[Swan] Problem with iPhone/iPad and XAUTH Group ID
Philippe Vouters
philippe.vouters at laposte.net
Fri Mar 28 18:29:13 EET 2014
Marc-Christian,
If I refer to what I document in the URL you pointed us to, the
Libreswan configuration in Mutual PSK + XAuth + DHCP + PAM mode is:
# Mutual PSK + XAuth + Fixed IP
conn Philippe_XAUTH_PSK
    authby=secret
    aggrmode=yes
    leftxauthserver=yes
    rightxauthclient=yes
    rightid=@[GroupVPN]
    xauthby=pam
    also=FIXED_RIGHT_IP

# Mutual PSK + XAuth + DHCP
conn Philippe_XAUTH_PSK_DHCP
    authby=secret
    leftxauthserver=yes
    rightxauthclient=yes
    rightid=@[GroupVPN]
    aggrmode=yes
    also=DHCP_RIGHT_IP
    xauthby=pam
So I would say racoon on your iPhone is only configured to negotiate
Hybrid PSK + XAuth with Exchange type "aggressive" instead of the
Libreswan expected Mutual PSK + XAuth with Exchange type "aggressive".
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 03/28/2014 05:09 PM, Paul Wouters wrote:
> On Fri, 28 Mar 2014, Marc-Christian Petersen wrote:
>
>> yep, I know about the bug but it doesn't happen here.
>>
>> for whatever reason iOS is using hybrid mode when using
>> cisco ipsec mode with group name and PSK.
>>
>> Maybe the problem is Libreswan not offering XAUTH when in
>> aggressive mode and iOS is falling back to hybrid?
>
> Does it not send the XAUTH vendor id in Aggressive Mode?
>
> btw. There is unmaintained code in contrib/checkpoint-hybrid/ to support
> Hybrid Mode. If someone wants to merge in that code, and provide some
> interop testing (eg with Shrew Soft) we could pull that code into the
> main code base.
>
> Paul
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>