Dear Marc-Christian,

The document on my Web site that you draw attention to describes Shrew/Libreswan running in Mutual PSK/RSA + XAuth + DHCP + PAM. The trace left by racoon on your iPhone says:

racoon[16654]: [16654] ERROR: No SIG was passed, hybrid auth is enabled, but peer is no Xauth compliant

So I would set Shrew in hybrid mode and check whether this mode is indeed implemented in today's Libreswan V3.8.

A long time ago when I tested Shrew's hybrid mode, Libreswan was saying in my Fedora /var/log/secure:
#
# Hybrid RSA. Leads to
# Oct 11 16:53:00 victor pluto[12408]: "Philippe"[6] 192.168.1.3 #3: Pluto does not support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
# Oct 11 16:53:00 victor pluto[12408]: "Philippe"[6] 192.168.1.3 #3: no acceptable Oakley Transform
# Oct 11 16:53:00 victor pluto[12408]: | complete state transition with (null)
#
Yours truly,

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:[email protected]

On 03/28/2014 02:48 PM, Marc-Christian Petersen wrote:
Hi all,

I'm using Libreswan v3.8 and trying to use XAUTH with GroupID, like
described here: 
http://vouters.dyndns.org/tima/Linux-Libreswan-Shrew-VPN-Testing_PAM_XAUTH_DHCP_with_Shrew.html

It works with ShrewVPN but not on iPhone/iPad (iOS v4.x-v7.x).

At least on one iPhone I see this log entry:

racoon[16654]: [16654] ERROR: No SIG was passed, hybrid auth is enabled, but peer is no Xauth compliant

I know aggressive mode is insecure and I don't use it but a customer
has to use it, so please don't tell me aggressive mode is insecure ;)

XAUTH with PSK just works fine.

Thanks!


_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
