<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000066" bgcolor="#ffffff">
Hi All,<br>
<br>
I am trying to test two-phase authentication for a RoadWarrior client with
a Checkpoint R95 firewall using XAUTH.<br>
My setup:<br>
<pre>
conn "Prague"
        left=%defaultroute
        leftcert=ondrejv-unix
        leftrsasigkey=%cert
        leftprotoport=tcp/http
        leftxauthclient=yes

        right=193.85.188.83
#       rightsubnet=192.168.60.0/24
        rightcert=openswan-cert
        rightrsasigkey=%cert
        rightprotoport=tcp/http
        rightxauthserver=yes
</pre>
Now, when I comment out the xauth stuff, I am able to establish the
tunnel using my certificates. When I uncomment the xauth stuff, I am
not able to finish even the first (IKE) stage of the negotiation:<br>
<pre>
104 "Prague" #1: STATE_MAIN_I1: initiate
003 "Prague" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
003 "Prague" #1: received and ignored informational message
</pre>
And the firewall complains: "Reason: unsupported authentication method
65005".<br>
<br>
Question:<br>
Who is right here? According to
<a class="moz-txt-link-freetext" href="http://tools.ietf.org/id/draft-ietf-ipsec-isakmp-xauth-06.txt">http://tools.ietf.org/id/draft-ietf-ipsec-isakmp-xauth-06.txt</a>, the
extended authentication should be required AFTER stage 1 has successfully
finished. So Openswan should authenticate stage 1 using the certificate and
THEN expect/require an ISAKMP authentication request with XAUTH.<br>
<br>
Can someone shed some light on this?<br>
Many thanks,<br>
<br>
Ondrej<br>
<br>
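The number in the firewall's message, "unsupported authentication method 65005", is a value of the
Authentication Method attribute that the initiator puts into its Phase 1 SA proposal. In the XAUTH
draft linked above, 65005 is XAUTHInitRSA (the RSA-signature method with the initiator as XAUTH
client), one of the private-use values 65001-65010 the draft defines. The script below is an added
example, not part of the original message or of Openswan: it parses an ISAKMP data-attribute list
(RFC 2408 section 3.3) and names the Phase 1 attribute classes and authentication methods
(RFC 2409 Appendix A plus the XAUTH draft). The sample transform bytes are constructed by hand to
carry method 65005, so the output shows what a responder that only knows the RFC 2409 methods
is being asked to accept.<br>

```python
"""Decode the Authentication Method attribute of an IKEv1 Phase 1 transform.

Added example, not from the original post or from Openswan. The sample
transform attribute list below is constructed by hand. Attribute encoding
follows RFC 2408 section 3.3, attribute classes and standard method numbers
RFC 2409 Appendix A, and the XAUTH method numbers
draft-ietf-ipsec-isakmp-xauth-06.
"""
from __future__ import annotations

import struct

# RFC 2409 Appendix A: attribute classes of a Phase 1 (ISAKMP SA) transform
ATTR_CLASSES = {
    1: "Encryption-Algorithm",
    2: "Hash-Algorithm",
    3: "Authentication-Method",
    4: "Group-Description",
    11: "Life-Type",
    12: "Life-Duration",
    14: "Key-Length",
}

AUTH_METHODS = {
    # RFC 2409 Appendix A
    1: "pre-shared key",
    2: "DSS signatures",
    3: "RSA signatures",
    4: "Encryption with RSA",
    5: "Revised encryption with RSA",
    # draft-ietf-ipsec-isakmp-xauth-06, private-use range
    65001: "XAUTHInitPreShared",
    65002: "XAUTHRespPreShared",
    65003: "XAUTHInitDSS",
    65004: "XAUTHRespDSS",
    65005: "XAUTHInitRSA",
    65006: "XAUTHRespRSA",
    65007: "XAUTHInitRSAEncryption",
    65008: "XAUTHRespRSAEncryption",
    65009: "XAUTHInitRSARevisedEncryption",
    65010: "XAUTHRespRSARevisedEncryption",
}


def parse_attributes(data: bytes) -> list[tuple[int, int | bytes]]:
    """Parse an ISAKMP data-attribute list (RFC 2408 section 3.3).

    Each attribute starts with a 16-bit word: the top bit (AF) says whether
    the next 16 bits are the value itself (AF=1, a "basic" attribute) or the
    length of a variable-length value that follows (AF=0).
    """
    attrs: list[tuple[int, int | bytes]] = []
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        word, second = struct.unpack_from("!HH", data, off)
        af, attr_type = word >> 15, word & 0x7FFF
        off += 4
        if af:
            attrs.append((attr_type, second))
        else:
            if off + second > len(data):
                raise ValueError("truncated attribute value at offset %d" % off)
            attrs.append((attr_type, bytes(data[off:off + second])))
            off += second
    return attrs


def encode_basic_attribute(attr_type: int, value: int) -> bytes:
    """Encode a basic (AF=1) attribute; used here to build the sample."""
    return struct.pack("!HH", 0x8000 | attr_type, value)


def describe_auth_method(value: int) -> str:
    """Name an Authentication Method value, flagging private-use numbers."""
    name = AUTH_METHODS.get(value)
    if name is not None:
        return name
    if 65001 <= value <= 65535:  # private use per RFC 2409 Appendix A
        return "private-use method %d (unknown)" % value
    return "method %d (unknown)" % value


def auth_methods_in(data: bytes) -> list[str]:
    """Return the names of all Authentication Method attributes in a list."""
    return [describe_auth_method(v) for t, v in parse_attributes(data)
            if t == 3 and isinstance(v, int)]


# Constructed sample: attribute list of a Phase 1 transform proposing
# 3DES-CBC / SHA / MODP group 2 / 3600 s lifetime with XAUTHInitRSA
SAMPLE_TRANSFORM_ATTRS = b"".join([
    encode_basic_attribute(1, 5),       # Encryption: 3DES-CBC
    encode_basic_attribute(2, 2),       # Hash: SHA
    encode_basic_attribute(3, 65005),   # Authentication: XAUTHInitRSA
    encode_basic_attribute(4, 2),       # Group: 1024-bit MODP
    encode_basic_attribute(11, 1),      # Life type: seconds
    struct.pack("!HHI", 12, 4, 3600),   # Life duration: variable-length, 3600 s
])

if __name__ == "__main__":
    for attr_type, value in parse_attributes(SAMPLE_TRANSFORM_ATTRS):
        label = ATTR_CLASSES.get(attr_type, "class %d" % attr_type)
        if attr_type == 3 and isinstance(value, int):
            print(label, "=", value, "->", describe_auth_method(value))
        else:
            print(label, "=", value)
```

Running the script prints the six attributes, with the third line reading
"Authentication-Method = 65005 -> XAUTHInitRSA". Feeding it the attribute bytes from a packet
capture of the failing MAIN_I1 message (for example the transform payload extracted with a
packet dissector) shows exactly which method value the peer rejected.<br>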
</body>
</html>