[Swan] XAUTH oddity

Nels Lindquist nlindq at maei.ca
Tue Mar 21 17:23:25 UTC 2017


Anything else I can provide for troubleshooting?  Pluto logs, etc.?
Any suggestions?

----
Nels Lindquist
<nlindq at maei.ca>

On 2017/03/16 11:30 AM, Nels Lindquist wrote:
> So I was working on trying to set up A/D integrated RADIUS 
> authentication for XAUTH on our production gateway; pure pam 
> systemauth authentication was working fine.  However, at a certain 
> point (without making any changes to libreswan config) the XAUTH 
> connections stopped working entirely, and I haven't been able to 
> resolve the issue.
> 
> All other tunnels (including L2TP roadwarriors) continue to work
> fine, but all incoming XAUTH connections fail at the point when the
> request for XAUTH credentials is made:
> 
> Mar 16 11:24:07 yeggate pluto[21352]: "xauth-rsa"[1] 184.151.222.0 
> #15: XAUTH: Sending Username/Password request (XAUTH_R0)
> 
> No response is received from the client (Shrew Soft VPN on Windows
> 7).
> 
> I've restarted clients, restarted ipsec, deleted and re-added 
> connection definitions, etc. all to no avail.  The clients are able
> to connect to two other test setups on different networks with no 
> difficulty, and I can find no relevant differences
> configuration-wise. I tried setting xauthby to "alwaysok" but the
> behaviour is the same.
> 
> I'm leaning toward some odd kernel state which might be resolved by
> a reboot, but it's our production gateway and that will be
> problematic. In the event anyone has any other ideas, I'm game to
> try them...
> 
> LibreSWAN 3.19 running on CentOS 6, by the way.
> 
> ---- Nels Lindquist <nlindq at maei.ca> 