Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,
Just a short update on this issue. Today I managed to setup a SecurID
authenticated IKEv2 tunnel
from my Strongswan Linux client to our ScreenOS gateway.
I've been struggling a lot with this over the last days mostly because I have
limited knowledge
of RADIUS and EAP. Anyway after testing different EAP methods one by one, it
has shown that
the missing piece was the EAP-GTC method and plugin which seems to deal with
token passwords.
I still have to find a way to implement dynamic prompting for the OTP, maybe a
wrapper script
could deal with that...
Cheers,
/Mikael
On 2020-04-01 19:35, Noel Kuntze wrote:
> Hi,
>
> AFAIR it doesn't/can't. I'm not sure though. You'd have to check.
>
> Kind regards
>
> Noel
>
> Am 01.04.20 um 19:26 schrieb mnli...@frimail.net:
>> Hi,
>>
>> But the NetworkManager plugin could prompt for a passcode couldn't it?
>>
>> Best regards,
>>
>> /Mikael
>>
>> On 2020-04-01 19:19, Noel Kuntze wrote:
>>> Hi,
>>>
>>> Yw.
>>>
>>> There's also no support for dynamic prompting for EAP credentials.
>>> I envisioned to implement that using VICI some time later. It'd be the
>>> natural choice.
>>> Switching to IKEv2 won't solve the problem for you right now.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> Am 01.04.20 um 19:10 schrieb Mikael Nordstrom:
OK,
Thanks anyway for the quick reply.
The Juniper has IKEv2 support and the RSA SecurID box has a built-in
radius server
so maybe that is the way to go with this.
Thanks again,
/Mikael
On 2020-04-01 18:30, Noel Kuntze wrote:
> Hi,
>
> There's just no frontend to ask dynamically for such credentials yet.
> You'd need to implement that, then you can dynamically prompt for the
> passcode (after hooking up X_CODE the same way as X_USER is). Other than
> that, there are no provisions for X_CODE or anything else. The code base
> wouldn't be extended particularly for X_CODE because IKEv1 is deprecated.
>
> Kind regards
>
> Noel
>
> Am 01.04.20 um 18:22 schrieb MN Lists:
>> Hi,
>>
>> This is my first message to the list so sorry in advance if the answer
>> is obvious or well-known.
>> Also, sorry if my terminology is messed up, hopefully you will
>> understand my issue.
>>
>> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then
>> XAuth authentication
>> towards an RSA SecurID box. SecurID is an MFA implementation with
>> hardware tokens that display
>> a new 6-digit number every 60 seconds.
>>
>> Clients can connect to it from Mac OS X with a client called NCP Secure
>> Entry and from Windows
>> with the Shrewsoft client. In the past vpnc on Linux was working but as
>> it has not been developed
>> since a long time and doesn't support newer algorithms, I'm looking for
>> an alternative and
>> Strongswan looks promising.
>>
>> So far I have been able to get IKE phase1 up but it fails on XAuth. It
>> looks as if the gateway
>> is sending a request for X_USER and X_CODE but charon is responding with
>> just X_USER. Here is
>> a log excerpt:
>>
>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of
>> 'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet:
>> from 212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
>> 3123281050 => 16 bytes @ 0x7f0304001ed0
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 51 2C 54 DC
>> D7 31 2D 5F 5D 84 00 10 81 42 88 2B Q,T..1-_]B.+
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION
>> request 3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
>> 0x7f03040026b0
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 87 1C CA 53
>> F3 1A 81 40 E3 68 E8 78 EA 1C CF CE ...S...@.h.x
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6
>> 8C 1B E7 F3 CA DD 50 DC F7 60 97 DD .SP..`..
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
>> 3123281050 => 16 bytes @ 0x7f02f8005600
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 33 C2 3E 9C
>> 64 14 4C 87 85 C2 1B 26 45 84 2D FF 3.>.d.L
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
>> 0x7f0304001ed0
>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: CB A7 62 8F
>> 3F E0 98 7B 92 75 7F AE 70 B6 E4 0C ..b.?..{.u..p...
>> apr 01 17:48:11 phoenix
Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,
AFAIR it doesn't/can't. I'm not sure though. You'd have to check.
