[Openswan Users] Apparent XAUTH failure iPhone to Openswan, ipsec w/ identity certificates
Michael Rightmire
rightmire at team-datentechnik.de
Mon Oct 17 07:08:26 EDT 2011
OK...seems a pretty significant bug with the emerge openswan install (at least on gentoo)
For some reason, the ../programs/pluto/Makefile.options file in the openswan distribution does not read the USE_XAUTHPAM environment variable correctly and sets USE_XAUTHPAM=1 (USE_XAUTHPAM?=false in the Makefile.inc). I changed the following code in the Makefile.options ...
# compile with PAM support will increase the size of the distribution
# and thus it may not be the best solution for embeded systems. XAUTH
# will use MD5/DES crypt() lib and a password file by default.
ifeq ($(USE_XAUTHPAM),true)
XAUTH_USEPAM=1
endif
endif
...to...
ifeq ($(USE_XAUTHPAM),true)
XAUTH_USEPAM=0
endif
endif
...And now it's using the MD5 authentication.
HOWEVER, I AM STILL GETTING THE ERROR...
Expected MODE_CFG_REPLY did not contain username or password attribute
... in the ipsec.log and the login is still failing. I DO have a username and password set in the iPhone's ipsec section of the VPN config...so I'm not sure why it's sending an empty user/pass response???
Thanks!
(from ipsec.log)
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: Sending XAUTH Login/Password Request
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: User mrightmi: Attempting to login
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: md5 authentication being called to authenticate user mrightmi
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: password file (/etc/ipsec.d/passwd) open.
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: User mrightmi: Authentication Failed: Incorrect Username or Password
"just-ipsec"[4] 89.xxx.xxx.126 #2: Expected MODE_CFG_REPLY did not contain username or password attribute
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: User <unknown>: Authentication Failed (retry 1)
"just-ipsec"[4] 89.xxx.xxx.126 #2: received Delete SA payload: deleting ISAKMP State #2
"just-ipsec"[4] 89.xxx.xxx.126: deleting connection "just-ipsec" instance with peer 89.xxx.xxx.126 {isakmp=#0/ipsec=#0}
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of users-request at openswan.org
Sent: Saturday, 15 October 2011 18:00
To: users at openswan.org
Subject: Users Digest, Vol 95, Issue 25
Message: 1
Date: Sat, 15 Oct 2011 06:15:47 +0000 (UTC)
From: Andreas Schäfer <as at schaefer-bs.com>
Subject: Re: [Openswan Users] Apparent XAUTH failure iPhone to Openswan, ipsec w/ identity certificates
To: users at lists.openswan.org
Message-ID: <loom.20111015T081158-960 at post.gmane.org>
Content-Type: text/plain; charset=us-ascii
Have a similar problem, did you recompile OpenSWAN with XAUTH_PAM=true??
Did you find out anything in the meantime???
Oct 14 17:19:11 vm-vpn pluto[7689]: "iphone-ipsec"[1] 80.187.96.2 #1: XAUTH: Sending XAUTH Login/Password Request
Oct 14 17:19:11 vm-vpn pluto[7689]: "iphone-ipsec"[1] 80.187.96.2 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Oct 14 17:19:13 vm-vpn pluto[7689]: "iphone-ipsec"[1] 80.187.96.2 #1: discarding duplicate packet; already STATE_XAUTH_R0
Oct 14 17:19:21 vm-vpn pluto[7689]: last message repeated 2 times
Oct 14 17:19:21 vm-vpn pluto[7689]: "iphone-ipsec"[1] 80.187.96.2 #1: DPD: could not find newest phase 1 state
Oct 14 17:19:31 vm-vpn pluto[7689]: "iphone-ipsec"[1] 80.187.96.2 #1: discarding duplicate packet; already STATE_XAUTH_R0
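Added example (not part of the original posts and not Openswan code): a small Python parser for the pluto log format quoted above that lists XAUTH failures in order for each connection state. Run on the lines from the first excerpt, it reports the md5 password-file rejection of user mrightmi before the empty MODE_CFG_REPLY message; the function name and outcome labels are assumptions made for this example.

```python
import re

# pluto's per-state prefix: "conn"[instance] peer #state: message
LINE = re.compile(r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)')
USER = re.compile(r'XAUTH: User (?P<user>\S+): Attempting to login')
BACKEND = re.compile(r'XAUTH: (?P<backend>\w+) authentication being called')

# Log lines copied from the first excerpt in the post (peer address masked there).
SAMPLE = '''\
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: User mrightmi: Attempting to login
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: md5 authentication being called to authenticate user mrightmi
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: password file (/etc/ipsec.d/passwd) open.
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: User mrightmi: Authentication Failed: Incorrect Username or Password
"just-ipsec"[4] 89.xxx.xxx.126 #2: Expected MODE_CFG_REPLY did not contain username or password attribute
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
"just-ipsec"[4] 89.xxx.xxx.126 #2: XAUTH: User <unknown>: Authentication Failed (retry 1)
'''.splitlines()

def xauth_findings(lines):
    """Return ordered (session, outcome, user, backend) tuples for XAUTH failures.

    session is (connection name, instance, state number); lines with a syslog
    prefix in front of the pluto prefix are accepted as well.
    """
    ctx = {}       # session -> user/backend seen for the login attempt in progress
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        session = (m["conn"], int(m["inst"]), int(m["state"]))
        msg = m["msg"]
        cur = ctx.setdefault(session, {"user": None, "backend": None})
        if (u := USER.search(msg)):
            cur["user"] = u["user"]
        elif (b := BACKEND.search(msg)):
            cur["backend"] = b["backend"]
        elif "Authentication Failed: Incorrect Username or Password" in msg:
            # The backend received credentials and rejected them.
            findings.append((session, "credentials_rejected", cur["user"], cur["backend"]))
            ctx[session] = {"user": None, "backend": None}
        elif "did not contain username or password attribute" in msg:
            # The peer answered without the username/password attributes.
            findings.append((session, "empty_reply", None, None))
    return findings

if __name__ == "__main__":
    for finding in xauth_findings(SAMPLE):
        print(finding)
```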