Marc-Christian,
If I refer to what I document in the URL you pointed us to, the
Libreswan configuration in Mutual PSK + XAuth + DHCP + PAM mode is:
# Mutual PSK + XAuth + Fixed IP
conn Philippe_XAUTH_PSK
    authby=secret
    aggrmode=yes
    leftxauthserver=yes
    rightxauthclient=yes
    rightid=@[GroupVPN]
    xauthby=pam
    also=FIXED_RIGHT_IP

# Mutual PSK + XAuth + DHCP
conn Philippe_XAUTH_PSK_DHCP
    authby=secret
    leftxauthserver=yes
    rightxauthclient=yes
    rightid=@[GroupVPN]
    aggrmode=yes
    also=DHCP_RIGHT_IP
    xauthby=pam
So I would say racoon on your iPhone is only configured to negotiate
Hybrid PSK + XAuth with Exchange type "aggressive" instead of the
Libreswan expected Mutual PSK + XAuth with Exchange type "aggressive".
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:[email protected]
On 03/28/2014 05:09 PM, Paul Wouters wrote:
On Fri, 28 Mar 2014, Marc-Christian Petersen wrote:
yep, I know about the bug but it doesn't happen here.
for whatever reason iOS is using hybrid mode when using
cisco ipsec mode with group name and PSK.
Maybe the problem is Libreswan not offering XAUTH when in
aggressive mode and iOS is falling back to hybrid?
Does it not send the XAUTH vendor id in Aggressive Mode?
btw. There is unmaintained code in contrib/checkpoint-hybrid/ to support
Hybrid Mode. If someone wants to merge in that code, and provide some
interop testing (eg with Shrew Soft) we could pull that code into the
main code base.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
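
Added illustration of the Mutual versus Hybrid distinction discussed in this thread (not part of the original messages, and not Libreswan or racoon code): in IKEv1 the mode a peer asks for is visible as the Authentication Method attribute of its phase 1 transform. The sketch below decodes that attribute from a transform's attribute bytes; the function names are hypothetical and the sample byte strings are constructed.

```python
import struct

AUTH_METHOD = 3  # IKEv1 phase 1 attribute class "Authentication Method" (RFC 2409)
# Value 1 is from RFC 2409; the others are private-use values from the
# XAUTH and Hybrid authentication drafts.
METHODS = {
    1: "Mutual PSK, no XAuth",
    65001: "Mutual PSK + XAuth (XAUTHInitPreShared)",
    64221: "Hybrid + XAuth (HybridInitRSA)",
}

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408, 3.3) into (type, value) pairs."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header")
        raw_type, field = struct.unpack_from("!HH", data, pos)
        pos += 4
        if raw_type & 0x8000:      # AF=1: fixed form, the field is the value
            value = field
        else:                      # AF=0: variable form, the field is a length
            if len(data) - pos < field:
                raise ValueError("truncated attribute value")
            value = int.from_bytes(data[pos:pos + field], "big")
            pos += field
        out.append((raw_type & 0x7FFF, value))
    return out

def offered_auth(data):
    """Name the authentication method a transform's attributes ask for."""
    for attr_type, value in parse_attributes(data):
        if attr_type == AUTH_METHOD:
            return METHODS.get(value, "unknown method %d" % value)
    return "no authentication method attribute"

def tv(attr_type, value):
    """Build one fixed-form (AF=1) attribute."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

# Constructed samples: AES, 256-bit key, SHA-1, MODP group 2, lifetime in seconds.
COMMON = tv(1, 7) + tv(14, 256) + tv(2, 2) + tv(4, 2) + tv(11, 1)
LIFE = struct.pack("!HHI", 12, 4, 3600)  # variable-form life duration
MUTUAL = COMMON + tv(AUTH_METHOD, 65001) + LIFE
HYBRID = COMMON + tv(AUTH_METHOD, 64221) + LIFE

if __name__ == "__main__":
    for name, blob in (("mutual sample", MUTUAL), ("hybrid sample", HYBRID)):
        print(name, "->", offered_auth(blob))
```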