[vpnc-devel] one way around ISAKMP_N_INVALID_MESSAGE_ID

Marques Johansson displague at displague.com
Sun Jul 9 02:32:07 CEST 2006

I was having difficulty using vpnc to connect to my company's vpn.  In 
past releases vpnc would sometimes connect and sometimes it would not 
connect - for seemingly no reason.  It had been a while since my last 
attempt so I thought I'ld give 0.3.3 a whirl.

At first, it failed giving a somewhat informative list of possible reasons 
for the failure (ISAKMP_N_INVALID_MESSAGE_ID).  Examining the output of 
the Cisco client, you see that IP Compression is not in use.  I am also 
capable of running the Cisco client under Linux, so the other possibility 
is also not the case.

The "56-bit DES" is the clue that I should have been using 

vpnc connects everytime establishing all the routes and setting up the 
dns.  Now if only there were a PocketPC build... :)

[displague at fall] /tmp/vpnclient> vpnclient stat
Cisco Systems VPN Client Version 4.8.00 (0490)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.17-3-686 #1 SMP Thu Jun 29 03:49:12 UTC 2006 i686
Config file directory: /etc/opt/cisco-vpnclient

VPN tunnel information.
Connection Entry: na1
Client address:
Server address:
Encryption: 56-bit DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 4500
Local LAN Access is disabled

( I used pcf2vpnc to convert my config file... )

[displague at fall] /tmp/trunk> cat /etc/vpnc/na1.conf
IPSec ID **********
IPSec gateway
IPSec secret ********
Xauth username mjohansson
Domain  *******

(close the vpnclient connection)

[displague at fall] /tmp/trunk> sudo ./vpnc na1
Enter password for mjohansson at
vpnc: quick mode response rejected: ISAKMP_N_INVALID_MESSAGE_ID(9)
this means the concentrator did not like what we had to offer.
Possible reasons are:
    * concentrator configured to require a firewall
       this locks out even Cisco clients on any platform expect windows
       which is an obvious security improvment. There is no workaround (yet).
    * concentrator configured to require IP compression
       this is not yet supported by vpnc.
       Note: the Cisco Concentrator Documentation recommends against using
       compression, expect on low-bandwith (read: ISDN) links, because it
       uses much CPU-resources on the concentrator

[displague at fall] /tmp/trunk> sudo vpnc --enable-1des na1
Enter password for mjohansson at
VPNC started in background (pid: 6778)..

(everything works after this point)
Marques Johansson
marques at displague.com

Q:	Why did the lone ranger kill Tonto?
A:	He found out what "kimosabe" really means.

More information about the vpnc-devel mailing list