[Openswan Users]

Ronald Moesbergen Ronald.Moesbergen at bkvision.nl
Wed Feb 9 15:05:52 CET 2005


> On Sat, 5 Feb 2005, Ronald Moesbergen wrote:
> 
> > I have a VPN tunnel to a Cisco 3000 using XAUTH. The connection works
> > fine, but when it's time to rekey (after one hour), the following shows
> > up:
> >
> > Feb  4 11:28:54 #15: sent AI2, ISAKMP SA established
> > Feb  4 11:28:54 #15: XAUTH: Bad Message: Enter Username and Password.
> > Feb  4 11:28:54 #15: XAUTH username requested, but no file descriptor available for prompt
> > Feb  4 11:28:54 #15: sending encrypted notification CERTIFICATE_UNAVAILABLE to x.x.x.x:500
> >
> > Feb  4 11:29:04 #14: IPsec SA expired (LATEST!)
> 
> > As you can see openswan needs the XAUTH username and password again,
> > but it tries to get it by prompting for it, which of course fails
> > because it's running in the background and there's no terminal (and no
> > human) available. I start this connection with the following command:
> 
> I think we need to come up with some prompting method for this case. And
> indeed a method for perhaps storing this information at startup, or in
> ipsec.secrets (which of course would defeat the point of xauth user/pass)
> 
> > ipsec whack --initiate --name cisco --xauthname username --xauthpass
> > password
> >
> 
> > I'm using CVS-HEAD from last Thursday. Is there an option I should use
> > to make openswan remember the password so it can reuse it?
> 
> As far as I know, we do not have this option yet. Also, it doesn't always
> work like this. For instance, some setups use SecureID, so when it is time
> to rekey, they MUST get prompted for their new secureid number, and we
> cannot re-use the old secureid number.

Ok, thanks, that confirms what I suspected. I modified pluto to save the
password and reuse it for now, so for the time being that works for me.
I hope this feature will be added in the future.

Thanks,
Ronald.
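As an added example (not from this thread or the Openswan project), a small Python check that scans pluto log lines for the failure mode discussed above: a rekey that tries to prompt for XAUTH credentials with no terminal available, followed shortly by the IPsec SA expiring. The sample log lines are constructed from the ones quoted in the thread; the year and the correlation window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Feb  4 11:28:54 #15: sent AI2, ISAKMP SA established
Feb  4 11:28:54 #15: XAUTH: Bad Message: Enter Username and Password.
Feb  4 11:28:54 #15: XAUTH username requested, but no file descriptor available for prompt
Feb  4 11:28:54 #15: sending encrypted notification CERTIFICATE_UNAVAILABLE to x.x.x.x:500
Feb  4 11:29:04 #14: IPsec SA expired (LATEST!)
"""

# "<Mon> <day> <HH:MM:SS> #<state>: <message>" as in the quoted lines
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) #(?P<state>\d+): (?P<msg>.*)$"
)
PROMPT_FAIL = "XAUTH username requested, but no file descriptor available for prompt"
SA_EXPIRED = "IPsec SA expired"


def parse(log, year=2005):
    """Return (timestamp, state number, message) for each parseable line.
    Syslog lines carry no year, so one is supplied (assumption)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["state"]), m["msg"]))
    return events


def find_unattended_rekey_failures(log, window_s=120):
    """Flag each failed XAUTH prompt that is followed, within window_s
    seconds, by an IPsec SA expiry: the tunnel is about to drop because
    nobody could answer the rekey prompt (window is an assumption)."""
    events = parse(log)
    findings = []
    for ts, state, msg in events:
        if msg != PROMPT_FAIL:
            continue
        # The expiring SA is an older state (#14 here), not the one prompting.
        for ts2, state2, msg2 in events:
            gap = (ts2 - ts).total_seconds()
            if msg2.startswith(SA_EXPIRED) and 0 <= gap <= window_s:
                findings.append({"prompt_state": state, "expired_state": state2, "gap_s": gap})
                break
    return findings
```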
