Much ado about scripting, Linux & Eclipse: card subject to change

2008-07-24

/usr/sbin/vpnc-connect: quick mode response rejected: (ISAKMP_N_INVALID_MESSAGE_ID)(9)

I've been using vpnc 0.3.3 and then 0.5.1 for about the last 3 years to connect to my VPN at work. This week, it stopped working.

/usr/sbin/vpnc-connect: quick mode response rejected:  (ISAKMP_N_INVALID_MESSAGE_ID)(9)
this means the concentrator did not like what we had to offer.
Possible reasons are:
 * concentrator configured to require a firewall
    this locks out even Cisco clients on any platform expect windows
    which is an obvious security improvment. There is no workaround (yet).
 * concentrator configured to require IP compression
    this is not yet supported by vpnc.
    Note: the Cisco Concentrator Documentation recommends against using
    compression, expect on low-bandwith (read: ISDN) links, because it
    uses much CPU-resources on the concentrator 

Did I call the help desk? No: Google to the rescue.

The fix? Well, this post got me in the right direction, and I updated my version of vpnc from 0.5.1r275-1 to 0.5.1r334-1 (apt-get update; apt-get install vpnc) using these repos... which didn't seem to help.

# Unstable Sid
deb http://http.us.debian.org/debian/ unstable main contrib non-free
# Unstable Sources
deb-src http://http.us.debian.org/debian/ unstable main contrib non-free

# sidux http://sidux.com/files/misc/sources.list
deb http://sidux.com/debian/ sid main contrib non-free firmware fix.main fix.contrib fix.non-free
deb-src http://sidux.com/debian/ sid main contrib non-free firmware fix.main fix.contrib fix.non-free

But the actual solution was to add this line to my .conf file:

Enable Single DES

And remove this:

Perfect Forward Secrecy nopfs
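
A check for the two settings this fix touches, as an added example that is not part of the original post: Single DES is a 56-bit cipher and `nopfs` turns off the extra Diffie-Hellman exchange in quick mode, so the script reports either line when it appears in a vpnc config. The `Enable no encryption` and `dh1` checks go beyond the post (they are other vpnc config keywords), and the sample config, with its gateway name and group ID, is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): flag vpnc config lines that
# weaken the IPsec proposal. Exit status: 0 clean, 1 findings, 2 unreadable.
audit_vpnc_conf() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    awk '
        function report(id, msg) {
            printf "%s:%d: %s: %s\n", FILENAME, NR, id, msg
            n++
        }
        {
            # Keywords are matched without regard to case in this script.
            line = tolower($0)
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        }
        line == "" || line ~ /^#/ { next }   # skip blanks and comments
        line ~ /^enable single des/ {
            report("single-des", "56-bit DES is offered to the concentrator")
        }
        line ~ /^enable no encryption/ {
            report("no-encryption", "NULL cipher is offered for data traffic")
        }
        line ~ /^perfect forward secrecy[ \t]+nopfs$/ {
            report("pfs-disabled", "quick mode runs without a fresh DH exchange")
        }
        line ~ /^(ike dh group|perfect forward secrecy)[ \t]+dh1$/ {
            report("dh1", "768-bit DH group")
        }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample config; gateway and group ID are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
IPSec gateway vpn.example.invalid
IPSec ID examplegroup
Enable Single DES
# Perfect Forward Secrecy nopfs
EOF
audit_vpnc_conf "$sample" || true
rm -f "$sample"
```
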