Kind regards
Noel
Am 01.04.20 um 19:26 schrieb mnli...@frimail.net:
> Hi,
>
> But the NetworkManager plugin could prompt for a passcode couldn't it?
>
> Best regards,
>
> /Mikael
>
> On 2020-04-01 19:19, Noel Kuntze wrote:
>> Hi,
>>
>> Yw.
>>
>> There's also no support for dynamic prompting for EAP credentials.
>> I envisioned to implement that using VICI some time later. It'd be the
>> natural choice.
>> Switching to IKEv2 won't solve the problem for you right now.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 01.04.20 um 19:10 schrieb Mikael Nordstrom:
>>> OK,
>>>
>>> Thanks anyway for the quick reply.
>>>
>>> The Juniper has IKEv2 support and the RSA SecurID box has a built-in radius
>>> server
>>> so maybe that is the way to go with this.
>>>
>>> Thanks again,
>>>
>>> /Mikael
>>>
>>> On 2020-04-01 18:30, Noel Kuntze wrote:
Hi,
There's just no frontend to ask dynamically for such credentials yet.
You'd need to implement that, then you can dynamically prompt for the
passcode (after hooking up X_CODE the same way as X_USER is). Other than
that, there are no provisions for X_CODE or anything else. The code base
wouldn't be extended particularly for X_CODE because IKEv1 is deprecated.
Kind regards
Noel
Am 01.04.20 um 18:22 schrieb MN Lists:
> Hi,
>
> This is my first message to the list so sorry in advance if the answer is
> obvious or well-known.
> Also, sorry if my terminology is messed up, hopefully you will understand
> my issue.
>
> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then
> XAuth authentication
> towards an RSA SecurID box. SecurID is an MFA implementation with
> hardware tokens that display
> a new 6-digit number every 60 seconds.
>
> Clients can connect to it from Mac OS X with a client called NCP Secure
> Entry and from Windows
> with the Shrewsoft client. In the past vpnc on Linux was working but as
> it has not been developed
> since a long time and doesn't support newer algorithms, I'm looking for
> an alternative and
> Strongswan looks promising.
>
> So far I have been able to get IKE phase1 up but it fails on XAuth. It
> looks as if the gateway
> is sending a request for X_USER and X_CODE but charon is responding with
> just X_USER. Here is
> a log excerpt:
>
> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of
> 'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet:
> from 212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
> 3123281050 => 16 bytes @ 0x7f0304001ed0
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 51 2C 54 DC D7
> 31 2D 5F 5D 84 00 10 81 42 88 2B Q,T..1-_]B.+
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION
> request 3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
> 0x7f03040026b0
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 87 1C CA 53 F3
> 1A 81 40 E3 68 E8 78 EA 1C CF CE ...S...@.h.x
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6 8C
> 1B E7 F3 CA DD 50 DC F7 60 97 DD .SP..`..
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
> 3123281050 => 16 bytes @ 0x7f02f8005600
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 33 C2 3E 9C 64
> 14 4C 87 85 C2 1B 26 45 84 2D FF 3.>.d.L
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
> 0x7f0304001ed0
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: CB A7 62 8F 3F
> E0 98 7B 92 75 7F AE 70 B6 E4 0C ..b.?..{.u..p...
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: 9E B8 66 14 91
> 79 63 45 5C 9E B1 EF FD B3 5F B9 ..f..ycE\._.
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating
> TRANSACTION response 3123281050 [ HASH CPRP(X_USER) ]
>
> Relevant swanctl authentication and secret sections are:
>
> connections {
> conn1 {
> local-2 {
> auth = xauth-generic
> xauth_id = xauthuser
> }
> }
> }
>
> secrets {
> xauth-1 {
> id-1 = xauthuser
> secret = 1234556677
> }
>
> Is this a well known deficiency in strongswan or is there some
> configuration that can make
> this work?
Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,
Yw.
There's also no support for dynamic prompting for EAP credentials.
I envisioned to implement that using VICI some time later. It'd be the natural
choice.
Switching to IKEv2 won't solve the problem for you right now.
Kind regards
Noel
Am 01.04.20 um 19:10 schrieb Mikael Nordstrom:
> OK,
>
> Thanks anyway for the quick reply.
