Hi, AFAIR it doesn't/can't. I'm not sure though. You'd have to check.
Kind regards Noel Am 01.04.20 um 19:26 schrieb mnli...@frimail.net: > Hi, > > But the NetworkManager plugin could prompt for a passcode couldn't it? > > Best regards, > > /Mikael > > On 2020-04-01 19:19, Noel Kuntze wrote: >> Hi, >> >> Yw. >> >> There's also no support for dynamic prompting for EAP credentials. >> I envisioned to implement that using VICI some time later. It'd be the >> natural choice. >> Switching to IKEv2 won't solve the problem for you right now. >> >> Kind regards >> >> Noel >> >> Am 01.04.20 um 19:10 schrieb Mikael Nordstrom: >>> OK, >>> >>> Thanks anyway for the quick reply. >>> >>> The Juniper has IKEv2 support and the RSA SecurID box has a built-in radius >>> server >>> so maybe that is the way to go with this. >>> >>> Thanks again, >>> >>> /Mikael >>> >>> On 2020-04-01 18:30, Noel Kuntze wrote: >>>> Hi, >>>> >>>> There's just no frontend to ask dynamically for such credentials yet. >>>> You'd need to implement that, then you can dynamically prompt for the >>>> passcode (after hooking up X_CODE the same way as X_USER is). Other than >>>> that, there are no provisions for X_CODE or anything else. The code base >>>> wouldn't be extended particularly for X_CODE because IKEv1 is deprecated. >>>> >>>> Kind regards >>>> >>>> Noel >>>> >>>> Am 01.04.20 um 18:22 schrieb MN Lists: >>>>> Hi, >>>>> >>>>> This is my first message to the list so sorry in advance if the answer is >>>>> obvious or well-known. >>>>> Also, sorry if my terminology is messed up, hopefully you will understand >>>>> my issue. >>>>> >>>>> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then >>>>> XAuth authentication >>>>> towards an RSA SecurID box. SecurID is an MFA implementation with >>>>> hardware tokens that display >>>>> a new 6-digit number every 60 seconds. >>>>> >>>>> Clients can connect to it from Mac OS X with a client called NCP Secure >>>>> Entry and from Windows >>>>> with the Shrewsoft client. In the past vpnc on Linux was working but as >>>>> it has not been developed >>>>> since a long time and doesn't support newer algorithms, I'm looking for >>>>> an alternative and >>>>> Strongswan looks promising. >>>>> >>>>> So far I have been able to get IKE phase1 up but it fails on XAuth. It >>>>> looks as if the gateway >>>>> is sending a request for X_USER and X_CODE but charon is responding with >>>>> just X_USER. Here is >>>>> a log excerpt: >>>>> >>>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of >>>>> 'gw.example.com' with RSA_EMSA_PKCS1_NULL successful >>>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks >>>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet: >>>>> from 212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes) >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID >>>>> 3123281050 => 16 bytes @ 0x7f0304001ed0 >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 0: 51 2C 54 DC D7 >>>>> 31 2D 5F 5D 84 00 10 81 42 88 2B Q,T..1-_]....B.+ >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION >>>>> request 3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ] >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @ >>>>> 0x7f03040026b0 >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 0: 87 1C CA 53 F3 >>>>> 1A 81 40 E3 68 E8 78 EA 1C CF CE ...S...@.h.x.... >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: B3 53 17 C6 8C >>>>> 1B E7 F3 CA DD 50 DC F7 60 97 DD .S........P..`.. >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID >>>>> 3123281050 => 16 bytes @ 0x7f02f8005600 >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 0: 33 C2 3E 9C 64 >>>>> 14 4C 87 85 C2 1B 26 45 84 2D FF 3.>.d.L....&E.-. >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @ >>>>> 0x7f0304001ed0 >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 0: CB A7 62 8F 3F >>>>> E0 98 7B 92 75 7F AE 70 B6 E4 0C ..b.?..{.u..p... >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] 16: 9E B8 66 14 91 >>>>> 79 63 45 5C 9E B1 EF FD B3 5F B9 ..f..ycE\....._. >>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating >>>>> TRANSACTION response 3123281050 [ HASH CPRP(X_USER) ] >>>>> >>>>> Relevant swanctl authentication and secret sections are: >>>>> >>>>> connections { >>>>> conn1 { >>>>> local-2 { >>>>> auth = xauth-generic >>>>> xauth_id = xauthuser >>>>> } >>>>> } >>>>> } >>>>> >>>>> secrets { >>>>> xauth-1 { >>>>> id-1 = xauthuser >>>>> secret = 1234556677 >>>>> } >>>>> >>>>> Is this a well known deficiency in strongswan or is there some >>>>> configuration that can make >>>>> this work? >>>>> >>>>> I'm happy to supply any further information that could help resolve this. >>>>> >>>>> Many thanks, >>>>> /Mikael >>>>> >>>> >>
signature.asc
Description: OpenPGP digital signature