[Swan] Multiple xauth rounds and Libreswan as a client
LAmbono Bono
lambono80 at gmail.com
Tue Mar 24 16:22:20 EET 2015
Hi,
I know that it is possible to configure Libreswan to be a VPN server
supporting multiple xauth rounds. But does it also work when Libreswan is
in the client role?
My VPN server is a Cisco ASA and my client is Libreswan version 3.12. The server
is using OTP, and the generated OTP password is sent to me by email.
I think that during the first xauth round the user password is automatically
used, after which the OTP password is required. I'm stuck at this step, as I do
not get a prompt from Libreswan to enter that OTP password.
I initiate VPN connection using:
ipsec auto --up cisco
My configuration is:
/etc/ipsec.conf
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf
---
/etc/ipsec.d/cisco.conf
conn cisco
    # fill in your groupname and username
    leftid=@mygroupname
    leftxauthusername=myusername
    #
    # The proposals have to match exactly or the cisco stops talking
    ike=aes128-sha1;modp1024
    esp=aes128-sha1;modp1024
    right=IP_address_of_Cisco_ASA
    initial_contact=yes
    aggrmode=yes
    authby=secret
    left=%defaultroute
    leftxauthclient=yes
    leftmodecfgclient=yes
    remote_peer_type=cisco
    rightxauthserver=yes
    rightmodecfgserver=yes
    salifetime=24h
    ikelifetime=1h
    dpdaction=restart
    dpdtimeout=60
    dpddelay=30
---
/etc/ipsec.secrets
IP_address_of_Cisco_ASA %any : PSK "mygrouppwd"    # this is the PSK for the group password
@myusername : XAUTH "myxauthpwd"                    # this is the password for XAuth (user myusername)
---
Then in the log messages I see the following from Libreswan:
Mar 24 13:17:54 vpn pluto[2817]: loading secrets from "/etc/ipsec.secrets"
Mar 24 13:17:55 vpn pluto[2817]: added connection description "cisco"
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: initiating Aggressive Mode #1, connection "cisco"
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload [Cisco-Unity]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload [XAUTH]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload [Dead Peer Detection]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload [RFC 3947]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload [FRAGMENTATION c0000000]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: ignoring unknown Vendor ID payload [1f12235754e37200725ee00a4c30bc57]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or 17/500 but are 17/0 (attempting to continue)
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'IP_address_of_Cisco_ASA'
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled
Mar 24 13:18:06 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:06 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:06 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:06 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled
Mar 24 13:18:08 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: Unsupported XAUTH basic attribute 32136?? received.
Mar 24 13:18:08 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: XAUTH: No username or password request was received.
Mar 24 13:18:16 vpn pluto[2817]: "cisco" #1: next payload type of ISAKMP Hash Payload has an unknown value: 231
Mar 24 13:18:16 vpn pluto[2817]: "cisco" #1: malformed payload in packet
Mar 24 13:18:24 vpn pluto[2817]: "cisco" #1: next payload type of ISAKMP Hash Payload has an unknown value: 231
Mar 24 13:18:24 vpn pluto[2817]: "cisco" #1: malformed payload in packet
Mar 24 13:18:32 vpn pluto[2817]: "cisco" #1: next payload type of ISAKMP Hash Payload has an unknown value: 231
Mar 24 13:18:32 vpn pluto[2817]: "cisco" #1: malformed payload in packet
Mar 24 13:18:40 vpn pluto[2817]: "cisco" #1: received Delete SA payload: self-deleting ISAKMP State #1
Mar 24 13:18:40 vpn pluto[2817]: packet from IP_address_of_Cisco_ASA:4500: received and ignored empty informational notification payload
Previously I used vpnc, which handled OTP passwords fine in the above-mentioned
setup, but was unable to hold the VPN connection for longer periods...
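Added example (not part of the original post, and not Libreswan code): a small Python script that reconstructs the XAUTH round structure from pluto's log, so the question in the post, whether the client was prompted or answered the server's one-time-password message by itself, can be read off a log file rather than by eye. SAMPLE_LOG is trimmed from the log quoted above (the 13:18:06 round and the state-transition lines are left out); the XauthRound fields, the rule that each "XAUTH type" attribute opens a new round, and the "one-time password" keyword match are this example's own assumptions.

```python
"""Reconstruct XAUTH rounds from a Libreswan pluto log.
Added example for this page; not part of the original post or of Libreswan.
SAMPLE_LOG is a constructed subset of the pluto lines quoted in the post."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:08 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: Unsupported XAUTH basic attribute 32136?? received.
Mar 24 13:18:08 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: XAUTH: No username or password request was received.
"""

TIME_RE = re.compile(r"^\w{3} +\d+ (\d\d:\d\d:\d\d)")
ATTR_RE = re.compile(r"Received Cisco XAUTH (type: \S+|username|password|message)")
MSG_RE = re.compile(r"XAUTH Message: (.+)$")
ANSWER_RE = re.compile(r"Answering XAUTH challenge with user='([^']*)'")
UNSUPPORTED_RE = re.compile(r"Unsupported XAUTH basic attribute (\d+)")
NO_REQUEST = "No username or password request was received"


@dataclass
class XauthRound:
    """One server-to-client XAUTH request; a round starts at each XAUTH type attribute (assumption)."""
    time: str
    requested: List[str] = field(default_factory=list)    # attributes the server asked for
    message: Optional[str] = None                         # text of the XAUTH message, if any
    answered_as: Optional[str] = None                     # user name pluto answered with
    unsupported: List[int] = field(default_factory=list)  # attribute numbers pluto did not know
    no_request: bool = False                              # pluto found nothing it could answer


def parse_rounds(log: str) -> List[XauthRound]:
    """Group pluto's XAUTH debug and log lines into rounds, in log order."""
    rounds: List[XauthRound] = []
    cur: Optional[XauthRound] = None
    for line in log.splitlines():
        t = TIME_RE.match(line)
        stamp = t.group(1) if t else "?"
        m = ATTR_RE.search(line)
        if m:
            attr = m.group(1)
            if attr.startswith("type:"):   # new round
                cur = XauthRound(time=stamp)
                rounds.append(cur)
            elif cur is not None:
                cur.requested.append(attr)
            continue
        if cur is None:
            continue
        if (m := MSG_RE.search(line)):
            cur.message = m.group(1).strip()
        elif (m := ANSWER_RE.search(line)):
            cur.answered_as = m.group(1)
        elif (m := UNSUPPORTED_RE.search(line)):
            cur.unsupported.append(int(m.group(1)))
        elif NO_REQUEST in line:
            cur.no_request = True
    return rounds


def diagnose(rounds: List[XauthRound]) -> List[str]:
    """Flag OTP prompts that were answered without user input, and rounds the client
    could not answer at all. The 'one-time password' keyword is this example's heuristic."""
    findings = []
    for i, r in enumerate(rounds, 1):
        if r.message and "one-time password" in r.message.lower() and r.answered_as:
            findings.append(f"round {i} ({r.time}): prompt {r.message!r} was answered "
                            f"automatically as user={r.answered_as!r}, with no interactive prompt")
        if r.no_request:
            findings.append(f"round {i} ({r.time}): server sent a message but no username/password "
                            f"attribute; pluto had nothing it could answer")
        if r.unsupported:
            findings.append(f"round {i} ({r.time}): unknown XAUTH attribute(s) {r.unsupported}")
    return findings


if __name__ == "__main__":
    rs = parse_rounds(SAMPLE_LOG)
    for i, r in enumerate(rs, 1):
        print(f"round {i} @{r.time}: requested={r.requested} message={r.message!r} "
              f"answered_as={r.answered_as!r} unsupported={r.unsupported}")
    for f in diagnose(rs):
        print("!", f)
```

To use it on a real system, feed the pluto lines from syslog (with the `| ` debug output enabled, as in the post) to parse_rounds instead of SAMPLE_LOG; the rounds that carry a message but were answered in the same second are the ones where no prompt reached the user.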