[Swan] Libreswan and USER FQDN IKE IDs

MN Lists mnlists at frimail.net
Fri Mar 20 12:58:04 UTC 2020

Thanks Paul,

On 2020-03-19 19:02, Paul Wouters wrote:
> On Wed, 18 Mar 2020, MN Lists wrote:
>> Typically, as soon as I sent the message some progress was made. I was able to get phase1 up with
>> 'ipsec auto --up <conn>' and the IKE ID was recognized as a USER FQDN. It seems as if it is the
>> NetworkManager plugin that is not able to send it as the correct type.
> I'll have to check into this. Could you perhaps file a separate bug
> report for that on bugs.libreswan.org (or github)

I will do that as soon as I finish debugging the ipsec procedure.

>> Now, I'm having XAuth problems; I can get ipsec to prompt for a username by leaving out leftusername
>> but it doesn't prompt for a password.
> try: ipsec whack --initiate --name <con> 
> You can also, if you put the leftusername= back, add the password to
> /etc/ipsec.secrets using:
>     @yourxauthname : XAUTH "password"

Both these actions gave the same result.

>> I have tried to modify the remote-peer-type parameter but only the value 'cisco' seems to be recognized.
>> Here are some messages from ipsec:
>> 004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
>> 041 "conn" #1: Synapse_libre prompt for Username:
>> Enter username:   user
>> 002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
>> 004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
>> 010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
> Seems the other end did not send a password request. Something else
> might be wrong. You have to ask the other endpoint what error they
> see.

After diving into the logs, I found the following:
Mar 20 11:07:49.073524: | Received Cisco XAUTH type: Generic
Mar 20 11:07:49.073529: | ****parse ISAKMP ModeCfg attribute:
Mar 20 11:07:49.073533: |    ModeCfg attr type: XAUTH-USER-NAME (0x4089)
Mar 20 11:07:49.073538: |    length/value: 0 (0x0)
Mar 20 11:07:49.073542: | Received Cisco XAUTH username
Mar 20 11:07:49.073547: | ****parse ISAKMP ModeCfg attribute:
Mar 20 11:07:49.073551: |    ModeCfg attr type: XAUTH-PASSCODE (0x408b)
Mar 20 11:07:49.073556: |    length/value: 0 (0x0)
Mar 20 11:07:49.073561: | Unsupported XAUTH (inI0) long attribute XAUTH-PASSCODE received.

It looks like the gateway is sending a request for an XAUTH-PASSCODE attribute which ipsec does
not support.

I have a lot of logs from the gateway and pluto on this exchange but wasn't sure how you prefer to
get them on this mailing list: attachments, pastebin or just pasted into the mail?

> Paul
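As an added illustration (not code from this thread or from libreswan itself), the following Python decoder walks the ISAKMP ModeCfg attribute encoding behind the debug lines quoted above: it recovers the Generic XAUTH-TYPE, the zero-length XAUTH-USER-NAME request, and flags XAUTH-PASSCODE as a request a username/password client cannot answer. The attribute numbers are the standard XAUTH draft values (0x4089 and 0x408b match the log); the sample bytes are constructed.

```python
import struct

# ISAKMP data attribute (RFC 2408 s.3.3): the high bit (AF) of the 2-byte type marks a
# basic 2-byte value (AF=1) versus a length-prefixed "long" value (AF=0).
AF_BIT = 0x8000

# XAUTH ModeCfg attribute types (draft-ietf-ipsec-isakmp-xauth); 0x4089 and 0x408b are
# the two values that appear in the pluto debug log above.
XAUTH_ATTRS = {
    0x4088: "XAUTH-TYPE", 0x4089: "XAUTH-USER-NAME", 0x408a: "XAUTH-USER-PASSWORD",
    0x408b: "XAUTH-PASSCODE", 0x408c: "XAUTH-MESSAGE", 0x408d: "XAUTH-CHALLENGE",
    0x408e: "XAUTH-DOMAIN", 0x408f: "XAUTH-STATUS",
}
XAUTH_TYPES = {0: "Generic", 1: "RADIUS-CHAP", 2: "OTP", 3: "S/KEY"}
# Credential attributes a plain username/password client can answer.
ANSWERABLE = {"XAUTH-USER-NAME", "XAUTH-USER-PASSWORD"}

def parse_attributes(payload):
    """Decode ISAKMP data attributes into a list of (type, value_bytes) pairs."""
    attrs, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, lv = struct.unpack_from("!HH", payload, off)
        off += 4
        if raw_type & AF_BIT:  # basic attribute: lv is the value itself
            attrs.append((raw_type & ~AF_BIT, struct.pack("!H", lv)))
        else:                  # long attribute: lv is the value length
            if off + lv > len(payload):
                raise ValueError("attribute value runs past end of payload")
            attrs.append((raw_type, payload[off:off + lv]))
            off += lv
    return attrs

def classify_request(payload):
    """Summarise an XAUTH request: auth type, answerable and unsupported attributes."""
    result = {"xauth_type": "Generic", "answerable": [], "unsupported": []}
    for atype, value in parse_attributes(payload):
        name = XAUTH_ATTRS.get(atype, "unknown(0x%04x)" % atype)
        if name == "XAUTH-TYPE":
            result["xauth_type"] = XAUTH_TYPES.get(struct.unpack("!H", value)[0], "unknown")
        elif name in ANSWERABLE:
            result["answerable"].append(name)
        else:
            result["unsupported"].append(name)
    return result

# Constructed sample mirroring the log: XAUTH-TYPE=0 (Generic, basic form), then
# zero-length XAUTH-USER-NAME and XAUTH-PASSCODE long-attribute requests.
SAMPLE_REQUEST = bytes.fromhex("c088" "0000" "4089" "0000" "408b" "0000")
```

Running `classify_request(SAMPLE_REQUEST)` reports XAUTH-USER-NAME as answerable and XAUTH-PASSCODE as unsupported, which is the same conclusion pluto reaches in the log.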
