[Openswan Users] RSA + XAUTH + Cisco reconnection failures
Paul Wouters
paul at xelerance.com
Fri Mar 5 16:43:15 EST 2010
On Fri, 5 Mar 2010, Andrew Campbell wrote:
> Linux OpenSwan U2.4.12/K2.6.29-xs5.5.0.15 (netkey)
That really needs upgrading. At the very least to 2.4.15, ideally to 2.6.24/2.6.25.
> conn vpn
> type=tunnel
> auto=add
> rekey=no
> aggrmode=no
> authby=rsasig
> left=10.77.30.20
> leftcert=client.domain.com
> leftrsasigkey=%cert
> leftsendcert=always
> leftxauthclient=yes
> right=<CISCO IP ADDRESS>
> rightid="@server.domain.com"
> rightsubnet=10.1.1.0/24
> rightxauthserver=yes
> rightca=%same
To make these tests non-interactive, why don't you add the user name to ipsec.conf:
leftxauthusername=test3
and the password to ipsec.secrets:
@test3 : XAUTH "password"
>
> I toggle between the tunnel up and down with about 5 seconds
> in-between.
>
> openswan:/home/andrewc# ipsec auto --up vpn
> Name enter: test3
> Enter secret: *******
>
> 104 "vpn" #3: STATE_MAIN_I1: initiate
> 003 "vpn" #3: received Vendor ID payload [RFC 3947] method set to=109
> 106 "vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "vpn" #3: received Vendor ID payload [Cisco-Unity]
> 003 "vpn" #3: received Vendor ID payload [Dead Peer Detection]
> 003 "vpn" #3: ignoring unknown Vendor ID payload
> [ace5a1eb2b3b52bd7b4c626ac7e48997]
> 003 "vpn" #3: received Vendor ID payload [XAUTH]
> 003 "vpn" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am
> NATed
> 108 "vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "vpn" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
> 041 "vpn" #3: vpn prompt for Username:
> 040 "vpn" #3: vpn prompt for Password:
> 004 "vpn" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 004 "vpn" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 117 "vpn" #4: STATE_QUICK_I1: initiate
> 003 "vpn" #4: ignoring informational payload, type
> IPSEC_RESPONDER_LIFETIME
> 004 "vpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x2e929a7a <0xc86ffbf5 xfrm=3DES_0-HMAC_SHA1 NATD=<CISCOIP
> ADDRSS>:4500 DPD=none}
It's hard to tell what's happening here, and whether there is something
typed in or not. Openswan 2.6.x also has seen some fixes for rekeying
and xauth, and not storing typoed interactive xauth passwords.
Paul