On 2020-03-18 14:08, MN Lists wrote:
> Hi,
>
> This is my first message to the list so sorry in advance if the answer is
> obvious or well-known.
> Also, sorry if my terminology is messed up, hopefully you will understand my
> issue.
>
> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with PSK and XAuth
> towards an RSA SecurID box. SecurID is an MFA implementation with hardware
> tokens that display a new 6-digit number every 60 seconds.
>
> Clients can connect to it from Mac OS X with a client called NCP Secure Entry
> and from Windows with the Shrewsoft client. In the past vpnc on Linux was
> working but as it is not developed since a long time and doesn't support newer
> algorithms, I'm looking for an alternative and Libreswan looks promising
> especially since it has a plugin for NetworkManager.
>
> My testing is done on Ubuntu 19.10 with libreswan 3.29 and the plugin built
> from the GNOME github repository.
>
> My problem is that the GW expects a USER FQDN IKE ID in the form
> [email protected] but it looks as if libreswan is sending a regular FQDN. I've
> also tried with Strongswan's charon-cmd with which I'm getting a little
> further. Here are the relevant lines from the GW log:
>
> charon-cmd:
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4> Catcher: get 479 bytes. src port 15906
> ## 2020-03-18 12:30:28 : IKE<0.0.0.0 > ISAKMP msg: len 475, nxp 1[SA], exch 4[AG], flag 00
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID]
> ## 2020-03-18 12:30:28 : valid id checking, id type:U-FQDN, len:23.
> ## 2020-03-18 12:30:28 : IKE<1.2.3.4> Receive Id in AG mode, id-type=3, [email protected], idlen = 15
>
> libreswan:
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4> Catcher: get 540 bytes. src port 500
> ## 2020-03-17 17:09:21 : IKE<0.0.0.0 > ISAKMP msg: len 540, nxp 1[SA], exch 4[AG], flag 00
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4 > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
> ## 2020-03-17 17:09:21 : [VID] [VID]
> ## 2020-03-17 17:09:21 : valid id checking, id type:FQDN, len:23.
> ## 2020-03-17 17:09:21 : IKE<0.0.0.0 > Validate (512): SA/60 KE/260 NONCE/36 ID/23 VID/20 VID/12 VID/20 VID/20 VID/20
> ## 2020-03-17 17:09:21 : IKE<1.2.3.4> Receive Id in AG mode, id-type=2, [email protected], idlen = 15
>
> My question is if Libreswan supports USER FQDN IKE IDs in an IKEv1 PSK
> scenario and if so, how to specify it in the leftid (client side) parameter?
>
> Many thanks,
> /Mikael

Typically, as soon as I sent the message some progress was made. I was able to
get phase1 up with 'ipsec auto --up <conn>' and the IKE ID was recognized as a
USER FQDN. It seems as if it is the NetworkManager plugin that is not able to
send it as the correct type.
Now, I'm having XAuth problems; I can get ipsec to prompt for a username by
leaving out leftusername but it doesn't prompt for a password. Also, it looks
as if ipsec believes that the gateway is a cisco. I have tried to modify the
remote-peer-type parameter but only the value 'cisco' seems to be recognized.
Here are some messages from ipsec:
004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
041 "conn" #1: Synapse_libre prompt for Username:
Enter username: user
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "conn" #1: Received Cisco XAUTH status: FAIL
002 "conn" #1: xauth: xauth_client_ackstatus() returned STF_OK
002 "conn" #1: XAUTH: aborting entire IKE Exchange
036 "conn" #1: encountered fatal error in state STATE_XAUTH_I1
Here is my conf for completeness:
conn conn
        left=%defaultroute
        right=5.6.7.8
        initial-contact=yes
        auto=add
        ike=aes256-sha2;modp2048
        ikev2=no
        phase2=esp
        phase2alg=aes256-sha2;modp2048
        leftid=[[email protected]]
        authby=secret
        leftxauthclient=yes
        rightxauthserver=yes
        # leftusername=user
        leftmodecfgclient=yes
        rightmodecfgserver=yes
        aggressive=yes
        salifetime=1d
        ikelifetime=24h
        ike-frag=yes
Any advice on how to continue troubleshooting this is greatly appreciated.
/Mikael
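The ID-type mismatch the gateway logs above (charon-cmd arrives as id-type=3, USER_FQDN, while the libreswan NetworkManager connection arrives as id-type=2, FQDN) can be checked mechanically. The following is an added Python example, not code from this thread, from libreswan or from Juniper: it encodes an IKEv1 Phase 1 Identification payload in the RFC 2407 layout, shows why a 15-byte identity gives the 23-byte ID payload reported as ID/23 and len:23 in the gateway log, and flags the wrong ID type in a ScreenOS-style "Receive Id in AG mode" line. The identity bob@example.org and both log lines are constructed placeholders.

```python
import re
import struct
# IKEv1 Phase 1 identification types (RFC 2407 section 4.6.2.1).
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 4: "IPV4_ADDR_SUBNET",
            5: "IPV6_ADDR", 6: "IPV6_ADDR_SUBNET", 9: "DER_ASN1_DN", 11: "KEY_ID"}
ID_FQDN, ID_USER_FQDN = 2, 3

def build_id_payload(id_type, ident, next_payload=0):
    """Encode a Phase 1 ID payload: generic 4-byte header (next payload, reserved,
    length) followed by ID type, protocol ID, port and the identification data."""
    data = ident.encode()
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, 0, 0) + data

def parse_id_payload(raw):
    """Decode an ID payload into its fields, rejecting truncated or mis-sized input."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    nxt, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    return {"next": nxt, "type": ID_TYPES.get(id_type, f"unknown({id_type})"),
            "type_code": id_type, "proto": proto, "port": port, "data": raw[8:]}
# ScreenOS reports the peer identity in a line shaped like the ones quoted in the thread.
RECV_ID_RE = re.compile(r"Receive Id in AG mode, id-type=(\d+), (\S+), idlen = (\d+)")

def check_gateway_log(log, expected_type=ID_USER_FQDN):
    """Compare the ID type the gateway saw with the type it is configured to expect.
    payload_len is the ID payload size the 'valid id checking' / 'Validate' lines show."""
    m = RECV_ID_RE.search(log)
    if m is None:
        raise ValueError("no 'Receive Id in AG mode' line found")
    got, idlen = int(m.group(1)), int(m.group(3))
    return {"got": ID_TYPES.get(got, got), "expected": ID_TYPES[expected_type],
            "identity": m.group(2), "idlen": idlen,
            "payload_len": 8 + idlen, "match": got == expected_type}

# Constructed sample lines modelled on the ScreenOS output quoted in the thread.
CHARON_LINE = ("## 2020-03-18 12:30:28 : IKE<1.2.3.4> Receive Id in AG mode, "
               "id-type=3, bob@example.org, idlen = 15")
LIBRESWAN_LINE = ("## 2020-03-17 17:09:21 : IKE<1.2.3.4> Receive Id in AG mode, "
                  "id-type=2, bob@example.org, idlen = 15")

if __name__ == "__main__":
    for name, line in (("charon-cmd", CHARON_LINE), ("libreswan", LIBRESWAN_LINE)):
        r = check_gateway_log(line)
        print(f"{name}: gateway saw {r['got']}, expects {r['expected']}, "
              f"ID payload {r['payload_len']} bytes, match={r['match']}")
    # The 15-byte identity yields the 23-byte ID payload shown as ID/23 in the log.
    print(parse_id_payload(build_id_payload(ID_USER_FQDN, "bob@example.org")))
```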
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
