Hi, This is my first message to the list so sorry in advance if the answer is obvious or well-known. Also, sorry if my terminology is messed up, hopefully you will understand my issue.
I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then XAuth
authentication
towards an RSA SecurID box. SecurID is an MFA implementation with hardware
tokens that display
a new 6-digit number every 60 seconds.
Clients can connect to it from Mac OS X with a client called NCP Secure Entry
and from Windows
with the Shrewsoft client. In the past vpnc on Linux was working but as it has
not been developed
since a long time and doesn't support newer algorithms, I'm looking for an
alternative and
Strongswan looks promising.
So far I have been able to get IKE phase1 up but it fails on XAuth. It looks as
if the gateway
is sending a request for X_USER and X_CODE but charon is responding with just
X_USER. Here is
a log excerpt:
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of
'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet: from
212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050
=> 16 bytes @ 0x7f0304001ed0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 0: 51 2C 54 DC D7 31 2D
5F 5D 84 00 10 81 42 88 2B Q,T..1-_]....B.+
apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION request
3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
0x7f03040026b0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 0: 87 1C CA 53 F3 1A 81
40 E3 68 E8 78 EA 1C CF CE ...S...@.h.x....
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6 8C 1B E7
F3 CA DD 50 DC F7 60 97 DD .S........P..`..
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050
=> 16 bytes @ 0x7f02f8005600
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 0: 33 C2 3E 9C 64 14 4C
87 85 C2 1B 26 45 84 2D FF 3.>.d.L....&E.-.
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @
0x7f0304001ed0
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 0: CB A7 62 8F 3F E0 98
7B 92 75 7F AE 70 B6 E4 0C ..b.?..{.u..p...
apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: 9E B8 66 14 91 79 63
45 5C 9E B1 EF FD B3 5F B9 ..f..ycE\....._.
apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating TRANSACTION
response 3123281050 [ HASH CPRP(X_USER) ]
Relevant swanctl authentication and secret sections are:
connections {
conn1 {
local-2 {
auth = xauth-generic
xauth_id = xauthuser
}
}
}
secrets {
xauth-1 {
id-1 = xauthuser
secret = 1234556677
}
Is this a well known deficiency in strongswan or is there some configuration
that can make
this work?
I'm happy to supply any further information that could help resolve this.
Many thanks,
/Mikael
signature.asc
Description: OpenPGP digital signature
