On Tue, 24 Mar 2015, LAmbono Bono wrote:
I know that it is possible to configure Libreswan to be a VPN server supporting multiple xauth rounds. But does it work also when Libreswan is in the client role?
Yes. I use it daily to connect to the redhat.com Cisco :) We also have test cases; look at xauth-pluto-13 to xauth-pluto-16 at: https://github.com/libreswan/libreswan/tree/master/testing/pluto
My VPN server is a Cisco ASA and my client is Libreswan version 3.12. The server is using OTP, and the generated OTP password is sent to me by email. I think that during the first xauth round the user password is used automatically, after which the OTP password is required. I'm stuck at this step, as I do not get a prompt from Libreswan to enter that OTP password.
I initiate VPN connection using: ipsec auto --up cisco
That should prompt, unless you have specified an XAUTH password in ipsec.secrets.
conn cisco
        # fill in your groupname and username
        leftid=@mygroupname
        leftxauthusername=myusername
        #
        # The proposals have to match exactly or the cisco stops talking
        ike=aes128-sha1;modp1024
        esp=aes128-sha1;modp1024
        right=IP_address_of_Cisco_ASA
        initial_contact=yes
        aggrmode=yes
        authby=secret
        left=%defaultroute
        leftxauthclient=yes
        leftmodecfgclient=yes
        remote_peer_type=cisco
        rightxauthserver=yes
        rightmodecfgserver=yes
        salifetime=24h
        ikelifetime=1h
        dpdaction=restart
        dpdtimeout=60
        dpddelay=30
That looks correct. You can try adding ike-frag=force and ikepad=no
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: Dead Peer Detection (RFC 3706): enabled
Odd. It should have prompted you. Can you try leaving out leftxauthusername= and see if you get prompted? If this is wrapped in a script, be sure you have stdin/stdout, or else whack will detect you cannot input the values and skip it.

Paul
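As an added example (not part of the thread and not Libreswan's own tooling): a small Python script that splits a pluto debug log like the one posted above into XAUTH rounds, records which attributes the Cisco sent in each round, and flags a round in which the server supplied a prompt text but the client answered in the same second, which is what you would expect when a stored secret is replayed rather than a terminal prompt being shown. The log lines are constructed to mirror the posted ones; the line layout, the field names and the 2-second "nobody types that fast" threshold are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the pluto output posted in the thread
# (three XAUTH rounds from a Cisco ASA); these are not the original lines.
SAMPLE_LOG = """\
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:00 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:00 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:01 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH type: Generic
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH username
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH password
Mar 24 13:18:03 vpn pluto[2817]: | Received Cisco XAUTH message
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH Message: Enter your MAIL one-time password
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: XAUTH: Answering XAUTH challenge with user='myusername'
Mar 24 13:18:03 vpn pluto[2817]: "cisco" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
"""

# Assumed syslog-style layout: "<Mon dd HH:MM:SS> <host> pluto[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$")
ATTR_RE = re.compile(r"\| Received Cisco XAUTH (?P<attr>type|username|password|message)")
PROMPT_RE = re.compile(r'"[^"]+" #\d+: XAUTH Message: (?P<text>.*)$')
ANSWER_RE = re.compile(r'"[^"]+" #\d+: XAUTH: Answering XAUTH challenge with user=')

# Assumption: a person cannot read an OTP prompt and type the code in under this
# many seconds, so an answer faster than this was not entered interactively.
MIN_HUMAN_DELAY = 2


def _ts(text):
    # Syslog timestamps carry no year; only deltas are used, so 1900 is fine.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_xauth_rounds(log_text):
    """Group log lines into XAUTH rounds; a round starts at 'XAUTH type:'."""
    rounds, cur = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = _ts(m.group("ts")), m.group("msg")
        a = ATTR_RE.search(msg)
        if a:
            if a.group("attr") == "type":
                cur = {"started": ts, "attrs": [], "prompt": None,
                       "prompt_at": None, "answered_at": None}
                rounds.append(cur)
            elif cur is not None:
                cur["attrs"].append(a.group("attr"))
            continue
        if cur is None:
            continue
        p = PROMPT_RE.search(msg)
        if p:
            cur["prompt"], cur["prompt_at"] = p.group("text"), ts
        elif ANSWER_RE.search(msg):
            cur["answered_at"] = ts
    return rounds


def diagnose(rounds):
    """Classify each round: answered from config, answered instantly after a
    server prompt, answered after a human-scale delay, or never answered."""
    findings = []
    for i, r in enumerate(rounds, 1):
        if r["answered_at"] is None:
            findings.append((i, "no-reply"))
        elif r["prompt"] is None:
            findings.append((i, "answered-from-config"))
        else:
            delay = (r["answered_at"] - r["prompt_at"]).total_seconds()
            verdict = "answered-instantly" if delay < MIN_HUMAN_DELAY else "answered-interactively"
            findings.append((i, verdict))
    return findings


if __name__ == "__main__":
    rounds = parse_xauth_rounds(SAMPLE_LOG)
    for (i, verdict), r in zip(diagnose(rounds), rounds):
        print(f"round {i} @ {r['started']:%H:%M:%S} attrs={r['attrs']} "
              f"prompt={r['prompt']!r}: {verdict}")
```

Run it against a real log (`journalctl -u ipsec` or /var/log/secure, with `plutodebug=all` or at least the xauth/control debugging enabled so the `| Received Cisco XAUTH ...` lines appear) by replacing SAMPLE_LOG with the file contents. A third round that carries a prompt text and is marked "answered-instantly" is the pattern to look for when chasing a missing OTP prompt: the reply went out before anyone could have typed the code.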
