[Openswan Users] Re: Aggressive mode client to Netscreen w/ leftid=email

Paul Wouters paul at xelerance.com
Mon May 23 12:42:31 CEST 2005


On Mon, 23 May 2005, Tibor Incze wrote:

> You also need the ike= (for phase 1) and esp= (for phase 2) lines in
> ipsec.conf. I now have:
> ike=3des-sha1-modp1024
> esp=3des-sha1

You must specify explicit ike/esp lines, because aggressive mode cannot
negotiate those parameters. It has to be right in the first packet exchange.

> However, after putting in the xauth username and password, I now get these
> errors:
> ---------------------------------
> 04 "myclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 228 "myclient" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
> 003 "myclient" #1: next payload type of ISAKMP Hash Payload has an unknown
> value: 133
> 003 "myclient" #1: malformed payload in packet
> 003 "myclient" #1: next payload type of ISAKMP Hash Payload has an unknown
> value: 133
> 003 "myclient" #1: malformed payload in packet
> ------------------------------------------

I am not sure. Your remote end wants a certificate? Do you have one? Did it
load? Are you sending it?

> The "unknown value:" number changes on each attempt, so I'm not sure what
> the problem is. Any ideas? I'm not using certs btw, should I be? On the
> netscreen for phase2 I have it set to 3des-sha1(with pfs) and as a second
> option 3des-md5(with pfs)

I don't know what the netscreen wants.

> Another question: does openswan support "CHAP" for Xauth?

No, XAUTH currently only supports passwords in /etc/ipsec.d/passwd or
PAM. You should be able to hook up PAM to other things, such as RADIUS,
though. See docs/README.XAUTH.

Paul
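For reference, here is what a client-side configuration for the setup discussed in this thread looks like when the pieces are put together: aggressive mode with the phase 1 and phase 2 proposals spelled out, an email-form leftid, and this end acting as XAUTH client. It is an added illustration written for this page, not configuration taken from the post or from the Openswan project. The peer address 192.0.2.1, the remote subnet 10.0.0.0/8, the identity user@example.com, the connection name and the pre-shared key are placeholders, and the keyword names (aggrmode, leftxauthclient, rightxauthserver) are assumed to match the Openswan 2.x ipsec.conf(5) syntax; check them against the man page of the version actually installed.

```ini
# /etc/ipsec.conf (added example; addresses, IDs and names are placeholders)

conn myclient
        # Aggressive mode sends the proposal, the DH group and the ID in the
        # very first packet, so the phase 1 (ike=) and phase 2 (esp=) values
        # must be fixed here instead of being negotiated from a list.
        aggrmode=yes
        ike=3des-sha1-modp1024
        esp=3des-sha1
        # The Netscreen side in the thread has PFS enabled for phase 2.
        pfs=yes
        authby=secret
        keyexchange=ike
        type=tunnel
        left=%defaultroute
        # A value that contains "@" but does not start with it is sent as an
        # email-style (USER_FQDN) identity; "@host" would be sent as an FQDN.
        leftid=user@example.com
        # This end is the XAUTH client; the username and password are typed
        # in when the connection is brought up.
        leftxauthclient=yes
        right=192.0.2.1
        rightsubnet=10.0.0.0/8
        rightxauthserver=yes
        auto=add

# /etc/ipsec.secrets (added example): the pre-shared key is indexed by the
# same identities the two ends present in phase 1.
# user@example.com 192.0.2.1 : PSK "replace-with-the-real-shared-secret"
```

Load it with `ipsec auto --add myclient` and bring it up with `ipsec auto --up myclient`, which is where the XAUTH username and password are requested. Two caveats worth keeping in mind when copying such a configuration: in aggressive mode with a pre-shared key the identity travels unencrypted and a passive observer can capture the phase 1 hash and attack the PSK offline, so the secret must be long and random; and 3DES, SHA-1 and MODP1024 reflect what gateways of that era accepted rather than what should be chosen today, so only keep them where the remote end leaves no alternative.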

