Dear Marc-Christian,
If you succeed in making racoon on your iPhone work in *Mutual RSA* mode,
then the document you pointed out should apply to the iPhone/Libreswan
pair and SSL certificates.
Yours truly,
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:[email protected]
On 03/28/2014 04:06 PM, Marc-Christian Petersen wrote:
Hi Philippe,
Libreswan does not support Hybrid mode:
Mar 28 16:04:51 vpn pluto[28426]: "XAUTH-GROUP"[2] 1.2.3.4 #2: Pluto does not support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
so the iPhone lies.
On 28.03.2014 at 15:45:55, Philippe Vouters
<[email protected]> wrote:
The document you draw attention to on my Web site describes
Shrew/Libreswan running in Mutual PSK/RSA + XAuth + DHCP + PAM.
Your trace left by racoon on your iPhone says:
racoon[16654]: [16654] ERROR: No SIG was passed, hybrid auth is enabled, but peer is no Xauth compliant
So I would set Shrew in hybrid mode and check whether this mode is indeed
implemented in today's Libreswan V3.8.
A long time ago when I tested Shrew's hybrid mode, Libreswan was saying in my
Fedora /var/log/secure:
#
# Hybrid RSA. Leads to
# Oct 11 16:53:00 victor pluto[12408]: "Philippe"[6] 192.168.1.3 #3: Pluto does not support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
# Oct 11 16:53:00 victor pluto[12408]: "Philippe"[6] 192.168.1.3 #3: no acceptable Oakley Transform
# Oct 11 16:53:00 victor pluto[12408]: | complete state transition with (null)
#
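
Added example, not part of the original thread and not Libreswan code: a small Python triage script that re-joins mail-wrapped pluto lines like the ones quoted above and reports, per connection and peer, which authentication method pluto refused and whether the proposal then ended in "no acceptable Oakley Transform". The function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the pluto lines quoted in this thread, wrapped the way
# the mail client wrapped them (some with a leading "# " comment marker).
SAMPLE = """\
Mar 28 16:04:51 vpn pluto[28426]: "XAUTH-GROUP"[2] 1.2.3.4 #2: Pluto does not
support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
# Oct 11 16:53:00 victor pluto[12408]: "Philippe"[6] 192.168.1.3 #3: Pluto does
not support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
# Oct 11 16:53:00 victor pluto[12408]: "Philippe"[6] 192.168.1.3 #3: no
acceptable Oakley Transform
# Oct 11 16:53:00 victor pluto[12408]: | complete state transition with (null)
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ pluto\[\d+\]: ")
EVENT = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
                   r'(?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
UNSUPPORTED = re.compile(r"Pluto does not support (?P<method>\S+) authentication")

def unwrap(text):
    """Re-join continuation lines: anything without a syslog header."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^#( |$)", "", line).strip()  # drop "# " comment marker
        if not line:
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def rejected_auth_methods(text):
    """Map (connection, peer) -> refused auth methods and proposal outcome."""
    out = defaultdict(lambda: {"methods": set(), "no_transform": False})
    for rec in unwrap(text):
        m = EVENT.search(rec)
        if not m:  # debug lines such as "| complete state transition ..."
            continue
        entry = out[(m["conn"], m["peer"])]
        u = UNSUPPORTED.search(m["msg"])
        if u:
            entry["methods"].add(u["method"])
        elif m["msg"].startswith("no acceptable Oakley Transform"):
            entry["no_transform"] = True
    return dict(out)

if __name__ == "__main__":
    for key, info in rejected_auth_methods(SAMPLE).items():
        print(key, sorted(info["methods"]), info["no_transform"])
```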