>
> The Juniper has IKEv2 support and the RSA SecurID box has a built-in radius
> server
> so maybe that is the way to go with this.
>
> Thanks again,
>
> /Mikael
>
> On 2020-04-01 18:30, Noel Kuntze wrote:
>> Hi,
>>
>> There's just no frontend to ask dynamically for such credentials yet. You'd
>> need to implement that, then you can dynamically prompt for the passcode
>> (after hooking up X_CODE the same way as X_USER is). Other than that, there
>> are no provisions for X_CODE or anything else. The code base wouldn't be
>> extended particularly for X_CODE because IKEv1 is deprecated.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 01.04.20 um 18:22 schrieb MN Lists:
>>> Hi,
>>>
>>> This is my first message to the list so sorry in advance if the answer is
>>> obvious or well-known.
>>> Also, sorry if my terminology is messed up, hopefully you will understand
>>> my issue.
>>>
>>> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then
>>> XAuth authentication
>>> towards an RSA SecurID box. SecurID is an MFA implementation with hardware
>>> tokens that display
>>> a new 6-digit number every 60 seconds.
>>>
>>> Clients can connect to it from Mac OS X with a client called NCP Secure
>>> Entry and from Windows
>>> with the Shrewsoft client. In the past vpnc on Linux was working but as it
>>> has not been developed
>>> since a long time and doesn't support newer algorithms, I'm looking for an
>>> alternative and
>>> Strongswan looks promising.
>>>
>>> So far I have been able to get IKE phase1 up but it fails on XAuth. It
>>> looks as if the gateway
>>> is sending a request for X_USER and X_CODE but charon is responding with
>>> just X_USER. Here is
>>> a log excerpt:
>>>
>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of
>>> 'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet: from
>>> 212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
>>> 3123281050 => 16 bytes @ 0x7f0304001ed0
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 51 2C 54 DC D7
>>> 31 2D 5F 5D 84 00 10 81 42 88 2B Q,T..1-_]B.+
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION
>>> request 3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
>>> 0x7f03040026b0
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 87 1C CA 53 F3
>>> 1A 81 40 E3 68 E8 78 EA 1C CF CE ...S...@.h.x
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6 8C
>>> 1B E7 F3 CA DD 50 DC F7 60 97 DD .SP..`..
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
>>> 3123281050 => 16 bytes @ 0x7f02f8005600
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 33 C2 3E 9C 64
>>> 14 4C 87 85 C2 1B 26 45 84 2D FF 3.>.d.L
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
>>> 0x7f0304001ed0
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: CB A7 62 8F 3F
>>> E0 98 7B 92 75 7F AE 70 B6 E4 0C ..b.?..{.u..p...
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: 9E B8 66 14 91
>>> 79 63 45 5C 9E B1 EF FD B3 5F B9 ..f..ycE\._.
>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating TRANSACTION
>>> response 3123281050 [ HASH CPRP(X_USER) ]
>>>
>>> Relevant swanctl authentication and secret sections are:
>>>
>>> connections {
>>> conn1 {
>>> local-2 {
>>> auth = xauth-generic
>>> xauth_id = xauthuser
>>> }
>>> }
>>> }
>>>
>>> secrets {
>>> xauth-1 {
>>> id-1 = xauthuser
>>> secret = 1234556677
>>> }
>>>
>>> Is this a well known deficiency in strongswan or is there some
>>> configuration that can make
>>> this work?
>>>
>>> I'm happy to supply any further information that could help resolve this.
>>>
>>> Many thanks,
>>> /Mikael
>>>
>>
signature.asc
Description: OpenPGP digital signature
Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,
But the NetworkManager plugin could prompt for a passcode couldn't it?
Best regards,
/Mikael
On 2020-04-01 19:19, Noel Kuntze wrote:
> Hi,
>
> Yw.
>
> There's also no support for dynamic prompting for EAP credentials.
> I envisioned to implement that using VICI some time later. It'd be the
> natural choice.
> Switching to IKEv2 won't solve the problem for you right now.
>
> Kind regards
>
> Noel
>
> Am 01.04.20 um 19:10 schrieb Mikael Nordstrom:
>> OK,
>>
>> Thanks anyway for the quick reply.
>>
>> The Juniper has IKEv2 support and the RSA SecurID box has a built-in radius
>> server
>> so maybe that is the way to go with this.
>>
>> Thanks again,
>>
>> /Mikael
>>
>> On 2020-04-01 18:30, Noel Kuntze wrote:
>>> Hi,
>>>
>>> There's just no frontend to ask dynamically for such credentials yet. You'd
>>> need to implement that, then you can dynamically prompt for the passcode
>>> (after hooking up X_CODE the same way as X_USER is). Other than that, there
>>> are no provisions for X_CODE or anything else. The code base wouldn't be
>>> extended particularly for X_CODE because IKEv1 is deprecated.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> Am 01.04.20 um 18:22 schrieb MN Lists:
Hi,
This is my first message to the list so sorry in advance if the answer is
obvious or well-known.
Also, sorry if my terminology is messed up, hopefully you will understand
my issue.
I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then
XAuth authentication
towards an RSA SecurID box. SecurID is an MFA implementation with hardware
tokens that display
a new 6-digit number every 60 seconds.
Clients can connect to it from Mac OS X with a client called NCP Secure
Entry and from Windows
with the Shrewsoft client. In the past vpnc on Linux was working but as it
has not been developed
since a long time and doesn't support newer algorithms, I'm looking for an
alternative and
Strongswan looks promising.
So far I have been able to get IKE phase1 up but it fails on XAuth. It
looks as if the gateway
is sending a request for X_USER and X_CODE but charon is responding with
just X_USER. Here is
a log excerpt:
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of
'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet: from
212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
3123281050 => 16 bytes @ 0x7f0304001ed0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 51 2C 54 DC D7
31 2D 5F 5D 84 00 10 81 42 88 2B Q,T..1-_]B.+
apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION
request 3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
0x7f03040026b0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 87 1C CA 53 F3
1A 81 40 E3 68 E8 78 EA 1C CF CE ...S...@.h.x
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6 8C
1B E7 F3 CA DD 50 DC F7 60 97 DD .SP..`..
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
3123281050 => 16 bytes @ 0x7f02f8005600
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 33 C2 3E 9C 64
14 4C 87 85 C2 1B 26 45 84 2D FF 3.>.d.L
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
0x7f0304001ed0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: CB A7 62 8F 3F
E0 98 7B 92 75 7F AE 70 B6 E4 0C ..b.?..{.u..p...
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: 9E B8 66 14 91
79 63 45 5C 9E B1 EF FD B3 5F B9 ..f..ycE\._.
apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating
TRANSACTION response 3123281050 [ HASH CPRP(X_USER) ]
Relevant swanctl authentication and secret sections are:
connections {
conn1 {
local-2 {
auth = xauth-generic
xauth_id = xauthuser
}
}
}
secrets {
xauth-1 {
id-1 = xauthuser
secret = 1234556677
}
Is this a well known deficiency in strongswan or is there some
configuration that can make
this work?
I'm happy to supply any further information that could help resolve this.
Many thanks,
/Mikael
>>>
>
Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,
There's just no frontend to ask dynamically for such credentials yet. You'd
need to implement that, then you can dynamically prompt for the passcode (after
hooking up X_CODE the same way as X_USER is). Other than that, there are no
provisions for X_CODE or anything else. The code base wouldn't be extended
particularly for X_CODE because IKEv1 is deprecated.
Kind regards
Noel
Am 01.04.20 um 18:22 schrieb MN Lists:
> Hi,
>
> This is my first message to the list so sorry in advance if the answer is
> obvious or well-known.
> Also, sorry if my terminology is messed up, hopefully you will understand my
> issue.
>
> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then
> XAuth authentication
> towards an RSA SecurID box. SecurID is an MFA implementation with hardware
> tokens that display
> a new 6-digit number every 60 seconds.
>
> Clients can connect to it from Mac OS X with a client called NCP Secure Entry
> and from Windows
> with the Shrewsoft client. In the past vpnc on Linux was working but as it
> has not been developed
> since a long time and doesn't support newer algorithms, I'm looking for an
> alternative and
> Strongswan looks promising.
>
> So far I have been able to get IKE phase1 up but it fails on XAuth. It looks
> as if the gateway
> is sending a request for X_USER and X_CODE but charon is responding with just
> X_USER. Here is
> a log excerpt:
>
> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of
> 'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet: from
> 212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
> 3123281050 => 16 bytes @ 0x7f0304001ed0
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 51 2C 54 DC D7 31
> 2D 5F 5D 84 00 10 81 42 88 2B Q,T..1-_]B.+
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION
> request 3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
> 0x7f03040026b0
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 87 1C CA 53 F3 1A
> 81 40 E3 68 E8 78 EA 1C CF CE ...S...@.h.x
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6 8C 1B
> E7 F3 CA DD 50 DC F7 60 97 DD .SP..`..
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID
> 3123281050 => 16 bytes @ 0x7f02f8005600
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 33 C2 3E 9C 64 14
> 4C 87 85 C2 1B 26 45 84 2D FF 3.>.d.L
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
> 0x7f0304001ed0
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: CB A7 62 8F 3F E0
> 98 7B 92 75 7F AE 70 B6 E4 0C ..b.?..{.u..p...
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: 9E B8 66 14 91 79
> 63 45 5C 9E B1 EF FD B3 5F B9 ..f..ycE\._.
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating TRANSACTION
> response 3123281050 [ HASH CPRP(X_USER) ]
>
> Relevant swanctl authentication and secret sections are:
>
> connections {
> conn1 {
> local-2 {
> auth = xauth-generic
> xauth_id = xauthuser
> }
> }
> }
>
> secrets {
> xauth-1 {
> id-1 = xauthuser
> secret = 1234556677
> }
>
> Is this a well known deficiency in strongswan or is there some configuration
> that can make
> this work?
>
> I'm happy to supply any further information that could help resolve this.
>
> Many thanks,
> /Mikael
>
signature.asc
Description: OpenPGP digital signature
[strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,
This is my first message to the list so sorry in advance if the answer is
obvious or well-known.
Also, sorry if my terminology is messed up, hopefully you will understand my
issue.
I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then XAuth
authentication
towards an RSA SecurID box. SecurID is an MFA implementation with hardware
tokens that display
a new 6-digit number every 60 seconds.
Clients can connect to it from Mac OS X with a client called NCP Secure Entry
and from Windows
with the Shrewsoft client. In the past vpnc on Linux was working but as it has
not been developed
since a long time and doesn't support newer algorithms, I'm looking for an
alternative and
Strongswan looks promising.
So far I have been able to get IKE phase1 up but it fails on XAuth. It looks as
if the gateway
is sending a request for X_USER and X_CODE but charon is responding with just
X_USER. Here is
a log excerpt:
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of
'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet: from
212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050
=> 16 bytes @ 0x7f0304001ed0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 51 2C 54 DC D7 31 2D
5F 5D 84 00 10 81 42 88 2B Q,T..1-_]B.+
apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION request
3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
0x7f03040026b0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 87 1C CA 53 F3 1A 81
40 E3 68 E8 78 EA 1C CF CE ...S...@.h.x
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6 8C 1B E7
F3 CA DD 50 DC F7 60 97 DD .SP..`..
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050
=> 16 bytes @ 0x7f02f8005600
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: 33 C2 3E 9C 64 14 4C
87 85 C2 1B 26 45 84 2D FF 3.>.d.L
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
0x7f0304001ed0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]0: CB A7 62 8F 3F E0 98
7B 92 75 7F AE 70 B6 E4 0C ..b.?..{.u..p...
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: 9E B8 66 14 91 79 63
45 5C 9E B1 EF FD B3 5F B9 ..f..ycE\._.
apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating TRANSACTION
response 3123281050 [ HASH CPRP(X_USER) ]
Relevant swanctl authentication and secret sections are:
connections {
conn1 {
local-2 {
auth = xauth-generic
xauth_id = xauthuser
}
}
}
secrets {
xauth-1 {
id-1 = xauthuser
secret = 1234556677
}
Is this a well known deficiency in strongswan or is there some configuration
that can make
this work?
I'm happy to supply any further information that could help resolve this.
Many thanks,
/Mikael
signature.asc
Description: OpenPGP digital signature
