[Openswan Users] Using XAUTH against Checkpoint firewall
Ondrej Valousek
webserv at s3group.cz
Thu Dec 17 05:49:32 EST 2009
Hi All,
I am trying to test 2 phase authentication for RoadWarrior client with
Checkpoint R95 firewall using XAUTH.
My setup:
conn "Prague"
    left=%defaultroute
    leftcert=ondrejv-unix
    leftrsasigkey=%cert
    leftprotoport=tcp/http
    leftxauthclient=yes
    right=193.85.188.83
    # rightsubnet=192.168.60.0/24
    rightcert=openswan-cert
    rightrsasigkey=%cert
    rightprotoport=tcp/http
    rightxauthserver=yes
Now, when I comment out the xauth stuff, I am able to establish the
tunnel using my certificates. When I uncomment the xauth stuff, I am not
able to finish even the first (IKE) stage of the negotiation:
104 "Prague" #1: STATE_MAIN_I1: initiate
003 "Prague" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
003 "Prague" #1: received and ignored informational message
And the firewall complains: "Reason: unsupported authentication method
65005".
Question:
Who is right here? According to
http://tools.ietf.org/id/draft-ietf-ipsec-isakmp-xauth-06.txt the
extended authentication should be required AFTER stage 1 has
successfully finished. So OpenSwan should authenticate stage 1 using the certificate and
THEN expect/require the ISAKMP authentication request with XAUTH.
Can someone shed some light on this?
Many thanks,
Ondrej
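The number in the firewall's error is the Authentication Method value Openswan put into its Phase 1 SA proposal: draft-ietf-ipsec-isakmp-xauth-06 signals that XAUTH will follow by negotiating one of its private-use Authentication Method values (65001..65010) during Phase 1, and 65005 is XAUTHInitRSA, so a responder that does not implement those values rejects the proposal with NO_PROPOSAL_CHOSEN in the very first exchange, before any certificate is examined. The decoder below is an added example, not code from the original post or from Openswan; its attribute tables come from RFC 2408/2409 and the XAUTH draft, and the sample proposal bytes are constructed.

```python
import struct

# Oakley Phase 1 transform attribute types (RFC 2409, Appendix A).
ATTR_TYPES = {1: "Encryption Algorithm", 2: "Hash Algorithm",
              3: "Authentication Method", 4: "Group Description",
              11: "Life Type", 12: "Life Duration"}

# Authentication Method values: RFC 2409 plus the private-use range that
# draft-ietf-ipsec-isakmp-xauth-06 uses to announce a later XAUTH exchange.
AUTH_METHODS = {1: "pre-shared key", 2: "DSS signatures", 3: "RSA signatures",
                4: "Encryption with RSA", 5: "Revised encryption with RSA",
                65001: "XAUTHInitPreShared", 65002: "XAUTHRespPreShared",
                65003: "XAUTHInitDSS", 65004: "XAUTHRespDSS",
                65005: "XAUTHInitRSA", 65006: "XAUTHRespRSA",
                65007: "XAUTHInitRSAEncryption", 65008: "XAUTHRespRSAEncryption",
                65009: "XAUTHInitRSARevisedEncryption",
                65010: "XAUTHRespRSARevisedEncryption"}

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 section 3.3) into (type, value).

    Each attribute starts with a 2-byte type. If its high bit (AF) is set, the
    next 2 bytes are the value (TV form); otherwise they give the length of a
    variable-length value that follows (TLV form)."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        raw_type, word = struct.unpack_from("!HH", data, off)
        off += 4
        if raw_type & 0x8000:                       # TV attribute
            attrs.append((raw_type & 0x7FFF, word))
        else:                                       # TLV attribute
            if off + word > len(data):
                raise ValueError("truncated TLV attribute")
            attrs.append((raw_type, int.from_bytes(data[off:off + word], "big")))
            off += word
    if off != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs

def describe(attrs):
    """Map attribute numbers to names; only the Authentication Method is decoded."""
    out = {}
    for t, v in attrs:
        name = ATTR_TYPES.get(t, "attr %d" % t)
        out[name] = AUTH_METHODS.get(v, "unknown (%d)" % v) if t == 3 else v
    return out

def xauth_announced(attrs):
    """True when the proposal uses one of the XAUTH draft's private-use methods."""
    return any(t == 3 and 65001 <= v <= 65010 for t, v in attrs)

# Constructed sample: 3DES (5), SHA (2), Authentication Method 65005, MODP1024 (2).
SAMPLE = (struct.pack("!HH", 0x8001, 5) + struct.pack("!HH", 0x8002, 2) +
          struct.pack("!HH", 0x8003, 65005) + struct.pack("!HH", 0x8004, 2))
```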