Bug 444420 - net-misc/cisco-vpnclient-3des with kernel >3.3.8 - Sev=Warning/3 IKE/0xC300002C ISAKMP header invalid: Invalid version 2.12 found
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal major
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard: Pending Removal: 2013-01-25
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2012-11-23 10:36 UTC by Aleksei
Modified: 2013-02-10 08:17 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
lspci -k (lspci,2.63 KB, text/plain)
2012-11-23 10:36 UTC, Aleksei

Description Aleksei 2012-11-23 10:36:05 UTC
Created attachment 330314 [details]
lspci -k

I can't get cisco-vpnclient-3des to work with kernels later than 3.3.8 using an Intel wifi card.
Tried 3.5.7 and 3.6.6, no luck.

The latest working kernel I tried to use Cisco VPN Client over an Intel WiFi connection with is 3.3.8. It connects and I can ping or nslookup work hosts.

With newer kernels I can connect, but can't ping or nslookup work hosts. With Cisco IpSec debugging I get messages like "Invalid Packet Recieved", "Malformed IKE header" and so on; I attached the logs.

VPN connection works with kernel 3.6.6 and Trendnet USB WiFi adapter.

emerge --info

Portage 2.1.11.9 (default/linux/amd64/10.0/desktop/kde, gcc-4.5.4, glibc-2.15-r2, 3.3.8-gentoo x86_64)
=================================================================
System uname: Linux-3.3.8-gentoo-x86_64-Intel-R-_Core-TM-_i5-2520M_CPU_@_2.50GHz-with-gentoo-2.1
Timestamp of tree: Thu, 22 Nov 2012 09:30:01 +0000
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.12
dev-lang/python:          2.7.3-r2, 3.2.3-r1
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.2
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo kde esteid my_local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA google-chrome eula AdobeFlash-10.3 POSTGRESQL Oracle-BCLA-JavaSE skype-4.0.0.7-copyright"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="${EPREFIX}/etc/gconf /etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-march=core2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfet$
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/kde /var/lib/layman/esteid /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus declarative dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif gpm gtk iconv ipv6 jpeg kde $
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

FAILED VPN CONNECTION LOG

aleksei@ask300 ~ $ tail -f /var/log/vpn.log 

195    20:24:20.530  11/11/2012  Sev=Warning/3  IKE/0xC300002C 
ISAKMP header invalid: Invalid version 2.12 found 

196    20:24:20.530  11/11/2012  Sev=Warning/3  IKE/0xC3000039 
Received an invalid or malformed IKE packet: message id = 0x614138BD 

197    20:24:20.531  11/11/2012  Sev=Info/5     IKE/0x4300002F 
Received ISAKMP packet: peer = 195.20.151.193 

198    20:24:20.531  11/11/2012  Sev=Warning/3  IKE/0xC300002C 
ISAKMP header invalid: Invalid version 0.2 found 

199    20:24:20.531  11/11/2012  Sev=Warning/3  IKE/0xC3000039 
Received an invalid or malformed IKE packet: message id = 0x62F1B450 

200    20:24:20.538  11/11/2012  Sev=Info/5     IKE/0x4300002F 
Received ISAKMP packet: peer = 195.20.151.193 

201    20:24:20.538  11/11/2012  Sev=Warning/3  IKE/0xC300002C 
ISAKMP header invalid: Invalid version 1.9 found 

202    20:24:20.538  11/11/2012  Sev=Warning/3  IKE/0xC3000039 
Received an invalid or malformed IKE packet: message id = 0x06C5A2D7
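To make sense of the "Invalid version 2.12 / 0.2 / 1.9" lines above, here is a small ISAKMP (IKEv1) header parser added as an illustration; it is not the Cisco client's code, and the cookies and sample datagrams are constructed. The version octet of an ISAKMP header packs the major version in the high nibble and the minor version in the low nibble, so a client that sees 0x2C in that position prints "2.12"; any value other than 1.0 means the bytes at that offset are not an ISAKMP header at all (corrupted or misaligned data), which is the kind of check that produced the log entries in this report.

```python
import struct

# Fixed ISAKMP header, RFC 2408 section 3.1: 28 bytes, network byte order.
# initiator cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message id (4), total length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def decode_version(octet: int) -> str:
    """Render the version octet the way the Cisco client logs it: major.minor."""
    return f"{octet >> 4}.{octet & 0x0F}"


def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the fixed ISAKMP header at the start of a UDP/500 payload."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("payload shorter than a 28-byte ISAKMP header")
    icky, rcky, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {
        "initiator_cookie": icky.hex(),
        "responder_cookie": rcky.hex(),
        "next_payload": nxt,
        "version": decode_version(ver),
        "exchange_type": exch,
        "flags": flags,
        "message_id": f"0x{msg_id:08X}",
        "length": length,
    }


def check_isakmp_header(payload: bytes):
    """Return the sanity-check failures an IKEv1 peer would log for this datagram."""
    hdr = parse_isakmp_header(payload)
    problems = []
    if hdr["version"] != "1.0":  # ISAKMP/IKEv1 is always major 1, minor 0
        problems.append(f"ISAKMP header invalid: Invalid version {hdr['version']} found")
    if hdr["length"] != len(payload):  # length field must cover the whole datagram
        problems.append(f"ISAKMP length {hdr['length']} does not match datagram {len(payload)}")
    return problems


# Constructed samples: a well-formed informational exchange header (version 0x10)
# and the same header with the version octet corrupted to 0x2C, using the
# message id from entry 196 of the bug's log.
_COOKIES = bytes.fromhex("0011223344556677") + bytes.fromhex("8899aabbccddeeff")
GOOD_PKT = _COOKIES + bytes([0x08, 0x10, 0x05, 0x01]) + struct.pack("!II", 0x614138BD, 28)
BAD_PKT = _COOKIES + bytes([0x08, 0x2C, 0x05, 0x01]) + struct.pack("!II", 0x614138BD, 28)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PKT), ("bad", BAD_PKT)):
        print(name, parse_isakmp_header(pkt)["version"], check_isakmp_header(pkt))
```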
Comment 1 Aleksei 2012-11-23 10:38:56 UTC
Comment 2 jannis 2012-11-23 16:06:04 UTC
Is that the binary one? Have you tried vpnc?
I'm using vpnc to connect to the VPN of my university and it works using 3.6.6-gentoo.
Comment 3 Aleksei 2012-11-24 11:54:07 UTC
Does vpnc support authenticating with certificates + xauth and proprietary Cisco IPsec?

I think it is better to get cisco-vpnclient-3des to work with kernels newer than 3.3.8. Something changed in the kernel's net/mac80211/ and the client is now not working.
Comment 4 Aleksei 2012-11-28 12:21:05 UTC
Someone?
Comment 5 Pacho Ramos gentoo-dev 2012-11-28 19:26:15 UTC
This package is orphaned:
http://my.opera.com/pacho/blog/2012/11/27/about-maintainer-needed
Comment 6 Aleksei 2012-11-29 13:17:00 UTC
Thanks for your reply, will try it in a few days
Comment 7 Aleksei 2012-11-30 09:01:00 UTC
So, waiting for some patch...
Comment 8 Pacho Ramos gentoo-dev 2012-11-30 19:23:43 UTC
I see Cisco dropped support for this in favor of Anyconnect:
http://cco.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps2308/end_of_life_c51-680819.html

Then you will need to install it manually (as it looks like it has no ebuilds in the tree) or move to free alternatives (personally I use networkmanager-openconnect for my VPN connections).

And this package should be treecleaned, as upstream won't even fix it anymore.
Comment 9 Aleksei 2012-12-03 12:22:24 UTC
OpenConnect is used for SSL connections, but we use IpSec.

It seems that only cisco-vpnclient can do this type of connection.
Comment 10 Pacho Ramos gentoo-dev 2012-12-03 21:25:06 UTC
Looks like vpnc should also work:
http://blog.miketoscano.com/?p=12
Comment 11 Aleksei 2012-12-11 10:23:09 UTC
Cert authentication is not yet implemented in vpnc, but we use certs + xAuth.
And we use Cisco ASA firewalls for creating VPN connections, not IOS/PIX.
So, I need to get cisco-vpnclient-3des to work with newer kernels.
Comment 12 jannis 2012-12-11 11:24:06 UTC
Sorry if this goes a little off-topic, but here's my 2 cents:
- cisco-vpnclient-3des is binary-only. Cisco EOL'd it and there will be no further updates. Nothing you can do about that proprietary crap.
- vpnc currently does not support authentication via certs (according to the page, I won't verify that).

Here's what you can do IMO:
- update your Cisco equipment (the "firewalls") to newer ones that are supported via "Anyconnect" and use the newer proprietary Cisco client or net-misc/openconnect
- change the VPN rules on the existing firewalls so that vpnc can connect to them
- find or pay someone to add certificate support to vpnc
- install a new VPN server using OpenVPN/OpenSWAN/Open whatever
Comment 13 Aleksei 2012-12-12 07:32:38 UTC
Yes, cisco-vpnclient-3des is EOL, but it works when I'm using a 3G connection, an Ethernet connection, or a WiFi connection with a Realtek card.

It simply does not work when I'm using an Intel WiFi card and a kernel newer than 3.3.8.

1) About AnyConnect: it must be licensed per connection, so it's not a good idea.
2) It's not a good idea to change authentication methods.
3) We'll think about it.
4) It's not a good idea either.
Comment 14 Pacho Ramos gentoo-dev 2012-12-12 18:04:31 UTC
You should try to migrate to another server or authentication method if possible. For now it's "only" a bug related to it no longer working with kernels newer than 3.3.8, but later bugs will appear (probably even security ones) that won't ever be fixed :/
Comment 15 Pacho Ramos gentoo-dev 2012-12-12 18:07:26 UTC
Doesn't pptp work? (net-misc/networkmanager-pptp)
Comment 16 Aleksei 2012-12-13 06:32:49 UTC
It doesn't work only with Intel WiFi cards.

And pptp will not work because it's Cisco IpSec.
Comment 17 Pacho Ramos gentoo-dev 2012-12-13 18:36:13 UTC
I found this related to working with Cisco ipsec, maybe it helps you:
http://outhereinthefield.wordpress.com/2010/06/06/cisco-ipsec-vpn-support-on-ubuntu/
Comment 18 Martin Mokrejš 2013-02-07 15:13:17 UTC
Hi Aleksey, did you ask at vpnc-devel {{}} unix-ag.uni-kl.de? Do so. There are multiple branches, so maybe certificates are supported in some branch? Here I am pasting some bits from our previous discussion about the Gentoo vpnc package:

<quote>
BTW, I am puzzled whether we should also provide packages for the branched versions of vpnc. It looks like I could live better with the vpnc-nortel binary because it uses UDP instead of ESP/AH packets and is said to be faster, and if I got it right it should still work against the Cisco concentrator I do connect to.

http://svn.unix-ag.uni-kl.de/vpnc/branches/
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-October/003293.html
http://comments.gmane.org/gmane.network.vpnc.devel/3426
</quote>

Maybe try to inspect those and report back? At the moment I have no Cisco access anymore, so I can't even test.
Comment 19 Pacho Ramos gentoo-dev 2013-02-10 08:17:15 UTC
dropped