[vpnc-devel] VPNC and ASA 5510 series
Carlton Whitehead
cebesius at cebesius.com
Fri Jun 13 16:07:20 CEST 2008
Joerg Mayer wrote:
> On Mon, May 19, 2008 at 02:01:38PM -0400, Carlton Whitehead wrote:
>
>> I'm not sure if this mailing list is the most appropriate place to ask technical questions about vpnc. If not, please let me know.
>>
>
> Yes, it is the right place.
>
>
>> We have recently implemented a Cisco ASA 5510 series to run our VPN. I am having trouble connecting to it from my Ubuntu 8.04 workstation with vpnc version 0.5.1r275-1 (version number of the installed .deb package). The only way that it will connect is with single DES encryption enabled. Our Windows machines with the official Cisco VPN client can connect with 3DES.
>>
> ...
>
>> Open vpnc.pcap in Wireshark, open packet #4, then drill down to the Internet Security Association and Key Management Protocol -> Security Association payload. Notice the Proposal payload is # 0. In the next packet, the Cisco ASA changed the Proposal payload to # 1. Not sure if there is an issue here.
>>
>> Open OfficialCiscoVPNClient.pcap, open packet #1, then drill down to the Internet Security Association and Key Management Protocol -> Security Association payload. Notice the Proposal payload is # 1. The number in the response packet is also #1.
>>
>
> OK, this might be a bug in the ASA, nevertheless it might be a misinterpretation
> of the standard on our side (although I couldn't find any restrictions on the value
> for the first proposal in RFC2408, I may have missed it).
>
> If you could test the attached patch that would be nice. Otherwise please let
> me know and I could try to reproduce the problem with your concentrator.
>
> Thanks for the report!
> Joerg
>
Thanks Joerg! I'll try the patch this weekend. Should I just check out
the latest revision from svn, or should I use the 0.5.1 release?
Regards,
Carlton Whitehead
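
The comparison described in this thread, reading the Proposal # from the first Proposal payload of an ISAKMP request and of its reply, as an added example (not part of the original messages and not vpnc code). It assumes the SA payload is the first payload and that the Situation field is the 4-byte IPsec DOI form; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDR_LEN    28 /* ISAKMP header: cookies 16, next/ver/xchg/flags 4, msg id 4, length 4 */
#define SA_FIXED   12 /* generic header 4, DOI 4, Situation 4 (assumed IPsec DOI form) */
#define PROP_FIXED  8 /* generic header 4, Proposal #, Protocol-ID, SPI size, # transforms */

/* Proposal # of the first Proposal payload in the SA payload, or -1 if malformed. */
int first_proposal_number(const uint8_t *msg, size_t len)
{
    if (len < HDR_LEN + SA_FIXED + PROP_FIXED || msg[16] != 1 /* next payload: SA */)
        return -1;
    const uint8_t *sa = msg + HDR_LEN;
    size_t sa_len = ((size_t)sa[2] << 8) | sa[3];
    if (sa_len < SA_FIXED + PROP_FIXED || sa_len > len - HDR_LEN)
        return -1;                       /* SA payload must fit inside the datagram */
    const uint8_t *prop = sa + SA_FIXED;
    size_t prop_len = ((size_t)prop[2] << 8) | prop[3];
    if (prop_len < PROP_FIXED || prop_len > sa_len - SA_FIXED)
        return -1;                       /* proposal must fit inside the SA payload */
    return prop[4];
}

/* 1 = same Proposal # in both messages, 0 = different, -1 = either failed to parse. */
int proposal_numbers_match(const uint8_t *req, size_t rlen, const uint8_t *rsp, size_t slen)
{
    int a = first_proposal_number(req, rlen), b = first_proposal_number(rsp, slen);
    return (a < 0 || b < 0) ? -1 : a == b;
}

/* Constructed 48-byte sample (not from the pcaps): header, SA, one proposal, no transforms. */
void build_sample(uint8_t out[48], uint8_t proposal_no)
{
    memset(out, 0, 48);
    out[16] = 1;  out[27] = 48;          /* first payload is SA; total message length */
    out[31] = 20; out[35] = 1;           /* SA payload length; DOI: IPsec */
    out[39] = 1;  out[43] = 8;           /* Situation: identity only; Proposal length */
    out[44] = proposal_no; out[45] = 1;  /* Proposal #; Protocol-ID: PROTO_ISAKMP */
}
int main(void)
{
    uint8_t req[48], rsp[48];
    build_sample(req, 0);                /* request numbered 0, as described for vpnc.pcap */
    build_sample(rsp, 1);                /* reply numbered 1, as described for the ASA */
    printf("req=%d rsp=%d match=%d\n", first_proposal_number(req, 48),
           first_proposal_number(rsp, 48), proposal_numbers_match(req, 48, rsp, 48));
    return 0;
}
```

To run it against real traffic, pass the UDP payload of each ISAKMP packet, exported from the capture, in place of the constructed buffers.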