[Openswan Users] Netscreen roadwarrior with XAUTH problems

Rob Hasselbaum rhasselbaum at comcast.net
Fri Oct 6 11:55:55 EDT 2006


I have a very similar problem. Trying to use XAUTH+PSK with a NetScreen 
firewall, and I keep getting a CERTIFICATE_UNAVAILABLE message. I 
understand why XAUTH+PSK is a bad idea, but I don't have any control 
over the NetScreen box. Here is what I see. Any help is much appreciated!

041 "netscreen" #1: netscreen prompt for Username:
Name enter:   myusername
040 "netscreen" #1: netscreen prompt for Password:
Enter secret:
004 "netscreen" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "netscreen" #1: discarding duplicate packet; already STATE_XAUTH_I1
228 "netscreen" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
003 "netscreen" #1: next payload type of ISAKMP Hash Payload has an unknown value: 248
003 "netscreen" #1: malformed payload in packet
003 "netscreen" #1: next payload type of ISAKMP Hash Payload has an unknown value: 248
003 "netscreen" #1: malformed payload in packet
003 "netscreen" #1: next payload type of ISAKMP Hash Payload has an unknown value: 248
003 "netscreen" #1: malformed payload in packet




On Sep 7 12:15:45 EDT 2006, Paul Wouters wrote:

> On Thu, 7 Sep 2006, Wojciech 'arab' Arabczyk wrote:
>
> > The trace shows:
> > ipsec auto --up homenet
> > 112 "homenet" #3: STATE_AGGR_I1: initiate
> > 003 "homenet" #3: received Vendor ID payload [XAUTH]
> > 003 "homenet" #3: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> > 003 "homenet" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > method set to=106
> > 003 "homenet" #3: NAT-Traversal: Result using
> > draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> > 004 "homenet" #3: STATE_AGGR_I2: sent AI2, ISAKMP SA established
> > {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> > group=modp1024}
> > 041 "homenet" #3: homenet prompt for Username:
> > Name enter:   someuser
> > 040 "homenet" #3: homenet prompt for Password:
> > Enter secret:
> > 004 "homenet" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> > 228 "homenet" #3: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
> >
> > The problem is, as I think, that openswan is trying to get a certificate for the
> > netscreen device which I don't use (as the whole authorization is based on the
> > PSK keys).
>
> Using aggressive mode, plus PSK, plus XAUTH is really a flawed insecure setup.
> Any client can pretend to be the gateway and steal the user/password of any
> other client. It can also brute force the psk because aggressive mode leaks
> some plaintext information to 'speed up' the IPsec negotiation.
>
> I am not sure what your problem is however. We have testcases for xauth with
> psk and aggressive mode using modecfg, so perhaps it is something specific
> to your server end?
>
> See openswan-2/testing/xauth-pluto-8 for example.
>
> Paul
> -- 
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
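The failure signature in Rob's trace above, as an added example that is not from the thread or from Openswan itself: a small Python triage script that parses pluto's whack-style output lines (3-digit code, connection name, state object number, message), decodes a 2xx prefix as 200 + ISAKMP notify type (228 is CERTIFICATE_UNAVAILABLE, type 28 in RFC 2408), and flags a state object that was waiting for CFG_set but received that notification plus malformed payloads instead. The meanings assigned to the other prefixes are an assumption drawn from pluto's whack return codes and the lines visible in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the XAUTH client output quoted in the thread above.
SAMPLE_LOG = """\
041 "netscreen" #1: netscreen prompt for Username:
040 "netscreen" #1: netscreen prompt for Password:
004 "netscreen" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "netscreen" #1: discarding duplicate packet; already STATE_XAUTH_I1
228 "netscreen" #1: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
003 "netscreen" #1: next payload type of ISAKMP Hash Payload has an unknown value: 248
003 "netscreen" #1: malformed payload in packet
"""

LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')

# Assumed prefix meanings (pluto whack return codes as seen in the thread:
# 004 success, 040/041 prompts, 003 log). 2xx = 200 + ISAKMP notify type.
def decode_prefix(code: int) -> str:
    if 200 <= code < 300:
        return f"notification type {code - 200}"
    return {3: "log", 4: "success", 40: "secret prompt",
            41: "user prompt"}.get(code, "other")

def parse_log(text: str):
    """Return (conn, state_no, code, kind, message) tuples for pluto lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            code, conn, st, msg = m.groups()
            events.append((conn, int(st), int(code), decode_prefix(int(code)), msg))
    return events

def find_xauth_failures(events):
    """Per ISAKMP state object, flag an XAUTH exchange that reached
    STATE_XAUTH_I1 and then got CERTIFICATE_UNAVAILABLE and malformed
    payloads instead of the expected CFG_set."""
    by_state = defaultdict(list)
    for conn, st, code, _kind, msg in events:
        by_state[(conn, st)].append((code, msg))
    findings = {}
    for key, msgs in by_state.items():
        awaiting = any("awaiting CFG_set" in m for _, m in msgs)
        notify = [c - 200 for c, m in msgs
                  if 200 <= c < 300 and "CERTIFICATE_UNAVAILABLE" in m]
        malformed = sum("malformed payload" in m for _, m in msgs)
        if awaiting and notify:
            findings[key] = {"notify_type": notify[0], "malformed_payloads": malformed}
    return findings
```

Feeding a full `ipsec auto --up` trace through `find_xauth_failures(parse_log(...))` reports which state objects show this interop failure rather than an ordinary XAUTH password rejection.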


