[Swan] Libreswan and USER FQDN IKE IDs

Paul Wouters paul at nohats.ca
Thu Mar 19 18:02:17 UTC 2020

On Wed, 18 Mar 2020, MN Lists wrote:

> Typically, as soon as I sent the message some progress was made. I was able to get phase1 up with
> 'ipsec auto --up <conn>' and the IKE ID was recognized as a USER FQDN. It seems as if it is the
> NetworkManager plugin that is not able to send it as the correct type.

I'll have to check into this. Could you perhaps file a separate bug
report for that on bugs.libreswan.org (or github)

> Now, I'm having XAuth problems; I can get ipsec to prompt for a username by leaving out leftusername
> but it doesn't prompt for a password.

try: ipsec whack --initiate --name <conn>

You can also, if you put the leftusername= back, add the password to
/etc/ipsec.secrets using:

 	@yourxauthname : XAUTH "password"

> I have tried to modify the remote-peer-type parameter but only the value 'cisco' seems to be recognized.
> Here are some messages from ipsec:
> 004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> 041 "conn" #1: Synapse_libre prompt for Username:
> Enter username:   user
> 002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
> 004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> 010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response

Seems the other end did not send a password request. Something else
might be wrong. You have to ask the other endpoint what error they


More information about the Swan mailing list