<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2627" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial><FONT size=2><SPAN class=061443001-08092005>Dear
all,</SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=061443001-08092005></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial size=2>I've
compiled Openswan 2.3.0 with both (USE_XAUTH ?= true) and (USE_XAUTHPAM ?= true)
under a 2.6.10 kernel successfully.<BR><BR>I've then tried to establish IPSec
connections between the Openswan and Cisco PIX 501 Firewall. I could
successfully establish a 3DES-MD5-DH2 (modp1024) tunnel between Openswan and the Cisco PIX
firewall under both Aggressive mode and Main mode using PSK but WITHOUT XAUTH enabled.
After that I could ping/ftp between networks behind
the Cisco box and the Openswan Linux box using the IPSec channel between
them.<BR><BR>I really wanted to run the Openswan in client mode with the
Cisco PIX box for some testing. So I enabled XAUTH with (leftxauthclient=yes)
&amp; (rightxauthserver=yes) and tried to connect to the Cisco box. Openswan
went through some state transitions. The final state it reported was
STATE_MAIN_I4: ISAKMP SA established. After that it displayed the following bit
on the screen:<BR><BR>Ignoring informational payload, type
IPSEC_INITIAL_CONTACT<BR>received and ignored informational payload<BR>XAUTH:
unsupported attribute: SUPPORTED_ATTRIBUTES<BR>XAUTH: unsupported attribute:
INTERNAL_IP6_SUBNET<BR>XAUTH: No username/password request
received<BR><BR>After that I checked the /var/log/auth.log file. Here is
what I noticed. After Openswan had reported that it had not received the
XAUTH username/password, it received
a 76-byte packet from the Cisco PIX box. Then,
after decrypting the received message, Openswan reported the following error in
the log file:<BR><BR>"message ignored because it contains an unexpected payload
type (ISAKMP_NEXT_HASH)"<BR>"sending encrypted notification INVALID_PAYLOAD_TYPE
to 129.97.157.140"<BR><BR>After that, it seems to me that Openswan keeps on
sending this INVALID_PAYLOAD_TYPE message to the Cisco box. But I could clearly see
from the PIX 501 debug messages that it has forwarded the XAUTH request. Here is the
bit I've observed in the Cisco box relevant to this:<BR><BR>ISAKMP/xauth: request
attribute XAUTH_TYPE<BR>ISAKMP/xauth: request attribute
XAUTH_USER_NAME<BR>ISAKMP/xauth: request attribute
XAUTH_USER_PASSWORD<BR><BR>Do I
have to activate any other compilation options to get Openswan
working with Cisco with the XAUTH option? Is there any specific option to be set in
the ipsec.conf file to set Openswan up as an xauth client? Or do I have to set up
anything in my Linux box for XAUTH?<BR><BR>Please help me get over this xauth
problem.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here are the important
bits from my ipsec.conf file:</FONT></DIV>
<PRE>conn testconn
    left=129.97.157.138
    leftid=@nicta
    leftxauthclient=yes
    leftsubnet=192.168.10.0/24
    right=129.97.157.140
    rightxauthserver=yes
    rightsubnet=192.168.1.0/24
    authby=secret
    pfs=no
    auto=add
</PRE>
<DIV><FONT face=Arial size=2>Here is my ipsec.secrets:</FONT></DIV>
<PRE>@nicta 129.97.157.140 : PSK "testpass"
</PRE>
<DIV><SPAN class=061443001-08092005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=061443001-08092005></SPAN><FONT face=Arial><FONT
size=2></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2>Many thanks</FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=061443001-08092005></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=061443001-08092005>Ravindra</SPAN></FONT></FONT></DIV></BODY></HTML>
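An added decoder (example code, not from Ravindra's message and not Openswan's own code) for the exchange reported above: a PIX delivers its XAUTH request as an ISAKMP Transaction exchange whose first payload is HASH followed by ATTR, which matches the ISAKMP_NEXT_HASH that Openswan rejected. The parser walks the generic payload chain with bounds checks on every length field and decodes the Mode-Config attribute list; payload, exchange and attribute numbers are taken from RFC 2408 and the IETF Mode-Config/XAUTH drafts, and the sample message is constructed to carry the three attributes the PIX debug lists, not a capture of the 76-byte packet.

```python
import struct

# Numbers from RFC 2408 (payloads, exchanges) and the IETF Mode-Config / XAUTH drafts.
PAYLOADS = {0: "NONE", 1: "SA", 5: "ID", 8: "HASH", 11: "N", 13: "VID", 14: "ATTR"}
EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 6: "Transaction"}
CFG_TYPES = {1: "ISAKMP_CFG_REQUEST", 2: "ISAKMP_CFG_REPLY", 3: "ISAKMP_CFG_SET", 4: "ISAKMP_CFG_ACK"}
ATTRS = {14: "SUPPORTED_ATTRIBUTES", 15: "INTERNAL_IP6_SUBNET", 16520: "XAUTH_TYPE",
         16521: "XAUTH_USER_NAME", 16522: "XAUTH_USER_PASSWORD"}

def parse_attributes(body):
    """ATTR payload body: config type, identifier, then TV (AF bit set) / TLV attributes."""
    cfg_type, _, ident = struct.unpack("!BBH", body[:4])
    attrs, off = [], 4
    while off + 4 <= len(body):
        t, lv = struct.unpack("!HH", body[off:off + 4])
        if t & 0x8000:                      # AF=1: lv is the 2-byte value itself
            value, off = lv, off + 4
        else:                               # AF=0: lv is the length of a variable value
            value, off = body[off + 4:off + 4 + lv], off + 4 + lv
        attrs.append((ATTRS.get(t & 0x7FFF, str(t & 0x7FFF)), value))
    return CFG_TYPES.get(cfg_type, str(cfg_type)), ident, attrs

def parse_isakmp(msg):
    """Walk the 28-byte ISAKMP header and generic payload chain of a decrypted message."""
    if len(msg) < 28:
        raise ValueError("truncated ISAKMP header")
    _, _, np, _, xchg, _, _, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("header says %d bytes, got %d" % (length, len(msg)))
    out = {"exchange": EXCHANGES.get(xchg, str(xchg)), "payloads": [], "config": None}
    off = 28
    while np != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header at offset %d" % off)
        next_np, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        out["payloads"].append(PAYLOADS.get(np, str(np)))
        if np == 14:
            out["config"] = parse_attributes(msg[off + 4:off + plen])
        np, off = next_np, off + plen
    return out

def sample_xauth_request():
    """Constructed, not captured: decrypted Transaction exchange = HASH, then an ATTR request."""
    attrs = struct.pack("!HHHHHH", 0x8000 | 16520, 0, 16521, 0, 16522, 0)  # TV, TLV, TLV
    attr_pl = struct.pack("!BBH", 0, 0, 8 + len(attrs)) + struct.pack("!BBH", 1, 0, 0x1234) + attrs
    hash_pl = struct.pack("!BBH", 14, 0, 20) + b"\x00" * 16          # placeholder 16-byte MD5
    hdr = struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, 8, 0x10, 6, 1, 0x42, 28 + len(hash_pl) + len(attr_pl))
    return hdr + hash_pl + attr_pl
```

Running `parse_isakmp(sample_xauth_request())` shows the payload order HASH, ATTR and a CFG_REQUEST for XAUTH_TYPE, XAUTH_USER_NAME and XAUTH_USER_PASSWORD.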