Summary: | net-misc/cisco-vpnclient-3des with kernel >3.3.8 - Sev=Warning/3 IKE/0xC300002C ISAKMP header invalid: Invalid version 2.12 found | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Aleksei <oizzzo> |
Component: | Current packages | Assignee: | No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed> |
Status: | RESOLVED WONTFIX | ||
Severity: | major | CC: | kripton, mmokrejs, oizzzo, treecleaner |
Priority: | Normal | Keywords: | PMASKED |
Version: | unspecified | ||
Hardware: | AMD64 | ||
OS: | Linux | ||
Whiteboard: | Pending Removal: 2013-01-25 | ||
Package list: | Runtime testing required: | --- | |
Attachments: | lspci -k |
Description
Aleksei
2012-11-23 10:36:05 UTC
Portage 2.1.11.9 (default/linux/amd64/10.0/desktop/kde, gcc-4.5.4, glibc-2.15-r2, 3.3.8-gentoo x86_64)
=================================================================
System uname: Linux-3.3.8-gentoo-x86_64-Intel-R-_Core-TM-_i5-2520M_CPU_@_2.50GHz-with-gentoo-2.1
Timestamp of tree: Thu, 22 Nov 2012 09:30:01 +0000
app-shells/bash: 4.2_p37
dev-java/java-config: 2.1.12
dev-lang/python: 2.7.3-r2, 3.2.3-r1
dev-util/cmake: 2.8.9
dev-util/pkgconfig: 0.27.1
sys-apps/baselayout: 2.1-r1
sys-apps/openrc: 0.11.2
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.68
sys-devel/automake: 1.11.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.5.4
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc: 2.15-r2
Repositories: gentoo kde esteid my_local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA google-chrome eula AdobeFlash-10.3 POSTGRESQL Oracle-BCLA-JavaSE skype-4.0.0.7-copyright"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="${EPREFIX}/etc/gconf /etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-march=core2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfet$
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/kde /var/lib/layman/esteid /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus declarative dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif gpm gtk iconv ipv6 jpeg kde $
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Is that the binary one? Have you tried vpnc? I'm using vpnc to connect to the VPN of my university and it works using 3.6.6-gentoo

Does vpnc support authenticating with certificates + xauth and proprietary Cisco IPsec? I think it is better to get cisco-vpnclient-3des to work with newer kernels than 3.3.8. There was something changed in kernel net/mac80211/ and the client now is not working.

Someone?

This package is orphan: http://my.opera.com/pacho/blog/2012/11/27/about-maintainer-needed

Thanks for your reply, will try it in a few days

So, waiting for some patch...

I see Cisco dropped support for this in favor of Anyconnect: http://cco.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps2308/end_of_life_c51-680819.html Then, you will need to install it manually (as it looks like it has no ebuilds in the tree) or move to free alternatives (personally I use networkmanager-openconnect for my VPN connections)

And this package should be treecleaned as upstream won't even fix it anymore

OpenConnect is used for SSL connections, but we use IPsec. Seems that only cisco-vpnclient can do this type of connection.

Looks like vpnc should also work: http://blog.miketoscano.com/?p=12

Cert authentication is not yet implemented in vpnc, but we use certs + xAuth.
And we use Cisco ASA firewalls for creating VPN connections, not IOS/PIX. So, I need to get cisco-vpnclient-3des to work with newer kernels.

Sorry if this goes a little off-topic but here's my 2 cents:
- cisco-vpnclient-3des is binary-only. Cisco EOL'd it and there will be no further updates. Nothing you can do about that proprietary crap
- vpnc does currently not support authentication via certs (according to the page, I won't verify that)

Here's what you can do IMO:
- update your Cisco equipment (the "firewalls") to newer ones that are supported via "Anyconnect" and use the newer proprietary Cisco client or net-misc/openconnect
- change the VPN rules on the existing firewalls so that vpnc can connect to it
- find or pay s.o. to add certificate support to vpnc
- install a new VPN server using OpenVPN/OpenSWAN/Open whatever

Yes, cisco-vpnclient-3des is EOL, but it works when I'm using a 3G connection, Ethernet connection, WiFi connection with a Realtek card. It simply does not work when I'm using an Intel WiFi card and a kernel newer than 3.3.8
1) About AnyConnect - it must be licensed per connection, it's not a good idea.
2) It's not a good idea to change authentication methods
3) We'll think about it
4) It's not a good idea too.

You should try to migrate to another server or authentication method if possible. For now, it's "only" a bug related to it no longer working with kernels newer than 3.3.8; later there will appear bugs (probably even security ones) that won't ever be fixed :/

Doesn't pptp work? (net-misc/networkmanager-pptp)

It doesn't work only with Intel WiFi cards. And pptp will not work because it's Cisco IPsec.

I found this related to working with Cisco IPsec, maybe it helps you: http://outhereinthefield.wordpress.com/2010/06/06/cisco-ipsec-vpn-support-on-ubuntu/

Hi Aleksey, did you ask at vpnc-devel {{}} unix-ag.uni-kl.de? Do so. There are multiple branches so maybe the certificates are supported in some branch?
Here I am pasting some bits from our previous discussion about the Gentoo vpnc package:

<quote>
BTW, I am puzzled whether we should also provide packages for the branched versions of vpnc. It looks I could live better with vpnc-nortel binary because it uses UDP instead of ESP/AH packet and is said to be faster and if I got it right should still work against the Cisco concentrator I do connect to.
http://svn.unix-ag.uni-kl.de/vpnc/branches/
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-October/003293.html
http://comments.gmane.org/gmane.network.vpnc.devel/3426
</quote>

Maybe try to inspect those and report back? At the very moment I have no cisco access anymore so can't even test.

dropped