[Swan] Libreswan and USER FQDN IKE IDs

Wed Mar 18 13:08:22 UTC 2020

Hi,

This is my first message to the list so sorry in advance if the answer is obvious or well-known.
Also, sorry if my terminology is messed up, hopefully you will understand my issue.

I have a Juniper ScreenOS gateway that does IKEv1 VPNs with PSK and XAuth towards an RSA SecurID
box. SecurID is a MFA implementation with hardware tokens that display a new 6-digit number every
60 seconds.

Clients can connect to it from Mac OS X with a client called NCP Secure Entry and from Windows
with the Shrewsoft client. In the past vpnc on Linux was working but as it is not developed
since a long time and doesn't support newer algorithms, I'm looking for an alternative and
Libreswan looks promising especially since it has a plugin for NetworkManager.

My testing is done on Ubuntu 19.10 with libreswan 3.29 and the plugin built from the GNOME github
repository.

My problem is that the GW expects a USER FQDN IKE ID in the form user at example.com but it looks
as if libreswan is sending a regular FQDN. I've also tried with Strongswan's charon-cmd whith
which I'm getting a little further. Here are thew relevant lines from the GW log:

charon-cmd:
## 2020-03-18 12:30:28 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
## 2020-03-18 12:30:28 : IKE<1.2.3.4> Catcher: get 479 bytes. src port 15906
## 2020-03-18 12:30:28 : IKE<0.0.0.0        >   ISAKMP msg: len 475, nxp 1[SA], exch 4[AG], flag 00 
## 2020-03-18 12:30:28 : IKE<1.2.3.4  > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] 
## 2020-03-18 12:30:28 : valid id checking, id type:U-FQDN, len:23.
## 2020-03-18 12:30:28 : IKE<1.2.3.4> Receive Id in AG mode, id-type=3, id=user at example.com, idlen = 15

libreswan:
## 2020-03-17 17:09:21 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
## 2020-03-17 17:09:21 : IKE<1.2.3.4> Catcher: get 540 bytes. src port 500
## 2020-03-17 17:09:21 : IKE<0.0.0.0        >   ISAKMP msg: len 540, nxp 1[SA], exch 4[AG], flag 00 
## 2020-03-17 17:09:21 : IKE<1.2.3.4  > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID] 
## 2020-03-17 17:09:21 : [VID] [VID] 
## 2020-03-17 17:09:21 : valid id checking, id type:FQDN, len:23.
## 2020-03-17 17:09:21 : IKE<0.0.0.0        >     Validate (512): SA/60 KE/260 NONCE/36 ID/23 VID/20 VID/12 VID/20 VID/20 VID/20 
## 2020-03-17 17:09:21 : IKE<1.2.3.4> Receive Id in AG mode, id-type=2, id=user at example.com, idlen = 15

My question is if Libreswan supports USER FQDN IKE IDs in an IKEv1 PSK scenario and if so, how to specify it
in the leftid (client side) parameter?

Many thanks,
/Mikael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200318/736ffd70/attachment.sig>