On Tuesday 03 Mar 2015 19:52:14 Petric Frank wrote:
> Hello Mick,
>
> On Tuesday, 3 March 2015, 00:00:17, Mick wrote:
> > > The homepage on vpnc in chapter TODO tells:
> > > "phase2-rekeying is now supported as of svn revision 126!"
> > >
> > > Changelog states for 0.5.2:
> > > "Fix Phase 2 rekeying, by various authors"
> > >
> > > I don't know whether this is along your statement above.
> > >
> > > So it seems not to be completely fixed. The homepage is not updated the
> > > last 7 years.
> >
> > OK, then yes, it has been fixed and your problem is not related to that
> > old bug, but could it be a more recent regression?
>
> maybe.
>
> > > > BTW, have you tried more actively developed VPN software like
> > > > strongswan (it has a networkmanager plugin) or even ipsec-tools
> > > > instead of vpnc, to see if you're getting the same problem? I think
> > > > that they should work with Cisco VPN gateways, although it may be
> > > > fiddly to set them up.
> > >
> > > I can find only ebuilds of (networkmanager-)openswan in the official
> > > tree.
> >
> > No, this is only good for the SSL VPN solution of Cisco.
>
> good to know.

I beg your pardon, I typed too fast. I was referring to net-misc/openconnect,
which is an alternative client for Cisco AnyConnect SSL VPN. The
net-misc/openswan package is hard masked because of the security bug #499870.
You could try net-misc/libreswan instead, a fork of openswan. It may just work
with the net-misc/networkmanager-openswan plugin.

> > > strongswan is in the stable tree but not the networkmanager plugin.
> >
> > Are you sure? This is what I see here for strongswan-5.2.2
> >
> > [+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql
> > networkmanager
> > ^^^^^^^^^^^^^^
> > +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
> > strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm
> > strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led
> > +strongswan_plugins_lookip strongswan_plugins_ntru
> > strongswan_plugins_padlock strongswan_plugins_rdrand
> > +strongswan_plugins_systime-fix
> > strongswan_plugins_unbound +strongswan_plugins_unity
> > +strongswan_plugins_vici strongswan_plugins_whitelist]
>
> True, strongswan is in tree, but not networkmanager-strongswan
> (NetworkManager plugin).

My understanding is that as long as you enable the networkmanager plugin in
the strongswan package, it will interoperate with the networkmanager front
end - but I have not tried it. Reading now the relevant webpage it says that
it is *only* available for IKEv2 - so probably not good for your use case.

https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager

> > The latest version 5.2.2 has a bug with some IKEv1 implementations.
> > There is a patch proposed which works and will be included in the next
> > version 5.2.3 when released. If your VPN server is affected then you'll
> > have to apply the patch yourself in a local overlay:
> >
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
>
> Stable strongswan is already compiled and installed on my system. Any of
> the "strongswan_plugins_*" use flags I have to enable here?

Since its networkmanager plugin is only useful for IKEv2 I don't think it
would make any odds. You can enable it anyway and initially try it from the
command line (/etc/init.d/ipsec start) to see if it works with the Cisco VPN
gateway. If it does, then try it with the networkmanager front end, but I
don't expect this to work.

If a GUI is a must for you, libreswan with the
net-misc/networkmanager-openswan plugin may be a better bet.

--
Regards,
Mick