[Openswan Users] RSA and RSA with XAUTH at the same machine?

harald.meyer7 at freenet.de harald.meyer7 at freenet.de
Tue Dec 16 01:15:04 EST 2008


Hi Paul!

> Aggressive Mode sends the ID in the first packet of phase 1, so
> openswan can immediately pick the right connection, and will
> not need to switch later.

OK, I have to look into the configuration for Aggressive Mode. (I was
never interested in it before.)

(But is it really possible at the same time as RSASIG Main Mode
conns?)

And what about MITM risks?


> There are many people who tried to get the iphone to work. Most try
> using l2tp/ipsec. I haven't heard anyone getting it to work. (nor
> anyone who offered me an iphone to work on it :)

;-)

Additionally, "Cisco/IPSec" is offered with the new 2.x firmware only
(I suppose with the second-generation "iPhone 3G" and second-generation
"iPod touch", too; perhaps also first-generation models with firmware
updates).

But there will be the next problem once we get RSASIG and RSASIG with
XAUTH working at the same time: a malformed packet (see the last
lines of the snippet below).

(I haven't created more verbose logs yet; first I have to get a working
setup.)


Harald

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Dec 15 11:17:35 cggw5 pluto[18336]: packet from
MY.ROAD.WARRIOR.IP:62024: received Vendor ID payload [RFC 3947] method
set to=110
Dec 15 11:17:35 cggw5 pluto[18336]: packet from
MY.ROAD.WARRIOR.IP:62024: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike] meth=109, but already using method 110
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: ignoring unknown
Vendor ID payload [<SEVERAL-NUMBERS-AND-CHARACTERS>]
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: ignoring unknown
Vendor ID payload [<SEVERAL-NUMBERS-AND-CHARACTERS>]
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: ignoring unknown
Vendor ID payload [<SEVERAL-NUMBERS-AND-CHARACTERS>]
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: ignoring unknown
Vendor ID payload [<SEVERAL-NUMBERS-AND-CHARACTERS>]
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: ignoring unknown
Vendor ID payload [<SEVERAL-NUMBERS-AND-CHARACTERS>]
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
method 110
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 110
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
method 110
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: received Vendor ID
payload [XAUTH]
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: received Vendor ID
payload [Cisco-Unity]
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: received Vendor ID
payload [Dead Peer Detection]
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: responding to
Main Mode from unknown peer MY.ROAD.WARRIOR.IP
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: STATE_MAIN_R1:
sent MR1, expecting MI2
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: NAT-Traversal:
Result using 3: peer is NATed
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: STATE_MAIN_R2:
sent MR2, expecting MI3
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: Main mode peer
ID is ID_DER_ASN1_DN: 'C=**, L=********, O=********, OU=********,
CN=********, E=********'
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: crl update for
"'C=**, L=********, O=********, OU=********, CN=********, E=********'"
is overdue since <SOME DATE>
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: I am sending my
cert
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[18336]: | NAT-T: new mapping MY.ROAD.WARRIOR.IP:62024/62025)
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256
prf=oakley_sha group=modp1536}
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: XAUTH: Sending
XAUTH Login/Password Request
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: XAUTH: Sending
Username/Password request (XAUTH_R0)
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: next payload
type of ISAKMP Hash Payload has an unknown value: 228
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: malformed
payload in packet
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: sending
notification PAYLOAD_MALFORMED to MY.ROAD.WARRIOR.IP:62025
  [30 seconds later]
pluto[18336]: ERROR: asynchronous network error report on eth1
(sport=4500) for message to MY.ROAD.WARRIOR.IP port 62025, complainant
MY.ROAD.WARRIOR.IP: No route to host [errno 113, origin ICMP type 3 code
13 (not authenticated)]
pluto[18336]: ERROR: asynchronous network error report on eth1
(sport=4500) for message to MY.ROAD.WARRIOR.IP port 62025, complainant
MY.ROAD.WARRIOR.IP: No route to host [errno 113, origin ICMP type 3 code
13 (not authenticated)]
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
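
As an added example, not part of Harald's post and not Openswan code: a small Python parser that reads pluto lines like the snippet above, groups them by ISAKMP SA number and reconstructs the responder's state machine, so that it is visible at a glance that phase 1 completed with auth=OAKLEY_RSA_SIG and that the exchange only breaks after pluto has sent its XAUTH request. The sample lines are constructed from the snippet above (the poster's own placeholders for peer address, connection name and DN, trimmed to the lines that carry state); the function names and the verdict labels are this example's own, not pluto's.

```python
# Added example (not from the post, not Openswan code): reconstruct an IKEv1 Main Mode + XAUTH negotiation from pluto lines.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the state-carrying lines from the snippet above, with the
# poster's own placeholders for peer address, connection name and DN.
SAMPLE_LOG = """\
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: received Vendor ID payload [RFC 3947] method set to=110
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: received Vendor ID payload [XAUTH]
pluto[18336]: packet from MY.ROAD.WARRIOR.IP:62024: received Vendor ID payload [Cisco-Unity]
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: Main mode peer ID is ID_DER_ASN1_DN: 'C=**, O=********, CN=********'
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: crl update for "'C=**, O=********, CN=********'" is overdue since <SOME DATE>
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[18336]: | NAT-T: new mapping MY.ROAD.WARRIOR.IP:62024/62025)
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: XAUTH: Sending Username/Password request (XAUTH_R0)
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: next payload type of ISAKMP Hash Payload has an unknown value: 228
pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: sending notification PAYLOAD_MALFORMED to MY.ROAD.WARRIOR.IP:62025
"""

SA_LINE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): (?P<msg>.*)$')  # "conn"[n] peer #SA: msg
VID_RE = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\]")
NATT_RE = re.compile(r"NAT-T: new mapping \S+?:(?P<old>\d+)/(?P<new>\d+)")
TRANSITION_RE = re.compile(r"transition from state (?P<frm>\S+) to state (?P<to>\S+)")
PEER_ID_RE = re.compile(r"Main mode peer ID is (?P<idtype>\S+): '(?P<ident>[^']*)'")
ESTABLISHED_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
BAD_NEXT_RE = re.compile(r"next payload type of (?P<payload>.+?) has an unknown value: (?P<value>\d+)")
NOTIFY_RE = re.compile(r"sending notification (?P<notify>\S+) to \S+")

@dataclass
class SaTrace:
    sa: str
    conn: str
    vendor_ids: List[str] = field(default_factory=list)
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    peer_id: Optional[Tuple[str, str]] = None
    crl_overdue: bool = False
    nat_mapping: Optional[Tuple[str, str]] = None
    established: Optional[Dict[str, str]] = None  # the {auth=... cipher=... group=...} set
    xauth_state: Optional[str] = None
    bad_next_payload: Optional[Tuple[str, int]] = None
    notification: Optional[str] = None

def parse_pluto(text: str) -> Dict[str, SaTrace]:
    traces: Dict[str, SaTrace] = {}
    pending_vids: List[str] = []       # VIDs are logged before pluto has picked a conn
    current: Optional[SaTrace] = None  # owner of lines pluto logs without an SA number
    for line in text.splitlines():
        if m := VID_RE.search(line):
            pending_vids.append(m.group("vid"))
        elif (m := NATT_RE.search(line)) and current is not None:
            current.nat_mapping = (m.group("old"), m.group("new"))
        elif m := SA_LINE_RE.search(line):
            sa, msg = m.group("sa"), m.group("msg")
            if sa not in traces:
                traces[sa] = SaTrace(sa, m.group("conn"), vendor_ids=pending_vids)
                pending_vids = []
            current = t = traces[sa]
            if m := TRANSITION_RE.search(msg):
                t.transitions.append((m.group("frm"), m.group("to")))
            elif m := PEER_ID_RE.search(msg):
                t.peer_id = (m.group("idtype"), m.group("ident"))
            elif "crl update for" in msg and "overdue" in msg:
                t.crl_overdue = True
            elif m := ESTABLISHED_RE.search(msg):
                t.established = dict(kv.split("=", 1) for kv in m.group("params").split())
            elif msg.startswith("XAUTH: Sending"):
                if m := re.search(r"\((XAUTH_\w+)\)", msg):
                    t.xauth_state = m.group(1)
            elif m := BAD_NEXT_RE.search(msg):
                t.bad_next_payload = (m.group("payload"), int(m.group("value")))
            elif m := NOTIFY_RE.search(msg):
                t.notification = m.group("notify")
    return traces

def diagnose(t: SaTrace) -> str:
    """Label where the responder's negotiation stopped (labels are this example's own)."""
    if t.established is None:
        return "phase1_incomplete"
    if t.xauth_state is not None and t.bad_next_payload is not None:
        # Phase 1 authenticated (auth= says how); the packet answering the XAUTH
        # request could not be parsed, so the break is in XAUTH, not in RSA auth.
        return "phase1_ok_xauth_reply_malformed"
    if t.notification is not None:
        return f"phase1_ok_notified_{t.notification}"
    return "phase1_ok"

def summary(t: SaTrace) -> str:
    path = " -> ".join([t.transitions[0][0]] + [to for _, to in t.transitions]) if t.transitions else "-"
    auth = t.established.get("auth", "?") if t.established else "none"
    return (f'conn "{t.conn}" #{t.sa}: {path}\n'
            f"  peer VIDs: {', '.join(t.vendor_ids) or '-'}; peer ID type: {t.peer_id[0] if t.peer_id else '-'}\n"
            f"  auth={auth}; CRL overdue={t.crl_overdue}; NAT-T ports={t.nat_mapping}; XAUTH={t.xauth_state}\n"
            f"  bad next-payload={t.bad_next_payload}; notify={t.notification}; verdict={diagnose(t)}")

if __name__ == "__main__":
    for trace in parse_pluto(SAMPLE_LOG).values():
        print(summary(trace))
```

Run as-is to see the sample; for a real negotiation, pass the pluto lines from the syslog file pluto writes to into parse_pluto() instead. The verdict only says where the exchange stopped: the unknown next-payload value 228 means pluto could not parse the packet that answered its XAUTH request, which the parser reports but does not explain; the overdue CRL and the NAT-T port change to 62025 (the port the later "No route to host" errors refer to) are carried along because both are worth checking before looking for the cause elsewhere.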










