[Openswan Users] OpenSWAN question on XAUTH clients
paul at xelerance.com
Sun Aug 9 13:37:19 EDT 2009
On Sat, 8 Aug 2009, Diego Rivera wrote:
> Hello, everyone! I'd like to implement IPSec for roadwarriors using x509
> certificates. I already was able to achieve this with racoon but due to
> some very big bugs in racoon we've been forced to move away from it. The
Out of curiosity, what were those bugs?
> configuration we had in place was compatible with Cisco VPN clients using
> XAUTH against PAM (and thus LDAP or whatever backend auth we chose).
> My questions for OpenSWAN are these:
> * What's the PAM service name used when performing authentication?
PAM authentication is only supported via system. You will likely need
to reomcpile openswan and enable it specifically in Makefile.inc.
> * How do I tell OpenSWAN in the configurations that it should
> authenticate via PAM for IPSec+XAUTH users?
leftxauthserver, rightxauthclient. See the XAUTH and modeConfig options
in 'man ipsec.conf'. For a client, you either run a manual 'ipsec auto
--up connname' that will prompt for the user/passwd, or you can add
leftxauthusername= and an XAUTH password entry in /etc/ipsec.secrets
(see man ipsec.secrets)
> * Is it possible to configure OpenSWAN as a server for the Cisco VPN
> client? (yeah - I know Cisco does some gnarly things but still ...
> someone likely has tried it before and perhaps even succeeded)
> + If it is indeed possible, can anyone offer up sample
> configs/guides/reference material/etc?
It should be possible. You might need to de-obfuscate the Group Secret
in the pcf file, but there are tools in the contrib/ directory for that.
Note that it might be a license violation with cisco to do this though.
More information about the Users