[Openswan Users] XAUTH network extension mode?
Brian Candler
B.Candler at pobox.com
Mon Mar 13 14:28:21 CET 2006
Has anybody looked into the possibility of implementing Network Extension
Mode for XAUTH, at least as a client?
We use it where I work, with Cisco 851 routers as clients and PIX as
concentrator. Unlike mode config, where each client gets a single IP
address, this lets a whole routable subnet be pushed from the concentrator.
It works well where you have a large number of satellite sites; all the
config data can be stored in RADIUS, so you don't need to configure each
site-to-site tunnel separately in the concentrator, and it works happily with
dynamic IP addresses.
Having said that, I'm having difficulty locating an internet-draft where the
spec is actually published.
If I try to connect using openswan 2.4.5rc5 to the concentrator using a
network-extension account, here's what I see:
root at OpenWrt:~# ipsec auto --verbose --up nem
002 "nem" #3: initiating Aggressive Mode #3, connection "nem"
112 "nem" #3: STATE_AGGR_I1: initiate
003 "nem" #3: received Vendor ID payload [Cisco-Unity]
003 "nem" #3: received Vendor ID payload [XAUTH]
003 "nem" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "nem" #3: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
003 "nem" #3: ignoring unknown Vendor ID payload [c48decb3ace2178b7c41512652f2c0f0]
003 "nem" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "nem" #3: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
002 "nem" #3: Aggressive mode peer ID is ID_IPV4_ADDR: 'p.p.p.p'
003 "nem" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "nem" #3: Aggressive mode peer ID is ID_IPV4_ADDR: 'p.p.p.p'
003 "nem" #3: received Hash Payload does not match computed value
223 "nem" #3: STATE_AGGR_I1: INVALID_HASH_INFORMATION
002 "nem" #3: sending notification INVALID_HASH_INFORMATION to p.p.p.p:500
with this config:
conn nem
        ike=3des-md5-modp1024
        aggrmode=yes
        authby=secret
        left=%defaultroute
        leftid=@nemgroup
        leftxauthclient=yes
        #leftmodecfgclient=yes
        leftsubnet=10.82.0.0/28
        right=p.p.p.p
        rightxauthserver=yes
        #rightmodecfgserver=yes
        pfs=no
        auto=add
It doesn't even get as far as prompting me for the XAUTH username and
password. Setting pfs=yes or uncommenting the modecfgclient/modecfgserver
lines doesn't make any difference.
Regards,
Brian.
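The check that fails at the end of the log above, as an added example that is not part of the post or of Openswan: it implements the RFC 2409 SKEYID and HASH_R computation for pre-shared-key Aggressive Mode with the MD5 prf that ike=3des-md5-modp1024 negotiates, and shows that a responder using a different pre-shared secret, or an ID payload other than the one the initiator hashes over, yields the INVALID_HASH_INFORMATION verdict pluto reports. All cookies, nonces, DH values and the SA body are constructed stand-ins.

```python
import hashlib
import hmac
# Added example, not code from the post or from Openswan. It follows RFC 2409
# (IKEv1) Aggressive Mode with pre-shared-key authentication and uses MD5 as the
# prf because the post negotiates ike=3des-md5-modp1024. Values are constructed.

def ike_prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key`, using the negotiated hash (MD5 here)."""
    return hmac.new(key, data, hashlib.md5).digest()

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared keys: prf(pre-shared-key, Ni_b | Nr_b)."""
    return ike_prf(psk, ni_b + nr_b)

def id_payload_body(id_type: int, proto: int, port: int, data: bytes) -> bytes:
    """ID payload body (ID type | protocol | port | data), i.e. IDii_b / IDir_b."""
    return bytes([id_type, proto]) + port.to_bytes(2, "big") + data

def hash_r(skeyid: bytes, x: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return ike_prf(skeyid, x["gxr"] + x["gxi"] + x["cky_r"] + x["cky_i"]
                   + x["sai_b"] + x["idir_b"])

def responder_hash_r(psk: bytes, x: dict) -> bytes:
    """HASH_R a responder holding `psk` places in the second Aggressive Mode message."""
    return hash_r(skeyid_psk(psk, x["ni_b"], x["nr_b"]), x)

def check_hash_r(psk: bytes, x: dict, received: bytes) -> str:
    """Initiator's verification of the received HASH_R (pluto's STATE_AGGR_I1 step).
    Returns "OK" or the notification name pluto logs on a mismatch."""
    expected = responder_hash_r(psk, x)
    ok = hmac.compare_digest(expected, received)
    return "OK" if ok else "INVALID_HASH_INFORMATION"

# Constructed exchange. The responder ID is ID_IPV4_ADDR (1) with protocol 17 and
# port 0, the protocol/port combination pluto remarks on in the post's log.
ID_IPV4_ADDR = 1
EXCHANGE = {
    "cky_i": bytes.fromhex("1111111111111111"), "cky_r": bytes.fromhex("2222222222222222"),
    "gxi": b"\x03" * 128, "gxr": b"\x05" * 128,  # modp1024 public values are 128 bytes
    "ni_b": b"initiator-nonce!", "nr_b": b"responder-nonce!",
    "sai_b": b"\x00\x00\x00\x01\x00\x00\x00\x01",  # stand-in for the SA payload body
    "idir_b": id_payload_body(ID_IPV4_ADDR, 17, 0, bytes([192, 0, 2, 1])),
}
GROUP_PSK = b"correct-group-secret"

if __name__ == "__main__":
    print(check_hash_r(GROUP_PSK, EXCHANGE, responder_hash_r(GROUP_PSK, EXCHANGE)))
    print(check_hash_r(GROUP_PSK, EXCHANGE, responder_hash_r(b"wrong-secret", EXCHANGE)))
```

Both sides must derive SKEYID from the same secret and hash over byte-identical payload bodies; any disagreement on either shows up only as this single hash-mismatch notification, which is why the log gives no more specific reason.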