ihashacks

i dunno

NetworkManager / Vpnc + Cisco ASA Firewall

I’m not sure what triggers it, but vpnc negotiates single DES (1DES) or no encryption at all when trying to VPN to some Cisco ASA firewalls (but not others). NetworkManager just reports an instant connection failure.

Fortunately, this is all libre software, so after finding a thread on the Ubuntu Forums a potential fix was not far away. The fix involves modifying vpnc so that it doesn’t even offer the weak encryption types during negotiation. The problem is that the forum suggests building from vpnc SVN. This may work, but it does not include the Ubuntu patches and may break other things. The better resolution is to repackage the version from Ubuntu with the change applied.

Install build dependencies and fetch the Ubuntu source package.

sudo apt-get install build-essential fakeroot dpkg-dev
mkdir ~/vpnc
cd !$
apt-get source vpnc
sudo apt-get build-dep vpnc
# apt-get source normally unpacks the tree already; skip this if vpnc-0.5.3r449/ exists
dpkg-source -x vpnc_0.5.3r449-2.1.dsc

Make your modifications to supp.c

modify the source code
vim vpnc-0.5.3r449/supp.c

existing encryption support:

supp.c - before
/* Every entry here is offered to the gateway; "null" and "des" are the weak ones */
const supported_algo_t supp_crypt[] = {
    {"null", GCRY_CIPHER_NONE, IKE_ENC_NO_CBC, ISAKMP_IPSEC_ESP_NULL, 0},
    {"des", GCRY_CIPHER_DES, IKE_ENC_DES_CBC, ISAKMP_IPSEC_ESP_DES, 0},
    {"3des", GCRY_CIPHER_3DES, IKE_ENC_3DES_CBC, ISAKMP_IPSEC_ESP_3DES, 0},
    {"aes128", GCRY_CIPHER_AES128, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 128},
    {"aes192", GCRY_CIPHER_AES192, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 192},
    {"aes256", GCRY_CIPHER_AES256, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 256},
    {NULL, 0, 0, 0, 0}   /* terminator: must stay last */
};

Remove support you don’t need. In my case I only want 3des and aes256:

supp.c - after
/* Only the ciphers you actually want the gateway to be able to pick */
const supported_algo_t supp_crypt[] = {
    {"3des", GCRY_CIPHER_3DES, IKE_ENC_3DES_CBC, ISAKMP_IPSEC_ESP_3DES, 0},
    {"aes256", GCRY_CIPHER_AES256, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 256},
    {NULL, 0, 0, 0, 0}   /* terminator: must stay last */
};

Rebuild it and install.

build it
cd vpnc-0.5.3r449
# -rfakeroot already supplies a fake root for the build; only the dpkg -i step really needs sudo
sudo dpkg-buildpackage -rfakeroot -b
sudo dpkg -i ../vpnc_0.5.3r449-2.1_amd64.deb
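Because the Ubuntu package will be updated eventually and the hand edit has to be redone each time, here is an added example (not from the post or from the vpnc project) that makes the supp.c change repeatable and checkable from a POSIX shell. It filters the supp_crypt[] table down to an allow-list of cipher names, leaves every other table in the file and the {NULL, ...} terminator alone, and lets you verify what remains before building. The function names keep_ciphers, list_ciphers and write_sample are my own, and the sample table written by write_sample is constructed to match the "before" listing above; point it at vpnc-0.5.3r449/supp.c for the real thing.

```shell
#!/bin/sh
# Added example: prune vpnc's supp_crypt[] table to an allow-list of cipher
# names so the edit can be re-applied mechanically on every repackage.
# Helper names (keep_ciphers, list_ciphers, write_sample) are assumptions.

# keep_ciphers FILE NAME...
# Rewrite FILE in place, dropping rows of supp_crypt[] whose quoted name is
# not one of NAME.... Lines outside that table, its header and the
# {NULL, 0, 0, 0, 0} terminator are copied through unchanged.
keep_ciphers() {
    file=$1; shift
    awk -v allow=" $* " '
        { s = $0; sub(/^[[:space:]]+/, "", s) }          # copy without indentation
        index(s, "const supported_algo_t supp_crypt[] = {") == 1 { t = 1; print; next }
        t && index(s, "};") == 1                          { t = 0; print; next }
        t && substr(s, 1, 2) == "{\"" {
            name = substr(s, 3); sub(/".*/, "", name)     # quoted cipher name
            if (index(allow, " " name " ") == 0) next     # not allowed: drop row
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# list_ciphers FILE
# Print the cipher names currently offered by supp_crypt[], one per line,
# so the result can be eyeballed or asserted on before dpkg-buildpackage.
list_ciphers() {
    awk '
        { s = $0; sub(/^[[:space:]]+/, "", s) }
        index(s, "const supported_algo_t supp_crypt[] = {") == 1 { t = 1; next }
        t && index(s, "};") == 1 { exit }
        t && substr(s, 1, 2) == "{\"" {
            name = substr(s, 3); sub(/".*/, "", name); print name
        }
    ' "$1"
}

# write_sample FILE
# Constructed stand-in for supp.c, mirroring the "before" table in the post.
write_sample() {
    cat > "$1" <<'EOF'
#include "supp.h"

const supported_algo_t supp_crypt[] = {
    {"null", GCRY_CIPHER_NONE, IKE_ENC_NO_CBC, ISAKMP_IPSEC_ESP_NULL, 0},
    {"des", GCRY_CIPHER_DES, IKE_ENC_DES_CBC, ISAKMP_IPSEC_ESP_DES, 0},
    {"3des", GCRY_CIPHER_3DES, IKE_ENC_3DES_CBC, ISAKMP_IPSEC_ESP_3DES, 0},
    {"aes128", GCRY_CIPHER_AES128, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 128},
    {"aes192", GCRY_CIPHER_AES192, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 192},
    {"aes256", GCRY_CIPHER_AES256, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 256},
    {NULL, 0, 0, 0, 0}
};
EOF
}

# Usage: sh prune_supp.sh [path/to/supp.c]
# With no argument it runs against the constructed sample in a temp file.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    write_sample "$target"
fi
echo "before: $(list_ciphers "$target" | tr '\n' ' ')"
keep_ciphers "$target" 3des aes256
echo "after:  $(list_ciphers "$target" | tr '\n' ' ')"
```

Running it with the real path before dpkg-buildpackage gives a one-line record of exactly which ciphers the rebuilt vpnc will still propose, which is the thing you actually care about when the gateway picked 1DES in the first place.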

Final note:

If you use NetworkManager to start the problematic connection, you will need to change the “Encryption method” to “Weak” (this sounds wrong, but it is the only way to get it to work, even though it is no longer using 1DES). You only need to change this for connections that weren’t working before the modification; VPN connections that already worked don’t need to be changed.

[Screenshot: NetworkManager encryption method]
