[Openswan Users] OpenSWAN question on XAUTH clients

[Paul Wouters]

On Sat, 8 Aug 2009, Diego Rivera wrote:

> Hello, everyone! I'd like to implement IPSec for roadwarriors using x509
> certificates.  I already was able to achieve this with racoon but due to
> some very big bugs in racoon we've been forced to move away from it.  The

Out of curiosity, what were those bugs?

> configuration we had in place was compatible with Cisco VPN clients using
> XAUTH against PAM (and thus LDAP or whatever backend auth we chose).
> 
> My questions for OpenSWAN are these:
>  *  What's the PAM service name used when performing authentication?

PAM authentication is only supported via system. You will likely need
to reomcpile openswan and enable it specifically in Makefile.inc.

>  *  How do I tell OpenSWAN in the configurations that it should
>     authenticate via PAM for IPSec+XAUTH users?

leftxauthserver, rightxauthclient. See the XAUTH and modeConfig options
in 'man ipsec.conf'. For a client, you either run a manual 'ipsec auto
--up connname' that will prompt for the user/passwd, or you can add
leftxauthusername= and an XAUTH password entry in /etc/ipsec.secrets
(see man ipsec.secrets)

>  *  Is it possible to configure OpenSWAN as a server for the Cisco VPN
>     client? (yeah - I know Cisco does some gnarly things but still ...
>     someone likely has tried it before and perhaps even succeeded)
>      +  If it is indeed possible, can anyone offer up sample
>         configs/guides/reference material/etc?

It should be possible. You might need to de-obfuscate the Group Secret
in the pcf file, but there are tools in the contrib/ directory for that.
Note that it might be a license violation with cisco to do this though.

Paul