Hi,
Just a short update on this issue. Today I managed to setup a SecurID
authenticated IKEv2 tunnel
from my Strongswan Linux client to our ScreenOS gateway.
I've been struggling a lot with this over the last days mostly because I have
limited knowledge
of RADIUS and EAP. Anyway after testing different EAP methods one by one, it
has shown that
the missing piece was the EAP-GTC method and plugin which seems to deal with
token passwords.
I still have to find a way to implement dynamic prompting for the OTP, maybe a
wrapper script
could deal with that...
Cheers,
/Mikael
On 2020-04-01 19:35, Noel Kuntze wrote:
> Hi,
>
> AFAIR it doesn't/can't. I'm not sure though. You'd have to check.
>
> Kind regards
>
> Noel
>
> Am 01.04.20 um 19:26 schrieb mnli...@frimail.net:
>> Hi,
>>
>> But the NetworkManager plugin could prompt for a passcode couldn't it?
>>
>> Best regards,
>>
>> /Mikael
>>
>> On 2020-04-01 19:19, Noel Kuntze wrote:
>>> Hi,
>>>
>>> Yw.
>>>
>>> There's also no support for dynamic prompting for EAP credentials.
>>> I envisioned to implement that using VICI some time later. It'd be the
>>> natural choice.
>>> Switching to IKEv2 won't solve the problem for you right now.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> Am 01.04.20 um 19:10 schrieb Mikael Nordstrom:
>>>> OK,
>>>>
>>>> Thanks anyway for the quick reply.
>>>>
>>>> The Juniper has IKEv2 support and the RSA SecurID box has a built-in
>>>> radius server
>>>> so maybe that is the way to go with this.
>>>>
>>>> Thanks again,
>>>>
>>>> /Mikael
>>>>
>>>> On 2020-04-01 18:30, Noel Kuntze wrote:
>>>>> Hi,
>>>>>
>>>>> There's just no frontend to ask dynamically for such credentials yet.
>>>>> You'd need to implement that, then you can dynamically prompt for the
>>>>> passcode (after hooking up X_CODE the same way as X_USER is). Other than
>>>>> that, there are no provisions for X_CODE or anything else. The code base
>>>>> wouldn't be extended particularly for X_CODE because IKEv1 is deprecated.
>>>>>
>>>>> Kind regards
>>>>>
>>>>> Noel
>>>>>
>>>>> Am 01.04.20 um 18:22 schrieb MN Lists:
>>>>>> Hi,
>>>>>>
>>>>>> This is my first message to the list so sorry in advance if the answer
>>>>>> is obvious or well-known.
>>>>>> Also, sorry if my terminology is messed up, hopefully you will
>>>>>> understand my issue.
>>>>>>
>>>>>> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then
>>>>>> XAuth authentication
>>>>>> towards an RSA SecurID box. SecurID is an MFA implementation with
>>>>>> hardware tokens that display
>>>>>> a new 6-digit number every 60 seconds.
>>>>>>
>>>>>> Clients can connect to it from Mac OS X with a client called NCP Secure
>>>>>> Entry and from Windows
>>>>>> with the Shrewsoft client. In the past vpnc on Linux was working but as
>>>>>> it has not been developed
>>>>>> since a long time and doesn't support newer algorithms, I'm looking for
>>>>>> an alternative and
>>>>>> Strongswan looks promising.
>>>>>>
>>>>>> So far I have been able to get IKE phase1 up but it fails on XAuth. It
>>>>>> looks as if the gateway
>>>>>> is sending a request for X_USER and X_CODE but charon is responding with
>>>>>> just X_USER. Here is
>>>>>> a log excerpt:
>>>>>>
>>>>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of
>>>>>> 'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
>>>>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
>>>>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
>>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet:
>>>>>> from 212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
>>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
>>>>>> 3123281050 => 16 bytes @ 0x7f0304001ed0
>>>>>>