On Fri, 20 Mar 2020, MN Lists wrote:
try: ipsec whack --initiate --name <con>
You can also, if you put the leftusername= back, add the password to
/etc/ipsec.secrets using:
@yourxauthname : XAUTH "password"
Both these actions gave the same result.
Seems the other end did not send a password request. Something else
might be wrong. You have to ask the other endpoint what error they
see.
After diving in to the logs, I found the following:
Mar 20 11:07:49.073524: | Received Cisco XAUTH type: Generic
Mar 20 11:07:49.073529: | ****parse ISAKMP ModeCfg attribute:
Mar 20 11:07:49.073533: | ModeCfg attr type: XAUTH-USER-NAME (0x4089)
Mar 20 11:07:49.073538: | length/value: 0 (0x0)
Mar 20 11:07:49.073542: | Received Cisco XAUTH username
Mar 20 11:07:49.073547: | ****parse ISAKMP ModeCfg attribute:
Mar 20 11:07:49.073551: | ModeCfg attr type: XAUTH-PASSCODE (0x408b)
Mar 20 11:07:49.073556: | length/value: 0 (0x0)
Mar 20 11:07:49.073561: | Unsupported XAUTH (inI0) long attribute XAUTH-PASSCODE received.
It looks like the gateway is sending a request for an XAUTH-PASSCODE attribute
which ipsec does not support.
Based on https://tools.ietf.org/html/draft-beaulieu-ike-xauth-02#section-6.2
it looks like it is expecting some kind of OTP reply from a hardware or
software token, and not a static password? So in that case you cannot
store the password in the secrets file.
Is your password static? We could patch the code to handle
XAUTH-PASSCODE the same as XAUTH-USER-PASSWORD? That would
allow you to put it in the secrets file if static, and allow
you to type it in using ipsec whack --initiate --name <conn>
I have a lot of logs from the gateway and pluto on this exchange but wasn't
sure how you prefer to get them on this mailing list, attachments, pastebin
or just paste them in the mail?
That is not needed, you picked out the right information above.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
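The ModeCfg attribute exchange visible in the pluto log above, as an added example that is not from this thread and not libreswan's own code: it decodes ISAKMP data attributes the way RFC 2408 section 3.3 lays them out (a 2-byte type whose high bit says whether a 2-byte value or a length-prefixed body follows, the latter being what pluto calls a "long attribute"), names them with the XAUTH attribute numbers from draft-beaulieu-ike-xauth-02 section 6.2, and then builds the client's REPLY. The sample REQUEST is constructed to match the log (XAUTH-TYPE Generic, then XAUTH-USER-NAME and XAUTH-PASSCODE with length 0), XAUTH-TYPE is encoded as a basic attribute, and the `secrets` dict with "username", "password" and "passcode" keys is an assumed stand-in for whatever a client keeps, not the ipsec.secrets format. The point it makes concrete is the one raised in the reply: a gateway that asks for XAUTH-PASSCODE cannot be answered from a static password alone.

```python
"""Decode an XAUTH (ISAKMP Mode Config) REQUEST and build the REPLY.

Added example, not from the thread or from libreswan.  Encoding follows
RFC 2408 s3.3; attribute numbers follow draft-beaulieu-ike-xauth-02 s6.2.
"""
import struct

# Mode Config attribute types from draft-beaulieu-ike-xauth-02, section 6.2.
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD, XAUTH_PASSCODE = 0x4088, 0x4089, 0x408A, 0x408B
XAUTH_MESSAGE, XAUTH_CHALLENGE, XAUTH_DOMAIN, XAUTH_STATUS = 0x408C, 0x408D, 0x408E, 0x408F
XAUTH_NEXT_PIN, XAUTH_ANSWER = 0x4090, 0x4091
ATTR_NAMES = {
    XAUTH_TYPE: "XAUTH-TYPE", XAUTH_USER_NAME: "XAUTH-USER-NAME",
    XAUTH_USER_PASSWORD: "XAUTH-USER-PASSWORD", XAUTH_PASSCODE: "XAUTH-PASSCODE",
    XAUTH_MESSAGE: "XAUTH-MESSAGE", XAUTH_CHALLENGE: "XAUTH-CHALLENGE",
    XAUTH_DOMAIN: "XAUTH-DOMAIN", XAUTH_STATUS: "XAUTH-STATUS",
    XAUTH_NEXT_PIN: "XAUTH-NEXT-PIN", XAUTH_ANSWER: "XAUTH-ANSWER",
}
XAUTH_TYPE_NAMES = {0: "Generic", 1: "RADIUS-CHAP", 2: "OTP", 3: "S/KEY"}
# Assumed client-side secret store keys (not the ipsec.secrets format):
# which secret answers which credential request.
CREDENTIAL_KEY = {XAUTH_USER_NAME: "username", XAUTH_USER_PASSWORD: "password",
                  XAUTH_PASSCODE: "passcode"}
AF_BIT = 0x8000  # RFC 2408 s3.3: set = basic (TV) attribute, clear = TLV ("long")


def parse_attributes(data):
    """Decode RFC 2408 data attributes into (type, value) pairs.

    Basic (AF=1) attributes yield a 16-bit int; TLV (AF=0) attributes yield bytes.
    Raises ValueError on a truncated header or a length running past the payload.
    """
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, val_or_len = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = raw_type & ~AF_BIT
        if raw_type & AF_BIT:
            attrs.append((attr_type, val_or_len))
            continue
        if off + val_or_len > len(data):
            raise ValueError("attribute 0x%04x length %d runs past payload end"
                             % (attr_type, val_or_len))
        attrs.append((attr_type, bytes(data[off:off + val_or_len])))
        off += val_or_len
    return attrs


def is_well_formed(data):
    """True if `data` parses as a complete attribute sequence."""
    try:
        parse_attributes(data)
        return True
    except ValueError:
        return False


def encode_attributes(attrs):
    """Inverse of parse_attributes: ints become basic attributes, bytes become TLVs."""
    out = bytearray()
    for attr_type, value in attrs:
        if isinstance(value, int):
            out += struct.pack("!HH", attr_type | AF_BIT, value)
        else:
            out += struct.pack("!HH", attr_type & ~AF_BIT, len(value)) + value
    return bytes(out)


def describe_request(request):
    """Summarise a REQUEST: auth type, requested credentials, and whether one of
    them is a token code (XAUTH-PASSCODE) rather than a static password."""
    info = {"xauth_type": "Generic", "requested": [], "message": None, "needs_passcode": False}
    for attr_type, value in parse_attributes(request):
        if attr_type == XAUTH_TYPE:
            info["xauth_type"] = XAUTH_TYPE_NAMES.get(value, "type-%d" % value)
        elif attr_type == XAUTH_MESSAGE:
            info["message"] = value.decode("utf-8", "replace")
        elif attr_type in CREDENTIAL_KEY:
            # A zero-length credential attribute in a REQUEST means "fill this in".
            info["requested"].append(ATTR_NAMES[attr_type])
            if attr_type == XAUTH_PASSCODE:
                info["needs_passcode"] = True
    return info


def missing_credentials(request, secrets):
    """Names of requested credentials that `secrets` cannot answer.  A request
    for XAUTH-PASSCODE is not satisfied by a configured password."""
    return [ATTR_NAMES[t] for t, _ in parse_attributes(request)
            if t in CREDENTIAL_KEY and CREDENTIAL_KEY[t] not in secrets]


def build_reply(request, secrets):
    """Build the client's REPLY attributes: echo XAUTH-TYPE, fill each credential."""
    missing = missing_credentials(request, secrets)
    if missing:
        raise KeyError("gateway asked for %s but no such secret is configured" % ", ".join(missing))
    reply = []
    for attr_type, value in parse_attributes(request):
        if attr_type == XAUTH_TYPE:
            reply.append((XAUTH_TYPE, value))
        elif attr_type in CREDENTIAL_KEY:
            reply.append((attr_type, secrets[CREDENTIAL_KEY[attr_type]].encode()))
    return encode_attributes(reply)


# Constructed sample REQUEST matching the pluto log in the thread.
SAMPLE_REQUEST = encode_attributes([(XAUTH_TYPE, 0), (XAUTH_USER_NAME, b""), (XAUTH_PASSCODE, b"")])

if __name__ == "__main__":
    print(describe_request(SAMPLE_REQUEST))
    print(missing_credentials(SAMPLE_REQUEST, {"username": "alice", "password": "static"}))
    print(build_reply(SAMPLE_REQUEST, {"username": "alice", "passcode": "123456"}).hex())
```

Run stand-alone it shows the three things the thread turns on: the gateway's request is Generic XAUTH asking for a user name and a passcode, a store holding only a static password leaves XAUTH-PASSCODE unanswered, and a store with a passcode produces a REPLY in which the two credential attributes come back as TLVs carrying the values.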