[Openswan Users] Openswan XAUTH client with SA using Vendor ID(VID-13)
Rodrigo Costa
rlvcosta at hotmail.com
Wed Nov 28 14:38:45 EST 2007
Hello Users e-mail list,
I'm trying to use Openswan as an XAUTH client with PSK, but I'm having some difficulties. I have a proprietary Windows client which performs the association correctly. Now I'm trying to use Openswan on Linux for the same thing.
The configuration I'm using in /etc/ipsec.conf is:
conn roadwarrior
compress=yes
xauth=yes
left=192.168.223.128
leftsubnet=192.168.0.0/24
leftnexthop=%defaultroute
leftid="LVC7.1.2:XPL"
right=xxx.xxx.xxx.xxx
rightsubnet=0.0.0.0/0
rightnexthop=%defaultroute
auto=add
keyexchange=ike
ike=3des-sha1
aggrmode=yes
auth=esp
type=tunnel
authby=secret
pfs=no
Snooping the Windows client, I get the packet contents below:
-----------------------------------------------------------------------------------------------
No. Time Source Destination Protocol Info
6 6.125933 192.168.1.100 xxx.xxx.xxx.xxx ISAKMP Aggressive
Frame 6 (462 bytes on wire, 462 bytes captured)
Arrival Time: Nov 21, 2007 23:34:52.741078000
[Time delta from previous packet: 1.006724000 seconds]
[Time since reference or first frame: 6.125933000 seconds]
Frame Number: 6
Packet Length: 462 bytes
Capture Length: 462 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: 00:18:de:ca:45:6a (00:18:de:ca:45:6a), Dst: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
Destination: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
Address: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:18:de:ca:45:6a (00:18:de:ca:45:6a)
Address: 00:18:de:ca:45:6a (00:18:de:ca:45:6a)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 448
Identification: 0x9fc6 (40902)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x2f68 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.100 (192.168.1.100)
Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: 57713 (57713), Dst Port: 500 (500)
Source port: 57713 (57713)
Destination port: 500 (500)
Length: 428
Checksum: 0x2295 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 203109707FBD28E1
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Aggressive (4)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 420
Security Association payload
Next payload: Vendor ID (13)
Payload length: 164
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Payload length: 152
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 4
Transform payload # 1
Next payload: Transform (3)
Payload length: 36
Transform number: 1
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): MD5 (1)
Authentication-Method (3): PSK (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (864000)
Transform payload # 2
Next payload: Transform (3)
Payload length: 36
Transform number: 2
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): SHA (2)
Authentication-Method (3): PSK (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (864000)
Transform payload # 3
Next payload: Transform (3)
Payload length: 36
Transform number: 3
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): MD5 (1)
Authentication-Method (3): PSK (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (864000)
Transform payload # 4
Next payload: NONE (0)
Payload length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Authentication-Method (3): PSK (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (864000)
Vendor ID payload
Next payload: Key Exchange (4)
Payload length: 15
Vendor ID: unknown vendor ID: 0x4C5643372E312E323A5850
Key Exchange payload
Next payload: Nonce (10)
Payload length: 132
Key Exchange Data (128 bytes / 1024 bits)
Nonce payload
Next payload: Identification (5)
Payload length: 68
Nonce Data
Identification payload
Next payload: NONE (0)
Payload length: 13
ID type: 3
ID type: USER_FQDN (3)
Protocol ID: Unused
Port: Unused
Identification data: !@#$%
-----------------------------------------------------------------------------------------------
Some important points are:
Security Association payload
Next payload: Vendor ID (13)
and
Authentication-Method (3): PSK (1)
and
Vendor ID payload
Next payload: Key Exchange (4)
Payload length: 15
Vendor ID: unknown vendor ID: 0x4C5643372E312E323A5850
But with my Openswan configuration above I get the following packet data:
-----------------------------------------------------------------------------------------------
No. Time Source Destination Protocol Info
1 0.000000 192.168.1.100 xxx.xxx.xxx.xxx ISAKMP Aggressive
Frame 1 (482 bytes on wire, 482 bytes captured)
Arrival Time: Nov 28, 2007 11:43:01.668306000
[Time delta from previous packet: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Packet Length: 482 bytes
Capture Length: 482 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: 00:18:de:ca:45:6a (00:18:de:ca:45:6a), Dst: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
Destination: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
Address: 00:0f:66:b9:30:da (00:0f:66:b9:30:da)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:18:de:ca:45:6a (00:18:de:ca:45:6a)
Address: 00:18:de:ca:45:6a (00:18:de:ca:45:6a)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 468
Identification: 0x4b20 (19232)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x83fa [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.100 (192.168.1.100)
Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: 1018 (1018), Dst Port: 500 (500)
Source port: 1018 (1018)
Destination port: 500 (500)
Length: 448
Checksum: 0x6791 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 0CF4F88E40528977
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Aggressive (4)
Flags: 0x00
.... ...0 = Not encrypted
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 440
Security Association payload
Next payload: Key Exchange (4)
Payload length: 52
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 0
Next payload: NONE (0)
Payload length: 40
Proposal number: 0
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 1
Transform payload # 0
Next payload: NONE (0)
Payload length: 32
Transform number: 0
Transform ID: KEY_IKE (1)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (3600)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Authentication-Method (3): XAUTHInitPreShared (65001)
Group-Description (4): 1536 bit MODP group (5)
Key Exchange payload
Next payload: Nonce (10)
Payload length: 196
Key Exchange Data (192 bytes / 1536 bits)
Nonce payload
Next payload: Identification (5)
Payload length: 20
Nonce Data
Identification payload
Next payload: Vendor ID (13)
Payload length: 12
ID type: 1
ID type: IPV4_ADDR (1)
Protocol ID: Unused
Port: Unused
Identification data: 192.168.223.128
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: RFC 3706 Detecting Dead IKE Peers (DPD)
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Vendor ID payload
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Vendor ID payload
Next payload: NONE (0)
Payload length: 12
Vendor ID: draft-beaulieu-ike-xauth-02.txt
-----------------------------------------------------------------------------------------------
Here the IPSec concentrator is not even responding to the client's requests.
I was wondering if there is a way in Openswan to change the Security Association -> Next payload from Key Exchange (4) to Vendor ID (13)?
Also, how can I configure Authentication-Method (3) from XAUTHInitPreShared (65001) to PSK (1)?
And the Vendor ID to the value 0x4C5643372E312E323A5850?
I believe that if the initial ISAKMP phase 1 could be configured just like the original Windows IPSec client, this flow could work.
I compiled the Linux kernel and all modules are working. I'm using the latest stable Openswan version 2.4.9 with kernel 2.6.15.7, compiled for my IPSec attempt.
I do not know where to go anymore and I'm stuck. Any direction or configuration suggestion would be very welcome.
Thanks in advance!
Rodrigo.
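Added here as a worked example (not part of the original post, and not Openswan code): a small Python parser that reads an ISAKMP aggressive-mode message the way the two decodes above are compared, i.e. it follows the payload chain, pulls Authentication-Method out of each phase-1 transform, and decodes any Vendor ID body (the bytes 0x4C5643372E312E323A5850 are the ASCII string LVC7.1.2:XP). The message it parses is constructed inline to mirror the Windows client's layout (SA -> VID -> KE -> NONCE -> ID, PSK); the cookies, key-exchange and nonce bytes are zero placeholders.

```python
import struct

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 13: "VID"}
AUTH_METHODS = {1: "PSK", 65001: "XAUTHInitPreShared"}   # the two values seen in the captures

def walk_payloads(msg):
    """Follow the ISAKMP payload chain; returns [(payload name, body bytes), ...]."""
    next_type, offset, chain = msg[16], 28, []          # byte 16 = first payload, header = 28 bytes
    while next_type != 0:
        nxt, _res, length = struct.unpack("!BBH", msg[offset:offset + 4])
        if length < 4 or offset + length > len(msg):    # refuse to loop on a bogus length
            raise ValueError("bad payload length at offset %d" % offset)
        chain.append((PAYLOAD_NAMES.get(next_type, str(next_type)), msg[offset + 4:offset + length]))
        next_type, offset = nxt, offset + length
    return chain

def auth_methods(sa_body):
    """Authentication-Method (attribute 3) of every transform in a phase-1 SA body (one proposal)."""
    off, methods = 16 + sa_body[14], []                 # DOI(4) SIT(4) proposal hdr(8) [SPI]
    while off < len(sa_body):
        tlen = struct.unpack("!H", sa_body[off + 2:off + 4])[0]
        a, end = off + 8, off + tlen                    # transform header is 8 bytes
        while a < end:
            atype, aval = struct.unpack("!HH", sa_body[a:a + 4])
            if atype & 0x8000:                          # TV attribute: value sits in the 2 bytes
                if atype & 0x7FFF == 3:
                    methods.append(AUTH_METHODS.get(aval, str(aval)))
                a += 4
            else:                                       # TLV attribute: aval is the value length
                a += 4 + aval
        off = end
    return methods

def summarize(msg):
    chain = walk_payloads(msg)
    vids = [b.decode("ascii") if all(32 <= c < 127 for c in b) else b.hex() for n, b in chain if n == "VID"]
    return {"chain": [n for n, _ in chain], "auth": auth_methods(dict(chain)["SA"]), "vids": vids}

def build_sample():                                     # constructed message in the Windows client's layout
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in ((1, 5), (2, 2), (3, 1), (4, 2)))
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    payloads = [(1, struct.pack("!II", 1, 1) + proposal),            # SA: DOI IPSEC, SIT IDENTITY
                (13, bytes.fromhex("4C5643372E312E323A5850")),       # VID bytes from the capture
                (4, bytes(128)), (10, bytes(64)),                     # KE (1024-bit) and nonce, dummies
                (5, b"\x03\x00\x00\x00" + b"!@#$%")]                  # ID: USER_FQDN, data as captured
    nxt = [p[0] for p in payloads[1:]] + [0]                          # each payload names its successor
    body = b"".join(struct.pack("!BBH", n, 0, 4 + len(p)) + p for n, (_, p) in zip(nxt, payloads))
    return struct.pack("!8s8sBBBBII", bytes(8), bytes(8), 1, 0x10, 4, 0, 0, 28 + len(body)) + body
```

Run against the Openswan capture above, the same summarize() would report a chain starting SA, KE and auth XAUTHInitPreShared, which is exactly the pair of differences the post asks about.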