[Openswan Users] RSA and RSA with XAUTH at the same machine?
Paul Wouters
paul at xelerance.com
Tue Dec 16 09:02:57 EST 2008
On Tue, 16 Dec 2008, harald.meyer7 at freenet.de wrote:
> > Aggressive Mode sends the ID in the first packet of phase 1, so
> > openswan can immediately pick the right connection, and will
> > not need to switch later.
>
> OK, I have to discover the configuration for Aggressive Mode. (I was never
> interested in it before.)
aggrmode=yes
> (But is it really possible at the same time with RSASIG Main Mode
> conns?)
It should be possible.
> And what about MITM risks?
If you do not use PSK+aggressive mode, you should be fine.
> sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256
> prf=oakley_sha group=modp1536}
> pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: XAUTH: Sending
> XAUTH Login/Password Request
> pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: XAUTH: Sending
> Username/Password request (XAUTH_R0)
> pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: next payload
> type of ISAKMP Hash Payload has an unknown value: 228
> pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: malformed
> payload in packet
odd.
> pluto[18336]: "IPHONE_CONN"[2] MY.ROAD.WARRIOR.IP #102: sending
> notification PAYLOAD_MALFORMED to MY.ROAD.WARRIOR.IP:62025
> [30 seconds later]
> pluto[18336]: ERROR: asynchronous network error report on eth1
> (sport=4500) for message to MY.ROAD.WARRIOR.IP port 62025, complainant
> MY.ROAD.WARRIOR.IP: No route to host [errno 113, origin ICMP type 3 code
> 13 (not authenticated)]
ipsec on iphone disabled itself?
Paul