
Issue with connecting using vpnc client #366

Closed
shooter0106 opened this issue Apr 22, 2018 · 6 comments

Comments

@shooter0106

Hello!

I have a problem with connecting using vpnc. After the connection attempt it's instantly refused.

```
sudo vpnc --gateway xxx.xxx.xxx.xxx --id users --username vpnuser
Enter IPSec secret for users@xxx.xxx.xxx.xxx:
Enter password for vpnuser@xxx.xxx.xxx.xxx:
vpnc: response was invalid [1]:  (ISAKMP_N_INVALID_EXCHANGE_TYPE)(7)
```

On the server side I see this:

```
packet from xxx.xxx.xxx.xxx:36790: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: Peer ID is ID_KEY_ID: '@#0x7573657273'
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: responding to Aggressive Mode, state #2, connection "xauth-psk"[1] xxx.xxx.xxx.xxx from xxx.xxx.xxx.xxx
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: warning: peer requested IKE lifetime of 2147483 seconds which we capped at our limit of 86400 seconds
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: warning: peer requested IKE lifetime of 2147483 seconds which we capped at our limit of 86400 seconds
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_DES_CBC(UNUSED) is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_DES_CBC(UNUSED) is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: 0?? is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: 0?? is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_MET
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_MET
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_DES_CBC(UNUSED) is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: OAKLEY_DES_CBC(UNUSED) is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: 0?? is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: 0?? is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: no acceptable Oakley Transform
"xauth-psk"[1] xxx.xxx.xxx.xxx #2: sending notification NO_PROPOSAL_CHOSEN to xxx.xxx.xxx.xxx:36790
```

I tried using the vpnc CLI and the Network Manager GUI, without any result.

@kshcherban

kshcherban commented May 10, 2018

I fixed that by changing the ike option in /etc/ipsec.conf. Added modp1024 to it.

My ike line looks like the following:

```
ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
```

Now I receive `vpnc: authentication unsuccessful`.

@kshcherban

Fixed the `authentication unsuccessful` issue by setting `xauthby=pam` in /etc/ipsec.conf.

@hwdsl2
Owner

hwdsl2 commented May 25, 2018

@shooter0106 Hello! Because vpnc uses the "aggressive mode" of IPsec/XAuth, it is not supported by the VPN setup scripts in the default configuration. See [1].

[1] #304

@hwdsl2 hwdsl2 closed this as completed May 25, 2018
@kshcherban

This pull request #386 makes both the default (aka mobile) and the Linux setup work. Please clarify why it is not possible to have the 2 modes at the same time.

@hwdsl2
Owner

hwdsl2 commented May 25, 2018

@kshcherban Thank you for contributing. I have not yet got a chance to look at (and test) your pull request.

@pauloesteban

> I fixed that by changing the ike option in /etc/ipsec.conf. Added modp1024 to it.
>
> My ike line looks like the following:
>
> ```
> ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
> ```
>
> Now I receive `vpnc: authentication unsuccessful`.

This worked for the connection, but the devices (an RPi 3 and a Mac) cannot navigate.

Are there any other options apart from vpnc to connect several devices (including an RPi with Raspbian[1]) simultaneously in the same network (behind the same NAT, same router) using the same credentials (PSK, user, password)? Or can I create another user in L2TP to mitigate the simultaneous connections behind the same router?

Thanks in advance for any response.

[1] Classified as Other Linux (Debian-based); network manager not available in LXDE.
