[Swan] Libreswan and USER FQDN IKE IDs

MN Lists mnlists at frimail.net
Sat Mar 21 18:38:07 UTC 2020


On 2020-03-21 02:32, Paul Wouters wrote:
> On Fri, 20 Mar 2020, MN Lists wrote:
> 
>>> try: ipsec whack --initiate --name <con>
>>> You can also, if you put the leftusername= back, add the password to
>>> /etc/ipsec.secrets using:
>>>
>>>     @yourxauthname : XAUTH "password"
>>
>> Both these actions gave the same result.
> 
>>> Seems the other end did not send a password request. Something else
>>> might be wrong. You have to ask the other endpoint what error they
>>> see.
>>
>> After diving into the logs, I found the following:
>> Mar 20 11:07:49.073524: | Received Cisco XAUTH type: Generic
>> Mar 20 11:07:49.073529: | ****parse ISAKMP ModeCfg attribute:
>> Mar 20 11:07:49.073533: |    ModeCfg attr type: XAUTH-USER-NAME (0x4089)
>> Mar 20 11:07:49.073538: |    length/value: 0 (0x0)
>> Mar 20 11:07:49.073542: | Received Cisco XAUTH username
>> Mar 20 11:07:49.073547: | ****parse ISAKMP ModeCfg attribute:
>> Mar 20 11:07:49.073551: |    ModeCfg attr type: XAUTH-PASSCODE (0x408b)
>> Mar 20 11:07:49.073556: |    length/value: 0 (0x0)
>> Mar 20 11:07:49.073561: | Unsupported XAUTH (inI0) long attribute XAUTH-PASSCODE received.
>>
>> It looks like the gateway is sending a request for an XAUTH-PASSCODE
>> attribute which ipsec does not support.
> 
> Based on
> https://tools.ietf.org/html/draft-beaulieu-ike-xauth-02#section-6.2
> it looks like it is expecting some kind of OTP reply from a hardware or
> software token, and not a static password? So in that case you cannot
> store the password in the secrets file.

Correct, in our case the OTP is a concatenation of a 4-8 character
PIN/alphanumeric password and a 6-digit number from an RSA SecurID
hardware token, like this one:
https://en.wikipedia.org/wiki/RSA_SecurID. The number changes every 60
seconds so the passcode entry should preferably be done interactively.
> 
> Is your password static? We could patch the code to handle
> XAUTH-PASSCODE the same as XAUTH-USER-PASSWORD ? That would
> allow you to put it in the secrets file if static, and allow
> you to type it in using ipsec whack --initiate --name <conn>

The passcode is not static. As described above, it consists of a static
part and a dynamic part. If we had to enter it into the secrets file,
it would have to be done within 60 seconds of it changing on the token.
It could be done but it would be rather inconvenient.

/Mikael
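Added example for this thread, not libreswan's own code: a parser for the ISAKMP ModeCfg data-attribute encoding that the log lines above were produced from, using the XAUTH attribute numbers from the draft Paul cites, plus a small classifier (names and return values are my own, not libreswan's) that separates a request answerable from a static secrets file from an XAUTH-PASSCODE request that needs the PIN+token code typed in interactively. Both sample payloads are constructed to mirror the logged exchange.

```python
import struct

# XAUTH attribute types (draft-beaulieu-ike-xauth-02, section 6.2); 0x4089 and
# 0x408b are the two that appear in the libreswan log above.
XAUTH_ATTRS = {0x4088: "XAUTH-TYPE", 0x4089: "XAUTH-USER-NAME",
               0x408A: "XAUTH-USER-PASSWORD", 0x408B: "XAUTH-PASSCODE"}
AF_BIT = 0x8000  # attribute format bit: 1 = TV (16-bit value), 0 = TLV (length + data)


def parse_modecfg_attrs(data: bytes):
    """Walk the data attributes of an ISAKMP ModeCfg payload (RFC 2408 encoding).
    Returns (name, value_bytes) pairs; a TV attribute's value is its 2 bytes."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        raw_type, length_or_value = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = raw_type & ~AF_BIT
        name = XAUTH_ATTRS.get(attr_type, f"UNKNOWN-0x{attr_type:04x}")
        if raw_type & AF_BIT:
            attrs.append((name, struct.pack("!H", length_or_value)))
        else:
            if off + length_or_value > len(data):
                raise ValueError(f"truncated attribute {name}")
            attrs.append((name, data[off:off + length_or_value]))
            off += length_or_value
    if off != len(data):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def credential_source(attrs):
    """An empty XAUTH-USER-PASSWORD can be answered from a static secrets file;
    an empty XAUTH-PASSCODE asks for the PIN+token code, which changes every
    minute and so needs interactive entry (the attribute libreswan rejects above)."""
    requested = {name for name, value in attrs if value == b""}
    if "XAUTH-PASSCODE" in requested:
        return "interactive-otp"
    if "XAUTH-USER-PASSWORD" in requested:
        return "static-secret"
    return "unsupported"

# Constructed sample mirroring the log: XAUTH-TYPE=Generic (TV), then empty
# XAUTH-USER-NAME and XAUTH-PASSCODE requests (TLV with length 0).
PASSCODE_REQUEST = bytes.fromhex("c088 0000 4089 0000 408b 0000")
# Constructed variant in which the gateway asks for a static password instead.
PASSWORD_REQUEST = bytes.fromhex("c088 0000 4089 0000 408a 0000")

if __name__ == "__main__":
    for name, value in parse_modecfg_attrs(PASSCODE_REQUEST):
        print(f"{name}: {value.hex() or '(empty)'}")
    print(credential_source(parse_modecfg_attrs(PASSCODE_REQUEST)))  # interactive-otp
```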