<div dir="ltr">
<div>Hi all,</div>
<div><br></div>
<div>I'm working on setting up xauth-pam, but PAM seems to be trying to use my client's internal IP address when it should clearly be 'losapio'.</div>
<div><br></div>
<div>Server:</div>
<div>CentOS Linux release 7.3.1611 (Core)</div>
<div>strongswan-5.4.0-2.el7.x86_64</div>
<div><br></div>
<div>Client:</div>
<div>Mac OS X 10.12.5 (16F73) native VPN client, configured via a profile generated by Apple Configurator.</div>
<div><br></div>
<div>(The problem)</div>
<div>/var/log/secure</div>
<pre>
2017-07-14T18:13:46.537632+00:00 transit-pvd-tunnel-2 charon: pam_console(ipsec:session): getpwnam failed for 192.168.0.149
2017-07-14T18:13:46.537793+00:00 transit-pvd-tunnel-2 charon: pam_unix(ipsec:session): session closed for user 192.168.0.149
</pre>
<div>/var/log/messages</div>
<pre>
2017-07-14T18:23:16.272910+00:00 transit-pvd-tunnel-2 charon: 05[NET] received packet: from 108.5.52.66[500] to 100.127.1.32[500] (848 bytes)
2017-07-14T18:23:16.273109+00:00 transit-pvd-tunnel-2 charon: 05[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2017-07-14T18:23:16.273258+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
2017-07-14T18:23:16.273403+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
2017-07-14T18:23:16.273569+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2017-07-14T18:23:16.273713+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2017-07-14T18:23:16.273857+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2017-07-14T18:23:16.274000+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2017-07-14T18:23:16.274145+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2017-07-14T18:23:16.274284+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2017-07-14T18:23:16.274421+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2017-07-14T18:23:16.274582+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2017-07-14T18:23:16.274722+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received XAuth vendor ID
2017-07-14T18:23:16.274866+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received Cisco Unity vendor ID
2017-07-14T18:23:16.275007+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received FRAGMENTATION vendor ID
2017-07-14T18:23:16.275146+00:00 transit-pvd-tunnel-2 charon: 05[IKE] received DPD vendor ID
2017-07-14T18:23:16.275289+00:00 transit-pvd-tunnel-2 charon: 05[IKE] 108.5.52.66 is initiating a Main Mode IKE_SA
2017-07-14T18:23:16.275585+00:00 transit-pvd-tunnel-2 charon: 05[ENC] generating ID_PROT response 0 [ SA V V V ]
2017-07-14T18:23:16.275725+00:00 transit-pvd-tunnel-2 charon: 05[NET] sending packet: from 100.127.1.32[500] to 108.5.52.66[500] (136 bytes)
2017-07-14T18:23:16.300787+00:00 transit-pvd-tunnel-2 charon: 05[NET] received packet: from 108.5.52.66[500] to 100.127.1.32[500] (380 bytes)
2017-07-14T18:23:16.300962+00:00 transit-pvd-tunnel-2 charon: 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2017-07-14T18:23:16.311506+00:00 transit-pvd-tunnel-2 charon: 05[IKE] local host is behind NAT, sending keep alives
2017-07-14T18:23:16.311674+00:00 transit-pvd-tunnel-2 charon: 05[IKE] remote host is behind NAT
2017-07-14T18:23:16.311827+00:00 transit-pvd-tunnel-2 charon: 05[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2017-07-14T18:23:16.311971+00:00 transit-pvd-tunnel-2 charon: 05[NET] sending packet: from 100.127.1.32[500] to 108.5.52.66[500] (396 bytes)
2017-07-14T18:23:16.363909+00:00 transit-pvd-tunnel-2 charon: 09[NET] received packet: from 108.5.52.66[4500] to 100.127.1.32[4500] (108 bytes)
2017-07-14T18:23:16.364108+00:00 transit-pvd-tunnel-2 charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
2017-07-14T18:23:16.364269+00:00 transit-pvd-tunnel-2 charon: 09[CFG] looking for XAuthInitPSK peer configs matching 100.127.1.32...108.5.52.66[192.168.0.149]
2017-07-14T18:23:16.364438+00:00 transit-pvd-tunnel-2 charon: 09[CFG] selected peer config "con1"
2017-07-14T18:23:16.364605+00:00 transit-pvd-tunnel-2 charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
2017-07-14T18:23:16.364760+00:00 transit-pvd-tunnel-2 charon: 09[NET] sending packet: from 100.127.1.32[4500] to 108.5.52.66[4500] (92 bytes)
2017-07-14T18:23:16.364912+00:00 transit-pvd-tunnel-2 charon: 09[ENC] generating TRANSACTION request 4279728683 [ HASH CPRQ(X_USER X_PWD) ]
2017-07-14T18:23:16.365068+00:00 transit-pvd-tunnel-2 charon: 09[NET] sending packet: from 100.127.1.32[4500] to 108.5.52.66[4500] (92 bytes)
2017-07-14T18:23:19.628584+00:00 transit-pvd-tunnel-2 charon: 06[NET] received packet: from 108.5.52.66[4500] to 100.127.1.32[4500] (108 bytes)
2017-07-14T18:23:19.628787+00:00 transit-pvd-tunnel-2 charon: 06[ENC] parsed TRANSACTION response 4279728683 [ HASH CPRP(X_USER X_PWD) ]
2017-07-14T18:23:19.681129+00:00 transit-pvd-tunnel-2 charon: 06[IKE] XAuth pam_authenticate for 'losapio' failed: Authentication failure
2017-07-14T18:23:19.681588+00:00 transit-pvd-tunnel-2 charon: 06[IKE] XAuth authentication of 'losapio' failed
2017-07-14T18:23:19.681745+00:00 transit-pvd-tunnel-2 charon: 06[ENC] generating TRANSACTION request 3399372098 [ HASH CPS(X_STATUS) ]
2017-07-14T18:23:19.681895+00:00 transit-pvd-tunnel-2 charon: 06[NET] sending packet: from 100.127.1.32[4500] to 108.5.52.66[4500] (92 bytes)
2017-07-14T18:23:19.695956+00:00 transit-pvd-tunnel-2 charon: 08[NET] received packet: from 108.5.52.66[4500] to 100.127.1.32[4500] (92 bytes)
2017-07-14T18:23:19.696118+00:00 transit-pvd-tunnel-2 charon: 08[ENC] parsed TRANSACTION response 3399372098 [ HASH CPA(X_STATUS) ]
2017-07-14T18:23:19.696322+00:00 transit-pvd-tunnel-2 charon: 08[IKE] destroying IKE_SA after failed XAuth authentication
</pre>
<div>I followed the directions here (slightly modified):</div>
<div><a href="https://wiki.strongswan.org/projects/strongswan/wiki/XAuthPAM">https://wiki.strongswan.org/projects/strongswan/wiki/XAuthPAM</a></div>
<div><br></div>
<div>/etc/strongswan/ipsec.conf</div>
<pre>
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn con1
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        rekey=yes
        installpolicy=yes
        #type=tunnel
        auto=add
        left=%any
        leftid=34.228.107.145
        leftauth=psk
        rightauth=psk
        rightauth2=xauth-pam
        right=%any
        leftsubnet=0.0.0.0/0
</pre>
<div>Any help would be appreciated!</div>
<div><br></div>
<div>--Mike</div>
</div>
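<p>The charon log quoted above shows the two identities involved in one IKEv1 XAuth login: the IKE phase-1 identity the client presents (<code>192.168.0.149</code>, visible in the "looking for ... peer configs matching" line) and the XAuth username PAM is asked to verify (<code>'losapio'</code>). The following script is an added example, not code from the post or from strongSwan: it parses those message formats from syslog and produces one record per attempt, so an operator can see which identity reached PAM, list attempts where the two identities differ, and count failed XAuth logins per peer address. It assumes the syslog layout shown in the post, that charon's thread numbers cannot be used to correlate messages (they change within a single exchange in the quoted log), and that a successful login is logged with the wording "successful" (only the "failed" wording appears on the page). The sample log is a constructed subset of the lines quoted above.</p>

```python
"""Summarise IKEv1 XAuth attempts from strongSwan (charon) syslog lines.

Added example, not code from the original mailing-list post or from
strongSwan itself. It recognises the message formats visible in the post
and groups them into one record per connection attempt.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the /var/log/messages lines quoted in the post.
SAMPLE_LOG = """\
2017-07-14T18:23:16.275289+00:00 transit-pvd-tunnel-2 charon: 05[IKE] 108.5.52.66 is initiating a Main Mode IKE_SA
2017-07-14T18:23:16.364269+00:00 transit-pvd-tunnel-2 charon: 09[CFG] looking for XAuthInitPSK peer configs matching 100.127.1.32...108.5.52.66[192.168.0.149]
2017-07-14T18:23:16.364438+00:00 transit-pvd-tunnel-2 charon: 09[CFG] selected peer config "con1"
2017-07-14T18:23:16.364912+00:00 transit-pvd-tunnel-2 charon: 09[ENC] generating TRANSACTION request 4279728683 [ HASH CPRQ(X_USER X_PWD) ]
2017-07-14T18:23:19.681129+00:00 transit-pvd-tunnel-2 charon: 06[IKE] XAuth pam_authenticate for 'losapio' failed: Authentication failure
2017-07-14T18:23:19.681588+00:00 transit-pvd-tunnel-2 charon: 06[IKE] XAuth authentication of 'losapio' failed
2017-07-14T18:23:19.696322+00:00 transit-pvd-tunnel-2 charon: 08[IKE] destroying IKE_SA after failed XAuth authentication
"""

# syslog prefix as seen in the post: "<timestamp> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
INITIATING_RE = re.compile(r"^(?P<remote>\S+) is initiating a Main Mode IKE_SA$")
# "looking for <method> peer configs matching <local>...<remote>[<remote IKE ID>]"
MATCHING_RE = re.compile(r"^looking for (?P<method>\S+) peer configs matching (?P<local>.+?)\.\.\.(?P<remote>[^\[]+)\[(?P<ike_id>[^\]]+)\]$")
SELECTED_RE = re.compile(r'^selected peer config "(?P<name>[^"]+)"$')
PAM_FAIL_RE = re.compile(r"^XAuth pam_authenticate for '(?P<user>[^']+)' failed: (?P<reason>.*)$")
# Only the "failed" wording appears in the post; the "successful" wording is an assumption.
RESULT_RE = re.compile(r"^XAuth authentication of '(?P<user>[^']+)' (?P<result>successful|failed)$")
TEARDOWN_MSG = "destroying IKE_SA after failed XAuth authentication"


@dataclass
class Attempt:
    remote: str                        # peer address from the Main Mode line
    first_ts: str
    last_ts: str
    ike_id: Optional[str] = None       # identity the client sent in IKE phase 1
    peer_config: Optional[str] = None  # conn section charon selected
    xauth_user: Optional[str] = None   # username handed to PAM by XAuth
    result: Optional[str] = None       # "successful" or "failed"
    reason: Optional[str] = None       # PAM error text, if any
    torn_down: bool = False


def _open_attempt(attempts: List[Attempt]) -> Optional[Attempt]:
    """Most recent attempt that has not been torn down.

    Thread numbers (05, 09, 06, 08 in the post) change between messages of one
    exchange, so they cannot be used for correlation; this heuristic assumes
    attempts on one gateway do not interleave.
    """
    for a in reversed(attempts):
        if not a.torn_down:
            return a
    return None


def parse_charon_log(text: str) -> List[Attempt]:
    attempts: List[Attempt] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line, or a different syslog layout
        ts, msg = m["ts"], m["msg"]
        init = INITIATING_RE.match(msg)
        if init:
            attempts.append(Attempt(remote=init["remote"], first_ts=ts, last_ts=ts))
            continue
        cur = _open_attempt(attempts)
        if cur is None:
            continue  # nothing to attribute this message to
        cur.last_ts = ts
        k = MATCHING_RE.match(msg)
        if k:
            cur.ike_id = k["ike_id"]
            continue
        k = SELECTED_RE.match(msg)
        if k:
            cur.peer_config = k["name"]
            continue
        k = PAM_FAIL_RE.match(msg)
        if k:
            cur.xauth_user, cur.reason = k["user"], k["reason"]
            continue
        k = RESULT_RE.match(msg)
        if k:
            cur.xauth_user, cur.result = k["user"], k["result"]
            continue
        if msg == TEARDOWN_MSG:
            cur.torn_down = True
    return attempts


def id_mismatches(attempts: List[Attempt]) -> List[Attempt]:
    """Attempts whose phase-1 IKE ID differs from the XAuth username (the post's case)."""
    return [a for a in attempts if a.ike_id and a.xauth_user and a.ike_id != a.xauth_user]


def failed_xauth_by_remote(attempts: List[Attempt]) -> Dict[str, int]:
    """Failed XAuth logins per peer address; a basic password-guessing indicator."""
    counts: Dict[str, int] = {}
    for a in attempts:
        if a.result == "failed":
            counts[a.remote] = counts.get(a.remote, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_charon_log(SAMPLE_LOG)
    for a in parsed:
        print(f"{a.first_ts} {a.remote} ike_id={a.ike_id} config={a.peer_config} "
              f"xauth_user={a.xauth_user} result={a.result} reason={a.reason!r}")
    print("failed XAuth per remote:", failed_xauth_by_remote(parsed))
```

<p>Run against a real <code>/var/log/messages</code> (for example <code>parse_charon_log(open("/var/log/messages").read())</code>), the record for the quoted attempt shows <code>ike_id=192.168.0.149</code> next to <code>xauth_user=losapio</code>, which makes the two identities in the post's question visible side by side. A rising count from <code>failed_xauth_by_remote</code> for one address is the signal to alert on, since the IKEv1 XAuth exchange lets a peer retry passwords against PAM.</p>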