[Openswan Users] Netscreen roadwarrior with XAUTH problems

Paul Wouters paul at xelerance.com
Thu Sep 7 12:15:45 EDT 2006


On Thu, 7 Sep 2006, Wojciech 'arab' Arabczyk wrote:

> The trace shows:
> ipsec auto --up homenet
> 112 "homenet" #3: STATE_AGGR_I1: initiate
> 003 "homenet" #3: received Vendor ID payload [XAUTH]
> 003 "homenet" #3: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> 003 "homenet" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> method set to=106
> 003 "homenet" #3: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 004 "homenet" #3: STATE_AGGR_I2: sent AI2, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> 041 "homenet" #3: homenet prompt for Username:
> Name enter:   someuser
> 040 "homenet" #3: homenet prompt for Password:
> Enter secret:
> 004 "homenet" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 228 "homenet" #3: STATE_XAUTH_I1: CERTIFICATE_UNAVAILABLE
>
> The problem is as I think that openswan is trying to get a certificate for the
> netscreen device which I don't use (as the whole authorization is based on the
> PSK keys).

Using aggressive mode, plus PSK, plus XAUTH is really a flawed insecure setup.
Any client can pretend to be the gateway and steal the user/password of any
other client. It can also brute force the psk because aggressive mode leaks
some plaintext information to 'speed up' the IPsec negotiation.

I am not sure what your problem is however. We have testcases for xauth with
psk and aggressive mode using modecfg, so perhaps it is something specific
to your server end?

See openswan-2/testing/xauth-pluto-8 for example.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
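An added audit check (not from this thread or the Openswan project) that scans an ipsec.conf for conns combining the three settings Paul warns about: aggrmode=yes, authby=secret and an XAUTH role. The configuration it reads is a constructed sample, and the conn names "homenet" and "office" are assumptions.

```python
# Added audit check for the weak combination described above: aggressive mode +
# PSK + XAUTH. The ipsec.conf below is a constructed sample, not the poster's.

SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn homenet            # constructed; mirrors the settings in the quoted trace
    aggrmode=yes
    authby=secret
    leftxauthclient=yes
    rightxauthserver=yes
    ike=3des-sha1-modp1024

conn office             # constructed; main mode with certificates instead
    authby=rsasig
    leftcert=client.pem
    rightca=%same
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section (comments stripped)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header starts at column 0
            kind, _, name = line.strip().partition(' ')
            current = conns.setdefault(name.strip(), {}) if kind == 'conn' else None
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip().lower()] = value.strip().lower()
    return conns

XAUTH_KEYS = ('leftxauthclient', 'rightxauthclient', 'leftxauthserver', 'rightxauthserver')

def weak_conns(text):
    """Names of conns that opt into aggrmode=yes, authby=secret and any XAUTH role.
    Openswan defaults aggrmode to no and authby to rsasig, so only explicit settings hit."""
    flagged = []
    for name, opts in parse_conns(text).items():
        aggressive = opts.get('aggrmode') == 'yes'
        psk = 'secret' in opts.get('authby', '').split('|')
        xauth = any(opts.get(k) == 'yes' for k in XAUTH_KEYS)
        if aggressive and psk and xauth:
            flagged.append(name)
    return flagged

if __name__ == '__main__':
    for name in weak_conns(SAMPLE_CONF):
        print(f"conn {name}: aggressive mode + PSK + XAUTH; prefer main mode with certificates")
```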