreciated ...
~ Michael Gorbach
PS. Andreas and other devs: The list archives show you responding to similar threads in the past. I can send debug logs from pluto if needed.
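As an added example (not the poster's configuration and not taken from the strongSwan project), this is a complete ipsec.conf conn for a strongSwan 5.x charon client talking to a Cisco ASA tunnel group with group PSK plus XAuth. It keeps the placeholders used in the post, takes the proposal from the ike-scan output above, and uses aggressive mode, because the ASA selects the tunnel group from the ID in the first message, which main mode only delivers after the PSK has already been used; the aggressive=yes and xauth_identity keywords assume strongSwan 5.0 or later.

```ini
# ipsec.conf (assumed strongSwan 5.x; option names are real strongSwan keywords)
config setup
    charondebug="ike 2, cfg 2"     # enough to see IDs and proposal selection

conn cisco-asa
    keyexchange=ikev1
    aggressive=yes                 # ASA tunnel groups are matched on the ID in message 1
    authby=xauthpsk                # phase 1: group PSK, then XAuth user credentials
    xauth=client
    xauth_identity=<VPN Username>  # must match the XAUTH line in ipsec.secrets
    ike=3des-sha1-modp1024!        # exactly what ike-scan reported; "!" means no fallback
    esp=3des-sha1!
    left=%defaultroute
    leftid=@#<hex value of Cisco tunnel group name>   # ID_KEY_ID, hex of the group name
    leftsourceip=%config           # accept the virtual IP the ASA hands out
    right=<vpn server hostname>
    rightsubnet=0.0.0.0/0          # full tunnel; narrow this if split tunnelling is wanted
    auto=add

# ipsec.secrets (same content as in the post)
#   : PSK "<Cisco Group PSK string>"
#   <VPN Username> : XAUTH "<VPN password>"
#
# Caveat: in aggressive mode the PSK-derived hash travels unencrypted, so the
# group PSK must be long and random; a weak group PSK is exposed to offline guessing.
```

Run `ipsec up cisco-asa` and watch `ipsec statusall`; with charondebug as above the log shows which tunnel-group ID was sent and whether the ASA accepted the 3DES/SHA1/modp1024 proposal before XAuth starts.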