[Swan] Libreswan and USER FQDN IKE IDs
MN Lists
mnlists at frimail.net
Wed Mar 18 15:32:40 UTC 2020
On 2020-03-18 14:08, MN Lists wrote:
> Hi,
>
> This is my first message to the list so sorry in advance if the answer is obvious or well-known.
> Also, sorry if my terminology is messed up, hopefully you will understand my issue.
>
> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with PSK and XAuth towards an RSA SecurID
> box. SecurID is a MFA implementation with hardware tokens that display a new 6-digit number every
> 60 seconds.
>
> Clients can connect to it from Mac OS X with a client called NCP Secure Entry and from Windows
> with the Shrewsoft client. In the past vpnc on Linux was working but as it is not developed
> since a long time and doesn't support newer algorithms, I'm looking for an alternative and
> Libreswan looks promising especially since it has a plugin for NetworkManager.
>
> My testing is done on Ubuntu 19.10 with libreswan 3.29 and the plugin built from the GNOME github
> repository.
>
> My problem is that the GW expects a USER FQDN IKE ID in the form user at example.com but it looks
> as if libreswan is sending a regular FQDN. I've also tried with Strongswan's charon-cmd whith
> which I'm getting a little further. Here are thew relevant lines from the GW log:
>
> charon-cmd:
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4> Catcher: get 479 bytes. src port 15906
> ## 2020-03-18 12:30:28 : IKE<0.0.0.0 > ISAKMP msg: len 475, nxp 1[SA], exch 4[AG], flag 00
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID]
> ## 2020-03-18 12:30:28 : valid id checking, id type:U-FQDN, len:23.
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4> Receive Id in AG mode, id-type=3, id=user at example.com, idlen = 15
>
> libreswan:
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4> Catcher: get 540 bytes. src port 500
> ## 2020-03-17 17:09:21 : IKE<0.0.0.0 > ISAKMP msg: len 540, nxp 1[SA], exch 4[AG], flag 00
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
> ## 2020-03-17 17:09:21 : [VID] [VID]
> ## 2020-03-17 17:09:21 : valid id checking, id type:FQDN, len:23.
> ## 2020-03-17 17:09:21 : IKE<0.0.0.0 > Validate (512): SA/60 KE/260 NONCE/36 ID/23 VID/20 VID/12 VID/20 VID/20 VID/20
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4> Receive Id in AG mode, id-type=2, id=user at example.com, idlen = 15
>
> My question is if Libreswan supports USER FQDN IKE IDs in an IKEv1 PSK scenario and if so, how to specify it
> in the leftid (client side) parameter?
>
> Many thanks,
> /Mikael
>
Typically, as soon as I sent the message some progress was made. I was able to get phase1 up with
'ipsec auto --up <conn>' and the IKE ID was recognized as a USER FQDN. It seems as if it is the
NetworkManager plugin that is not able to send it as the correct type.
Now, I'm having XAuth problems; I can get ipsec to prompt for a username by leaving out leftusername
but it doesn't prompt for a password. Also, it looks as if ipsec beleives that the gateway is a cisco.
I have tried to modify the remote-peer-type parameter but only the value 'cisco' seems to be recognized.
Here are some messages from ipsec:
|004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} 041 "conn" #1: Synapse_libre prompt for Username:|
Enter username: user
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: Received Cisco XAUTH status: FAIL
002 "conn" #1: xauth: xauth_client_ackstatus() returned STF_OK
002 "conn" #1: XAUTH: aborting entire IKE Exchange
036 "conn" #1: encountered fatal error in state STATE_XAUTH_I1
Here is my conf for completeness:
conn conn
left=%defaultroute
right=5.6.7.8
initial-contact=yes
auto=add
ike=aes256-sha2;modp2048
ikev2=no
phase2=esp
phase2alg=aes256-sha2;modp2048
leftid=[user at example.com]
authby=secret
leftxauthclient=yes
rightxauthserver=yes
# leftusername=user
leftmodecfgclient=yes
rightmodecfgserver=yes
aggressive=yes
salifetime=1d
ikelifetime=24h
ike-frag=yes
Any advice on how to continue troubleshooting this is greatly appriciated.
/Mikael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200318/0fefbaf1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200318/0fefbaf1/attachment.sig>
More information about the Swan
mailing list