FYI did a new setup on an Ubuntu server with no additional software but Libreswan and the requirements, a clean setup, clean ipsec.conf, getting the same error. The password is incorrectly handled by Libreswan or some dependency somewhere, same error as I've had on Openswan too.
Is there anything I can do to help narrow this down?

****parse ISAKMP ModeCfg attribute:
| ModeCfg attr type: 16521??
| length/value: 8 *<-- username is correct and 8 chars*
| ****parse ISAKMP ModeCfg attribute:
| ModeCfg attr type: 16522??
| length/value: 12 *<-- password is correct and 12 chars*
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 15 seconds for #1
| next event EVENT_DPD in 15 seconds for #1
XAUTH: User testuser: Attempting to login
XAUTH: passwd file authentication being called to authenticate user testuser
XAUTH: password file (/etc/ipsec.d/passwd) open.
| XAUTH: found user(testuser/testuser) pass($apr1$RXWgYKAc$***********/) connid(roadwarrior/roadwarrior)
| XAUTH: checking user(testuser:roadwarrior) pass (null) vs $apr1$RXWgYKAc$***********/ *<-- password is now: (null)*
XAUTH: nope
XAUTH: User testuser: Authentication Failed: Incorrect Username or Password

On 21 August 2014 09:55, Pontus Wiberg <[email protected]> wrote:

> Hi all,
>
> This below is what I get when using PAM (same as above), the password is
> correct though. but as you can see (further) below when using
> xauthby=file, Libreswan interprets the sent password as (null) even though
> the modecfg reports the correct number of letters in the password. Thus it
> is received but not hashed correctly or at least null is used when
> comparing to the hashed password in the file. This happens to me on 3
> different VMs on different versions of Ubuntu all using Libreswan 3.9
>
> XAUTH: User testuser: Attempting to login
> XAUTH: pam authentication being called to authenticate user testuser
> XAUTH: pam_authenticate failed with 'Permission denied'
> XAUTH: User testuser: Authentication Failed: Incorrect Username or Password
>
> XAUTH: User testuser: Attempting to login
> XAUTH: passwd file authentication being called to authenticate user testuser
> XAUTH: password file (/etc/ipsec.d/passwd) open.
> | XAUTH: checking user(testuser:roadwarrior) pass (null) vs $apr1$mjH4.GBd$***********************/
> XAUTH: nope
> XAUTH: User testuser: Authentication Failed: Incorrect Username or Password
>
> I also added the part in PAM pluto config that was suggested but this did
> not help, I will try on a fourth server with a clean setup (again), any
> recommendations on OS or anything? I really need to get past this issue :(
>
> thanks everyone,
> Pontus
>
> *Pontus Wiberg*
> Operations Lead
> Mobile: +46 70 459 9808
> universumglobal.com
>
> On 21 August 2014 00:05, Matt Rogers <[email protected]> wrote:
>
>> On 07/21, Remy van Elst wrote:
>> > Hello Paul,
>> >
>> > 3.9 does not seem to fix the problem, I still get login errors with
>> > either PAM or a passwd file, same steps as earlier but with the new
>> > packages:
>> >
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 61015: I am...behind NAT
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: new NAT mapping for #2, was 83.162.250.46:1024, now 83.162.250.46:61015
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 prf=...=MODP1024}
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: Dead Peer Detection (RFC 3706): enabled
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: XAUTH: Sending XAUTH Login/Password Request
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: received and ignored informational message for unknown state
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: User vpn: Attempting to login
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: pam authentication being called to authenticate user vpn
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: pam_authenticate failed with 'Authentication failure'
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: User vpn: Authentication Failed: Incorrect Username or Password
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: received Delete SA payload: deleting ISAKMP State #2
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46: deleting connection "xauth-rsa" instance with peer 83.162.250.46 {isakmp=#0/ipsec=#0}
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: packet from 83.162.250.46:61015: received and ignored empty informational notification payload
>> >
>>
>> I've tried to reproduce this with your configuration on RHEL7 and Win7 with
>> the Shrew client 2.2.2, and the pam method worked. For the client authentication
>> settings I used Mutual PSK + XAuth, with a Remote Identity of Any and a Local
>> Identity with the IP Address, with the PSK added to the Credentials tab.
>>
>> It would help to see the debug logs around the failure, with the pam feedback.
>> For example, an incorrect password provided:
>>
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ****parse ISAKMP ModeCfg attribute:
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ModeCfg attr type: 16522??
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | length/value: 1
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | complete state transition with STF_IGNORE
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | #9 complete_v1_state_transition:2165 st->st_calculating == FALSE;
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | * processed 0 messages from cryptographic helpers
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for #9
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for #9
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Attempting to login
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: pam authentication being called to authenticate user vpnuser
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_start SUCCESS
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_set_item SUCCESS
>> Aug 20 13:38:02 rhel7-b1 unix_chkpwd[27403]: password check failed for user (vpnuser)
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: pam_unix(pluto:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.13.211.181 user=vpnuser
>> Aug 20 13:38:04 rhel7-b1 pluto[27347]: | pam_authenticate failed with 'Authentication failure
>> Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: pam_authenticate failed with 'Authentication failure'
>> Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Authentication Failed: Incorrect Username or Password
>>
>> The ModeCfg attribute displayed is the password length, so you can at least
>> verify the password length in case the client is leaving something out.
>>
>> Regards,
>> Matt
>> _______________________________________________
>> Swan mailing list
>> [email protected]
>> https://lists.libreswan.org/mailman/listinfo/swan
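A check for the symptom reported in this thread, as an added example that is not part of the original messages or of Libreswan's code: it correlates the ModeCfg attribute lengths (16521 username, 16522 password, as annotated above) with the later "checking user(...) pass ..." debug line and flags logins where a non-empty password arrived but the comparison ran against (null). The function name and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample modeled on the pluto debug output quoted in this thread;
# the hash is a placeholder, not a real credential.
SAMPLE_LOG = """\
| ****parse ISAKMP ModeCfg attribute:
|    ModeCfg attr type: 16521??
|    length/value: 8
| ****parse ISAKMP ModeCfg attribute:
|    ModeCfg attr type: 16522??
|    length/value: 12
XAUTH: User testuser: Attempting to login
XAUTH: passwd file authentication being called to authenticate user testuser
| XAUTH: checking user(testuser:roadwarrior) pass (null) vs $apr1$PLACEHOLDER$xxxxxxxx/
XAUTH: nope
XAUTH: User testuser: Authentication Failed: Incorrect Username or Password
"""

ATTR_NAMES = {16521: "username", 16522: "password"}  # as annotated in the thread
ATTR_RE = re.compile(r"ModeCfg attr type:\s*(\d+)")
LEN_RE = re.compile(r"length/value:\s*(\d+)")
CHECK_RE = re.compile(r"XAUTH: checking user\((\S+?):(\S+?)\) pass (\S+) vs ")


def find_lost_passwords(log_text):
    """Return one finding per login where the password attribute had a
    non-zero length on the wire but the file comparison used '(null)'.
    Only lengths are recorded, never the password or the stored hash."""
    findings, lengths, pending = [], {}, None
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:  # remember which attribute the next length line belongs to
            pending = ATTR_NAMES.get(int(m.group(1)))
            continue
        m = LEN_RE.search(line)
        if m and pending:
            lengths[pending] = int(m.group(1))
            pending = None
            continue
        m = CHECK_RE.search(line)
        if m:
            user, conn, shown = m.groups()
            if shown == "(null)" and lengths.get("password", 0) > 0:
                findings.append({"user": user, "conn": conn,
                                 "wire_password_len": lengths["password"],
                                 "wire_username_len": lengths.get("username")})
            lengths = {}  # reset for the next login attempt
    return findings


if __name__ == "__main__":
    for finding in find_lost_passwords(SAMPLE_LOG):
        print(finding)
```

The regexes use search rather than anchored matches, so syslog-prefixed lines such as those in the quoted RHEL7 output are handled the same way.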
