[Swan] Libreswan and USER FQDN IKE IDs

MN Lists mnlists at frimail.net
Wed Mar 18 15:32:40 UTC 2020 

On 2020-03-18 14:08, MN Lists wrote:
> Hi,
>
> This is my first message to the list so sorry in advance if the answer is obvious or well-known.
> Also, sorry if my terminology is messed up, hopefully you will understand my issue.
>
> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with PSK and XAuth towards an RSA SecurID
> box. SecurID is a MFA implementation with hardware tokens that display a new 6-digit number every
> 60 seconds.
>
> Clients can connect to it from Mac OS X with a client called NCP Secure Entry and from Windows
> with the Shrewsoft client. In the past vpnc on Linux was working but as it is not developed
> since a long time and doesn't support newer algorithms, I'm looking for an alternative and
> Libreswan looks promising especially since it has a plugin for NetworkManager.
>
> My testing is done on Ubuntu 19.10 with libreswan 3.29 and the plugin built from the GNOME github
> repository.
>
> My problem is that the GW expects a USER FQDN IKE ID in the form user at example.com but it looks
> as if libreswan is sending a regular FQDN. I've also tried with Strongswan's charon-cmd whith
> which I'm getting a little further. Here are thew relevant lines from the GW log:
>
> charon-cmd:
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4> Catcher: get 479 bytes. src port 15906
> ## 2020-03-18 12:30:28 : IKE<0.0.0.0        >   ISAKMP msg: len 475, nxp 1[SA], exch 4[AG], flag 00 
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4  > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] 
> ## 2020-03-18 12:30:28 : valid id checking, id type:U-FQDN, len:23.
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4> Receive Id in AG mode, id-type=3, id=user at example.com, idlen = 15
>
> libreswan:
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4> Catcher: get 540 bytes. src port 500
> ## 2020-03-17 17:09:21 : IKE<0.0.0.0        >   ISAKMP msg: len 540, nxp 1[SA], exch 4[AG], flag 00 
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4  > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID] 
> ## 2020-03-17 17:09:21 : [VID] [VID] 
> ## 2020-03-17 17:09:21 : valid id checking, id type:FQDN, len:23.
> ## 2020-03-17 17:09:21 : IKE<0.0.0.0        >     Validate (512): SA/60 KE/260 NONCE/36 ID/23 VID/20 VID/12 VID/20 VID/20 VID/20 
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4> Receive Id in AG mode, id-type=2, id=user at example.com, idlen = 15
>
> My question is if Libreswan supports USER FQDN IKE IDs in an IKEv1 PSK scenario and if so, how to specify it
> in the leftid (client side) parameter?
>
> Many thanks,
> /Mikael
>
Typically, as soon as I sent the message some progress was made. I was able to get phase1 up with
'ipsec auto --up <conn>' and the IKE ID was recognized as a USER FQDN. It seems as if it is the
NetworkManager plugin that is not able to send it as the correct type.

Now, I'm having XAuth problems; I can get ipsec to prompt for a username by leaving out leftusername
but it doesn't prompt for a password. Also, it looks as if ipsec beleives that the gateway is a cisco.
I have tried to modify the remote-peer-type parameter but only the value 'cisco' seems to be recognized.
Here are some messages from ipsec:
|004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} 041 "conn" #1: Synapse_libre prompt for Username:|
Enter username:   user
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: Received Cisco XAUTH status: FAIL
002 "conn" #1: xauth: xauth_client_ackstatus() returned STF_OK
002 "conn" #1: XAUTH: aborting entire IKE Exchange
036 "conn" #1: encountered fatal error in state STATE_XAUTH_I1

Here is my conf for completeness:
conn conn
	left=%defaultroute
	right=5.6.7.8
	initial-contact=yes
	auto=add
	ike=aes256-sha2;modp2048
	ikev2=no
	phase2=esp
	phase2alg=aes256-sha2;modp2048
	leftid=[user at example.com]
	authby=secret
	leftxauthclient=yes
	rightxauthserver=yes
#	leftusername=user
	leftmodecfgclient=yes
	rightmodecfgserver=yes
	aggressive=yes
	salifetime=1d
	ikelifetime=24h
	ike-frag=yes

Any advice on how to continue troubleshooting this is greatly appriciated.

/Mikael

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200318/0fefbaf1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200318/0fefbaf1/attachment.sig>

More information about the Swan mailing list