[Openswan Users] openswan 1.0.10rc2 and greenbow vpn client interop problem

Sandor Geller wildy at balabit.hu
Tue Sep 13 15:38:30 CEST 2005


Hi,

Today I tried to set up a connection between an openswan 1.0.10rc2
gateway and a greenbow vpn client (available from
http://www.thegreenbow.com/). Unfortunately I have to use XAUTH because
I have to authenticate the users without X.509 certificates.

NAT-T is enabled in ipsec.conf, the configuration of the tunnel is:

conn rw-xauth
        type=tunnel
        auto=add
        authby=secret
        xauth=yes
        left=aaa.bbb.ccc.ddd
        leftnexthop=aaa.bbb.ccc.eee
        leftsubnet=192.168.30.0/24
        right=%any
        pfs=no

Everything works well until the openswan gateway reaches STATE_MAIN_R3
and sends the authentication request to the other side:

2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: "rw-xauth"[8]
194.149.60.118 #5483: sent MR3, ISAKMP SA established
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: "rw-xauth"[8]
194.149.60.118 #5483: XAUTH: Sending XAUTH Login/Password Request
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: "rw-xauth"[8]
194.149.60.118 #5483: XAUTH: Sending Username/Password request (XAUTH_R0)

Then the greenbow client replies with:

2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: | *received 92 bytes from
194.149.60.118:500 on eth0
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |   90 82 80 ad  70 f6 bb
3a  5e f7 8b ed  d4 77 c7 3e
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |   08 10 06 01  ac d1 42
a9  00 00 00 5c  e6 f1 e6 99
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |   5b 7b c3 fc  74 dc 36
e5  d8 07 8a fb  46 d6 91 d8
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |   02 00 58 1b  31 2c 02
cd  49 f7 39 8c  f8 e9 ce 26
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |   15 45 27 b1  06 55 c8
fb  db f3 1c ab  29 78 24 cd
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |   7c 45 db 05  5f d9 99
81  05 6a 72 a6
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: | **parse ISAKMP Message:
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |    initiator cookie:
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |   90 82 80 ad  70 f6 bb 3a
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |    responder cookie:
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |   5e f7 8b ed  d4 77 c7 3e
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |    next payload type:
ISAKMP_NEXT_HASH
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |    ISAKMP version:
ISAKMP Version 1.0
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |    exchange type:
ISAKMP_XCHG_MODE_CFG
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |    flags:
ISAKMP_FLAG_ENCRYPTION
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |    message ID:  ac d1 42 a9
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: |    length: 92
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: | The xchg type is
ISAKMP_XCHG_MODE_CFG (6)
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: packet from
194.149.60.118:500: unsupported exchange type ISAKMP_XCHG_MODE_CFG in
message
2005-09-13T12:20:21+0100 gsb-fw pluto[30858]: packet from
194.149.60.118:500: sending notification UNSUPPORTED_EXCHANGE_TYPE to
194.149.60.118:500

After this there are only two retransmissions, and the deletion of the
ISAKMP SA.

Is there any client which works with openswan 1.x using XAUTH?

Unfortunately the gateway is a production server and I can't upgrade to
openswan 2.4. I tried the Cisco VPN client without success (openswan
complained that the size of the ISAKMP packet differed by 16 bytes from
the size specified by the ISAKMP header - the last 16 bytes were zeroes
in the packet).

Regards,

-- 
Sandor Geller
wildy at balabit.hu
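
Added illustration, not part of the original message or of the openswan code: a small parser for the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) run over the 92-byte hex dump from the pluto log above, applying the two header-level checks a responder makes before touching any payload: the header length against the bytes actually received (the Cisco client complaint) and the exchange type against what the responder implements (the ISAKMP_XCHG_MODE_CFG rejection). The set of supported exchange types and the zero-padded second packet are assumptions constructed for the example.

```python
import struct

# Fixed 28-byte ISAKMP header, RFC 2408 section 3.1, network byte order.
HDR = struct.Struct("!8s8sBBBB4sI")
NEXT_PAYLOAD = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
                11: "N", 12: "D", 13: "VID", 14: "ATTR"}
EXCHANGE = {2: "IDPROT", 4: "AGGR", 5: "INFO", 6: "MODE_CFG", 32: "QUICK"}
FLAGS = {0x01: "ENCRYPTION", 0x02: "COMMIT", 0x04: "AUTH_ONLY"}

# Exchange types a Main Mode / Quick Mode responder handles; the Mode Config
# transaction exchange (6) is absent, as in the rejection logged above.
# Assumption for this example, not a value taken from the pluto source.
SUPPORTED_XCHG = {2, 4, 5, 32}

# The 92-byte reply from the pluto log above, header first.
GREENBOW_REPLY = bytes.fromhex(
    "908280ad70f6bb3a5ef78bedd477c73e08100601acd142a90000005ce6f1e699"
    "5b7bc3fc74dc36e5d8078afb46d691d80200581b312c02cd49f7398cf8e9ce26"
    "154527b10655c8fbdbf31cab297824cd7c45db055fd99981056a72a6")

def parse_header(pkt):
    """Decode the ISAKMP header; everything after it is encrypted (flag 0x01)."""
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = HDR.unpack_from(pkt)
    return {
        "icookie": icookie.hex(), "rcookie": rcookie.hex(),
        "next_payload": NEXT_PAYLOAD.get(nxt, f"unknown({nxt})"),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE.get(xchg, f"unknown({xchg})"), "exchange_id": xchg,
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "message_id": msgid.hex(), "length": length,
    }

def diagnose(pkt, supported=SUPPORTED_XCHG):
    """Header-level checks a responder applies before parsing any payload."""
    if len(pkt) < HDR.size:
        return ["truncated: shorter than the 28-byte ISAKMP header"]
    h = parse_header(pkt)
    findings = []
    if h["length"] != len(pkt):
        findings.append(f"length mismatch: header says {h['length']}, received "
                        f"{len(pkt)} ({len(pkt) - h['length']:+d} bytes)")
    if h["exchange_id"] not in supported:
        findings.append(f"unsupported exchange type {h['exchange']} ({h['exchange_id']})")
    return findings

# Constructed: the same datagram with 16 trailing zero bytes, the shape of the
# Cisco client complaint at the end of the mail (not a real capture).
PADDED_REPLY = GREENBOW_REPLY + bytes(16)

if __name__ == "__main__":
    for name, pkt in (("greenbow", GREENBOW_REPLY), ("padded", PADDED_REPLY)):
        print(name, parse_header(pkt)["exchange"], diagnose(pkt))
```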
