[Openswan Users] Re: Aggressive mode client to Netscreen w/ leftid=email

Tibor Incze tibor.incze at eservglobal.com
Tue May 24 09:01:00 CEST 2005


Thanks guys. Some comments, more debug info inline.
> On Mon, 23 May 2005, Tibor Incze wrote:
>
>> You also need the ike=(for phase1) and esp=(for phase2) lines in
>> ipsec.conf. I now have:
>> ike=3des-sha1-modp1024
>> esp=3des-sha1
>
> You must specify explicit ike/esp lines, because aggressive mode
> cannot negotiate those parameters. It has to be right in the first
> packet exchange.
This makes sense, but the manual says that, especially for esp, there's a
default value of 3des-sha1,3des-md5. Not clear from the docs if ike has a
default value, but it probably should... Anyways this part works, so that's
fine.
>
>> However after putting in the xauth username and password, I now get
>> these errors:
>> ---------------------------------
>> 04 "myclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>> 228 "myclient" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
>> 003 "myclient" #1: next payload type of ISAKMP Hash Payload has an unknown value: 133
>> 003 "myclient" #1: malformed payload in packet
>> 003 "myclient" #1: next payload type of ISAKMP Hash Payload has an unknown value: 133
>> 003 "myclient" #1: malformed payload in packet
>> ------------------------------------------
>
> I am not sure. Your remote end wants a certificate? Do you have one?
> Did it load? Are you sending it?
Although the Netscreen has the capability to use certs, we're not using
them at this time. Again, the Windows clients work fine with just
preshared secrets. Please see below for debug info from Netscreen.
>
>> The "unknown value:" number changes on each attempt, so I'm not sure
>> what the problem is. Any ideas? I'm not using certs btw, should I be?
>> On the netscreen for phase2 I have it set to 3des-sha1(with pfs) and
>> as a second option 3des-md5(with pfs)
>
> I don't know what the netscreen wants.
Here's what the Netscreen is saying:
(from a "debug ike basic" command, please see below for the "debug ike detail" command)
# 07:45:05 : IKE<1.2.3.4  > Phase 1: Completed for ip <x.x.x.x>, user<user at company.com>
## 07:45:05 : IKE<1.2.3.4  > Phase 1: Completed Aggressive mode negotiation with a <28800>-second lifetime.
## 07:45:05 : IKE<1.2.3.4  > Construct ISAKMP header.
## 07:45:05 : IKE<1.2.3.4  > Construct [HASH]
## 07:45:05 : IKE<1.2.3.4  > Xmit*: [HASH] [IKECFG]
## 07:45:11 : IKE<1.2.3.4  > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 07:45:11 : IKE<1.2.3.4  > Recv*: [HASH] [IKECFG]
## 07:45:11 : IKE<1.2.3.4  > Process [IKECFG]:
## 07:45:11 : IKE<1.2.3.4  > Construct ISAKMP header.
## 07:45:11 : IKE<1.2.3.4  > Construct [HASH]
## 07:45:11 : IKE<1.2.3.4  > Xmit*: [HASH] [IKECFG]
## 07:46:18 : IKE<1.2.3.4  > Construct ISAKMP header.
## 07:46:18 : IKE<1.2.3.4  > Construct [HASH]
## 07:46:18 : IKE<1.2.3.4  > Xmit*: [HASH] [IKECFG]
## 07:46:19 : IKE<1.2.3.4  > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 07:46:19 : IKE<1.2.3.4  > Recv*: [HASH] [DELETE]
## 07:46:19 : IKE<1.2.3.4  > Process [DELETE]:
</snip>

(From debug ike detail):
## 07:56:48 : IKE<210.86.87.196  > Phase 1: Completed for ip <210.86.87.196>, user<user at company.com>
## 07:56:48 : IKE<210.86.87.196  > Phase 1: Completed Aggressive mode negotiation with a <28800>-second lifetime.
## 07:56:48 : IKE<210.86.87.196  >   xauth is started: server, p1responder, aggr mode.
## 07:56:48 : IKE<210.86.87.196  >   start_xauth()
## 07:56:48 : IKE<210.86.87.196  >   xauth status entering state machine: 20
## 07:56:48 : IKE<210.86.87.196  >   xauth status updated by state machine: 20
## 07:56:48 : IKE<210.86.87.196  >   ikecfg basic attr type 16520, val 0 added.
## 07:56:48 : IKE<210.86.87.196  >   ikecfg TVL attr type 16521, val NULL added, len 0.
## 07:56:48 : IKE<210.86.87.196  >   ikecfg TVL attr type 16522, val NULL added, len 0.
## 07:56:48 : IKE<210.86.87.196  >   Create conn entry...
## 07:56:48 : IKE<210.86.87.196  >     ...done(new 6b7299e8)
## 07:56:48 : IKE<210.86.87.196  > Construct ISAKMP header.
## 07:56:48 : IKE<210.86.87.196  >   Msg header built (next payload #8)
## 07:56:48 : IKE<210.86.87.196  > Construct [HASH]
## 07:56:48 : IKE<210.86.87.196  >   ikecfg basic attr type 16520, val 0 constructed.
## 07:56:48 : IKE<210.86.87.196  >   ikecfg TLV attr type 16521, len 0 constructed.
## 07:56:48 : IKE<210.86.87.196  >   ikecfg TLV attr type 16522, len 0 constructed.
## 07:56:48 : IKE<210.86.87.196  >   construct QM HASH
## 07:56:48 : IKE<210.86.87.196  > Xmit*: [HASH] [IKECFG]
## 07:56:48 : IKE<210.86.87.196  >   Encrypt P2 payload (len 72)
## 07:56:48 : IKE<210.86.87.196  >   send_request to peer
## 07:56:48 : IKE<210.86.87.196  >   Send Phase 2 packet (len=76)
## 07:56:48 : IKE<210.86.87.196  >   ikecfg packet sent. msgid 6b7299e8, len: 72, peer<210.86.87.196>
## 07:56:48 : IKE<210.86.87.196  >   IKE msg done: PKI state<0> IKE state<6/182f>
## 07:56:54 : IKE<210.86.87.196  >   ikecfg transmit timer expired. re-trans
## 07:56:54 : IKE<210.86.87.196  >   send_request to peer
## 07:56:54 : IKE<210.86.87.196  >   Send Phase 2 packet (len=76)
## 07:56:54 : IKE<210.86.87.196  >   ike packet, len 120, action 0
## 07:56:54 : IKE<210.86.87.196  > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 07:56:54 : IKE<210.86.87.196  >   Catcher: get 92 bytes. src port 500
## 07:56:54 : IKE<210.86.87.196  >   SA: (Root, local 203.118.128.130, state 6/182f +, r):
## 07:56:54 : IKE<210.86.87.196  >   ISAKMP msg: len 92, nxp 8[HASH], exch 6[XACT_EXCH], flag 01  E
## 07:56:54 : IKE<210.86.87.196  >   Decrypting payload (length 64)
## 07:56:54 : IKE<210.86.87.196  > Recv*: [HASH] [IKECFG]
## 07:56:54 : IKE<210.86.87.196  > Process [IKECFG]:
## 07:56:54 : IKE<210.86.87.196  >   processing IKECFG payload. msgid 6b7299e8, msgtype 2, payload ID 111
## 07:56:54 : IKE<210.86.87.196  >   ikecfg basic attr type 16520, val 0 added.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TVL attr type 16521, val <myusername> added, len 6.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TVL attr type 16522, val <mypassword> added, len 8.
## 07:56:54 : IKE<210.86.87.196  >   xauth status entering state machine: 20
## 07:56:54 : IKE<210.86.87.196  >   xauth_auth_pap: authing externally: uname <myusername>, passwd <mypassword>         WAITING
## 07:56:54 : IKE<210.86.87.196  >   xauth auth with external server, wait...
## 07:56:54 : IKE<210.86.87.196  >   IKE msg done: PKI state<0> IKE state<6/182f>
## 07:56:54 : IKE<210.86.87.196  >   IKE: xauth_auth_ext_callback() retcode: 1
## 07:56:54 : IKE<210.86.87.196  >   xauth_auth_ext_callback() state: 70
## 07:56:54 : IKE<210.86.87.196  >   xauth status entering state machine: 70
## 07:56:54 : IKE<210.86.87.196  >   xauth status updated by state machine: 90
## 07:56:54 : IKE<210.86.87.196  >   ikecfg_assign_client_cfg()
## 07:56:54 : IKE<210.86.87.196  >   getting xauth local user IP from pool <Dialup Users>
## 07:56:54 : IKE<210.86.87.196  >   ikecfg_send_client_cfg: ip 192.168.79.2, dns1 192.168.0.1, dns2 192.168.0.8, win1 192.168.0.12, win2 0.0.0.0
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TVL attr type 1, val (O( added, len 4.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TVL attr type 2, val  added, len 4.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TVL attr type 3, val ( added, len 4.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TVL attr type 3, val ( added, len 4.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TVL attr type 4, val ( added, len 4.
## 07:56:54 : IKE<210.86.87.196  >   Create conn entry...
## 07:56:54 : IKE<210.86.87.196  >     ...done(new d9521f8a)
## 07:56:54 : IKE<210.86.87.196  > Construct ISAKMP header.
## 07:56:54 : IKE<210.86.87.196  >   Msg header built (next payload #8)
## 07:56:54 : IKE<210.86.87.196  > Construct [HASH]
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TLV attr type 1, len 4 constructed.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TLV attr type 2, len 4 constructed.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TLV attr type 3, len 4 constructed.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TLV attr type 3, len 4 constructed.
## 07:56:54 : IKE<210.86.87.196  >   ikecfg TLV attr type 4, len 4 constructed.
## 07:56:54 : IKE<210.86.87.196  >   construct QM HASH
## 07:56:54 : IKE<210.86.87.196  > Xmit*: [HASH] [IKECFG]
## 07:56:54 : IKE<210.86.87.196  >   Encrypt P2 payload (len 100)
## 07:56:54 : IKE<210.86.87.196  >   send_request to peer
## 07:56:54 : IKE<210.86.87.196  >   Send Phase 2 packet (len=108)
## 07:56:54 : IKE<210.86.87.196  >   ikecfg packet sent. msgid d9521f8a, len: 100, peer<210.86.87.196>
## 07:57:01 : IKE<210.86.87.196  >   ikecfg transmit timer expired. re-trans
## 07:57:01 : IKE<210.86.87.196  >   send_request to peer
## 07:57:01 : IKE<210.86.87.196  >   Send Phase 2 packet (len=108)
## 07:57:07 : IKE<210.86.87.196  >   ikecfg transmit timer expired. re-trans
## 07:57:07 : IKE<210.86.87.196  >   send_request to peer
## 07:57:07 : IKE<210.86.87.196  >   Send Phase 2 packet (len=108)
## 07:57:13 : IKE<210.86.87.196  >   ikecfg transmit timer expired. re-trans
## 07:57:13 : IKE<210.86.87.196  >   send_request to peer
## 07:57:13 : IKE<210.86.87.196  >   Send Phase 2 packet (len=108)
## 07:57:19 : IKE<210.86.87.196  >   ikecfg transmit timer expired. re-trans
## 07:57:19 : IKE<210.86.87.196  >   send_request to peer
## 07:57:19 : IKE<210.86.87.196  >   Send Phase 2 packet (len=108)

</snip>

From this it would look like the phase2 hashes don't match. I'll try some
other options for esp to see what happens.
>
>> Another question: does openswan support "CHAP" for Xauth?
>
> No, XAUTH currently only supports passwords in /etc/ipsec.d/passwd or
> PAM. You should be able to hook up PAM to other things, such as radius
> though. See docs/README.XAUTH
What I had meant to ask is does openswan *as a client* support chap for
xauth? From the debug it looks like it uses PAP by default.
>
> Paul
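An added example, not part of the post and not Openswan or Netscreen code: a small Python parser over constructed lines in the shape of the "debug ike detail" output above (timestamps, peer address and credentials are made up). It charges each "transmit timer expired" to the last unanswered IKECFG msgid, so a CFG_SET the client never answers (like d9521f8a above, after the client's XAUTH reply was accepted) shows up as a stalled exchange, and it masks the XAUTH user name and password that this debug level writes to the log in clear before the output is pasted anywhere.

```python
import re

# Constructed sample modelled on the Netscreen "debug ike detail" lines in the post.
SAMPLE = """\
## 07:56:48 : IKE<198.51.100.7  >   ikecfg packet sent. msgid 6b7299e8, len: 72, peer<198.51.100.7>
## 07:56:54 : IKE<198.51.100.7  >   ikecfg transmit timer expired. re-trans
## 07:56:54 : IKE<198.51.100.7  >   processing IKECFG payload. msgid 6b7299e8, msgtype 2, payload ID 111
## 07:56:54 : IKE<198.51.100.7  >   ikecfg TVL attr type 16521, val <alice> added, len 5.
## 07:56:54 : IKE<198.51.100.7  >   xauth_auth_pap: authing externally: uname <alice>, passwd <s3cret>   WAITING
## 07:56:54 : IKE<198.51.100.7  >   ikecfg packet sent. msgid d9521f8a, len: 100, peer<198.51.100.7>
## 07:57:01 : IKE<198.51.100.7  >   ikecfg transmit timer expired. re-trans
## 07:57:07 : IKE<198.51.100.7  >   ikecfg transmit timer expired. re-trans
## 07:57:13 : IKE<198.51.100.7  >   ikecfg transmit timer expired. re-trans
""".splitlines()

LINE_RE = re.compile(r"^##?\s+(?P<ts>\d\d:\d\d:\d\d) : IKE<(?P<peer>[^> ]+)\s*>\s*(?P<msg>.*)$")
SENT_RE = re.compile(r"ikecfg packet sent\. msgid (?P<id>[0-9a-f]+)")
RECV_RE = re.compile(r"processing IKECFG payload\. msgid (?P<id>[0-9a-f]+)")
# XAUTH name (attr 16521) and password (attr 16522) appear in clear at this debug level.
CRED_RE = re.compile(r"(uname|passwd|attr type 1652[12], val) <[^>]*>")

def redact(line):
    """Mask XAUTH credentials before a debug capture is shared or stored."""
    return CRED_RE.sub(r"\1 <REDACTED>", line)

def analyze(lines):
    """Return {msgid: (retransmits, answered)} for every IKECFG message the
    gateway sent. A re-trans is charged to the most recent unanswered msgid."""
    state, current = {}, None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if (s := SENT_RE.search(msg)):
            current = s.group("id")
            state[current] = [0, False]
        elif "transmit timer expired" in msg and current is not None:
            state[current][0] += 1
        elif (r := RECV_RE.search(msg)):
            state.setdefault(r.group("id"), [0, False])[1] = True
            current = None
    return {k: tuple(v) for k, v in state.items()}

def stalled(lines, min_retrans=2):
    """msgids the gateway kept retransmitting without ever seeing a reply."""
    return [k for k, (n, ok) in analyze(lines).items() if not ok and n >= min_retrans]
```

In the post's capture this flags d9521f8a, the CFG_SET carrying the client's address and DNS/WINS attributes, which is the message Openswan reports as malformed.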




