[Openswan Users] Xauth client Fatal error

Rajitha Reddy RReddy at mocana.com
Wed Jul 16 14:40:30 EDT 2008


Hi,

I used the following command and my xauth client fails when answering the challenge to the server.

ipsec whack --xauthname 'server1' --xauthpass 'xauth' --name bison2 --initiate

=========================================================================================
002 "bison2" #2: initiating Main Mode
104 "bison2" #2: STATE_MAIN_I1: initiate
003 "bison2" #2: received Vendor ID payload [Openswan (this version) 2.6.14 ]
003 "bison2" #2: received Vendor ID payload [Dead Peer Detection]
003 "bison2" #2: received Vendor ID payload [XAUTH]
002 "bison2" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "bison2" #2: STATE_MAIN_I2: sent MI2, expecting MR2
002 "bison2" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "bison2" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "bison2" #2: received Vendor ID payload [CAN-IKEv2]
002 "bison2" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.3.38'
002 "bison2" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "bison2" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
040 "bison2" #2: bison2 prompt for Password:
002 "bison2" #2: XAUTH: Answering XAUTH challenge with user='server1'
002 "bison2" #2: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "bison2" #2: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
037 "bison2" #2: encountered fatal error in state STATE_XAUTH_I1
[root at aragon openswan-2.6.14_xauth]#
=========================================================================================

Can you please tell me where I am supposed to configure the challenge? The documentation online does not seem to say anything about answering challenges or proceeding to phase2. What is the client expecting from the server or from the user?

It says the following and I can't seem to find configuration details after this:

Configure normal in /etc/ipsec.secrets - eg:
0.0.0.0 1.2.3.4 : PSK "a secret for the xauth users"

On your conn block, simply add "{left|right}xauthserver=yes" to enable XAUTH, and "{right|left}xauthclient=yes" for the client side.

Can you please point me to the right place if I am missing something?

Thanks,
Rajitha.

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
Sent: Wednesday, July 16, 2008 10:57 AM
To: Paul Wouters
Cc: users at lists.openswan.org
Subject: [Openswan Users] Fatal error

Should I configure the server too with the leftxauthname in ipsec.conf and username: XAUTH "passwd" in ipsec.secrets? So far, I have done it only on the client.

If yes, I guess the leftxauthname on both client and server should be the same?

Thank you.

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Rajitha Reddy
Sent: Tuesday, July 15, 2008 10:45 PM
To: Paul Wouters
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Does Xauth client work? - Fatal error

I added the following to ipsec.conf on the client:

leftxauthname=server1

and the ipsec.secrets looks like this now:

192.168.3.38 10.8.10.244 : PSK "mocana"
server1 : XAUTH "xauth"

And then, I did the following:

==========================================================================================
[root at aragon openswan-2.6.14_xauth]# /usr/local/sbin/ipsec auto --up bison2
104 "bison2" #1: STATE_MAIN_I1: initiate
003 "bison2" #1: received Vendor ID payload [Openswan (this version) 2.6.14 ]
003 "bison2" #1: received Vendor ID payload [Dead Peer Detection]
003 "bison2" #1: received Vendor ID payload [XAUTH]
106 "bison2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "bison2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "bison2" #1: received Vendor ID payload [CAN-IKEv2]
004 "bison2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
040 "bison2" #1: bison2 prompt for Password:
Enter secret:
004 "bison2" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
037 "bison2" #1: encountered fatal error in state STATE_XAUTH_I1
==========================================================================================

I entered "xauth" when it asked for secret and then it gave a fatal error. I also tried using whack just to see how it goes:

====================================================================================
[root at aragon openswan-2.6.14_xauth]# /usr/local/sbin/ipsec whack --xauthname 'server1' --xauthpass 'xauth' --name bison2 --initiate
002 "bison2" #2: initiating Main Mode
104 "bison2" #2: STATE_MAIN_I1: initiate
003 "bison2" #2: received Vendor ID payload [Openswan (this version) 2.6.14 ]
003 "bison2" #2: received Vendor ID payload [Dead Peer Detection]
003 "bison2" #2: received Vendor ID payload [XAUTH]
002 "bison2" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "bison2" #2: STATE_MAIN_I2: sent MI2, expecting MR2
002 "bison2" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "bison2" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "bison2" #2: received Vendor ID payload [CAN-IKEv2]
002 "bison2" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.3.38'
002 "bison2" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "bison2" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
040 "bison2" #2: bison2 prompt for Password:
002 "bison2" #2: XAUTH: Answering XAUTH challenge with user='server1'
002 "bison2" #2: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "bison2" #2: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
037 "bison2" #2: encountered fatal error in state STATE_XAUTH_I1
==========================================================================================

For all the above, I have just started ipsec on the server and not the connection. If I brought up the connection on the server, then the client would not ask me for passwd at all. Thanks in advance.

Rajitha.


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Tuesday, July 15, 2008 8:51 PM
To: Rajitha Reddy
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] Does Xauth client work? - Fatal error

On Tue, 15 Jul 2008, Rajitha Reddy wrote:

> With this, the client asks me for the user name and password. But, I haven't configured the username. But, have configured ipsec.secrets for the PSK. It is here that I am getting stuck. Can you please tell me where I should configure the username and passwd?

You can use leftxauthname= and put the password in ipsec.secrets on a line
like:

username : XAUTH "password"

(from the top of my head, check a recent openswan man page for ipsec.secrets
or check testing/pluto/*xauth*)

Paul
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
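
A small triage helper for the whack status output quoted in this thread, added here as an example; it is not part of the original messages or of Openswan. It groups status lines by connection and SA serial and reports how far the negotiation got before the fatal error. The function names and the abbreviated sample input are constructed for illustration.

```python
import re

# Constructed sample: abbreviated status lines taken from the whack output in the thread.
SAMPLE = """\
104 "bison2" #2: STATE_MAIN_I1: initiate
003 "bison2" #2: received Vendor ID payload [XAUTH]
004 "bison2" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}
040 "bison2" #2: bison2 prompt for Password:
Enter secret:
002 "bison2" #2: XAUTH: Answering XAUTH challenge with user='server1'
004 "bison2" #2: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
037 "bison2" #2: encountered fatal error in state STATE_XAUTH_I1
"""

LINE = re.compile(r'^\d{3} "([^"]+)" #(\d+): (.*)$')
STATE = re.compile(r'(STATE_[A-Z0-9_]+): ')
FATAL = re.compile(r'encountered fatal error in state (STATE_[A-Z0-9_]+)')
USER = re.compile(r"Answering XAUTH challenge with user='([^']*)'")

def summarize(text):
    """Group whack status lines by (connection, SA serial) and record progress."""
    sas = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, separators and "Enter secret:" carry no SA tag
        conn, serial, msg = m.group(1), int(m.group(2)), m.group(3)
        sa = sas.setdefault((conn, serial), {"states": [], "peer_xauth": False,
                            "phase1_ok": False, "xauth_user": None, "fatal_in": None})
        if s := STATE.match(msg):  # "STATE_X: ..." lines only, not "transition from ..."
            sa["states"].append(s.group(1))
        sa["peer_xauth"] |= "Vendor ID payload [XAUTH]" in msg
        sa["phase1_ok"] |= "ISAKMP SA established" in msg
        if u := USER.search(msg):
            sa["xauth_user"] = u.group(1)
        if f := FATAL.search(msg):
            sa["fatal_in"] = f.group(1)
    return sas

def failure_stage(sa):
    """Classify where the negotiation stopped, using only what the log shows."""
    if sa["fatal_in"] is None:
        return "no fatal error logged"
    if not sa["phase1_ok"]:
        return "phase 1 (Main Mode) did not complete"
    if sa["fatal_in"].startswith("STATE_XAUTH"):
        answered = sa["xauth_user"] is not None or "STATE_XAUTH_I1" in sa["states"]
        return "XAUTH failed " + ("after" if answered else "before") + " the client answered the challenge"
    return "failed after phase 1 in " + sa["fatal_in"]
```

Calling `failure_stage(summarize(SAMPLE)[("bison2", 2)])` separates a phase 1 problem from an XAUTH-stage failure, which tells you whether to look at the PSK and proposals or at the XAUTH credentials and the server's side of the exchange.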