[Openswan Users] Ike Mode Config and virtual IP
Marco Berizzi
pupilla at hotmail.com
Fri Feb 10 14:56:56 CET 2006
Paul Wouters <paul at xelerance.com>
>On Thu, 9 Feb 2006, Marco Berizzi wrote:
>
> > Thanks for the reply Andreas.
> > I have added leftsubnet=x.x.x.x/32 to ipsec.conf:
> >
> > conn IMCFG
> > left=%any
> > leftsourceip=172.31.254.55
> > leftsubnet=172.31.254.55/32
> > right=10.1.2.10
> > rightid=10.1.2.10
> > rightsubnet=172.16.1.0/24
> > authby=secret
> > auto=add
> > pfs=yes
> > compress=yes
> > leftrsasigkey=none
> > rightrsasigkey=none
> > keyingtries=0
> > rightupdown=/usr/local/lib/ipsec/_updown_x509
>
>This is not good enough. Openswan has a newer implementation of
>ModeConfig that works with XAUTH. Please see the README.XAUTH* files
>or the example conns in testing/pluto/xauth-*
>
> > Feb 9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: received
> > MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
>
>That's because you are missing leftxauthclient=yes and
>rightxauthserver=yes.

Ok. Thanks for the tip. I have added leftxauthclient=yes
and rightxauthserver=yes to ipsec.conf. Then I have created
/etc/ipsec.d/passwd with the following command
'htpasswd -m -c /etc/ipsec.d/passwd mio'. These are my
/etc/ipsec.d/passwd contents:

mio:$apr1$OD80T/..$t/xwgTZjXRpHJpIZLpxF41:IMCFG

When I run sentinel 1.4.1 I always get this log on the swan
box:

packet from 10.1.2.1:500: Cannot do Quick Mode until XAUTH done.
"IMCFG"[1] 10.1.2.1 #1: XAUTH: User mio: Attempting to login
"IMCFG"[1] 10.1.2.1 #1: XAUTH: md5 authentication being called to authenticate user mio
"IMCFG"[1] 10.1.2.1 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
"IMCFG"[1] 10.1.2.1 #1: XAUTH: checking user(mio:IMCFG)
"IMCFG"[1] 10.1.2.1 #1: XAUTH: nope
"IMCFG"[1] 10.1.2.1 #1: XAUTH: User mio: Authentication Failed: Incorrect Username or Password

What is wrong?
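
An added example, not part of the original post and not Openswan code: a Python check that splits the `user:hash:conn` entries in the form shown above, names each hash scheme from its prefix, and matches the entries against the `checking user(...)` pairs in the pluto log. The function names are hypothetical; it does not verify the password or decide which schemes pluto accepts.

```python
import re

# Modular-crypt prefixes. "$apr1$" is Apache's own MD5 variant (the output of
# `htpasswd -m`); "$1$" is MD5-crypt. The two are distinct formats.
PREFIXES = {"$apr1$": "apr1-md5", "$1$": "md5-crypt",
            "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
CHECKED = re.compile(r"XAUTH: checking user\(([^:()]+):([^()]*)\)")

def hash_scheme(pw_hash):
    """Name the hash scheme from its prefix (or shape, for 13-char DES crypt)."""
    for prefix, name in PREFIXES.items():
        if pw_hash.startswith(prefix):
            return name
    return "des-crypt" if DES_CRYPT.fullmatch(pw_hash) else "unknown"

def parse_passwd(text):
    """Return {(user, conn): scheme} for every 'user:hash:conn' line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"line {lineno}: expected user:hash:conn")
        user, pw_hash, conn = fields
        entries[(user, conn)] = hash_scheme(pw_hash)
    return entries

def diagnose(passwd_text, log_text):
    """For each (user, conn) pair pluto logged, report the stored hash scheme."""
    entries = parse_passwd(passwd_text)
    return [(user, conn, entries.get((user, conn), "no matching entry"))
            for user, conn in CHECKED.findall(log_text)]

# Inputs copied from the post above.
PASSWD = "mio:$apr1$OD80T/..$t/xwgTZjXRpHJpIZLpxF41:IMCFG\n"
LOG = '''"IMCFG"[1] 10.1.2.1 #1: XAUTH: User mio: Attempting to login
"IMCFG"[1] 10.1.2.1 #1: XAUTH: checking user(mio:IMCFG)
"IMCFG"[1] 10.1.2.1 #1: XAUTH: nope
'''

if __name__ == "__main__":
    for user, conn, scheme in diagnose(PASSWD, LOG):
        print(f"user={user} conn={conn} stored hash: {scheme}")
```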