[Openswan dev] forwarded, was [Openswan Users] Openswan reporting XAUTH problem in client mode (fwd)

Paul Wouters paul at xelerance.com
Thu Sep 8 17:28:05 CEST 2005



-- 

"With Data mining, we can search specifically for clues"

--- The AIVD (The Dutch NSA) on the necessity of ISPs' data retention

---------- Forwarded message ----------
Date: Thu, 8 Sep 2005 11:37:13 +1000
From: Ravindra Ranasinghe <Ravindra.Ranasinghe at nicta.com.au>
To: users at openswan.org
Subject: [Openswan Users] Openswan reporting XAUTH problem in client mode


Dear all,

I've compiled Openswan 2.3.0 with both (USE_XAUTH ?= true) and
(USE_XAUTHPAM ?= true) under 2.6.10 kernel successfully.

I've then tried to establish IPSec connections between the Openswan and
Cisco PIX 501 Firewall. I could successfully establish a
3DES-MD5-DH2(modp1024) tunnel between Openswan and Cisco PIX firewall
under both Aggressive mode and Main mode using PSK but WITHOUT XAUTH
enabled. After that I could ping/ftp between networks behind the Cisco
box and the Openswan Linux box using the IPSec channel between them.

I really wanted to run the Openswan in client mode with Cisco PIX box
for some testing. So I enabled XAUTH with (leftxauthclient=yes) &
(rightxauthserver=yes) and tried to connect to the Cisco box. Openswan
went through some state transitions. The final state it reported was
STATE_MAIN_I4: ISAKMP SA established. After that it displayed the
following bit on the screen

Ignoring informational payload, type IPSEC_INITIAL_CONTACT
received and ignored informational payload
XAUTH: unsupported attribute: SUPPORTED_ATTRIBUTES
XAUTH: unsupported attribute: INTERNAL_IP6_SUBNET
XAUTH: No username/password request received


After that I checked the /var/log/auth.log file. Here is what I noticed.
After Openswan has reported that it has not received XAUTH
username/password, it received a 76 bytes packet from Cisco PIX box.
Then after decrypting the received message Openswan reported the
following error in the log file.

"message ignored because it contains an unexpected payload type
(ISAKMP_NEXT_HASH)
"sending encrypted notification INVALID_PAYLOAD_TYPE to 129.97.157.140

After that, it seems to me that Openswan keeps on sending this
INVALID_PAYLOAD_TYPE message to Cisco box. But I could clearly see from
PIX 501 debug messages that it has forwarded the XAUTH request. Here is
the bit I've observed in Cisco box relevant to this.

ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD


Do I have to activate any other compilation options to get Openswan
working with Cisco with XAUTH option? Is there any specific option to be
set in the ipsec.conf file to set Openswan as xauth client? Or do I have
to set up anything in my Linux box for XAUTH?

Please help me get over this xauth problem.

Here are the important bits from my ipsec.conf file

conn testconn
    left=129.97.157.138
    leftid=@nicta
    leftxauthclient=yes
    leftsubnet=192.168.10.0/24
    right=129.97.157.140
    rightxauthserver=yes
    rightsubnet=192.168.1.0/24
    authby=secret
    pfs=no
    auto=add

Here is my ipsec.secrets
@nicta 129.97.157.140 : PSK "testpass"



Many thanks

Ravindra
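Added here as an editorial example, not code from the post or from the Openswan project: a small Python triage script that reads pluto lines of the kind quoted above (as pluto writes them to auth.log) and summarises, per connection, how far the XAUTH exchange got and whether the daemon has fallen into the repeated INVALID_PAYLOAD_TYPE loop the poster describes. The sample log, the `pluto[pid]: "conn" #n:` framing assumed by the regex, and the verdict labels are constructed assumptions; only the message texts themselves come from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the messages quoted in the post. The
# '<date> <host> pluto[pid]: "conn" #n:' framing is the usual auth.log form
# for pluto; the timestamps, host name and pid are made up.
SAMPLE_LOG = """\
Sep  8 11:30:01 gw pluto[1234]: "testconn" #1: STATE_MAIN_I4: ISAKMP SA established
Sep  8 11:30:01 gw pluto[1234]: "testconn" #1: XAUTH: unsupported attribute: SUPPORTED_ATTRIBUTES
Sep  8 11:30:01 gw pluto[1234]: "testconn" #1: XAUTH: unsupported attribute: INTERNAL_IP6_SUBNET
Sep  8 11:30:01 gw pluto[1234]: "testconn" #1: XAUTH: No username/password request received
Sep  8 11:30:02 gw pluto[1234]: "testconn" #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Sep  8 11:30:02 gw pluto[1234]: "testconn" #1: sending encrypted notification INVALID_PAYLOAD_TYPE to 129.97.157.140
Sep  8 11:30:12 gw pluto[1234]: "testconn" #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Sep  8 11:30:12 gw pluto[1234]: "testconn" #1: sending encrypted notification INVALID_PAYLOAD_TYPE to 129.97.157.140
"""

# Framing of a per-SA pluto line (assumed format, see comment above).
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# The three message shapes quoted in the post.
UNSUPPORTED_RE = re.compile(r'XAUTH: unsupported attribute: (?P<attr>[A-Z0-9_]+)')
UNEXPECTED_RE = re.compile(r'unexpected payload type \((?P<ptype>[A-Z0-9_]+)\)')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<notify>[A-Z_]+) to (?P<peer>[\d.]+)')


def new_state():
    """Empty per-connection summary."""
    return {
        "isakmp_established": False,   # STATE_MAIN_I4 reached
        "xauth_prompt_missing": False, # pluto complained it got no user/pass request
        "unsupported_attrs": [],       # ModeCfg attributes pluto did not understand
        "unexpected_payloads": Counter(),
        "notifications_sent": Counter(),
        "peer": None,                  # peer address from the notification line
    }


def triage(lines):
    """Summarise, per connection name, how far the XAUTH exchange got."""
    summary = defaultdict(new_state)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-SA pluto line; ignore
        st = summary[m.group("conn")]
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            st["isakmp_established"] = True
        elif "XAUTH: No username/password request received" in msg:
            st["xauth_prompt_missing"] = True
        elif (u := UNSUPPORTED_RE.search(msg)):
            st["unsupported_attrs"].append(u.group("attr"))
        elif (p := UNEXPECTED_RE.search(msg)):
            st["unexpected_payloads"][p.group("ptype")] += 1
        elif (n := NOTIFY_RE.search(msg)):
            st["notifications_sent"][n.group("notify")] += 1
            st["peer"] = n.group("peer")
    return dict(summary)


def verdict(st):
    """Classify one connection's summary; the labels are this script's own."""
    if not st["isakmp_established"]:
        return "phase1-incomplete"
    loop = st["notifications_sent"]["INVALID_PAYLOAD_TYPE"]
    if st["xauth_prompt_missing"] and loop >= 2:
        return ("xauth-stalled: peer message rejected as unexpected payload, "
                "INVALID_PAYLOAD_TYPE sent %d times" % loop)
    if st["xauth_prompt_missing"]:
        return "xauth-not-started: no username/password request received"
    return "no-xauth-failure-logged"


if __name__ == "__main__":
    for conn, st in triage(SAMPLE_LOG.splitlines()).items():
        print(conn, "->", verdict(st))
        print("  unexpected payloads:", dict(st["unexpected_payloads"]))
        print("  unsupported attrs:  ", st["unsupported_attrs"])
        print("  peer:               ", st["peer"])
```

Run it against a real auth.log with `triage(open("/var/log/auth.log").read().splitlines())`; a connection that reaches "xauth-stalled" is the pattern from the post (Phase 1 up, no XAUTH prompt accepted, and the same notification repeated to the peer), which is worth alerting on because the tunnel never comes up while the daemon keeps answering.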

