Cisco 3000 VPN Concentrator needs three times the same RSA secret to connect successfully
I'm using a C-written vpn client on UNIX to connect to our company LAN. This worked fine for
years, but for some days I have encountered the following problem.
To generate the 8-digit secret, I'm using an RSA app on my iPhone.
I can reproduce the following from my home office and as well when connected over mobile data using my smartphone as an Access Point:
1. I use the app to generate the 8 digits and wait until a fresh one shows up (to have 60 seconds for the rest of the following procedure)
2. I start the vpn client and enter the 8 digits carefully
3. VPN asks me to re-enter a secret, I do so using the same 8 digits for a 2nd time
4. VPN asks me to re-enter a secret, I do so and enter the same 8 digits for the 3rd time
5. VPN comes up fine after this
This is fully reproducible if someone needs more information.
I used the --debug 3 mode of the vpnc client and this shows an interesting dialog in the tons of debug lines:
... DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)Connect Banner: | ==== XXXXXXXXXXXX Germany VPN ====^M | ^M | Use is restricted to XXXXXXXXXXXX authorized users.^M | Usage and activity may be monitored or recorded and may be subject to auditing.^M | Unauthorized access is strictly prohibited!
add host 184.108.40.206: gateway 10.42.0.1 delete net 10.49.94.0: gateway 10.49.94.100 fib 0: not in table
S5.4 xauth type check [2017-07-28 07:37:04] ^M Enter your new PIN, containing 5 chars,^M or^M <Ctrl-D> to cancel the New PIN procedure: <*************************************
Banner: ==== XXXXXXXXXXXX Germany VPN ====^M ^M Use is restricted to XXXXXXXXXXXX authorized users.^M Usage and activity may be monitored or recorded and may be subject to auditing.^M Unauthorized access is strictly prohibited! got save password setting: 0 got 42 acls for split include acl 0: addr: 192.168.0.0/ 255.255.0.0 (16), protocol: 0, sport: 0, dport: 0 ...
From here on all is fine, connected.
There seems to be some dialog in the authentication procedure which wants me to change the PIN, asks for a confirmation of the new PIN and then fails to accept this new PIN.
This would explain why I'm asked three times for some secret: two times for some PIN and at the end for the 8 RSA digits.
Does this ring someone's bell? Any ideas?
I tested the same with a Windows VPN client. This connects fine after entering the 8 digits the first time.
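An added example, not from the poster: a small Python helper that pulls the gateway's XAUTH prompt text out of vpnc --debug 3 output, so the New PIN dialog the concentrator is driving becomes visible instead of vpnc's generic "enter secret" prompt. The sample lines are constructed after the one quoted above; the re-enter and PASSCODE prompts are assumed follow-ups of the same dialog, and the "S5.4 xauth type check [...] <***" line shape is taken from the post.

```python
import re

# Constructed sample modelled on the vpnc --debug 3 lines quoted in the post. Only the first
# XAUTH prompt appears in the post; the other two are hypothetical follow-ups of a New PIN dialog.
SAMPLE_DEBUG = """\
... DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
S5.4 xauth type check [2017-07-28 07:37:04] ^M Enter your new PIN, containing 5 chars,^M or^M <Ctrl-D> to cancel the New PIN procedure: <*************
S5.4 xauth type check [2017-07-28 07:37:12] ^M Re-enter your new PIN: <*****
S5.4 xauth type check [2017-07-28 07:37:25] ^M Enter PASSCODE: <********
Banner: ==== EXAMPLE Germany VPN ====^M
"""

# One XAUTH prompt per "xauth type check" line: timestamp, the text the gateway sent,
# then "<" followed by the masked characters the user typed.
XAUTH_LINE = re.compile(r"xauth type check \[(?P<ts>[^\]]+)\]\s*(?P<prompt>.*?)\s*<\*+\s*$")


def classify_prompt(prompt: str) -> str:
    """Map the gateway's XAUTH prompt text to a stage of a SecurID New PIN dialog."""
    p = prompt.lower()
    if "new pin" in p:
        return "new-pin-confirm" if ("re-enter" in p or "reenter" in p) else "new-pin"
    if "passcode" in p:
        return "passcode"
    return "other"


def xauth_prompts(debug_output: str):
    """Return [(timestamp, stage, cleaned prompt)] for every XAUTH prompt in vpnc debug output."""
    found = []
    for line in debug_output.splitlines():
        m = XAUTH_LINE.search(line)
        if not m:
            continue
        # "^M" is how vpnc prints the carriage returns inside the gateway's prompt text
        prompt = " ".join(m.group("prompt").replace("^M", " ").split())
        found.append((m.group("ts"), classify_prompt(prompt), prompt))
    return found


def diagnose(debug_output: str) -> str:
    """Explain why the client asked for a secret more than once."""
    stages = [stage for _, stage, _ in xauth_prompts(debug_output)]
    if "new-pin" in stages:
        return ("gateway started a New PIN procedure: %d prompts, the client shows a generic "
                "'enter secret' prompt for each" % len(stages))
    return "no New PIN procedure seen (%d XAUTH prompt(s))" % len(stages)


if __name__ == "__main__":
    for ts, stage, prompt in xauth_prompts(SAMPLE_DEBUG):
        print(ts, stage, "->", prompt)
    print(diagnose(SAMPLE_DEBUG))
```

Running it over a saved `vpnc --debug 3` log shows which of the three prompts is the gateway's New PIN request, its confirmation, and the actual token passcode prompt.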