[Openswan Users] OpenSWAN as Xauth client + RSA certs?
sean at obstacle9.com
Fri Dec 9 10:02:51 CET 2005
Ooops, didn't mean to bounce this to the list, sorry.
I still haven't heard if it's possible to use OpenSWAN as an XAuth client
to a Netscreen, authenticating during phase 1 with RSA certs. Anyone know?
sk
On Wed, 7 Dec 2005 sean at obstacle9.com wrote:
> On Wed, 7 Dec 2005, Marc Spiegelman wrote:
>
> > I haven't used XAuth client with RSA but I configure XAuth server + RSA
> > (on 2.4.x) all the time.
> >
> > The only difference in the config would be [left/right]xauthclient=yes
> > instead of [left/right]xauthserver=yes
> >
> > The IP assignment part depends on mode-config which I haven't used.
>
> I've tried giving it a go, but it looks like OpenSWAN is trying to
> authenticate via Xauth during phase 1 instead of just certificates. My
> pcaps show openswan sending a transform with Authentication-Method as
> "XAUTHInitRSA" when it should be "RSA-SIG". My SafeNet client advertises
> Xauth support later in the negotiation, not in the first packet:
>
> 1. Safenet -> Netscreen: Phase 1 Transforms (3DES/SHA, Main mode, RSA), NAT-T support
> 2. Netscreen -> Safenet: Phase 1 Transforms (3DES/SHA, Main mode, RSA), NAT-T support
> 3. Safenet -> Netscreen: NAT-D payloads, Xauth advertisement (draft-beaulieu-ike-xauth-02.txt)
>
> <phase 1, xauth, phase 2 complete>
>
> Can OpenSWAN be configured to work in a similar manner?
>
> thanks,
> Sean
>
> > -----Original Message-----
> > From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
> > Behalf Of sean at obstacle9.com
> > Sent: Wednesday, December 07, 2005 5:03 PM
> > To: users at openswan.org
> > Subject: [Openswan Users] OpenSWAN as Xauth client + RSA certs?
> >
> > Is this possible? It's not clear from the docs or from mailing list
> > archives - most of the examples are with PSKs. I'm trying to connect to a
> > Netscreen with RSA certs+Xauth so users can have IPs automatically
> > assigned from a pool depending on their user type (as defined in their
> > cert).
> >
> > thanks,
> > sk
> > _______________________________________________
> > Users mailing list
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
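The check Sean is doing by eye on his pcaps (reading the Authentication Method attribute out of the initiator's first main-mode SA proposal) can be scripted. The following is an added example, not code from the thread or from Openswan: it parses a raw ISAKMP packet (the UDP/500 payload, however it was captured), walks to the SA payload and reports the Authentication Method of every phase 1 transform, naming the standard values from RFC 2409 Appendix A and the private-use XAUTH values from draft-beaulieu-ike-xauth. The sample packets it runs on are constructed inline by `build_main_mode_sa`, a helper written for this example; they are not captured Openswan or SafeNet traffic.

```python
"""Report the IKEv1 phase 1 Authentication Method proposed in an ISAKMP packet."""
import struct

# RFC 2409 Appendix A, attribute class 3 (Authentication Method), plus the
# private-use values assigned by draft-beaulieu-ike-xauth.
AUTH_METHOD_NAMES = {
    1: "PSK", 2: "DSS-SIG", 3: "RSA-SIG", 4: "RSA-ENC", 5: "RSA-ENC-REVISED",
    65001: "XAUTHInitPreShared", 65002: "XAUTHRespPreShared",
    65003: "XAUTHInitDSS", 65004: "XAUTHRespDSS",
    65005: "XAUTHInitRSA", 65006: "XAUTHRespRSA",
    65007: "XAUTHInitRSAEncryption", 65008: "XAUTHRespRSAEncryption",
    65009: "XAUTHInitRSARevisedEncryption", 65010: "XAUTHRespRSARevisedEncryption",
}
ISAKMP_HDR_LEN = 28
PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 1, 2, 3
ATTR_AUTH_METHOD = 3


def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 3.3) into {type: value}.
    Basic attributes (AF bit set) carry a 2-byte value inline; variable-length
    ones are skipped but consumed so the parse stays aligned."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, val_or_len = struct.unpack_from("!HH", data, off)
        if af_type & 0x8000:
            attrs[af_type & 0x7FFF] = val_or_len
            off += 4
        else:
            off += 4 + val_or_len
    return attrs


def _parse_sa(body):
    """SA payload body: DOI (4), Situation (4), then proposal payloads."""
    results, off, next_p = [], 8, PAYLOAD_PROPOSAL
    while next_p == PAYLOAD_PROPOSAL and off + 8 <= len(body):
        next_p, _, plen, _pnum, _proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        toff, tnext = off + 8 + spi_size, PAYLOAD_TRANSFORM
        for _ in range(ntrans):
            if tnext != PAYLOAD_TRANSFORM or toff + 8 > len(body):
                break
            tnext, _, tlen, tnum, _tid, _res = struct.unpack_from("!BBHBBH", body, toff)
            am = parse_attributes(body[toff + 8: toff + tlen]).get(ATTR_AUTH_METHOD)
            results.append((tnum, AUTH_METHOD_NAMES.get(am, "unknown(%s)" % am)))
            toff += tlen
        off += plen
    return results


def phase1_auth_methods(pkt):
    """Return [(transform_number, auth_method_name), ...] for the first SA payload."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_payload = pkt[16]
    if struct.unpack_from("!I", pkt, 24)[0] != len(pkt):
        raise ValueError("ISAKMP length field does not match packet length")
    off = ISAKMP_HDR_LEN
    while next_payload != 0 and off + 4 <= len(pkt):
        ptype = next_payload
        next_payload, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        if ptype == PAYLOAD_SA:
            return _parse_sa(pkt[off + 4: off + plen])
        off += plen
    raise ValueError("no SA payload found")


def proposes_xauth(pkt):
    """True if any phase 1 transform asks for an XAUTH authentication method."""
    return any(name.startswith("XAUTH") for _, name in phase1_auth_methods(pkt))


def build_main_mode_sa(auth_method):
    """Constructed sample data for this example (not a captured packet): an
    initiator's first main-mode message with one 3DES/SHA1/MODP1024 transform."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in [(1, 5), (2, 2), (3, auth_method), (4, 2)])
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa_body = struct.pack("!II", 1, 1) + proposal          # IPsec DOI, SIT_IDENTITY_ONLY
    sa = struct.pack("!BBH", 0, 0, 4 + len(sa_body)) + sa_body
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                      PAYLOAD_SA, 0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(sa))
    return hdr + sa


if __name__ == "__main__":
    for label, pkt in [("plain RSA-SIG", build_main_mode_sa(3)),
                       ("XAUTHInitRSA", build_main_mode_sa(65005))]:
        print(label, phase1_auth_methods(pkt), "xauth:", proposes_xauth(pkt))
```

Feed `phase1_auth_methods` the UDP payload of the initiator's first packet: a list containing only `RSA-SIG` is the behaviour Sean describes for the SafeNet client, while an `XAUTHInit*` value in that first proposal is what he reports Openswan sending.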