[Openswan Users] Using XAuth

Rajitha Reddy RReddy at mocana.com
Wed Jul 9 11:50:38 EDT 2008

Basically, I want to test my Xauth client using Openswan as the Xauth server. But, before I could do that, I was trying to see how Xauth works using 2 openswan installations.

Today, my Openswan Xauth client asked me for a username and password.

[root]# /usr/local/sbin/ipsec auto --up machine1
104 "machine1" #1: STATE_MAIN_I1: initiate
003 "machine1" #1: received Vendor ID payload [Openswan (this version) 2.6.14 ]
003 "machine1" #1: received Vendor ID payload [Dead Peer Detection]
003 "machine1" #1: received Vendor ID payload [XAUTH]
106 "machine1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "machine1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "machine1" #1: received Vendor ID payload [CAN-IKEv2]
004 "machine1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
041 "machine1" #1: machine1 prompt for Username:
Name enter:   sample
040 "machine1" #1: machine1 prompt for Password:
Enter secret:
004 "machine1" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
037 "machine1" #1: encountered fatal error in state STATE_XAUTH_I1

I created a file /etc/ipsec.d/passwd on both machines (xauth server and client) to contain the following:


And I entered these credentials when it asked me for username and password. Can you please tell me what I am missing? Is this the way to configure the credentials?

Also, the openswan xauth client will ask me for the user credentials only if I don't bring the connection up on the xauth server (but ipsec should be up). How does it work?

Thanks for your time.

- Rajitha.
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Tuesday, July 08, 2008 8:19 PM
To: Rajitha Reddy
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Using XAuth

> I have installed openswan on 2 linux machines. I am using one as the server and the other as the client and have got ipsec working.

I assume that is a test for something else? There is no reason to use XAUTH
between linux systems.

> 4.       Configure single shared secret (PSK) in /etc/ipsec.secrets like
>  : PSK "a secret for the xauth users"

If you enroll this on a larger scale, the compromise of one client could
lead to the compromise of all clients (since anyone with the PSK can pretend
to be the server to which you will give your xauth user/password credentials).

Using X.509 would be much better.

> [root]# ipsec auto --up aragon

> 108 "aragon" #2: STATE_MAIN_I3: sent MI3, expecting MR3
> 010 "aragon" #2: STATE_MAIN_I3: retransmission; will wait 20s for response

The other end rejected the connection, check the logs on that end.
