<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 2020-03-18 14:08, MN Lists wrote:<br>
</div>
<blockquote type="cite"
cite="mid:28669cf7-759a-7256-e3e8-3b5c8b5d9221@frimail.net">
<pre class="moz-quote-pre" wrap="">Hi,
This is my first message to the list so sorry in advance if the answer is obvious or well-known.
Also, sorry if my terminology is messed up, hopefully you will understand my issue.
I have a Juniper ScreenOS gateway that does IKEv1 VPNs with PSK and XAuth towards an RSA SecurID
box. SecurID is a MFA implementation with hardware tokens that display a new 6-digit number every
60 seconds.
Clients can connect to it from Mac OS X with a client called NCP Secure Entry and from Windows
with the Shrewsoft client. In the past vpnc on Linux was working but as it is not developed
since a long time and doesn't support newer algorithms, I'm looking for an alternative and
Libreswan looks promising especially since it has a plugin for NetworkManager.
My testing is done on Ubuntu 19.10 with libreswan 3.29 and the plugin built from the GNOME github
repository.
My problem is that the GW expects a USER FQDN IKE ID in the form <a class="moz-txt-link-abbreviated" href="mailto:user@example.com">user@example.com</a> but it looks
as if libreswan is sending a regular FQDN. I've also tried with Strongswan's charon-cmd whith
which I'm getting a little further. Here are thew relevant lines from the GW log:
charon-cmd:
## 2020-03-18 12:30:28 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
## 2020-03-18 12:30:28 : IKE<1.2.3.4> Catcher: get 479 bytes. src port 15906
## 2020-03-18 12:30:28 : IKE<0.0.0.0 > ISAKMP msg: len 475, nxp 1[SA], exch 4[AG], flag 00
## 2020-03-18 12:30:28 : IKE<1.2.3.4 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID]
## 2020-03-18 12:30:28 : valid id checking, id type:U-FQDN, len:23.
## 2020-03-18 12:30:28 : IKE<1.2.3.4> Receive Id in AG mode, id-type=3, <a class="moz-txt-link-abbreviated" href="mailto:id=user@example.com">id=user@example.com</a>, idlen = 15
libreswan:
## 2020-03-17 17:09:21 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
## 2020-03-17 17:09:21 : IKE<1.2.3.4> Catcher: get 540 bytes. src port 500
## 2020-03-17 17:09:21 : IKE<0.0.0.0 > ISAKMP msg: len 540, nxp 1[SA], exch 4[AG], flag 00
## 2020-03-17 17:09:21 : IKE<1.2.3.4 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 2020-03-17 17:09:21 : [VID] [VID]
## 2020-03-17 17:09:21 : valid id checking, id type:FQDN, len:23.
## 2020-03-17 17:09:21 : IKE<0.0.0.0 > Validate (512): SA/60 KE/260 NONCE/36 ID/23 VID/20 VID/12 VID/20 VID/20 VID/20
## 2020-03-17 17:09:21 : IKE<1.2.3.4> Receive Id in AG mode, id-type=2, <a class="moz-txt-link-abbreviated" href="mailto:id=user@example.com">id=user@example.com</a>, idlen = 15
My question is if Libreswan supports USER FQDN IKE IDs in an IKEv1 PSK scenario and if so, how to specify it
in the leftid (client side) parameter?
Many thanks,
/Mikael
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">Typically, as soon as I sent the message some progress was made. I was able to get phase1 up with
'ipsec auto --up <conn>' and the IKE ID was recognized as a USER FQDN. It seems as if it is the
NetworkManager plugin that is not able to send it as the correct type.
Now, I'm having XAuth problems; I can get ipsec to prompt for a username by leaving out leftusername
but it doesn't prompt for a password. Also, it looks as if ipsec beleives that the gateway is a cisco.
I have tried to modify the remote-peer-type parameter but only the value 'cisco' seems to be recognized.
Here are some messages from ipsec:
<code>004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
041 "conn" #1: Synapse_libre prompt for Username:</code>
Enter username: user
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: Received Cisco XAUTH status: FAIL
002 "conn" #1: xauth: xauth_client_ackstatus() returned STF_OK
002 "conn" #1: XAUTH: aborting entire IKE Exchange
036 "conn" #1: encountered fatal error in state STATE_XAUTH_I1
Here is my conf for completeness:
conn conn
left=%defaultroute
right=5.6.7.8
initial-contact=yes
auto=add
ike=aes256-sha2;modp2048
ikev2=no
phase2=esp
phase2alg=aes256-sha2;modp2048
leftid=[<a class="moz-txt-link-abbreviated" href="mailto:user@example.com">user@example.com</a>]
authby=secret
leftxauthclient=yes
rightxauthserver=yes
# leftusername=user
leftmodecfgclient=yes
rightmodecfgserver=yes
aggressive=yes
salifetime=1d
ikelifetime=24h
ike-frag=yes
Any advice on how to continue troubleshooting this is greatly appriciated.
/Mikael</pre>
</body>
</html>