[Openswan Users] OpenSWAN as Xauth client + RSA certs?

sean at obstacle9.com sean at obstacle9.com
Wed Dec 7 18:39:47 CET 2005


On Wed, 7 Dec 2005, Marc Spiegelman wrote:

> I haven't used XAuth client with RSA but I configure XAuth server + RSA
> (on 2.4.x) all the time.
> 
> The only difference in the config would be [left/right]xauthclient=yes
> instead of [left/right]xauthserver=yes.
> 
> The IP assignment part depends on mode-config which I haven't used.

I've tried giving it a go, but it looks like OpenSWAN is trying to 
authenticate via Xauth during phase 1 instead of just certificates. My 
pcaps show openswan sending a transform with Authentication-Method as 
"XAUTHInitRSA" when it should be "RSA-SIG". My SafeNet client advertises 
Xauth support later in the negotiation, not in the first packet:

1. Safenet -> Netscreen: Phase 1 Transforms (3DES/SHA, Main mode, RSA), 
   NAT-T support 
2. Netscreen -> Safenet: Phase 1 Transforms (3DES/SHA, 
   Main mode, RSA), NAT-T support 
3. Safenet -> Netscreen: NAT-D payloads, Xauth 
   advertisement(draft-beaulieu-ike-xauth-02.txt)

<phase 1, xauth, phase 2 complete>

Can OpenSWAN be configured to work in a similar manner?

thanks,
Sean

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
> Behalf Of sean at obstacle9.com
> Sent: Wednesday, December 07, 2005 5:03 PM
> To: users at openswan.org
> Subject: [Openswan Users] OpenSWAN as Xauth client + RSA certs?
> 
> Is this possible? It's not clear from the docs or from mailing list
> archives - most of the examples are with PSKs. I'm trying to connect to a
> Netscreen with RSA certs+Xauth so users can have IPs automatically
> assigned from a pool depending on their user type (as defined in their
> cert).
> 
> thanks,
> sk
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users


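Added diagnostic example (not code from the thread or from the Openswan project): a small decoder for the SA attributes of an IKEv1 Transform payload that reports the proposed Authentication-Method and tells the XAUTH hybrid values (65001-65010, private-use range from draft-beaulieu-ike-xauth) apart from plain RSA-SIG (3), which is the difference Sean spotted in his pcaps. Attribute classes and values come from RFC 2408/2409 and the XAuth draft; the two sample payloads are constructed in the code, not captured traffic.

```python
"""Decode the SA attributes of an IKEv1 (ISAKMP) Transform payload and report
which Authentication-Method the peer proposes.  Constructed example: the
byte strings below are hand-built sample payloads, not captured traffic."""
import struct

# IKE attribute classes (RFC 2409 Appendix A) we care about here.
ATTR_CLASSES = {1: "Encryption-Algorithm", 2: "Hash-Algorithm",
                3: "Authentication-Method", 4: "Group-Description",
                11: "Life-Type", 12: "Life-Duration"}
ENC = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA"}
GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
# RFC 2409 authentication methods plus the private-use values that
# draft-beaulieu-ike-xauth assigns to the XAUTH hybrid methods.
AUTH = {1: "PSK", 2: "DSS-SIG", 3: "RSA-SIG", 4: "RSA-ENC", 5: "RSA-ENC-REVISED",
        65001: "XAUTHInitPreShared", 65002: "XAUTHRespPreShared",
        65003: "XAUTHInitDSS", 65004: "XAUTHRespDSS",
        65005: "XAUTHInitRSA", 65006: "XAUTHRespRSA",
        65007: "XAUTHInitRSAEncryption", 65008: "XAUTHRespRSAEncryption",
        65009: "XAUTHInitRSARevisedEncryption",
        65010: "XAUTHRespRSARevisedEncryption"}

def parse_attributes(data):
    """Yield (class, value) pairs from an ISAKMP attribute list (RFC 2408 3.3)."""
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        type_field, val = struct.unpack_from("!HH", data, off)
        off += 4
        attr_class = type_field & 0x7FFF
        if type_field & 0x8000:           # AF=1: basic attribute, 2-byte value
            yield attr_class, val
        else:                             # AF=0: 'val' is the length of the value
            if len(data) - off < val:
                raise ValueError("truncated variable-length attribute")
            yield attr_class, int.from_bytes(data[off:off + val], "big")
            off += val

def parse_transform(payload):
    """Decode one Transform payload (RFC 2408 3.6) into a dict of named attributes."""
    if len(payload) < 8:
        raise ValueError("transform payload too short")
    _next, _res, length, tnum, tid, _res2 = struct.unpack_from("!BBHBBH", payload, 0)
    if length != len(payload):
        raise ValueError("length field %d != %d bytes present" % (length, len(payload)))
    if tid != 1:                          # Transform-Id 1 == KEY_IKE in the ISAKMP DOI
        raise ValueError("not a KEY_IKE transform (id %d)" % tid)
    out = {"transform_number": tnum}
    names = {1: ENC, 2: HASH, 3: AUTH, 4: GROUP}
    for cls, val in parse_attributes(payload[8:]):
        name = ATTR_CLASSES.get(cls, "attr-%d" % cls)
        out[name] = names[cls].get(val, val) if cls in names else val
    return out

def auth_method_check(transform):
    """Classify the proposed Authentication-Method: plain certificate auth,
    an XAUTH hybrid carried in the transform itself, or something else."""
    m = transform.get("Authentication-Method")
    if m == "RSA-SIG":
        return "plain RSA-SIG in phase 1 (any XAUTH support is signalled outside the transform)"
    if isinstance(m, str) and m.startswith("XAUTH"):
        return "XAUTH negotiated inside the phase 1 transform (%s)" % m
    return "other: %r" % (m,)

def build_transform(auth_value):
    """Construct a sample KEY_IKE transform: 3DES / SHA / modp1024 / given auth method."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | cls, val) for cls, val in
                     [(1, 5), (2, 2), (3, auth_value), (4, 2), (11, 1)])
    attrs += struct.pack("!HHI", 12, 4, 28800)   # Life-Duration as a variable-length attribute
    return struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs

# Constructed samples: what a client proposing plain certificate auth sends (RSA-SIG)
# versus a transform carrying the XAUTHInitRSA hybrid method.
CLIENT_LIKE = build_transform(3)
XAUTH_LIKE = build_transform(65005)

if __name__ == "__main__":
    for label, pkt in (("rsa-sig", CLIENT_LIKE), ("xauth", XAUTH_LIKE)):
        t = parse_transform(pkt)
        print(label, t, "->", auth_method_check(t))
```

Run over real captures, the decoder would be fed the Transform payload bytes of the first ISAKMP packet (the ones Wireshark labels Authentication-Method), so a mismatch between what the two peers propose shows up before any keys are exchanged.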