[Swan] Problem with iPhone/iPad and XAUTH Group ID

Philippe Vouters philippe.vouters at laposte.net
Fri Mar 28 16:45:55 EET 2014


Dear Marc-Christian,

The document you draw attention to on my Web site describes 
Shrew/Libreswan running in Mutual PSK/RSA + XAuth + DHCP + PAM. The 
trace left by racoon on your iPhone says:

racoon[16654]: [16654] ERROR: No SIG was passed, hybrid auth is enabled, but peer is no Xauth compliant

So I would set Shrew in hybrid mode and check whether this mode is 
indeed implemented in today's Libreswan V3.8.

A long time ago when I tested Shrew's hybrid mode, Libreswan was saying 
in my Fedora /var/log/secure:
#
# Hybrid RSA. Leads to
# Oct 11 16:53:00 victor pluto[12408]: "Philippe"[6] 192.168.1.3 #3: Pluto does not support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
# Oct 11 16:53:00 victor pluto[12408]: "Philippe"[6] 192.168.1.3 #3: no acceptable Oakley Transform
# Oct 11 16:53:00 victor pluto[12408]: | complete state transition with (null)
#

Yours truly,

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 03/28/2014 02:48 PM, Marc-Christian Petersen wrote:
> Hi all,
>
> I'm using Libreswan v3.8 and trying to use XAUTH with GroupID, as
> described here: http://vouters.dyndns.org/tima/Linux-Libreswan-Shrew-VPN-Testing_PAM_XAUTH_DHCP_with_Shrew.html
>
> it works with ShrewVPN but not on iPhone/iPad (iOS v4.x-v7.x)
>
> at least on one iPhone I see this log entry:
>
> racoon[16654]: [16654] ERROR: No SIG was passed, hybrid auth is enabled, but peer is no Xauth compliant
>
> I know aggressive mode is insecure and I don't use it but a customer
> has to use it, so please don't tell me aggressive mode is insecure ;)
>
> XAUTH with PSK just works fine.
>
> Thanks!
>


