Hi,
I'm trying to get iPads onto our OpenBSD 5.0 wlan which uses IPsec.
In testing, I've noticed the connection is immediately refused during
Phase I (transcript pasted below). Apparently, iPad's in-built VPN
client requests XAUTH authentication, and won't negotiate for anything
else.
After checking man pages and searching online I still haven't found a
way forward. So, my questions here are:
1) Does OpenBSD 5.0 have support for IPsec with XAUTH (65001)
authentication?
1a) If so, will you please point me to a howto, or explain how to
configure IPsec with XAUTH?
1b) If no XAUTH support in 5.0, does OpenBSD 5.1 have it? (We're going
to upgrade our servers to 5.1 pretty soon anyway.)
2) Do we need to use iked(8) instead of isakmpd(8)? Maybe IPsec with
XAUTH is exclusively a feature of IKEv2?
Any help is greatly appreciated!
Ray
############## BEGIN TRANSCRIPT (apologies for the long line length)
$ sudo /sbin/isakmpd -d -L
095834.610716 Default isakmpd: starting [priv]
095834.733211 Default log_packet_init: starting IKE packet capture to
file "/var/run/isakmpd.pcap"
095848.154648 Default message_negotiate_sa: no compatible proposal found
095848.155047 Default dropped message from 192.168.2.128 port 500 due to
notification type NO_PROPOSAL_CHOSEN
^C
095951.010447 Default isakmpd: shutting down...
095951.010546 Default log_packet_stop: stopped capture
095951.010563 Default isakmpd: exit
$ sudo tcpdump -nvs1400 -r /var/run/isakmpd.pcap
09:58:48.154272 192.168.2.128.500 > 192.168.2.254.500: [udp sum ok]
isakmp v1.0 exchange ID_PROT
cookie: 768578d464216a7b->0000000000000000 msgid: 00000000 len: 572
payload: SA len: 292 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 280 proposal: 1 proto: ISAKMP spisz:
0 xforms: 8
payload: TRANSFORM len: 36
transform: 1 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 256
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
payload: TRANSFORM len: 36
transform: 2 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 128
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
payload: TRANSFORM len: 36
transform: 3 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 256
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = MD5
attribute GROUP_DESCRIPTION = MODP_1024
payload: TRANSFORM len: 36
transform: 4 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 128
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = MD5
attribute GROUP_DESCRIPTION = MODP_1024
payload: TRANSFORM len: 32
transform: 5 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
payload: TRANSFORM len: 32
transform: 6 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = MD5
attribute GROUP_DESCRIPTION = MODP_1024
payload: TRANSFORM len: 32
transform: 7 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = DES_CBC
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
payload: TRANSFORM len: 32
transform: 8 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = DES_CBC
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = MD5
attribute GROUP_DESCRIPTION = MODP_1024
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20
payload: VENDOR len: 20 (supports v8 NAT-T,
draft-ietf-ipsec-nat-t-ike-08)
payload: VENDOR len: 20 (supports v7 NAT-T,
draft-ietf-ipsec-nat-t-ike-07)
payload: VENDOR len: 20 (supports v6 NAT-T,
draft-ietf-ipsec-nat-t-ike-06)
payload: VENDOR len: 20 (supports v5 NAT-T,
draft-ietf-ipsec-nat-t-ike-05)
payload: VENDOR len: 20 (supports v4 NAT-T,
draft-ietf-ipsec-nat-t-ike-04)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02\n)
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 12 (supports
draft-ietf-ipsra-isakmp-xauth-06.txt)
payload: VENDOR len: 20 (supports Cisco Unity)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 600)
09:58:48.155198 192.168.2.254.500 > 192.168.2.128.500: [udp sum ok]
isakmp v1.0 exchange INFO
cookie: 2903c1c84721433e->0000000000000000 msgid: 00000000 len: 40
payload: NOTIFICATION len: 12
notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 68)
############## END TRANSCRIPT
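Decoding the proposal in the transcript above, as an added example that is not part of the original post and not OpenBSD's own code: a small Python parser for the tcpdump transform list that names the private-use authentication method 65001 (draft-ietf-ipsec-isakmp-xauth assigns it to XAUTHInitPreShared, the same XAUTH draft the iPad advertises in a VENDOR payload) and runs the transforms against a hypothetical responder policy, so that the output shows each transform being rejected on the authentication method, which is what NO_PROPOSAL_CHOSEN reports. SAMPLE_DUMP is a constructed excerpt of the transcript and RESPONDER_POLICY is an assumed stand-in for whatever an isakmpd.conf permits, not a real isakmpd configuration.

```python
"""Decode an IKEv1 Phase 1 transform list from tcpdump output and show why a
responder that only knows the standard authentication methods answers
NO_PROPOSAL_CHOSEN.  Added example, not code from the original post or from
OpenBSD.  SAMPLE_DUMP is a constructed excerpt of the transcript and
RESPONDER_POLICY is a hypothetical policy."""
import re

# Private-use AUTHENTICATION_METHOD values defined by draft-ietf-ipsec-isakmp-xauth
# (the initiator's VENDOR payload advertises draft-ietf-ipsra-isakmp-xauth-06).
XAUTH_AUTH_METHODS = dict(zip(range(65001, 65011), [
    "XAUTHInitPreShared", "XAUTHRespPreShared", "XAUTHInitDSS", "XAUTHRespDSS",
    "XAUTHInitRSA", "XAUTHRespRSA", "XAUTHInitRSAEncryption", "XAUTHRespRSAEncryption",
    "XAUTHInitRSARevisedEncryption", "XAUTHRespRSARevisedEncryption"]))
# Standard IKEv1 values from RFC 2409 Appendix A (names as tcpdump prints them).
STANDARD_AUTH_METHODS = {1: "PRE_SHARED", 2: "DSS", 3: "RSA_SIG", 4: "RSA_ENC", 5: "RSA_ENC_REV"}

TRANSFORM_RE = re.compile(r"transform:\s*(\d+)\s+ID:\s*ISAKMP")
ATTR_RE = re.compile(r"attribute\s+(\w+)\s*=\s*(\S+)")

# Constructed excerpt: three of the eight transforms from the transcript.
SAMPLE_DUMP = """\
payload: PROPOSAL len: 280 proposal: 1 proto: ISAKMP spisz: 0 xforms: 8
payload: TRANSFORM len: 36
transform: 1 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 256
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
payload: TRANSFORM len: 36
transform: 3 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 256
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = MD5
attribute GROUP_DESCRIPTION = MODP_1024
payload: TRANSFORM len: 32
transform: 7 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = DES_CBC
attribute AUTHENTICATION_METHOD = 65001 (unknown)
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
"""

# Hypothetical responder policy: attribute -> acceptable values.  Attributes not
# listed here (lifetimes, KEY_LENGTH) are not checked by this example.
RESPONDER_POLICY = {
    "AUTHENTICATION_METHOD": {"PRE_SHARED", "RSA_SIG"},
    "ENCRYPTION_ALGORITHM": {"AES_CBC", "3DES_CBC"},   # DES_CBC deliberately excluded
    "HASH_ALGORITHM": {"SHA"},                          # MD5 deliberately excluded
    "GROUP_DESCRIPTION": {"MODP_1024", "MODP_2048"},
}

def parse_transforms(dump):
    """Return one {attribute: value} dict per TRANSFORM payload in the dump."""
    transforms, current = [], None
    for line in dump.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            current = {"transform": int(m.group(1))}
            transforms.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            name, value = m.groups()
            current[name] = int(value) if value.isdigit() else value
    return transforms

def auth_method_name(value):
    """Map a numeric AUTHENTICATION_METHOD to its name; tcpdump already prints the
    standard ones symbolically, so only numbers (the '(unknown)' ones) need decoding."""
    if isinstance(value, int):
        return XAUTH_AUTH_METHODS.get(value) or STANDARD_AUTH_METHODS.get(value) or "unknown(%d)" % value
    return value

def negotiate(transforms, policy):
    """Pick the first transform whose checked attributes are all acceptable, as an
    IKEv1 responder does.  Returns (chosen transform number or None,
    {transform number: [(attribute, offered value), ...]} for the rejected ones)."""
    rejections = {}
    for t in transforms:
        offered = dict(t)
        if "AUTHENTICATION_METHOD" in offered:
            offered["AUTHENTICATION_METHOD"] = auth_method_name(offered["AUTHENTICATION_METHOD"])
        bad = [(name, offered[name]) for name, ok in policy.items()
               if name in offered and offered[name] not in ok]
        if not bad:
            return t["transform"], rejections
        rejections[t["transform"]] = bad
    return None, rejections

if __name__ == "__main__":
    chosen, rejected = negotiate(parse_transforms(SAMPLE_DUMP), RESPONDER_POLICY)
    print("chosen transform:", chosen)   # None here: the responder sends NO_PROPOSAL_CHOSEN
    for number, reasons in rejected.items():
        print("transform %d rejected on: %s" % (number, reasons))
```

Run as-is it reports that transform 1 (AES-256, SHA, MODP_1024) fails on nothing but the authentication method, while transforms 3 and 7 additionally fail on MD5 and DES; swapping a policy that accepts XAUTHInitPreShared into `negotiate` makes transform 1 the chosen one, which is the quickest way to confirm from a capture that the authentication method, not the cipher suite, is the only thing the two sides disagree on.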