Hello,
I submitted this as a bug report to the Fedora (Red Hat) bugzilla
(https://bugzilla.redhat.com/show_bug.cgi?id=1171852). Many details
there, summary here.
On Fedora 20, I configured a new VPN in NetworkManager, using the vpnc
back-end. The remote end is a Fortigate firewall. I configured per
http://www.justdailynotes.com/fortinet/linux/2014/11/24/Fortigate-IPSec-Linux-NetworkManager/
Later, running SVN trunk from the command line with "Debug 3", I receive
the output below. No SIGABRT, but still did not successfully connect to
the remote.
I realize this isn't a Cisco VPN server, so feel free to tell me to go
away! Also, I now realize that the information below doesn't show a
reproduction of the bugzilla report. No SIGABRT, vpnc simply won't
connect (well, it *does* connect, but then closes the connection).
Does this look like a simple configuration error on my part? That would
be great!
Thanks for looking at this and at the Bugzilla bug report.
Best regards,
~David Klann
Configuration summary from the Fortigate (I don't have admin access to
this device):
# IKE version 1
# Mode = aggressive
# NAT Traversal = enabled
# Dead Peer Detection = enabled
# Phase 1
# ---
# AES256-MD5, AES256-SHA1
# DH Group = 2
# Phase 2
# ---
# AES256-MD5, AES256-SHA1
# Replay Detection = enabled
# Autokey Keep Alive = enabled
My vpnc.conf:
IPSec gateway ip.addr.goes.here
Vendor cisco
IPSec ID WIN
IKE Authmode psk
IPSec secret big-long-secret
Xauth username username
Xauth password another-big-long-secret
NAT Traversal Mode natt
IKE DH Group dh2
Perfect Forward Secrecy dh2
DPD idle timeout (our side) 10
Debug 3
No Detach
STDERR from running 'sudo vpnc vpnc.conf':
vpnc: quick mode response rejected: (ISAKMP_N_INVALID_MESSAGE_ID)(9)
this means the concentrator did not like what we had to offer.
Possible reasons are:
* concentrator configured to require a firewall
this locks out even Cisco clients on any platform except windows
which is an obvious security improvement. There is no workaround (yet).
* concentrator configured to require IP compression
this is not yet supported by vpnc.
Note: the Cisco Concentrator Documentation recommends against using
compression, except on low-bandwith (read: ISDN) links, because it
uses much CPU-resources on the concentrator
Debug output in the attached text file.
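When a vpnc.conf and a gateway summary like the ones above are compared by hand, the usual suspects for a Phase 2 rejection are a DH/PFS group mismatch and secrets that should never be pasted into a report. The following is an added example (not from the mail, not vpnc's own code): it parses the multi-word vpnc.conf directives shown in the mail, redacts the two secret values, and cross-checks the dhN groups against the "DH Group = N" line of the Fortigate summary. The key list is assumed from the configuration in the mail and covers only those directives.

```python
import re

# vpnc.conf directives are multi-word keys followed by a value. The list below
# is assumed from the config quoted in the mail (not the complete vpnc set).
KNOWN_KEYS = (
    "IPSec gateway", "Vendor", "IPSec ID", "IKE Authmode", "IPSec secret",
    "Xauth username", "Xauth password", "NAT Traversal Mode", "IKE DH Group",
    "Perfect Forward Secrecy", "DPD idle timeout (our side)", "Debug", "No Detach",
)
SECRET_KEYS = ("IPSec secret", "Xauth password")

# Constructed sample input, copied from the report (secrets are placeholders).
SAMPLE_CONF = """IPSec gateway ip.addr.goes.here
Vendor cisco
IPSec ID WIN
IKE Authmode psk
IPSec secret big-long-secret
Xauth username username
Xauth password another-big-long-secret
NAT Traversal Mode natt
IKE DH Group dh2
Perfect Forward Secrecy dh2
DPD idle timeout (our side) 10
Debug 3
No Detach
"""
SAMPLE_GATEWAY = "# IKE version 1\n# Mode = aggressive\n# DH Group = 2\n"

def parse_vpnc_conf(text):
    """Return {directive: value}; flag-only directives (No Detach) map to ''."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Try longest keys first so a shorter key is never matched as a prefix.
        for key in sorted(KNOWN_KEYS, key=len, reverse=True):
            if line == key or line.startswith(key + " "):
                conf[key] = line[len(key):].strip()
                break
        else:
            raise ValueError("unknown vpnc.conf directive: %r" % line)
    return conf

def redact(conf):
    """Copy of the parsed config that is safe to paste into a bug report."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in conf.items()}

def check_dh_groups(conf, gateway_summary):
    """List mismatches between the client's dhN settings and the gateway's DH group."""
    m = re.search(r"DH Group\s*=\s*(\d+)", gateway_summary)
    if not m:
        return ["gateway summary does not state a DH group"]
    want = "dh" + m.group(1)
    return ["%s is %s but gateway uses %s" % (key, conf[key], want)
            for key in ("IKE DH Group", "Perfect Forward Secrecy")
            if conf.get(key) and conf[key] != want]
```

For the configuration in the mail, `check_dh_groups(parse_vpnc_conf(SAMPLE_CONF), SAMPLE_GATEWAY)` returns an empty list, so the DH/PFS groups are not the mismatch; the remaining candidates are the ones vpnc itself names in its error text.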