[Openswan Users] Openswan reporting XAUTH problem in client mode

Ravindra Ranasinghe Ravindra.Ranasinghe at nicta.com.au
Thu Sep 8 12:37:13 CEST 2005


Dear all,

I've compiled Openswan 2.3.0 with both (USE_XAUTH ?= true) and
(USE_XAUTHPAM ?= true) under the 2.6.10 kernel successfully.

I've then tried to establish IPsec connections between Openswan and a
Cisco PIX 501 firewall. I could successfully establish a
3DES-MD5-DH2(modp1024) tunnel between Openswan and the Cisco PIX firewall
in both Aggressive mode and Main mode using PSK, but WITHOUT XAUTH
enabled. After that I could ping/ftp between the networks behind the Cisco
box and the Openswan Linux box over the IPsec channel between them.

I really wanted to run Openswan in client mode against the Cisco PIX box
for some testing. So I enabled XAUTH with (leftxauthclient=yes) &
(rightxauthserver=yes) and tried to connect to the Cisco box. Openswan
went through some state transitions. The final state it reported was
STATE_MAIN_I4: ISAKMP SA established. After that it displayed the
following on the screen:

Ignoring informational payload, type IPSEC_INITIAL_CONTACT
received and ignored informational payload
XAUTH: unsupported attribute: SUPPORTED_ATTRIBUTES
XAUTH: unsupported attribute: INTERNAL_IP6_SUBNET
XAUTH: No username/password request received


After that I checked the /var/log/auth.log file. Here is what I noticed.
After Openswan had reported that it had not received an XAUTH
username/password request, it received a 76-byte packet from the Cisco PIX box.
Then, after decrypting the received message, Openswan reported the
following error in the log file:

message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
sending encrypted notification INVALID_PAYLOAD_TYPE to 129.97.157.140

After that, it seems to me that Openswan keeps on sending this
INVALID_PAYLOAD_TYPE message to the Cisco box. But I could clearly see from
the PIX 501 debug messages that it has sent the XAUTH request. Here is
the bit I've observed on the Cisco box relevant to this:

ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD


Do I have to activate any other compilation options to get Openswan
working with Cisco with the XAUTH option? Is there any specific option to be
set in the ipsec.conf file to set Openswan up as an XAUTH client? Or do I have
to set up anything else on my Linux box for XAUTH?

Please help me get over this XAUTH problem.

Here are the important bits from my ipsec.conf file:

conn testconn
   left=129.97.157.138
   leftid=@nicta
   leftxauthclient=yes
   leftsubnet=192.168.10.0/24
   right=129.97.157.140
   rightxauthserver=yes
   rightsubnet=192.168.1.0/24
   authby=secret
   pfs=no
   auto=add

Here is my ipsec.secrets:
@nicta 129.97.157.140 : PSK "testpass"



Many thanks

Ravindra


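The message the PIX debug output refers to (ISAKMP/xauth: request attribute XAUTH_TYPE / XAUTH_USER_NAME / XAUTH_USER_PASSWORD) is a Mode Config transaction exchange carrying a HASH payload followed by an attribute payload of type ISAKMP_CFG_REQUEST. The following Python is an added example, not code from the post, from Openswan or from Cisco: it builds a constructed, cleartext version of that request (the HASH is a zero placeholder, and the real message would be encrypted under the ISAKMP SA), walks the ISAKMP payload chain the way an XAUTH client has to, decodes the attribute TLVs, and reports any payload type it was not expecting with the same wording as the log line in the post. The payload and attribute numbers are the ones from RFC 2408, draft-dukes-ike-mode-cfg and draft-ietf-ipsec-isakmp-xauth-06; the cookies, message ID and hash length are assumptions.

```python
import struct

# ISAKMP header / payload constants (RFC 2408) plus the Mode Config / XAUTH
# values from draft-dukes-ike-mode-cfg and draft-ietf-ipsec-isakmp-xauth-06.
ISAKMP_NEXT_NONE = 0
ISAKMP_NEXT_HASH = 8
ISAKMP_NEXT_ATTR = 14          # Mode Config attribute payload
ISAKMP_XCHG_MODE_CFG = 6       # Transaction exchange
ISAKMP_CFG_REQUEST = 1
HDR_LEN = 28

XAUTH_TYPE = 16520
XAUTH_USER_NAME = 16521
XAUTH_USER_PASSWORD = 16522
ATTR_NAMES = {XAUTH_TYPE: "XAUTH_TYPE",
              XAUTH_USER_NAME: "XAUTH_USER_NAME",
              XAUTH_USER_PASSWORD: "XAUTH_USER_PASSWORD"}
PAYLOAD_NAMES = {ISAKMP_NEXT_HASH: "ISAKMP_NEXT_HASH",
                 ISAKMP_NEXT_ATTR: "ISAKMP_NEXT_ATTR"}


def basic_attr(attr_type, value):
    """Basic (AF=1) attribute: type with the high bit set, then a 2-byte value."""
    return struct.pack("!HH", attr_type | 0x8000, value)


def var_attr(attr_type, value=b""):
    """Variable-length (AF=0) attribute: type, length, value. Empty value = 'send me this'."""
    return struct.pack("!HH", attr_type, len(value)) + value


def build_xauth_request(icookie, rcookie, msgid, hash_len=16):
    """Constructed ISAKMP_CFG_REQUEST asking the client for XAUTH type/user/password.

    The HASH payload is a zero placeholder (a real peer sends prf(SKEYID_a, M-ID | ATTR))
    and the message is left in cleartext with the E flag clear; on the wire the PIX
    would encrypt it under the ISAKMP SA. Cookies and msgid are whatever the caller passes."""
    attrs = (basic_attr(XAUTH_TYPE, 0)            # 0 = Generic authentication
             + var_attr(XAUTH_USER_NAME)
             + var_attr(XAUTH_USER_PASSWORD))
    attr_body = struct.pack("!BBH", ISAKMP_CFG_REQUEST, 0, 1) + attrs   # type, reserved, identifier
    attr_pl = struct.pack("!BBH", ISAKMP_NEXT_NONE, 0, 4 + len(attr_body)) + attr_body
    hash_pl = struct.pack("!BBH", ISAKMP_NEXT_ATTR, 0, 4 + hash_len) + b"\x00" * hash_len
    body = hash_pl + attr_pl
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, ISAKMP_NEXT_HASH,
                      0x10, ISAKMP_XCHG_MODE_CFG, 0, msgid, HDR_LEN + len(body))
    return hdr + body


def parse_isakmp(msg):
    """Walk the payload chain; returns (exchange_type, msgid, [(payload_type, body), ...])."""
    if len(msg) < HDR_LEN:
        raise ValueError("short ISAKMP header")
    _ic, _rc, np_, _ver, xchg, _flags, msgid, length = struct.unpack("!8s8sBBBBII", msg[:HDR_LEN])
    if length != len(msg):
        raise ValueError("header length %d != %d bytes received" % (length, len(msg)))
    payloads, off = [], HDR_LEN
    while np_ != ISAKMP_NEXT_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((np_, msg[off + 4:off + plen]))
        np_, off = nxt, off + plen
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return xchg, msgid, payloads


def parse_attr_payload(body):
    """Decode a Mode Config attribute payload into (cfg_type, identifier, [(attr, value), ...])."""
    cfg_type, _res, ident = struct.unpack("!BBH", body[:4])
    attrs, off = [], 4
    while off < len(body):
        t, lv = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if t & 0x8000:                       # basic: the 2-byte field is the value itself
            attrs.append((t & 0x7FFF, lv))
        else:                                # variable: the field is a length
            attrs.append((t, body[off:off + lv]))
            off += lv
    return cfg_type, ident, attrs


def xauth_request_attributes(msg, allowed=(ISAKMP_NEXT_HASH, ISAKMP_NEXT_ATTR)):
    """Names of the attributes a CFG_REQUEST asks for, i.e. what an XAUTH client should see.

    A payload type outside `allowed` is reported as Openswan words it
    ('unexpected payload type') rather than being silently skipped."""
    xchg, _msgid, payloads = parse_isakmp(msg)
    if xchg != ISAKMP_XCHG_MODE_CFG:
        raise ValueError("not a Mode Config transaction exchange: %d" % xchg)
    names = []
    for ptype, body in payloads:
        if ptype not in allowed:
            raise ValueError("unexpected payload type (%s)" % PAYLOAD_NAMES.get(ptype, ptype))
        if ptype == ISAKMP_NEXT_ATTR:
            cfg_type, _ident, attrs = parse_attr_payload(body)
            if cfg_type == ISAKMP_CFG_REQUEST:
                names.extend(ATTR_NAMES.get(a, "attr %d" % a) for a, _v in attrs)
    return names


if __name__ == "__main__":
    # Constructed cookies and message ID; nothing here was captured from the PIX.
    msg = build_xauth_request(b"\x11" * 8, b"\x22" * 8, 0xDEADBEEF)
    print(len(msg), "bytes;", xauth_request_attributes(msg))
```

Running it prints the three attribute names the PIX debug shows it requesting; calling `xauth_request_attributes(msg, allowed=(ISAKMP_NEXT_ATTR,))` reproduces the "unexpected payload type (ISAKMP_NEXT_HASH)" wording, which is what a client that is not in a state to accept a Mode Config HASH+ATTR message would log.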