[Openswan dev] XAUTH Code for "Domain"

Michael H. Warfield mhw at WittsEnd.com
Tue Jul 5 20:15:48 EDT 2011


On Tue, 2011-07-05 at 19:39 -0400, Paul Wouters wrote: 
> On Tue, 5 Jul 2011, Michael H. Warfield wrote:
> 
> >> Is this past the authentication step? Can you trust that message?
> >
> > Yes, it's post auth.  We're all the way into the first couple of
> > quick-mode steps setting up the SA for ESP when it fails.
> 
> Oki.
> 
> >> Also, what other alternatives do we have then to keep on trying? If this
> >> is a misconfiguration on the remote end, we're better left trying and
> >> perhaps they will fix their end.
> >
> > I don't see we have any alternatives unless we want to try and implement
> > heuristics
> 
> that's why we just keep trying the same thing, and hope the other "gets fixed".
> 
> > in what to try and that wouldn't make sense.  Seems like it's
> > a misconfiguration on our end but, for the life of me, I can see what it
> > is.
> >
> > There's something broken in the phase 2 transaction I'm not
> > understanding.  I see vpnc is negotiating a phase 2 of AES w/ 256 and
> > SHA1 without a problem and that's in our proposition list.  I now have 1
> > ASA that works with us and 3 that refuse to cooperate with the same
> > configurations and all 4 work with vpnc.

> Make sure you have the right modp. Sometimes Cisco does not like some phase1
> thing, but will only silently fail later on. Perhaps you need modp1024 or modp1536
> instead of modp2048?

Oh, and it's NOT silently failing, either.  That was my whole point.  It
is telling us that NONE of the proposals were acceptable but we're
ignoring the message.

> Paul

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
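The message Mike describes, the peer saying that none of the proposals was acceptable, is the ISAKMP Notification payload RFC 2408 calls NO-PROPOSAL-CHOSEN. As an added illustration (not Openswan's code and not from this thread), the Python below walks an ISAKMP payload chain and flags that notify, acting on it only once the exchange is authenticated, which is Paul's concern earlier in the thread. It assumes the buffer is the decrypted payload chain that follows the ISAKMP header, and builds its own constructed sample bytes.

```python
import struct

# RFC 2408 values used below (assumed here, not Openswan's own constants).
ISAKMP_PAYLOAD_NOTIFICATION = 11
NOTIFY_NO_PROPOSAL_CHOSEN = 14
DOI_IPSEC = 1
PROTO_IPSEC_ESP = 3
# Notify types meaning the responder rejected what we offered; re-sending the
# identical proposal cannot succeed, so retrying blindly only hides the error.
FATAL_NOTIFIES = {NOTIFY_NO_PROPOSAL_CHOSEN: "NO-PROPOSAL-CHOSEN"}


def build_notify(notify_type, next_payload=0, spi=b"", data=b""):
    """Constructed sample data: one Notification payload (generic header + body)."""
    body = struct.pack("!IBBH", DOI_IPSEC, PROTO_IPSEC_ESP, len(spi), notify_type)
    body += spi + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def iter_payloads(first_type, buf):
    """Walk the payload chain; first_type is the ISAKMP header's Next Payload."""
    ptype, off = first_type, 0
    while ptype != 0:
        if off + 4 > len(buf):
            raise ValueError("truncated payload header")
        nxt, _reserved, length = struct.unpack_from("!BBH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError("bad payload length")
        yield ptype, buf[off + 4:off + length]
        ptype, off = nxt, off + length


def rejected_proposal(first_type, buf, authenticated):
    """Return the notify name if the peer says no proposal was acceptable.

    Trusted only once the exchange is authenticated: before that, anyone on the
    path could inject such a notification to make the initiator give up.
    """
    if not authenticated:
        return None
    for ptype, body in iter_payloads(first_type, buf):
        if ptype != ISAKMP_PAYLOAD_NOTIFICATION or len(body) < 8:
            continue
        _doi, _proto, _spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
        if ntype in FATAL_NOTIFIES:
            return FATAL_NOTIFIES[ntype]
    return None
```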

