[Swan] Libreswan and USER FQDN IKE IDs
Paul Wouters
paul at nohats.ca
Thu Mar 19 18:02:17 UTC 2020
On Wed, 18 Mar 2020, MN Lists wrote:
> Typically, as soon as I sent the message some progress was made. I was able to get phase1 up with
> 'ipsec auto --up <conn>' and the IKE ID was recognized as a USER FQDN. It seems as if it is the
> NetworkManager plugin that is not able to send it as the correct type.
I'll have to check into this. Could you perhaps file a separate bug
report for that on bugs.libreswan.org (or github)?
> Now, I'm having XAuth problems; I can get ipsec to prompt for a username by leaving out leftusername
> but it doesn't prompt for a password.
try: ipsec whack --initiate --name <conn>
You can also, if you put the leftusername= back, add the password to
/etc/ipsec.secrets using:
@yourxauthname : XAUTH "password"
> I have tried to modify the remote-peer-type parameter but only the value 'cisco' seems to be recognized.
> Here are some messages from ipsec:
> 004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> 041 "conn" #1: Synapse_libre prompt for Username:
> Enter username: user
> 002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
> 004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> 010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
Seems the other end did not send a password request. Something else
might be wrong. You have to ask the other endpoint what error they
see.
Paul
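The diagnosis above (phase 1 up, username answered, then endless retransmits in STATE_XAUTH_I1 because no password request ever arrived) can be read mechanically from the whack status lines. The following is an added example, not code from the thread or from Libreswan: it parses the quoted status lines (constructed sample below) and reports where the XAuth exchange stalled per connection. The `NNN "conn" #N: message` line shape and the `prompt for <Name>:` wording are taken from the lines quoted in the thread; treating a `prompt for Password:` line as the password challenge is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: the status lines quoted in the thread. The bare
# "Enter username:" echo is whack's interactive output, not a status line.
SAMPLE_LOG = """\
004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
041 "conn" #1: Synapse_libre prompt for Username:
Enter username: user
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
"""

STATUS_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def parse_status_lines(text: str) -> List[Dict[str, str]]:
    """Parse 'NNN "conn" #N: message' lines; skip anything else (prompt echoes, blanks)."""
    events = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def _verdict(r: Dict[str, object]) -> str:
    if not r["isakmp_established"]:
        return "phase 1 (ISAKMP SA) never came up"
    if "Password" in r["prompts"]:  # assumed wording of the password challenge
        return "password challenge received; XAuth progressed past I1"
    if r["last_state"] == "STATE_XAUTH_I1" and r["retransmissions"]:
        return ("stalled in STATE_XAUTH_I1: username sent but no password request "
                "arrived from the peer; check the remote endpoint's logs")
    return "no XAuth failure pattern detected"

def diagnose_xauth(text: str) -> Dict[str, Dict[str, object]]:
    """Summarise, per connection, how far the XAuth exchange got and why it stalled."""
    report: Dict[str, Dict[str, object]] = {}
    for ev in parse_status_lines(text):
        r = report.setdefault(ev["conn"], {"isakmp_established": False, "prompts": [],
                                           "answered_user": None, "last_state": None,
                                           "retransmissions": 0, "verdict": ""})
        msg = ev["msg"]
        state = re.match(r"(STATE_\w+):", msg)          # leading state tag, if any
        if state:
            r["last_state"] = state.group(1)
        if "ISAKMP SA established" in msg:
            r["isakmp_established"] = True
        prompt = re.search(r"prompt for (\w+):", msg)    # which XAuth attribute was asked for
        if prompt:
            r["prompts"].append(prompt.group(1))
        answered = re.search(r"Answering XAUTH challenge with user='([^']*)'", msg)
        if answered:
            r["answered_user"] = answered.group(1)
        if "retransmission" in msg:
            r["retransmissions"] += 1
    for r in report.values():
        r["verdict"] = _verdict(r)
    return report
```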