[Swan] Multiple xauth rounds and Libreswan as a client

LAmbono Bono lambono80 at gmail.com
Tue Mar 24 16:22:20 EET 2015


Hi,

    I know that it is possible to configure Libreswan to be a VPN server
supporting multiple xauth rounds. But does it also work when Libreswan is
in the client role?
My VPN server is a Cisco ASA and my client is Libreswan version 3.12. The server
is using OTP, and the generated OTP password is sent to me by email.
    I think that during the first xauth round a user password is automatically
used, after which the OTP password is required. I'm stuck at this step, as I do
not get a prompt from Libreswan to enter that OTP password.

I initiate VPN connection using:
ipsec auto --up cisco

My configuration is:

/etc/ipsec.conf

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
    include /etc/ipsec.d/*.conf

---

/etc/ipsec.d/cisco.conf

conn cisco
    # fill in your groupname and username
    leftid=@mygroupname
    leftxauthusername=myusername
    #
    # The proposals have to match exactly or the cisco stops talking
    ike=aes128-sha1;modp1024
    esp=aes128-sha1;modp1024
    right=IP_address_of_Cisco_ASA
    initial_contact=yes
    aggrmode=yes
    authby=secret
    left=%defaultroute
    leftxauthclient=yes
    leftmodecfgclient=yes
    remote_peer_type=cisco
    rightxauthserver=yes
    rightmodecfgserver=yes
    salifetime=24h
    ikelifetime=1h
    dpdaction=restart
    dpdtimeout=60
    dpddelay=30

---

/etc/ipsec.secrets

IP_address_of_Cisco_ASA  %any : PSK "mygrouppwd"    # this is the PSK for the group password
@myusername : XAUTH "myxauthpwd"                    # this is the password for XAuth (user myusername)

---


Then in the log messages I see the following from Libreswan:

Mar 24 13:17:54 vpn pluto[2817]: loading secrets from "/etc/ipsec.secrets"
Mar 24 13:17:55 vpn pluto[2817]: added connection description "cisco"
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: initiating Aggressive Mode #1,
connection "cisco"
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload
[Cisco-Unity]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload
[XAUTH]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload
[Dead Peer Detection]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload
[RFC 3947]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: received Vendor ID payload
[FRAGMENTATION c0000000]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: ignoring unknown Vendor ID
payload [1f12235754e37200725ee00a4c30bc57]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: ignoring Vendor ID payload
[Cisco VPN 3000 Series]
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: protocol/port in Phase 1 ID
Payload MUST be 0/0 or 17/500 but are 17/0 (attempting to continue)
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Aggressive mode peer ID is
ID_IPV4_ADDR: 'IP_address_of_Cisco_ASA'
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: NAT-Traversal: Result using
RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: transition from state
STATE_AGGR_I1 to state STATE_AGGR_I2
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: STATE_AGGR_I2: sent AI2,
ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha
group=MODP1024}
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC
3706): enabled
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH
challenge with user='myusername'
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: transition from state
STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client -
awaiting CFG_set
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC
3706): enabled
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL
one-time password
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH
challenge with user='myusername'
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: transition from state
STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client -
awaiting CFG_set
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC
3706): enabled
Mar 24 13:18:06 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:06 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:06 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:06 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL
one-time password
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH
challenge with user='myusername'
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: transition from state
STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client -
awaiting CFG_set
Mar 24 13:18:06 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC
3706): enabled
Mar 24 13:18:08 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: Unsupported XAUTH basic
attribute 32136?? received.
Mar 24 13:18:08 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL
one-time password
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: XAUTH: No username or password
request was received.
Mar 24 13:18:16 vpn pluto[2817]: "cisco" #1: next payload type of ISAKMP
Hash Payload has an unknown value: 231
Mar 24 13:18:16 vpn pluto[2817]: "cisco" #1: malformed payload in packet
Mar 24 13:18:24 vpn pluto[2817]: "cisco" #1: next payload type of ISAKMP
Hash Payload has an unknown value: 231
Mar 24 13:18:24 vpn pluto[2817]: "cisco" #1: malformed payload in packet
Mar 24 13:18:32 vpn pluto[2817]: "cisco" #1: next payload type of ISAKMP
Hash Payload has an unknown value: 231
Mar 24 13:18:32 vpn pluto[2817]: "cisco" #1: malformed payload in packet
Mar 24 13:18:40 vpn pluto[2817]: "cisco" #1: received Delete SA payload:
self-deleting ISAKMP State #1
Mar 24 13:18:40 vpn pluto[2817]: packet from IP_address_of_Cisco_ASA:4500:
received and ignored empty informational notification payload


Previously I used vpnc, which handled OTP passwords fine in the above-mentioned
setup, but was unable to hold the VPN connection for longer periods.
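As an added example, not from the original post or from Libreswan: a small Python parser that splits pluto log lines like the ones above into XAUTH rounds and reports the first round the client could not answer. The sample log is constructed from the lines quoted in the post; the field names and the `stalled_round` heuristic are assumptions of this example.

```python
import re
# Constructed sample pluto log, modelled on the lines quoted in the post above.
SAMPLE_LOG = """\
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:08 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: Unsupported XAUTH basic attribute 32136?? received.
Mar 24 13:18:08 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:08 vpn pluto[2817]: "cisco" #1: XAUTH: No username or password request was received.
"""

ROUND_START = re.compile(r"Received Cisco XAUTH type: (\w+)")
# (pattern, field): every field is a list so repeated lines within one round are kept
FIELDS = [
    (re.compile(r"Received Cisco XAUTH (username|password|message)$"), "attrs"),
    (re.compile(r"XAUTH Message: (.+)$"), "prompt"),
    (re.compile(r"Answering XAUTH challenge with user='([^']*)'"), "answered_as"),
    (re.compile(r"Unsupported XAUTH basic attribute (\S+) received"), "unsupported"),
    (re.compile(r"(No username or password request was received)"), "no_request"),
]

def parse_xauth_rounds(log_text):
    """Each 'Received Cisco XAUTH type:' line opens a round; attribute, prompt,
    answer and error lines that follow are attached to the current round."""
    rounds, cur = [], None
    for line in log_text.splitlines():
        if (m := ROUND_START.search(line)):
            cur = {"type": m.group(1), **{key: [] for _, key in FIELDS}}
            rounds.append(cur)
        elif cur is not None:
            for pat, key in FIELDS:
                if (m := pat.search(line)):
                    cur[key].append(m.group(1))
                    break
    return rounds

def stalled_round(rounds):
    """1-based index of the first round with a prompt pluto did not answer, else None."""
    for i, r in enumerate(rounds, 1):
        if r["no_request"] or (r["prompt"] and not r["answered_as"]):
            return i
    return None
```

On the sample it reports round 3 as the stall: rounds 1 and 2 were answered without any prompt to the operator, while round 3 carried the OTP prompt together with an attribute pluto logged as unsupported.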