Conceal

There are two phases in this protocol…

@jkr said:
There are two phases in this protocol…

Yes. I’m sure that we have to deal correctly with subnets on phase-2. I’m afraid it might require more specific variables.

@jkr - my error suggests my interesting traffic doesn’t match. Any tips on finding the right info for this?

@jkr said:
NO-PROPOSAL-CHOSEN you can just use a scanner for the protocol you need.

but the information from the scanner didn’t seem to work, or maybe there’s a syntax issue with constructing the proposal. I can’t seem to find documentation that helps for my particular client.

Edit: using the wrong client, or using it with an incomplete package.

@LegendarySpork the info from the scanner will get you phase 1. I still can’t get phase 2 going.

If it is a matter of subnet maybe the scan also could lead to phase2, not sure how honestly ._.

@chppppp so that should get me past the proposal? I think that’s phase 1.

@Warlord711 said:
What client do you guys use to connect? I tried vpnc but it seems not to connect at all

Edited: strongswan

@LegendarySpork said:
@chppppp so that should get me past the proposal? I think that’s phase 1.

yes!

Just to confirm:

yes, you can connect directly from your kali box! :lol:

@0xEA31 said:
Just to confirm:

yes, you can connect directly from your kali box! :lol:

yeah! it works!!

a little suggestion: try to filter the traffic you are interested in…

Here’s the ONLY reference with a sample I have found: https://help.datica.com/hc/en-us/articles/115005906626--Legacy-VPN-Client-Setup (scroll down to the Ubuntu section where it gives an example of charon-cmd syntax)

I still haven’t successfully gotten past the phase1 proposal even using the syntax noted there with the crypto parameters I got from ike-scan.

Edit: apparently charon-cmd (CLI tool associated with, but not identical to, the mighty waterfowl) is not sufficient. It supports m*** m*** so it gets slightly further than vpnc, but doesn’t support the right profiles.

@CiccioPas said:
a little suggestion: try to filter the traffic you are interested in…

I have experimented with left/rights****t a million diff ways but it never completes phase 2. What am I missing here?

@0xEA31, do we need to brute force to get the right configs? I mean specifically the s****t, in order to get the params the server is expecting. I ask because I tried all the obvious ones and I keep getting the same response.

Can someone PM me the final selector changes required? This one has been killing me for a long time.

Edit: Got the tunnel up. Now working on next step
Edit: After getting ports feeling like lol. amazing box

Edit: rooted :slight_smile:

Learning IP***, the hard way… :smiley:

@fjv said:
Learning IP***, the hard way… :smiley:

ip*** in real life you have all the info before building :stuck_out_tongue:

This is not the way to learn ip***. The way to properly learn it is to set it up on both sides, knowing in advance the settings!

Having to use brute force tools to guess the settings, and then having to figure out the proper way to write the command, only to have it not working for something else we still don’t know, is just stupid…

I can confirm that it’s also not easy to use the ‘native client’ :slight_smile: I think I am stuck where most of you are or were.

Getting past phase 1 might be easier in a next-next-finish way, but after that you also tinker with the low-level config - and you might find fewer ‘examples’ and ‘how-to’s than for Linux, as typically you don’t need to make any changes there.

I know one common root cause for the error I see - I even remember when that feature was added by Microsoft many years ago - but the usual fix does not help. In some sense that root cause is a bit similar to the ‘double V**’ so I wonder if it should work at all with that client … Nested tunnels are also something not too easily replicated in a test environment. That stuff is tricky to troubleshoot even if you have full access at both sides of the connection :slight_smile: