Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,

Just a short update on this issue. Today I managed to set up a SecurID-authenticated IKEv2 tunnel from my Strongswan Linux client to our ScreenOS gateway. I've been struggling a lot with this over the last days, mostly because I have limited knowledge of RADIUS and EAP. Anyway, after testing different EAP methods one by one, it has shown that the missing piece was the EAP-GTC method and plugin, which seems to deal with token passwords. I still have to find a way to implement dynamic prompting for the OTP, maybe a wrapper script could deal with that...

Cheers,
/Mikael

On 2020-04-01 19:35, Noel Kuntze wrote:
> Hi,
>
> AFAIR it doesn't/can't. I'm not sure though. You'd have to check.
>
> Kind regards
>
> Noel
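The update above leaves one thing open: prompting for the OTP at connect time, which Noel earlier said would naturally be done over VICI. The script below is an added example of that wrapper idea; it is not strongSwan's own tooling and not code from anyone in the thread. It assumes the `vici` Python package shipped in strongSwan's source tree is installed, that charon listens on the default VICI socket, and that swanctl.conf already holds an IKEv2 connection (the names `conn1`, `net`, `xauthuser` and the key handle `otp-xauthuser` are placeholders taken or derived from the thread) whose client side uses `auth = eap-gtc` with `eap_id = xauthuser`. The passcode is loaded as a one-shot EAP secret, the connection is initiated, and the secret is unloaded again whether or not the exchange succeeds.

```python
#!/usr/bin/env python3
"""Prompt for a SecurID passcode, hand it to charon over VICI as a one-shot
EAP secret, initiate the IKEv2/EAP-GTC connection, then drop the secret.

Added example, not strongSwan's own tooling. Assumptions:
  * the `vici` Python package from strongSwan's source tree is installed
    and charon listens on the default VICI socket;
  * swanctl.conf has a connection CONN with a child CHILD (both names are
    hypothetical), client-side `auth = eap-gtc` and `eap_id = EAP_ID`.
"""
import getpass

CONN = "conn1"              # hypothetical IKE_SA config name (from the thread)
CHILD = "net"               # hypothetical CHILD_SA config name
EAP_ID = "xauthuser"        # identity presented in EAP-GTC
KEY_ID = "otp-" + EAP_ID    # handle so the secret can be unloaded again


def validate_passcode(code):
    """SecurID passcodes are PIN + tokencode, so only reject empty input,
    surrounding whitespace and non-printable characters; do not assume a
    fixed length."""
    return bool(code) and code == code.strip() and code.isprintable() and " " not in code


def eap_secret(identity, passcode, key_id=KEY_ID):
    """VICI load-shared message: an EAP secret owned by `identity`, which is
    what the eap-gtc client plugin looks up to answer the GTC challenge."""
    return {"id": key_id, "type": "EAP", "data": passcode, "owners": [identity]}


def unload_message(key_id=KEY_ID):
    """VICI unload-shared message for the same handle."""
    return {"id": key_id}


def initiate_message(conn=CONN, child=CHILD, timeout_ms=30000):
    """VICI initiate message; loglevel 1 streams charon's IKE log lines back."""
    return {"ike": conn, "child": child, "timeout": timeout_ms, "loglevel": 1}


def connect_with_otp(session, identity=EAP_ID, conn=CONN, child=CHILD,
                     prompt=getpass.getpass, out=print):
    """Prompt, load, initiate, unload. The passcode only exists in charon's
    credential set for the duration of the exchange, so a reconnect has to
    ask the user for a fresh tokencode, which is the property a one-time
    passcode should have. Returns the number of log lines streamed back by
    charon; vici raises CommandException if initiation fails."""
    code = prompt("SecurID passcode for %s: " % identity)
    if not validate_passcode(code):
        raise ValueError("empty or malformed passcode")
    session.load_shared(eap_secret(identity, code))
    try:
        lines = 0
        for event in session.initiate(initiate_message(conn, child)):
            # the vici library returns message values as bytes
            msg = event.get("msg", b"")
            out(msg.decode("utf-8", "replace") if isinstance(msg, bytes) else msg)
            lines += 1
        return lines
    finally:
        session.unload_shared(unload_message())


if __name__ == "__main__":
    import vici  # imported lazily so the helpers above work without charon
    connect_with_otp(vici.Session())
```

Run as a script it prompts once, and a rejected passcode surfaces as a `vici.exception.CommandException` from `initiate`; the `finally` block still removes the secret in that case, so a wrong or expired tokencode never lingers in charon for a later retry. The message-building functions are kept separate from the socket calls so they can be checked without a running daemon.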
Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,

AFAIR it doesn't/can't. I'm not sure though. You'd have to check.

Kind regards

Noel

On 01.04.20 at 19:26, mnli...@frimail.net wrote:
> Hi,
>
> But the NetworkManager plugin could prompt for a passcode, couldn't it?
>
> Best regards,
>
> /Mikael
Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,

Yw.

There's also no support for dynamic prompting for EAP credentials. I envisioned implementing that using VICI some time later. It'd be the natural choice.
Switching to IKEv2 won't solve the problem for you right now.

Kind regards

Noel

On 01.04.20 at 19:10, Mikael Nordstrom wrote:
> OK,
>
> Thanks anyway for the quick reply.
>
> The Juniper has IKEv2 support and the RSA SecurID box has a built-in RADIUS server, so maybe that is the way to go with this.
>
> Thanks again,
>
> /Mikael
Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,

But the NetworkManager plugin could prompt for a passcode, couldn't it?

Best regards,

/Mikael

On 2020-04-01 19:19, Noel Kuntze wrote:
> Hi,
>
> Yw.
>
> There's also no support for dynamic prompting for EAP credentials. I envisioned implementing that using VICI some time later. It'd be the natural choice.
> Switching to IKEv2 won't solve the problem for you right now.
>
> Kind regards
>
> Noel
Re: [strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,

There's just no frontend to ask dynamically for such credentials yet. You'd need to implement that, then you can dynamically prompt for the passcode (after hooking up X_CODE the same way as X_USER is). Other than that, there are no provisions for X_CODE or anything else. The code base wouldn't be extended particularly for X_CODE because IKEv1 is deprecated.

Kind regards

Noel

On 01.04.20 at 18:22, MN Lists wrote:
> Hi,
>
> This is my first message to the list so sorry in advance if the answer is obvious or well-known.
> Also, sorry if my terminology is messed up, hopefully you will understand my issue.
>
> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then XAuth authentication towards an RSA SecurID box. SecurID is an MFA implementation with hardware tokens that display a new 6-digit number every 60 seconds.
>
> Clients can connect to it from Mac OS X with a client called NCP Secure Entry and from Windows with the Shrewsoft client. In the past vpnc on Linux was working but as it has not been developed for a long time and doesn't support newer algorithms, I'm looking for an alternative and Strongswan looks promising.
>
> So far I have been able to get IKE phase 1 up but it fails on XAuth. It looks as if the gateway is sending a request for X_USER and X_CODE but charon is responding with just X_USER. Here is a log excerpt:
>
> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of 'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet: from 212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050 => 16 bytes @ 0x7f0304001ed0
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]  0: 51 2C 54 DC D7 31 2D 5F 5D 84 00 10 81 42 88 2B  Q,T..1-_]B.+
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION request 3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @ 0x7f03040026b0
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]  0: 87 1C CA 53 F3 1A 81 40 E3 68 E8 78 EA 1C CF CE  ...S...@.h.x
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6 8C 1B E7 F3 CA DD 50 DC F7 60 97 DD  .SP..`..
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050 => 16 bytes @ 0x7f02f8005600
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]  0: 33 C2 3E 9C 64 14 4C 87 85 C2 1B 26 45 84 2D FF  3.>.d.L
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @ 0x7f0304001ed0
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]  0: CB A7 62 8F 3F E0 98 7B 92 75 7F AE 70 B6 E4 0C  ..b.?..{.u..p...
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: 9E B8 66 14 91 79 63 45 5C 9E B1 EF FD B3 5F B9  ..f..ycE\._.
> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating TRANSACTION response 3123281050 [ HASH CPRP(X_USER) ]
>
> Relevant swanctl authentication and secret sections are:
>
> connections {
>     conn1 {
>         local-2 {
>             auth = xauth-generic
>             xauth_id = xauthuser
>         }
>     }
> }
>
> secrets {
>     xauth-1 {
>         id-1 = xauthuser
>         secret = 1234556677
>     }
> }
>
> Is this a well known deficiency in strongswan or is there some configuration that can make this work?
>
> I'm happy to supply any further information that could help resolve this.
>
> Many thanks,
> /Mikael
[strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute
Hi,

This is my first message to the list so sorry in advance if the answer is obvious or well-known.
Also, sorry if my terminology is messed up, hopefully you will understand my issue.

I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then XAuth authentication towards an RSA SecurID box. SecurID is an MFA implementation with hardware tokens that display a new 6-digit number every 60 seconds.

Clients can connect to it from Mac OS X with a client called NCP Secure Entry and from Windows with the Shrewsoft client. In the past vpnc on Linux was working but as it has not been developed for a long time and doesn't support newer algorithms, I'm looking for an alternative and Strongswan looks promising.

So far I have been able to get IKE phase 1 up but it fails on XAuth. It looks as if the gateway is sending a request for X_USER and X_CODE but charon is responding with just X_USER. Here is a log excerpt:

apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of 'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet: from 212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050 => 16 bytes @ 0x7f0304001ed0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]  0: 51 2C 54 DC D7 31 2D 5F 5D 84 00 10 81 42 88 2B  Q,T..1-_]B.+
apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION request 3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @ 0x7f03040026b0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]  0: 87 1C CA 53 F3 1A 81 40 E3 68 E8 78 EA 1C CF CE  ...S...@.h.x
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6 8C 1B E7 F3 CA DD 50 DC F7 60 97 DD  .SP..`..
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050 => 16 bytes @ 0x7f02f8005600
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]  0: 33 C2 3E 9C 64 14 4C 87 85 C2 1B 26 45 84 2D FF  3.>.d.L
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @ 0x7f0304001ed0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]  0: CB A7 62 8F 3F E0 98 7B 92 75 7F AE 70 B6 E4 0C  ..b.?..{.u..p...
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: 9E B8 66 14 91 79 63 45 5C 9E B1 EF FD B3 5F B9  ..f..ycE\._.
apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating TRANSACTION response 3123281050 [ HASH CPRP(X_USER) ]

Relevant swanctl authentication and secret sections are:

connections {
    conn1 {
        local-2 {
            auth = xauth-generic
            xauth_id = xauthuser
        }
    }
}

secrets {
    xauth-1 {
        id-1 = xauthuser
        secret = 1234556677
    }
}

Is this a well known deficiency in strongswan or is there some configuration that can make this work?

I'm happy to supply any further information that could help resolve this.

Many thanks,
/Mikael