[Swan] Multiple xauth rounds and Libreswan as a client

Paul Wouters paul at nohats.ca
Wed Apr 8 21:42:54 EEST 2015


On Tue, 24 Mar 2015, LAmbono Bono wrote:

> I know that it is possible to configure Libreswan to be a VPN server supporting multiple xauth rounds. But does it work also when
> Libreswan is in the client role?

Yes. I use it daily to connect to the redhat.com Cisco :)

We also have test cases, look at xauth-pluto-13 to xauth-pluto-16 at:

https://github.com/libreswan/libreswan/tree/master/testing/pluto

> My VPN server is Cisco ASA and my client is Libreswan version 3.12. The server is using OTP, and the generated OTP password is sent to me by
> email.
> I think that during the first xauth round a user password is automatically used, after which an OTP password is required. I'm stuck at this
> step, as I do not get a prompt from Libreswan to enter that OTP password.

> I initiate VPN connection using:
> ipsec auto --up cisco

That should prompt, unless you have specified an XAUTH password in
ipsec.secrets.

> conn cisco
>     # fill in your groupname and username
>     leftid=@mygroupname
>     leftxauthusername=myusername
>     #
>     # The proposals have to match exactly or the cisco stops talking
>     ike=aes128-sha1;modp1024
>     esp=aes128-sha1;modp1024
>     right=IP_address_of_Cisco_ASA
>     initial_contact=yes
>     aggrmode=yes
>     authby=secret
>     left=%defaultroute
>     leftxauthclient=yes
>     leftmodecfgclient=yes
>     remote_peer_type=cisco
>     rightxauthserver=yes
>     rightmodecfgserver=yes
>     salifetime=24h
>     ikelifetime=1h
>     dpdaction=restart
>     dpdtimeout=60
>     dpddelay=30

That looks correct. You can try adding ike-frag=force and ikepad=no

> Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled
> Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
> Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH username
> Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH password
> Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
> Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled
> Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
> Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH password
> Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH message
> Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
> Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH username
> Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH password
> Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH message
> Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
> Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
> Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled

Odd. It should have prompted you. Can you try leaving out
leftxauthusername= and see if you get prompted?

If this is wrapped in a script, be sure you have stdin/stdout or else
whack will detect you cannot input the values and skip it.

Paul
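A small diagnostic for the log pattern discussed in this thread, added here as an example and not code from the thread or from Libreswan: it groups pluto log lines into XAUTH rounds and flags a server text prompt that the client answered immediately, which is what the log above shows for the second (OTP) round. The sample lines, the year and the two-second "typed by a human" threshold are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the pluto log format quoted in the thread: a first
# XAUTH round with a plain username/password exchange, then a second round
# that carries a text prompt for the one-time password.
SAMPLE_LOG = """\
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
"""

# Syslog-style prefix, then the pluto connection name, SA number and message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def xauth_rounds(log_text, year=2015, min_human_delay=2.0):
    """Group pluto log lines into XAUTH rounds.

    A round ends at each 'Answering XAUTH challenge' line. If the server sent
    an 'XAUTH Message:' text prompt since the previous answer, it is attached
    to the round with the delay between prompt and answer. A prompt answered
    in under min_human_delay seconds was almost certainly filled in from
    stored credentials rather than typed, i.e. the prompt never reached the
    user (the symptom reported in the thread). Year is assumed because the
    syslog timestamp carries none.
    """
    rounds, prompt, prompt_at = [], None, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m['msg']
        if msg.startswith("XAUTH Message: "):
            prompt, prompt_at = msg[len("XAUTH Message: "):], ts
        elif msg.startswith("XAUTH: Answering XAUTH challenge"):
            delay = (ts - prompt_at).total_seconds() if prompt_at else None
            rounds.append({
                "conn": m['conn'], "sa": int(m['sa']), "round": len(rounds) + 1,
                "prompt": prompt, "delay_s": delay,
                "likely_auto_answered": prompt is not None and delay < min_human_delay,
            })
            prompt, prompt_at = None, None
    return rounds

if __name__ == "__main__":
    for r in xauth_rounds(SAMPLE_LOG):
        print(r)
```

Run it against `/var/log/secure` or wherever pluto logs on your system; a flagged round means the stored XAUTH password (or a non-interactive whack) answered a prompt that should have gone to the user.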

