[Fwd: Re: [Openswan Users] Re: Aggressive mode client to Netscreen w/ leftid=email]

Tibor Incze tibor.incze at eservglobal.com
Wed Aug 3 12:38:49 CEST 2005


I think I know what may be happening when it fails.(see pluto debug below)
Basically the Xauth on the Netscreen is set up to assign DNS(and netbios) IPs.
Can openswan handle this? would it need to be run suid root to add these values
into the appropriate files? Btw, I've tried all sorts of values for "esp=" and
nothing helps(even though the Netscreen is set up to accept multiple phase2 values)
Any help/hints would be appreciated.
Thanks
Tibor


(from pluto right before it gives the hash errors):
XAUTH: HASH computed:
Aug  3 10:31:42 gitz pluto[19905]: |   f5 9f 02 24  f3 de 41 2d  1e 24 42 ce  78 70 19 d0
Aug  3 10:31:42 gitz pluto[19905]: |   6e 5d 83 62
Aug  3 10:31:42 gitz pluto[19905]: | ****parse ISAKMP ModeCfg attribute:
Aug  3 10:31:42 gitz pluto[19905]: |    ModeCfg attr type:
INTERNAL_IP4_ADDRESS
Aug  3 10:31:42 gitz pluto[19905]: |    length/value: 4
Aug  3 10:31:42 gitz pluto[19905]: | ****parse ISAKMP ModeCfg attribute:
Aug  3 10:31:42 gitz pluto[19905]: |    ModeCfg attr type:
INTERNAL_IP4_NETMASK
Aug  3 10:31:42 gitz pluto[19905]: |    length/value: 4
Aug  3 10:31:42 gitz pluto[19905]: | ****parse ISAKMP ModeCfg attribute:
Aug  3 10:31:42 gitz pluto[19905]: |    ModeCfg attr type: INTERNAL_IP4_DNS
Aug  3 10:31:42 gitz pluto[19905]: |    length/value: 4
Aug  3 10:31:42 gitz pluto[19905]: | ****parse ISAKMP ModeCfg attribute:
Aug  3 10:31:42 gitz pluto[19905]: |    ModeCfg attr type: INTERNAL_IP4_DNS
Aug  3 10:31:42 gitz pluto[19905]: |    length/value: 4
Aug  3 10:31:42 gitz pluto[19905]: | ****parse ISAKMP ModeCfg attribute:
Aug  3 10:31:42 gitz pluto[19905]: |    ModeCfg attr type: INTERNAL_IP4_NBNS
Aug  3 10:31:42 gitz pluto[19905]: |    length/value: 4

Tibor Incze wrote:
> Guys,
> 
> No luck yet, but I do have some more info. Firstly I tried v.2.3.2 and it
> behaves the same way, except for one additional slightly annoying thing.
> Basically it seems to block any connections on the ipsec-ed interface,
> until ipsec is shut down. The errors that relate to this are the
> following:
> %hold otherwise handled during DNS lookup for Opportunistic Initiation for
> 192.168.165.100 to 64.233.187.99
> This traffic (to google) should be going out directly, and not via the
> ipsec tunnel...
> Still waiting on an answer to what are all possible values for esp=. It'd
> be great to include this in a doc. I've tried several ones from the
> mailing list, but none seems to work. I get the errors:
> ailed to build notification for spisize=0
> Jun  9 21:01:47 gitz pluto[16940]: "next payload type of ISAKMP Hash
> Payload has an unknown value: <number>
> continuously shortly after Xauth. That would seem to indicate that xauth
> is failing, but interestingly enough if I put in the wrong username and
> password, it behaves correctly in prompting me again. Once I've put in the
> right username and pass, it gives the above errors. Any ideas?
> --Tibor
> 
> 
> 
>>On Mon, 23 May 2005, Tibor Incze wrote:
>>
>>
>>>You also need the ike=(for phase1) and esp=(for phase2) lines in
>>>ipsec.conf. I now have:
>>>ike=3des-sha1-modp1024
>>>esp=3des-sha1
>>
>>You must specify explicit ike/esp lines, because aggressive mode
>>cannot negotiate those parameters. It has to be right in the first
>>packet exchange.
>>
>>
>>>However after putting in the xauth username and password, I now get
>>>these errors:
>>>---------------------------------
>>>04 "myclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set 228
>>>"myclient" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
>>>003 "myclient" #1: next payload type of ISAKMP Hash Payload has an
>>>unknown value: 133
>>>003 "myclient" #1: malformed payload in packet
>>>003 "myclient" #1: next payload type of ISAKMP Hash Payload has an
>>>unknown value: 133
>>>003 "myclient" #1: malformed payload in packet
>>>------------------------------------------
>>
>>I am not sure. Your remote end wants a certificate? Do you have one?
>>Did it load? Are you sending it?
>>
>>
>>>The "unknown value:" number changes on each attempt, so I'm not sure
>>>what the problem is. Any ideas? I'm not using certs btw, should I be?
>>>On the netscreen for phase2 I have it set to 3des-sha1(with pfs) and
>>>as a second option 3des-md5(with pfs)
>>
>>I don't know what the netscreen wants.
>>
>>
>>>Another question: does openswan support "CHAP" for Xauth?
>>
>>No, XAUTH currently only supports passwords in /etc/ipsec.d/passwd or
>>PAM. You should be able to hook up PAM to other things, such as radius
>>though. See docs/README.XAUTH
>>
>>Paul
> 
> 
> 
> 

-- 
Tibor Incze
Senior System Administrator
eServGlobal (NZ) Pty. Ltd.

tibor.incze at eservglobal.com
T: +64(0)4 939 3408
M: +64(0)21 382 383


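As an added illustration (not code from this thread or from Openswan), here is a parser for the ISAKMP Attribute (ModeCfg) payload whose attributes pluto is logging in the debug output above, using the data-attribute encoding of RFC 2408 section 3.3 (AF bit, type, length/value) and the INTERNAL_IP4_* numbers from the ISAKMP Configuration Attributes registry. The CFG_SET sample, its addresses and the identifier 0x1234 are constructed; a length field that runs past the end of the payload is rejected rather than read, which is the kind of "malformed payload" condition pluto reports.

```python
import struct
import ipaddress

# ISAKMP Configuration attribute numbers (IANA registry); these four are the
# ones pluto names in the debug output of the thread above.
CFG_ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
                  3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS"}
CFG_TYPES = {1: "ISAKMP_CFG_REQUEST", 2: "ISAKMP_CFG_REPLY",
             3: "ISAKMP_CFG_SET", 4: "ISAKMP_CFG_ACK"}


def parse_modecfg_payload(payload: bytes):
    """Parse the body of an ISAKMP Attribute payload: Type(1) Reserved(1)
    Identifier(2), then RFC 2408 data attributes. Returns
    (cfg_type_name, identifier, [(attr_name, value), ...])."""
    if len(payload) < 4:
        raise ValueError("ModeCfg payload shorter than its 4-byte header")
    cfg_type, _reserved, ident = struct.unpack("!BBH", payload[:4])
    attrs, off = [], 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % off)
        af_type, lv = struct.unpack("!HH", payload[off:off + 4])
        attr_type, off = af_type & 0x7FFF, off + 4
        if af_type & 0x8000:              # AF=1: TV form, the field is the value
            value = lv.to_bytes(2, "big")
        else:                             # AF=0: TLV form, the field is a length
            if off + lv > len(payload):   # never read past the payload end
                raise ValueError("attribute %d claims %d bytes, only %d left"
                                 % (attr_type, lv, len(payload) - off))
            value, off = payload[off:off + lv], off + lv
        name = CFG_ATTR_NAMES.get(attr_type, "UNKNOWN_%d" % attr_type)
        if attr_type in CFG_ATTR_NAMES and len(value) == 4:
            value = str(ipaddress.IPv4Address(value))   # 4-byte value: render dotted quad
        attrs.append((name, value))
    return CFG_TYPES.get(cfg_type, "UNKNOWN_%d" % cfg_type), ident, attrs


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one TLV-form (AF=0) attribute."""
    return struct.pack("!HH", attr_type, len(value)) + value


# Constructed CFG_SET mirroring what the debug output above shows the gateway
# pushing: address, netmask, two DNS servers and one NBNS server, 4 bytes each.
SAMPLE_CFG_SET = (struct.pack("!BBH", 3, 0, 0x1234)
                  + build_attr(1, ipaddress.IPv4Address("10.0.0.5").packed)
                  + build_attr(2, ipaddress.IPv4Address("255.255.255.0").packed)
                  + build_attr(3, ipaddress.IPv4Address("10.0.0.2").packed)
                  + build_attr(3, ipaddress.IPv4Address("10.0.0.3").packed)
                  + build_attr(4, ipaddress.IPv4Address("10.0.0.4").packed))

if __name__ == "__main__":
    print(parse_modecfg_payload(SAMPLE_CFG_SET))
```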

