[Openswan Users] RSA and RSA with XAUTH at the same machine?

harald.meyer7 at freenet.de
Mon Dec 15 04:41:55 EST 2008


Hi Paul!

> > I'm using Openswan 2.4.6 on a Debian machine as a "VPN concentrator"
> > successfully with some road warriors with certificate authentication in Main
> > Mode. (No policy groups.)
> > 
> > Now I want to add a Cisco-alike client with certificate and XAUTH
> > (iPhone).
> > 
> > For XAUTH I have to insert "leftxauthserver=yes" into my "conn %default"
> > because it'll be ignored if it's placed in my "conn iPhone" (one of several
> > conn descriptions).
> 
> Why do you think it is ignored?

If you have several RSASIG (without xauth) conn entries in your ipsec.conf,
the first one (depends on the order of adding) welcomes the road warrior
in IKE phase 1.

Within this conn section the road warrior's identity/cert is checked, and
only then is it switched to the matching conn section - but too late:
the xauth road warrior has already been declined at this point. (See snippets
below.)


> Putting it in the default section is wrong, as you found out.

Yes, but I didn't get "leftxauthserver=yes" within a conn section (only) working.


> Did you also put in rightxauthclient=yes?

Of course! (Thank you for the hint.)


Harald

Log of an xauth road warrior with "leftxauthserver=yes" set locally (in his conn section):
---------------------------------------------------------------------------------------------
[...]
pluto[10878]: packet from MY.ROAD.WARRIOR.IP:62559: received Vendor ID payload [XAUTH]
pluto[10878]: packet from MY.ROAD.WARRIOR.IP:62559: received Vendor ID payload [Cisco-Unity]
pluto[10878]: packet from MY.ROAD.WARRIOR.IP:62559: received Vendor ID payload [Dead Peer Detection]
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: responding to Main Mode from unknown peer MY.ROAD.WARRIOR.IP
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are resp
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are resp
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are resp
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are resp
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are resp
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are resp
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are resp
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are resp
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: no acceptable Oakley Transform
pluto[10878]: "FIRST_CONN"[4] MY.ROAD.WARRIOR.IP #690: sending notification NO_PROPOSAL_CHOSEN to MY.ROAD.WARRIOR.IP:62559
[...]
---------------------------------------------------------------------------------------------


Log of a non-xauth road warrior with globally set "leftxauthserver=yes":
---------------------------------------------------------------------------------------------
pluto[10522]: "FIRST_CONN"[1] MY.ROAD.WARRIOR.IP #1: responding to Main Mode from unknown peer MY.ROAD.WARRIOR.IP
pluto[10522]: "FIRST_CONN"[1] MY.ROAD.WARRIOR.IP #1: policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
pluto[10522]: "FIRST_CONN"[1] MY.ROAD.WARRIOR.IP #1: policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
pluto[10522]: "FIRST_CONN"[1] MY.ROAD.WARRIOR.IP #1: policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
pluto[10522]: "FIRST_CONN"[1] MY.ROAD.WARRIOR.IP #1: policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
pluto[10522]: "FIRST_CONN"[1] MY.ROAD.WARRIOR.IP #1: no acceptable Oakley Transform
pluto[10522]: "FIRST_CONN"[1] MY.ROAD.WARRIOR.IP #1: sending notification NO_PROPOSAL_CHOSEN to MY.ROAD.WARRIOR.IP:500
pluto[10522]: "FIRST_CONN"[1] MY.ROAD.WARRIOR.IP: deleting connection ""FIRST_CONN"" instance with peer MY.ROAD.WARRIOR.IP {isakmp=#0/ipsec=#0}
---------------------------------------------------------------------------------------------
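
The two placements discussed in this message, written out as ipsec.conf
snippets for Openswan 2.4.x. This is an added illustration by the editor, not
part of the thread and not Openswan's own documentation; the conn names,
certificate file name, DNs and subnets are assumed placeholders. Placement 1
is what the second log above shows: with leftxauthserver=yes inherited from
conn %default, every plain RSA road warrior is refused in phase 1 with
"policy mandates Extended Authentication". Placement 2 is the per-conn
placement Paul suggests, with the matching rightxauthclient=yes on the peer
side. As the first log shows, a Main Mode initiator is first answered by
whichever RSA conn pluto instantiates for the still-unknown peer, so whether
the iPhone ever lands on "conn iphone" is exactly what this thread leaves
unresolved; the rightid used to tell the iPhone apart and the order of the
conn sections are assumptions, not a verified fix. The ike= line excludes
single DES, which the first log shows pluto rejecting in the client's proposal.

```ini
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes

# --- Placement 1: XAUTH in %default (reproduces the second log) ---
# Every conn inherits leftxauthserver=yes, so a plain RSA road warrior
# is refused in phase 1 with "policy mandates Extended Authentication".
# Kept commented out; use Placement 2 below instead.
#
# conn %default
#         authby=rsasig
#         leftrsasigkey=%cert
#         rightrsasigkey=%cert
#         leftxauthserver=yes

# --- Placement 2: XAUTH only in the iPhone conn ---
conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        keyingtries=3
        auto=add

# Existing certificate road warriors, no XAUTH.
conn rsa-roadwarriors
        left=%defaultroute
        leftcert=vpngw.pem                      # assumed file name
        leftid="C=DE, O=Example, CN=vpngw"      # assumed DN
        leftsubnet=10.0.0.0/24                  # assumed internal net
        right=%any
        rightca=%same                           # any cert issued by our CA
        rightsubnet=vhost:%priv,%no             # NAT-T road warriors

# Cisco-alike client (iPhone): certificate plus XAUTH, confined to this conn.
conn iphone
        left=%defaultroute
        leftcert=vpngw.pem
        leftid="C=DE, O=Example, CN=vpngw"
        leftsubnet=0.0.0.0/0                    # full tunnel, assumed
        right=%any
        rightca=%same
        rightid="C=DE, O=Example, CN=iphone"    # assumed DN of the iPhone cert
        rightsubnet=vhost:%priv,%no
        leftxauthserver=yes                     # we run the XAUTH exchange
        rightxauthclient=yes                    # the peer must answer it
        ike=aes128-sha1-modp1024,3des-sha1-modp1024   # no single DES
```

Note that the peer-side setting is required alongside the server-side one:
leftxauthserver=yes alone only says what this host will do, while
rightxauthclient=yes is what makes pluto accept an initiator proposing the
XAUTH-with-RSA authentication method on this conn.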
