[Swan] Problem with iPhone/iPad and XAUTH Group ID

Philippe Vouters philippe.vouters at laposte.net
Fri Mar 28 18:01:21 EET 2014


Marc-Christian,

Apparently this does not apply to the iPhone and a Cisco IPsec mode.
However, between Cisco IOS *Version 15.1(4)M4, RELEASE SOFTWARE (fc1)*
and Shrew in PSK mode, I have explicitly set Shrew running with *Mutual
PSK + XAuth* with a local identifier being a KeyID and the remote
identifier being an FQDN. With this Cisco IOS version, aggressive mode
has to be set for PSK authentication.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 03/28/2014 04:33 PM, Marc-Christian Petersen wrote:
> Hi Paul,
>
> yep, I know about the bug but it doesn't happen here.
>
> for whatever reason iOS is using hybrid mode when using
> cisco ipsec mode with group name and PSK.
>
> Maybe the problem is Libreswan not offering XAUTH when in
> aggressive mode and iOS is falling back to hybrid?
>
>
> On 28.03.2014 at 16:25:33, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Fri, 28 Mar 2014, Marc-Christian Petersen wrote:
>>
>>> Libreswan does not support Hybrid mode:
>>>
>>> Mar 28 16:04:51 vpn pluto[28426]: "XAUTH-GROUP"[2] 1.2.3.4 #2: Pluto does not support HybridInitRSA authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
>>
>> The iPhone should not be using hybrid mode. Be aware if you switch from
>> PSK to CERT configurations on your iPhone, and you don't wipe the
>> PSK/ID information, your CERT connection will fail.
