[Openswan Users] Openswan XAUTH client with SA using Vendor ID(VID-13)

Rodrigo Costa rlvcosta at hotmail.com
Wed Nov 28 14:38:45 EST 2007


Hello Users e-mail list,

I'm trying to use Openswan as an XAUTH client with PSK, but I'm having some difficulties. I have a proprietary Windows client which correctly performs the association. Now I'm trying to use Openswan on Linux for the same thing.

The configuration I'm using in /etc/ipsec.conf is:

conn roadwarrior
   compress=yes
   xauth=yes
   left=192.168.223.128
   leftsubnet=192.168.0.0/24
   leftnexthop=%defaultroute
   leftid="LVC7.1.2:XPL"
   right=xxx.xxx.xxx.xxx
   rightsubnet=0.0.0.0/0
   rightnexthop=%defaultroute
   auto=add
   keyexchange=ike
   ike=3des-sha1
   aggrmode=yes
   auth=esp
   type=tunnel
   authby=secret
   pfs=no

Sniffing the Windows client I get the packet contents below:

-----------------------------------------------------------------------------------------------
No.     Time        Source                Destination           Protocol Info
      6 6.125933    192.168.1.100         xxx.xxx.xxx.xxx        ISAKMP   Aggressive

Frame 6 (462 bytes on wire, 462 bytes captured)
    Arrival Time: Nov 21, 2007 23:34:52.741078000
    [Time delta from previous packet: 1.006724000 seconds]
    [Time since reference or first frame: 6.125933000 seconds]
    Frame Number: 6
    Packet Length: 462 bytes
    Capture Length: 462 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:isakmp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: 00:18:de:ca:45:6a (00:18:de:ca:45:6a), Dst: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
    Destination: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
        Address: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:18:de:ca:45:6a (00:18:de:ca:45:6a)
        Address: 00:18:de:ca:45:6a (00:18:de:ca:45:6a)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 448
    Identification: 0x9fc6 (40902)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x2f68 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.1.100 (192.168.1.100)
    Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: 57713 (57713), Dst Port: 500 (500)
    Source port: 57713 (57713)
    Destination port: 500 (500)
    Length: 428
    Checksum: 0x2295 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Internet Security Association and Key Management Protocol
    Initiator cookie: 203109707FBD28E1
    Responder cookie: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Aggressive (4)
    Flags: 0x00
        .... ...0 = Not encrypted
        .... ..0. = No commit
        .... .0.. = No authentication
    Message ID: 0x00000000
    Length: 420
    Security Association payload
        Next payload: Vendor ID (13)
        Payload length: 164
        Domain of interpretation: IPSEC (1)
        Situation: IDENTITY (1)
        Proposal payload # 1
            Next payload: NONE (0)
            Payload length: 152
            Proposal number: 1
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 4
            Transform payload # 1
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): DES-CBC (1)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (864000)
            Transform payload # 2
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 2
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): DES-CBC (1)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (864000)
            Transform payload # 3
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 3
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (864000)
            Transform payload # 4
                Next payload: NONE (0)
                Payload length: 36
                Transform number: 4
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (864000)
    Vendor ID payload
        Next payload: Key Exchange (4)
        Payload length: 15
        Vendor ID: unknown vendor ID: 0x4C5643372E312E323A5850
    Key Exchange payload
        Next payload: Nonce (10)
        Payload length: 132
        Key Exchange Data (128 bytes / 1024 bits)
    Nonce payload
        Next payload: Identification (5)
        Payload length: 68
        Nonce Data
    Identification payload
        Next payload: NONE (0)
        Payload length: 13
        ID type: 3
        ID type: USER_FQDN (3)
        Protocol ID: Unused
        Port: Unused
        Identification data: !@#$%

-----------------------------------------------------------------------------------------------

where some important points are:

    Security Association payload
        Next payload: Vendor ID (13)
and

Authentication-Method (3): PSK (1)

and
    Vendor ID payload
        Next payload: Key Exchange (4)
        Payload length: 15
        Vendor ID: unknown vendor ID: 0x4C5643372E312E323A5850

But with my Openswan configuration above I have the following packet data:

-----------------------------------------------------------------------------------------------
No.     Time        Source                Destination           Protocol Info
      1 0.000000    192.168.1.100         xxx.xxx.xxx.xxx        ISAKMP   Aggressive

Frame 1 (482 bytes on wire, 482 bytes captured)
    Arrival Time: Nov 28, 2007 11:43:01.668306000
    [Time delta from previous packet: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Packet Length: 482 bytes
    Capture Length: 482 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:isakmp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: 00:18:de:ca:45:6a (00:18:de:ca:45:6a), Dst: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
    Destination: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
        Address: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:18:de:ca:45:6a (00:18:de:ca:45:6a)
        Address: 00:18:de:ca:45:6a (00:18:de:ca:45:6a)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 468
    Identification: 0x4b20 (19232)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x83fa [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.1.100 (192.168.1.100)
    Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: 1018 (1018), Dst Port: 500 (500)
    Source port: 1018 (1018)
    Destination port: 500 (500)
    Length: 448
    Checksum: 0x6791 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Internet Security Association and Key Management Protocol
    Initiator cookie: 0CF4F88E40528977
    Responder cookie: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Aggressive (4)
    Flags: 0x00
        .... ...0 = Not encrypted
        .... ..0. = No commit
        .... .0.. = No authentication
    Message ID: 0x00000000
    Length: 440
    Security Association payload
        Next payload: Key Exchange (4)
        Payload length: 52
        Domain of interpretation: IPSEC (1)
        Situation: IDENTITY (1)
        Proposal payload # 0
            Next payload: NONE (0)
            Payload length: 40
            Proposal number: 0
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 1
            Transform payload # 0
                Next payload: NONE (0)
                Payload length: 32
                Transform number: 0
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): XAUTHInitPreShared (65001)
                Group-Description (4): 1536 bit MODP group (5)
    Key Exchange payload
        Next payload: Nonce (10)
        Payload length: 196
        Key Exchange Data (192 bytes / 1536 bits)
    Nonce payload
        Next payload: Identification (5)
        Payload length: 20
        Nonce Data
    Identification payload
        Next payload: Vendor ID (13)
        Payload length: 12
        ID type: 1
        ID type: IPV4_ADDR (1)
        Protocol ID: Unused
        Port: Unused
        Identification data: 192.168.223.128
    Vendor ID payload
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: RFC 3706 Detecting Dead IKE Peers (DPD)
    Vendor ID payload
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
    Vendor ID payload
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Vendor ID payload
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Vendor ID payload
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Vendor ID payload
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Vendor ID payload
        Next payload: NONE (0)
        Payload length: 12
        Vendor ID: draft-beaulieu-ike-xauth-02.txt
-----------------------------------------------------------------------------------------------

where the IPSec concentrator is not even responding to the client's requests.

I was wondering if there is a way in Openswan to change the Security Association -> Next payload from Key Exchange (4) to Vendor ID (13)?

Also, how can I configure Authentication-Method (3) from XAUTHInitPreShared (65001) to PSK (1)?

And the Vendor ID to the value 0x4C5643372E312E323A5850?

I believe if the initial ISAKMP phase 1 could be configured just like the original Windows IPSec client this flow could work.

I compiled the Linux kernel and all modules are working. I'm using the latest stable Openswan version 2.4.9 with kernel 2.6.15.7 compiled for my IPSec attempt.

I no longer know where to go and I'm stuck now. Any direction or configuration suggestion would be very welcome.

Thanks in advance!

Rodrigo.
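The two Wireshark dumps above differ in exactly the fields the poster asks about: the order of the payload chain (each payload's "Next payload" byte links to the following one), the Authentication-Method attribute inside the phase-1 transform, and the opaque Vendor ID bytes. The following script is an added example, not part of the original post or of Openswan: it rebuilds a constructed aggressive-mode message with the same payload layout and lengths as the Windows client's capture (SA -> VID -> KE -> Nonce -> ID, 420 bytes; the key-exchange and nonce bytes are zero placeholders, not real values), then parses the ISAKMP header, walks the generic payload headers, decodes the TV/TLV transform attributes, and renders Vendor IDs as ASCII when they are printable. The `weak_transforms` policy (single DES, MD5, MODP groups of 1024 bits or less) is my own example of what a defender reviewing such a capture would flag; it is not something either client or Openswan implements.

```python
"""Walk an ISAKMP (IKEv1) packet's payload chain and decode the phase-1 proposal (added example)."""
import struct

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 10: "NONCE", 13: "VID"}
ENC = {1: "DES-CBC", 5: "3DES-CBC"}
HASH = {1: "MD5", 2: "SHA"}
AUTH = {1: "PSK", 65001: "XAUTHInitPreShared"}


def payload(next_type, body):
    """Generic ISAKMP payload header (next payload, reserved, length) followed by body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def tv_attr(atype, value):
    """Basic (TV) attribute: type with the high bit set, 16-bit value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def tlv_attr(atype, value_bytes):
    """Variable-length (TLV) attribute: type with high bit clear, then length and value."""
    return struct.pack("!HH", atype, len(value_bytes)) + value_bytes


def transform(num, attrs, last):
    # transform number, transform ID KEY_IKE (1), two reserved bytes, then attributes
    return payload(0 if last else 3, struct.pack("!BBH", num, 1, 0) + attrs)


def sa_payload(next_type, transforms):
    # proposal #1, protocol ISAKMP (1), SPI size 0, transform count; DOI IPSEC, SIT_IDENTITY
    proposal = payload(0, struct.pack("!BBBB", 1, 1, 0, len(transforms)) + b"".join(transforms))
    return payload(next_type, struct.pack("!II", 1, 1) + proposal)


def build_sample_packet():
    """Constructed message mirroring the Windows client's aggressive-mode layout (not a real capture)."""
    def t(num, enc, hsh, last=False):
        attrs = (tv_attr(1, enc) + tv_attr(2, hsh) + tv_attr(3, 1) + tv_attr(4, 2)
                 + tv_attr(11, 1) + tlv_attr(12, struct.pack("!I", 864000)))
        return transform(num, attrs, last)
    transforms = [t(1, 1, 1), t(2, 1, 2), t(3, 5, 1), t(4, 5, 2, last=True)]
    vid = bytes.fromhex("4C5643372E312E323A5850")          # Vendor ID seen in the post
    body = (sa_payload(13, transforms)
            + payload(4, vid)
            + payload(10, bytes(128))                        # KE: zero placeholder, 1024 bits
            + payload(5, bytes(64))                          # nonce: zero placeholder
            + payload(0, struct.pack("!BBH", 3, 0, 0) + b"!@#$%"))  # ID type USER_FQDN (3)
    hdr = struct.pack("!8s8sBBBBII", bytes.fromhex("203109707FBD28E1"), bytes(8),
                      1, 0x10, 4, 0, 0, 28 + len(body))      # next=SA, v1.0, Aggressive (4)
    return hdr + body


def parse_attributes(data):
    attrs, off = {}, 0
    while off < len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        if atype & 0x8000:                                   # TV form: val is the value
            attrs[atype & 0x7FFF], off = val, off + 4
        else:                                                # TLV form: val is the length
            attrs[atype] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs


def parse_sa(body):
    """Return the attribute dict of every transform in the SA payload's first proposal."""
    _, _, spi_size, n_trans = struct.unpack_from("!BBBB", body, 12)   # after DOI, SIT, prop hdr
    off, transforms = 16 + spi_size, []
    for _ in range(n_trans):
        _, _, t_len = struct.unpack_from("!BBH", body, off)
        transforms.append(parse_attributes(body[off + 8:off + t_len]))
        off += t_len
    return transforms


def parse_isakmp(pkt):
    """Follow the Next-payload chain from the header; returns payload order and bodies by type."""
    _, _, next_p, _, xchg, _, _, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError("ISAKMP header length does not match packet size")
    chain, payloads, off = [], {}, 28
    while next_p != 0:
        nxt, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length at offset %d" % off)
        chain.append(PAYLOAD_NAMES.get(next_p, str(next_p)))
        payloads.setdefault(next_p, []).append(pkt[off + 4:off + plen])
        next_p, off = nxt, off + plen
    return {"exchange": xchg, "chain": chain, "payloads": payloads}


def describe_proposal(pkt):
    parsed = parse_isakmp(pkt)
    out = {"chain": parsed["chain"], "transforms": [], "vendor_ids": []}
    for sa in parsed["payloads"].get(1, []):
        for a in parse_sa(sa):
            out["transforms"].append({"enc": ENC.get(a.get(1), a.get(1)), "hash": HASH.get(a.get(2), a.get(2)),
                                      "auth": AUTH.get(a.get(3), a.get(3)), "group": a.get(4),
                                      "lifetime": a.get(12)})
    for vid in parsed["payloads"].get(13, []):
        printable = all(32 <= b < 127 for b in vid)          # Vendor IDs are opaque; show ASCII if it fits
        out["vendor_ids"].append({"hex": vid.hex().upper(), "ascii": vid.decode("ascii") if printable else None})
    return out


def weak_transforms(desc):
    """Constructed review policy: transform number -> reasons a defender would reject it."""
    flagged = {}
    for i, t in enumerate(desc["transforms"], 1):
        reasons = []
        if t["enc"] == "DES-CBC":
            reasons.append("single DES")
        if t["hash"] == "MD5":
            reasons.append("MD5")
        if (t["group"] or 0) <= 2:
            reasons.append("MODP group <= 1024 bits")
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    d = describe_proposal(build_sample_packet())
    print(d["chain"], d["vendor_ids"], weak_transforms(d))
```

Running it shows the chain `SA, VID, KE, NONCE, ID` and decodes the Vendor ID hex from the capture to the ASCII string `LVC7.1.2:XP`, which is what the 11 data bytes of that 15-byte payload spell out; the same walker applied to the Openswan capture would report the chain `SA, KE, NONCE, ID, VID, ...` and `XAUTHInitPreShared` as the authentication method, making the difference between the two initiators explicit rather than buried in a 100-line dissector dump.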
