[Openswan Users]
Ronald Moesbergen
Ronald.Moesbergen at bkvision.nl
Wed Feb 9 15:05:52 CET 2005
>
> On Sat, 5 Feb 2005, Ronald Moesbergen wrote:
>
> > I have a VPN tunnel to a Cisco 3000 using XAUTH. The connection works
> > fine, but when it's time to rekey (after one hour), the following
> > shows up:
> >
> > Feb 4 11:28:54 #15: sent AI2, ISAKMP SA established
> > Feb 4 11:28:54 #15: XAUTH: Bad Message: Enter Username and Password.
> > Feb 4 11:28:54 #15: XAUTH username requested, but no file descriptor available for prompt
> > Feb 4 11:28:54 #15: sending encrypted notification CERTIFICATE_UNAVAILABLE to x.x.x.x:500
> >
> > Feb 4 11:29:04 #14: IPsec SA expired (LATEST!)
>
> > As you can see openswan needs the XAUTH username and password again,
> > but it tries to get it by prompting for it, which of course fails
> > because it's running in the background and there's no terminal (and no
> > human) available. I start this connection with the following command:
>
> I think we need to come up with some prompting method for this case.
> And indeed a method for perhaps storing this information at startup, or
> in ipsec.secrets (which of course would defeat the point of xauth
> user/pass)
>
> > ipsec whack --initiate --name cisco --xauthname username --xauthpass
> > password
> >
>
> > I'm using CVS-HEAD from last Thursday. Is there an option I should use
> > to make openswan remember the password so it can reuse it?
>
> As far as I know, we do not have this option yet. Also, it doesn't
> always work like this. For instance, some setups use SecureID, so when
> it is time to rekey, they MUST get prompted for their new secureid
> number, and we cannot re-use the old secureid number.
Ok, thanks, that confirms what I suspected. I modified pluto to save the
password and reuse it for now, so for the time being that works for me.
I hope this feature will be added in the future.
Thanks,
Ronald.
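A small log check, added here as an example and not part of the thread or of Openswan itself, that flags the failure mode discussed above in pluto's log: an XAUTH prompt that could not be answered, followed shortly by an IPsec SA expiry. The sample log lines and the line format are constructed from the excerpt quoted in the thread; real pluto output may differ slightly.

```python
import re
from datetime import datetime

# Constructed sample modelled on the log lines quoted in the thread:
# state #15 is the ISAKMP SA being rekeyed, #14 the IPsec SA that then expires.
SAMPLE_LOG = """\
Feb 4 11:28:54 #15: sent AI2, ISAKMP SA established
Feb 4 11:28:54 #15: XAUTH: Bad Message: Enter Username and Password.
Feb 4 11:28:54 #15: XAUTH username requested, but no file descriptor available for prompt
Feb 4 11:28:54 #15: sending encrypted notification CERTIFICATE_UNAVAILABLE to x.x.x.x:500
Feb 4 11:29:04 #14: IPsec SA expired (LATEST!)
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> #<state>: <message>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"#(?P<state>\d+): (?P<msg>.*)$"
)
PROMPT_FAILED = "XAUTH username requested, but no file descriptor available for prompt"
SA_EXPIRED = "IPsec SA expired"


def parse_line(line):
    """Return (timestamp, state_number, message) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts, int(m["state"]), m["msg"]


def find_unattended_rekey_failures(log_text, window_seconds=60):
    """Return (isakmp_state, expired_sa_state) pairs where an unanswerable XAUTH
    prompt was followed within window_seconds by an IPsec SA expiry, i.e. a tunnel
    that was lost because nobody could type the credentials at rekey time."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = []
    for ts, state, msg in events:
        if PROMPT_FAILED not in msg:
            continue
        for ts2, state2, msg2 in events:
            if SA_EXPIRED in msg2 and 0 <= (ts2 - ts).total_seconds() <= window_seconds:
                failures.append((state, state2))
    return failures


if __name__ == "__main__":
    for isakmp, ipsec in find_unattended_rekey_failures(SAMPLE_LOG):
        print(f"tunnel lost: ISAKMP state #{isakmp} could not complete XAUTH, IPsec SA #{ipsec} expired")
```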