[Openswan Users]

Paul Wouters paul at xelerance.com
Sat Feb 5 16:58:27 CET 2005


On Sat, 5 Feb 2005, Ronald Moesbergen wrote:

> I have a VPN tunnel to a Cisco 3000 using XAUTH. The connection works
> fine, but when it's time to rekey (after one hour), the following shows
> up:
>
> Feb  4 11:28:54 #15: sent AI2, ISAKMP SA established
> Feb  4 11:28:54 #15: XAUTH: Bad Message: Enter Username and Password.
> Feb  4 11:28:54 #15: XAUTH username requested, but no file descriptor available for prompt
> Feb  4 11:28:54 #15: sending encrypted notification CERTIFICATE_UNAVAILABLE to x.x.x.x:500
>
> Feb  4 11:29:04 #14: IPsec SA expired (LATEST!)

> As you can see openswan needs the XAUTH username and password again, but
> it tries to get it by prompting for it, which of course fails because
> it's running in the background and there's no terminal (and no human)
> available. I start this connection with the following command:

I think we need to come up with some prompting method for this case. And
indeed a method for perhaps storing this information at startup, or in
ipsec.secrets (which of course would defeat the point of xauth user/pass)

> ipsec whack --initiate --name cisco --xauthname username --xauthpass
> password
>

> I'm using CVS-HEAD from last Thursday. Is there an option I should use
> to make openswan remember the password so it can reuse it?

As far as I know, we do not have this option yet. Also, it doesn't always
work like this. For instance, some setups use SecureID, so when it is time
to rekey, they MUST get prompted for their new secureid number, and we cannot
re-use the old secureid number.

I guess we need some ncurses and/or graphical pop-up that pluto can call to
gather this information.

Paul

>
> Thanks,
>
> Ronald.

-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton
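As an added illustration (not code from this thread or from Openswan), a small log check that recognises the failure pattern Ronald quotes: a new ISAKMP state asks for an XAUTH prompt that no terminal can answer, and the old IPsec SA then expires unreplaced. It assumes the log lines keep the timestamp/state-number layout shown above; the sample log is constructed from those lines.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Feb  4 11:28:54 #15: sent AI2, ISAKMP SA established
Feb  4 11:28:54 #15: XAUTH: Bad Message: Enter Username and Password.
Feb  4 11:28:54 #15: XAUTH username requested, but no file descriptor available for prompt
Feb  4 11:28:54 #15: sending encrypted notification CERTIFICATE_UNAVAILABLE to x.x.x.x:500
Feb  4 11:29:04 #14: IPsec SA expired (LATEST!)
"""

# Assumed layout: "<Mon> <day> <hh:mm:ss> #<state>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) #(?P<state>\d+): (?P<msg>.*)$")
NO_FD_MSG = "XAUTH username requested, but no file descriptor available for prompt"
EXPIRED_MSG = "IPsec SA expired"


def parse_pluto_log(log):
    """Split pluto log text into dicts with ts, state and msg fields."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_failed_xauth_rekeys(log):
    """Return one finding per unattended XAUTH prompt, paired with the first
    SA expiry logged after it (None if no expiry has been seen yet)."""
    events = parse_pluto_log(log)
    findings = []
    for i, ev in enumerate(events):
        if ev["msg"] != NO_FD_MSG:
            continue
        later = [e for e in events[i + 1:] if e["msg"].startswith(EXPIRED_MSG)]
        expired = later[0] if later else None
        findings.append({
            "prompt_state": ev["state"],
            "prompt_time": ev["ts"],
            "expired_state": expired["state"] if expired else None,
            "expired_time": expired["ts"] if expired else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_failed_xauth_rekeys(SAMPLE_LOG):
        print("XAUTH rekey needs operator input:", f)
```

Run against the live pluto log to learn that a tunnel has dropped because nobody was there to answer the prompt; re-initiating with `ipsec whack` is then the operator's decision.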