On Wed, 18 Mar 2020, MN Lists wrote:
> Typically, as soon as I sent the message some progress was made. I was able to
> get phase1 up with 'ipsec auto --up <conn>' and the IKE ID was recognized as a
> USER FQDN. It seems as if it is the NetworkManager plugin that is not able to
> send it as the correct type.
I'll have to check into this. Could you perhaps file a separate bug
report for that on bugs.libreswan.org (or github)?
> Now, I'm having XAuth problems; I can get ipsec to prompt for a username by
> leaving out leftusername but it doesn't prompt for a password.
try: ipsec whack --initiate --name <conn>
You can also, if you put the leftusername= back, add the password to
/etc/ipsec.secrets using:

@yourxauthname : XAUTH "password"
> I have tried to modify the remote-peer-type parameter but only the value
> 'cisco' seems to be recognized.
> Here are some messages from ipsec:
>
> 004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
> {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> 041 "conn" #1: Synapse_libre prompt for Username:
> Enter username: user
> 002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
> 004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set
> {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> 010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
Seems the other end did not send a password request. Something else might be
wrong. You have to ask the other endpoint what error they see.
Paul
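Added illustration, not part of the thread and not libreswan's own code: a small Python
parser for the whack status lines quoted above that reports where the XAuth exchange
stalled. It assumes only the message layout visible in the quoted output (a three-digit
code, the quoted connection name, the SA number, then the message text) and that code 041
lines are the interactive prompts, which is what the quoted exchange shows. The sample
input is the thread's output re-typed as a constant.

```python
import re

# Constructed sample input: the whack output quoted in the thread, re-typed here.
SAMPLE_OUTPUT = """\
004 "conn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
{auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
041 "conn" #1: Synapse_libre prompt for Username:
Enter username: user
002 "conn" #1: XAUTH: Answering XAUTH challenge with user='user'
004 "conn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set
{auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
010 "conn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
"""

# Layout assumed from the quoted lines: NNN "conn" #SA: message
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r"^(STATE_[A-Z0-9_]+)")


def parse_whack_output(text):
    """Return one dict per whack message.

    Lines without the code prefix (wrapped continuations such as the
    '{auth=...}' line, or the typed 'Enter username:' echo) are appended to
    the previous message so that nothing is silently dropped.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append({
                "code": m.group("code"),
                "conn": m.group("conn"),
                "sa": int(m.group("sa")),
                "msg": m.group("msg"),
            })
        elif records:
            records[-1]["msg"] += " " + line
    return records


def diagnose_xauth(records):
    """Summarise how far the XAuth client exchange got.

    The verdict distinguishes the case in the thread (username sent, then
    retransmissions in STATE_XAUTH_I1 with no password prompt) from a normal
    exchange where the server did ask for a password.
    """
    last_state = None
    username_prompted = False
    password_prompted = False
    retransmits = 0
    for rec in records:
        sm = STATE_RE.match(rec["msg"])
        if sm:
            last_state = sm.group(1)
        low = rec["msg"].lower()
        # Assumption: code 041 is pluto asking whack for interactive input.
        if rec["code"] == "041" and "username" in low:
            username_prompted = True
        if rec["code"] == "041" and "password" in low:
            password_prompted = True
        if "retransmission" in low:
            retransmits += 1

    if last_state == "STATE_XAUTH_I1" and username_prompted and not password_prompted:
        verdict = "stuck in XAuth: username was sent but no password request arrived"
    elif password_prompted:
        verdict = "password prompt received: XAuth exchange reached the password step"
    else:
        verdict = "no XAuth prompt seen in this output"

    return {
        "last_state": last_state,
        "username_prompted": username_prompted,
        "password_prompted": password_prompted,
        "retransmits": retransmits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose_xauth(parse_whack_output(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

Feeding it the output of `ipsec whack --initiate --name <conn>` (or the lines pasted
above) gives the "stuck in XAuth" verdict, which is the hint to go and check the other
endpoint's logs rather than the local secrets.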
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan