[Swan] Libreswan and USER FQDN IKE IDs
paul at nohats.ca
Sat Mar 21 01:32:51 UTC 2020
On Fri, 20 Mar 2020, MN Lists wrote:
>> try: ipsec whack --initiate --name <con>
>> You can also, if you put the leftusername= back, add the password to
>> /etc/ipsec.secrets using:
>> @yourxauthname : XAUTH "password"
> Both these actions gave the same result.
>> Seems the other end did not send a password request. Something else
>> might be wrong. You have to ask the other endpoint what error they
> After diving in to the logs, I found the following:
> Mar 20 11:07:49.073524: | Received Cisco XAUTH type: Generic
> Mar 20 11:07:49.073529: | ****parse ISAKMP ModeCfg attribute:
> Mar 20 11:07:49.073533: | ModeCfg attr type: XAUTH-USER-NAME (0x4089)
> Mar 20 11:07:49.073538: | length/value: 0 (0x0)
> Mar 20 11:07:49.073542: | Received Cisco XAUTH username
> Mar 20 11:07:49.073547: | ****parse ISAKMP ModeCfg attribute:
> Mar 20 11:07:49.073551: | ModeCfg attr type: XAUTH-PASSCODE (0x408b)
> Mar 20 11:07:49.073556: | length/value: 0 (0x0)
> Mar 20 11:07:49.073561: | Unsupported XAUTH (inI0) long attribute XAUTH-PASSCODE received.
> It looks like the gateway is sending a request for an XAUTH-PASSCODE attribute which ipsec does
> not support.
Based on https://tools.ietf.org/html/draft-beaulieu-ike-xauth-02#section-6.2
it looks like it is expecting some kind of OTP reply from a hardware or
software token, and not a static password? So in that case you cannot
store the password in the secrets file.
Is your password static? We could patch the code to handle
XAUTH-PASSCODE the same as XAUTH-USER-PASSWORD ? That would
allow you to put it in the secrets file if static, and allow
you to type it in using ipsec whack --initiate --name <conn>
> I have a lot of logs from the gateway and pluto on this exchange but wasn't sure how you prefer to
> get them on this mailing list, attachments, pastebin or just paste them in the mail?
That is not needed, you picked out the right information above.
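As an added example (not libreswan code and not part of the thread), the following Python decodes an ISAKMP ModeCfg attribute list of the kind shown in the pluto log above and tells the two cases apart: a gateway requesting XAUTH-USER-PASSWORD, which a stored secret can answer, versus one requesting XAUTH-PASSCODE, which the draft reserves for a token passcode. The attribute codes come from draft-beaulieu-ike-xauth-02 section 6.1 and the TV/TLV layout from RFC 2408 section 3.3; the two payloads are constructed, not captured, and the `passcode_as_password` switch in `build_reply` only illustrates the "treat PASSCODE like USER-PASSWORD" idea floated in the reply. Function names are mine.

```python
"""Decode an XAUTH (ModeCfg) attribute request and decide what credential
the gateway wants.  Added example; not libreswan's implementation."""
import struct

# XAUTH attribute types, draft-beaulieu-ike-xauth-02 section 6.1
XAUTH_TYPE          = 0x4088
XAUTH_USER_NAME     = 0x4089
XAUTH_USER_PASSWORD = 0x408a
XAUTH_PASSCODE      = 0x408b
XAUTH_MESSAGE       = 0x408c
XAUTH_CHALLENGE     = 0x408d
XAUTH_DOMAIN        = 0x408e
XAUTH_STATUS        = 0x408f
XAUTH_NEXT_PIN      = 0x4090
XAUTH_ANSWER        = 0x4091

ATTR_NAMES = {
    XAUTH_TYPE: "XAUTH-TYPE", XAUTH_USER_NAME: "XAUTH-USER-NAME",
    XAUTH_USER_PASSWORD: "XAUTH-USER-PASSWORD", XAUTH_PASSCODE: "XAUTH-PASSCODE",
    XAUTH_MESSAGE: "XAUTH-MESSAGE", XAUTH_CHALLENGE: "XAUTH-CHALLENGE",
    XAUTH_DOMAIN: "XAUTH-DOMAIN", XAUTH_STATUS: "XAUTH-STATUS",
    XAUTH_NEXT_PIN: "XAUTH-NEXT-PIN", XAUTH_ANSWER: "XAUTH-ANSWER",
}
# XAUTH-TYPE values, draft section 6.2
XAUTH_TYPE_NAMES = {0: "Generic", 1: "RADIUS-CHAP", 2: "OTP", 3: "S/KEY"}

AF_BIT = 0x8000  # RFC 2408 3.3: set = short TV attribute, clear = long TLV


def parse_attributes(payload):
    """Return [(attr_type, value_bytes, is_long)].  A short attribute carries
    a 2-byte value in its header; a long one carries a length then that many
    bytes.  A long attribute with length 0 is the gateway asking the client
    to fill that attribute in (the "length/value: 0" lines in the log)."""
    attrs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated attribute header")
        attr_type, len_or_val = struct.unpack_from("!HH", payload, off)
        off += 4
        if attr_type & AF_BIT:
            attrs.append((attr_type & ~AF_BIT, struct.pack("!H", len_or_val), False))
        else:
            if off + len_or_val > len(payload):
                raise ValueError("attribute value runs past end of payload")
            attrs.append((attr_type, payload[off:off + len_or_val], True))
            off += len_or_val
    return attrs


def classify_request(payload):
    """Summarise which attributes the gateway wants filled in and whether a
    static secret can satisfy the request (USER-PASSWORD yes, PASSCODE no)."""
    requested, xauth_type = [], None
    for attr_type, value, is_long in parse_attributes(payload):
        if attr_type == XAUTH_TYPE:
            xauth_type = XAUTH_TYPE_NAMES.get(struct.unpack("!H", value)[0], "unknown")
        elif is_long and len(value) == 0:
            requested.append(ATTR_NAMES.get(attr_type, "0x%04x" % attr_type))
    return {
        "xauth_type": xauth_type,
        "requested": requested,
        "needs_passcode": "XAUTH-PASSCODE" in requested,
        "static_secret_ok": ("XAUTH-USER-PASSWORD" in requested
                             and "XAUTH-PASSCODE" not in requested),
    }


def build_reply(payload, username, secret, passcode_as_password=False):
    """Encode the client's reply: echo XAUTH-TYPE, fill USER-NAME and
    USER-PASSWORD.  With passcode_as_password=True a PASSCODE request is
    also filled from `secret` (the patch idea from the reply above, for a
    gateway whose passcode is really static); otherwise it raises, because
    a fresh token value would have to be obtained first."""
    out = b""
    for attr_type, value, is_long in parse_attributes(payload):
        if attr_type == XAUTH_TYPE:
            out += struct.pack("!HH", AF_BIT | XAUTH_TYPE, struct.unpack("!H", value)[0])
        elif attr_type == XAUTH_USER_NAME:
            out += struct.pack("!HH", attr_type, len(username)) + username.encode()
        elif attr_type == XAUTH_USER_PASSWORD:
            out += struct.pack("!HH", attr_type, len(secret)) + secret.encode()
        elif attr_type == XAUTH_PASSCODE:
            if not passcode_as_password:
                raise ValueError("gateway wants a token passcode, not a stored password")
            out += struct.pack("!HH", attr_type, len(secret)) + secret.encode()
        # XAUTH-MESSAGE and the like are informational and are not echoed
    return out


# Constructed payloads (not captured traffic).  LOGGED_REQUEST mirrors the
# attribute sequence in the pluto log: XAUTH-TYPE Generic, then empty
# XAUTH-USER-NAME and XAUTH-PASSCODE requests.
LOGGED_REQUEST = (struct.pack("!HH", AF_BIT | XAUTH_TYPE, 0)
                  + struct.pack("!HH", XAUTH_USER_NAME, 0)
                  + struct.pack("!HH", XAUTH_PASSCODE, 0))
# What a plain password gateway would send instead.
PASSWORD_REQUEST = (struct.pack("!HH", AF_BIT | XAUTH_TYPE, 0)
                    + struct.pack("!HH", XAUTH_USER_NAME, 0)
                    + struct.pack("!HH", XAUTH_USER_PASSWORD, 0))

if __name__ == "__main__":
    print(classify_request(LOGGED_REQUEST))
    print(classify_request(PASSWORD_REQUEST))
    reply = build_reply(LOGGED_REQUEST, "alice", "s3cret", passcode_as_password=True)
    for t, v, _ in parse_attributes(reply):
        print(ATTR_NAMES[t], v)
```

Running it against LOGGED_REQUEST reports `needs_passcode: True` and `static_secret_ok: False`, which is exactly why an `ipsec.secrets` XAUTH entry cannot help with this gateway unless PASSCODE is treated as a password; against PASSWORD_REQUEST the stored secret would do.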