Ubuntu VPNC – Cannot Connect to Cisco ASA
I’m running Ubuntu 10.04 on my laptop, and use Ubuntu’s VPN client frequently. I usually have no problems importing PCF files and connecting successfully, with the exception of having to change the NAT Traversal parameter from Cisco UDP to NAT-T. It seems that for some reason, it defaults to UDP, even though it shows NAT-T as being default. Eh…if that’s the only thing I have to change, I can live with that. I’ve been using Ubuntu and vpnc for about 6 months now, and have been really happy with it.
So when I was given a PCF file yesterday, I imported it like I normally do, changed the NAT traversal setting, and I was ready to go. Much to my surprise, I kept getting a “Connection to XXXX vpn failed” message. Weird. I rechecked the VPN settings on the ASA (one that someone else had configured): tunnel group name and password matched, IP address was fine, username and password were correct. Hmph. I tried the connection on an XP laptop, and it connected fine. Double hmph.
While perhaps there may be easier ways to do this, here’s what I did to troubleshoot. If you open a terminal and run sudo vpnc, Ubuntu prompts you for all of the endpoint information, just as if you created it via the GUI.
Enter IPSec gateway address: x.x.x.x
Enter IPSec ID for x.x.x.x:
Enter IPSec secret for @x.x.x.x:
Enter username for x.x.x.x:
Enter password for username@x.x.x.x:
IPSec ID in this case is looking for the tunnel group password. So after entering all of the required info, I see this:
vpnc: peer selected (single) DES as "encryption" method.
This algorithm is considered too weak today
If your vpn concentrator admin still insists on using DES
use the "--enable-1des" option.
Strange, but ok. Apparently the connection was set to use DES instead of AES (which is what vpnc defaults to). To remedy this, I had to modify the encryption method parameter in the vpnc GUI from secure to weak (I’ll spare you the discussion on DES vs. AES). Once I did that, I connected without a problem.
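Switching a profile to weak encryption is easy to forget once the connection works, so it helps to be able to find such profiles later. The following is an added example, not part of the original post: it scans vpnc-style configuration text for the config-file form of the --enable-1des option from the warning above, and goes one step further by also flagging vpnc's no-encryption flag. The sample profiles are constructed, and the "key=yes" form for NetworkManager keyfiles is an assumption.

```python
# Config keywords that downgrade vpnc's cipher negotiation. "Enable Single DES"
# is the config-file form of the --enable-1des option named in the warning.
WEAK_FLAGS = {
    "enable single des": "single DES accepted (--enable-1des)",
    "enable no encryption": "null encryption accepted (--enable-no-encryption)",
}
OFF_VALUES = {"no", "false", "0"}


def audit_vpnc_config(text):
    """Return (line_number, finding) for every enabled weak-crypto flag."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out option
        lowered = line.lower()
        for key, finding in WEAK_FLAGS.items():
            if not lowered.startswith(key):
                continue
            # vpnc.conf uses the bare keyword; the NetworkManager keyfile
            # form is assumed to be "key=yes" / "key=no".
            value = lowered[len(key):].lstrip(" =\t")
            if value not in OFF_VALUES:
                findings.append((lineno, finding))
    return findings


# Constructed sample profiles (documentation addresses, hypothetical group name).
SAMPLE_VPNC_CONF = """\
IPSec gateway 192.0.2.10
IPSec ID examplegroup
# Enable Single DES
NAT Traversal Mode natt
Enable Single DES
"""

SAMPLE_NM_KEYFILE = """\
[vpn]
IPSec gateway=192.0.2.10
NAT Traversal Mode=natt
Enable Single DES=yes
"""

SAMPLE_CLEAN = "IPSec gateway 192.0.2.10\nEnable Single DES=no\n"

if __name__ == "__main__":
    for name, sample in [("vpnc.conf", SAMPLE_VPNC_CONF),
                         ("nm keyfile", SAMPLE_NM_KEYFILE),
                         ("clean", SAMPLE_CLEAN)]:
        print(name, audit_vpnc_config(sample))
```

A profile that shows up in this audit is a reminder that the lasting fix belongs on the concentrator, where the proposal can be moved off DES so the client no longer needs the weak setting.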