[Openswan Users] Xauth configuration with IOS

Bart Smink bartsmink at gmail.com
Fri Oct 7 12:13:02 EDT 2011


Greetings Openswan Users,

Configuring openswan to work with an iPhone has led to some problems.

Currently I have made a few changes to ipsec.conf to enable Xauth, which iOS
apparently requires to connect. It looks like Apple is using Cisco software
to connect. I am using the standard IPSec software of iOS.

My configuration is IPSec with Xl2tpd and now with Xauth. I have never worked
with Xauth before, so I have no point of reference with a working situation.
It could be that most settings are incorrect or inappropriate.

The iPhone is giving the following warning: Could not validate the server
certificate.
I don't know what this means, because I have installed the certificate of
the client and I have installed the Root CA.

The server is saying that there is a malformed payload in packet: byte 2
of ISAKMP Hash Payload must be zero, but is not.

The phone is connecting through a telecom provider; when using the same
connection with an Android device it works just fine. I come to the
conclusion that I have made some mistakes in my configuration with Xauth.

If anyone could take a look at it, it would be appreciated.

Greetings,

Bart Smink


The config files:

/etc/ipsec.conf:
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16,%v4:!172.28.0.0/16
        oe=off
        protostack=netkey
        dumpdir=/var/tmp
conn l2tp-X.509-Iphone
        #
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        #
        # Use a certificate. Disable Perfect Forward Secrecy.
        #
        authby=rsasig
        pfs=no
        auto=add
        # we cannot rekey for %any, let client rekey
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=129.125.xxx.yyy
        leftid=%fromcert
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/certs/HeliosnetGateway.pem
        leftprotoport=17/0
        leftxauthserver=yes
        leftmodecfgserver=yes
        leftxauthusername=user1
        # The remote user.
        right=%any
        rightid="E=bartsmink at gmail.com, CN=Iphone, O=heliosnet.nl, L=Groningen, ST=Groningen, C=Netherlands"
        rightca=%same
        rightrsasigkey=%cert
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        rightmodecfgclient=yes
        modecfgpull=yes
        rightxauthclient=yes

/etc/ipsec.secrets:
: RSA /etc/ipsec.d/private/HeliosnetGateway.pem.new "AM0mUuia9L"
@user1 : XAUTH "password1"

My Logs:
/var/log/secure


Oct  7 17:57:46 gateway pluto[7032]: Starting Pluto (Openswan Version 2.6.36; Vendor ID OEqltr]KZl]_) pid:7032
Oct  7 17:57:46 gateway pluto[7032]: LEAK_DETECTIVE support [disabled]
Oct  7 17:57:46 gateway pluto[7032]: OCF support for IKE [disabled]
Oct  7 17:57:46 gateway pluto[7032]: SAref support [disabled]: Protocol not available
Oct  7 17:57:46 gateway pluto[7032]: SAbind support [disabled]: Protocol not available
Oct  7 17:57:46 gateway pluto[7032]: NSS support [disabled]
Oct  7 17:57:46 gateway pluto[7032]: HAVE_STATSD notification support not compiled in
Oct  7 17:57:46 gateway pluto[7032]: Setting NAT-Traversal port-4500 floating to on
Oct  7 17:57:46 gateway pluto[7032]:    port floating activation criteria nat_t=1/port_float=1
Oct  7 17:57:46 gateway pluto[7032]:    NAT-Traversal support  [enabled]
Oct  7 17:57:46 gateway pluto[7032]: using /dev/urandom as source of random entropy
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct  7 17:57:46 gateway pluto[7032]: starting up 1 cryptographic helpers
Oct  7 17:57:46 gateway pluto[7032]: started helper pid=7038 (fd:6)
Oct  7 17:57:46 gateway pluto[7032]: Using Linux 2.6 IPsec interface code on 2.6.18-194.8.1.v5 (experimental code)
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_add(): ERROR: Algorithm already exists
Oct  7 17:57:46 gateway pluto[7032]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Oct  7 17:57:46 gateway pluto[7038]: using /dev/urandom as source of random entropy
Oct  7 17:57:46 gateway pluto[7032]: Changed path to directory '/etc/ipsec.d/cacerts'
Oct  7 17:57:46 gateway pluto[7032]:   loaded CA cert file 'HeliosnetRootCA.pem' (1270 bytes)
Oct  7 17:57:46 gateway pluto[7032]: Changed path to directory '/etc/ipsec.d/aacerts'
Oct  7 17:57:46 gateway pluto[7032]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Oct  7 17:57:46 gateway pluto[7032]: Changing to directory '/etc/ipsec.d/crls'
Oct  7 17:57:46 gateway pluto[7032]:   loaded crl file 'heliosnetnlRootCertificate.crl' (733 bytes)
Oct  7 17:57:47 gateway pluto[7032]: loading certificate from /etc/ipsec.d/certs/HeliosnetGateway.pem
Oct  7 17:57:47 gateway pluto[7032]:   loaded host cert file '/etc/ipsec.d/certs/HeliosnetGateway.pem' (1396 bytes)
Oct  7 17:57:47 gateway pluto[7032]:   no subjectAltName matches ID '%fromcert', replaced by subject DN
Oct  7 17:57:47 gateway pluto[7032]: added connection description "l2tp-X.509-Iphone"
Oct  7 17:57:47 gateway pluto[7032]: loading certificate from /etc/ipsec.d/certs/HeliosnetGateway.pem
Oct  7 17:57:47 gateway pluto[7032]:   loaded host cert file '/etc/ipsec.d/certs/HeliosnetGateway.pem' (1396 bytes)
Oct  7 17:57:47 gateway pluto[7032]:   no subjectAltName matches ID '%fromcert', replaced by subject DN
Oct  7 17:57:47 gateway pluto[7032]: added connection description "l2tp-X.509"
Oct  7 17:57:47 gateway pluto[7032]: loading certificate from /etc/ipsec.d/certs/HeliosnetGateway.pem
Oct  7 17:57:47 gateway pluto[7032]:   loaded host cert file '/etc/ipsec.d/certs/HeliosnetGateway.pem' (1396 bytes)
Oct  7 17:57:47 gateway pluto[7032]:   no subjectAltName matches ID '%fromcert', replaced by subject DN
Oct  7 17:57:47 gateway pluto[7032]: added connection description "l2tp-X.509-Android"
Oct  7 17:57:47 gateway pluto[7032]: listening for IKE messages
Oct  7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 129.125.102.34:500
Oct  7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 129.125.102.34:4500
Oct  7 17:57:47 gateway pluto[7032]: adding interface eth1/eth1 172.28.1.1:500
Oct  7 17:57:47 gateway pluto[7032]: adding interface eth1/eth1 172.28.1.1:4500
Oct  7 17:57:47 gateway pluto[7032]: adding interface lo/lo 127.0.0.1:500
Oct  7 17:57:47 gateway pluto[7032]: adding interface lo/lo 127.0.0.1:4500
Oct  7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 2002:817d:68ab:b:204:75ff:fee5:5b18:500
Oct  7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 fec0::b:204:75ff:fee5:5b18:500
Oct  7 17:57:47 gateway pluto[7032]: adding interface eth0/eth0 2002:817d:65a6:b:204:75ff:fee5:5b18:500
Oct  7 17:57:47 gateway pluto[7032]: adding interface lo/lo ::1:500
Oct  7 17:57:47 gateway pluto[7032]: loading secrets from "/etc/ipsec.secrets"
Oct  7 17:57:47 gateway pluto[7032]:   loaded private key file '/etc/ipsec.d/private/HeliosnetGateway.pem.new' (1743 bytes)
Oct  7 17:57:47 gateway pluto[7032]: loaded private key for keyid: PPK_RSA:AwEAAYWrN
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [RFC 3947] method set to=109
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [XAUTH]
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [Cisco-Unity]
Oct  7 17:57:51 gateway pluto[7032]: packet from 62.140.137.81:53742: received Vendor ID payload [Dead Peer Detection]
Oct  7 17:57:51 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: responding to Main Mode from unknown peer 62.140.137.81
Oct  7 17:57:51 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct  7 17:57:51 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Oct  7 17:57:52 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Oct  7 17:57:52 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct  7 17:57:52 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Oct  7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct  7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: Main mode peer ID is ID_DER_ASN1_DN: 'E=bartsmink at gmail.com, CN=Iphone, O=heliosnet.nl, L=Groningen, ST=Groningen, C=Netherlands'
Oct  7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: crl update for "CN=heliosnet.nl Root Certificate, O=heliosnet.nl, C=NL" is overdue since Feb 24 16:18:33 UTC 2011
Oct  7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: I am sending my cert
Oct  7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct  7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: new NAT mapping for #1, was 62.140.137.81:53742, now 62.140.137.81:53598
Oct  7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
Oct  7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: XAUTH: Sending XAUTH Login/Password Request
Oct  7 17:57:53 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Oct  7 17:57:54 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
Oct  7 17:57:54 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: malformed payload in packet
Oct  7 17:57:54 gateway pluto[7032]: | payload malformed after IV
Oct  7 17:57:54 gateway pluto[7032]: |   b1 4b 37 18  e6 58 1d a1  88 57 93 05  b5 23 6b d2
Oct  7 17:57:54 gateway pluto[7032]: "l2tp-X.509-Iphone"[1] 62.140.137.81 #1: sending notification PAYLOAD_MALFORMED to 62.140.137.81:53598
Oct  7 17:57:54 gateway pluto[7032]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 62.140.137.81 port 53598, complainant 62.140.137.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]


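The "byte 2 of ISAKMP Hash Payload must be zero" line in the log is pluto rejecting the RESERVED octet of an ISAKMP generic payload header (RFC 2408 section 3.2: next payload, reserved, length). The following is an added example, not code from this post or from Openswan: a small parser that walks a payload chain and applies the same check, run on a constructed well-formed XAUTH request and on the 16 bytes the log dumps after the IV. Payload type numbers 8 (Hash) and 14 (Attribute) are from RFC 2408 and the ISAKMP mode-config draft.

```python
"""Generic ISAKMP payload header checks (RFC 2408 section 3.2).

Constructed example; mirrors the sanity check behind pluto's
"byte 2 of ISAKMP <type> Payload must be zero, but is not" message.
"""
import struct

# Payload type numbers used here: 8 = Hash (RFC 2408), 14 = Attribute
# (ISAKMP configuration method, used by XAUTH and mode-config).
PAYLOAD_NAMES = {0: "NONE", 8: "Hash", 14: "Attribute"}

# Generic payload header: next payload (1), RESERVED (1), payload length (2).
HEADER = struct.Struct("!BBH")


def parse_payload_chain(data: bytes, first_type: int):
    """Walk the chain of payloads that starts with payload type first_type.

    Returns (payloads, error): payloads is a list of (type, body) tuples,
    error is None on success or a pluto-style message for the first defect.
    """
    payloads, offset, ptype = [], 0, first_type
    while ptype != 0:
        name = PAYLOAD_NAMES.get(ptype, str(ptype))
        if len(data) - offset < HEADER.size:
            return payloads, f"{name} payload header truncated at offset {offset}"
        next_type, reserved, length = HEADER.unpack_from(data, offset)
        # RESERVED must be zero. A non-zero value right after the IV usually
        # means the decrypted bytes are garbage (IV or key mismatch with the peer).
        if reserved != 0:
            return payloads, f"byte 2 of ISAKMP {name} Payload must be zero, but is not"
        if length < HEADER.size or offset + length > len(data):
            return payloads, f"{name} payload length {length} is out of range"
        payloads.append((ptype, data[offset + HEADER.size:offset + length]))
        offset += length
        ptype = next_type
    return payloads, None


def build_payload(next_type: int, body: bytes) -> bytes:
    """Encode one generic payload with a correctly zeroed RESERVED byte."""
    return HEADER.pack(next_type, 0, HEADER.size + len(body)) + body


# Constructed well-formed XAUTH message body: a Hash payload (placeholder
# 16-byte digest) followed by an Attribute payload, as sent at XAUTH_R0.
GOOD = build_payload(14, bytes(16)) + build_payload(0, b"\x01\x00\x00\x00")

# The 16 bytes pluto dumped after the IV in the log above: 0x4b in the
# RESERVED position is exactly what triggered the error.
BAD = bytes.fromhex("b14b3718e6581da188579305b5236bd2")

if __name__ == "__main__":
    print(parse_payload_chain(GOOD, 8))
    print(parse_payload_chain(BAD, 8))
```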