[strongSwan] IKEv1 XAuth EAP Plugin
vk4gtw at bigpond.com
Wed Sep 28 11:36:52 CEST 2016
I have the XAuth EAP Plugin enabled in my IPsec VPN responder, along
with a number of eap plugins. I did not build this version of strongSwan
(5.2.1) but downloaded it from a Raspberry Pi repository.
My /etc/ipsec.secrets file contains entries similar to:
Fred : EAP "1234567"
fred : XAUTH "deadbeef1234567"
Please note the different capitalisation of the letter f for the two different
My iPhone 4 Cisco IPsec VPN client has an X.509 entity certificate
and is configured with username=fred and password=1234567
My /etc/ipsec.conf file is configured as follows:
As the iPhone password is not the same as the XAUTH password in
/etc/ipsec.secrets, I was not expecting authentication to succeed.
However  notes it may not be this simple.
The /xauth-eap/ plugin is an IKEv1 XAuth server backend. It requests
username/password XAuth credentials and verifies them against
any password based IKEv2 EAP plugin.
My experience suggests the password is checked but not the
username. I was not expecting Fred's password to successfully
authenticate a request from user fred (note the lower case f).
The following log output suggests username is compared along with password.
01[ENC] <CiscoIPSec|58> generating TRANSACTION request 2160949662 [ HASH CPRQ(X_USER X_PWD) ]
11[ENC] <CiscoIPSec|58> parsed TRANSACTION response 2160949662 [ HASH CPRP(X_USER X_PWD) ]
11[IKE] <CiscoIPSec|58> XAuth authentication of 'fred' successful
The other possible reason for my observed behaviour is that a truncated password is used in the hash
calculation, but I would doubt that is the case.
My iPhone X.509 certificate has the serverAuth flag set as required by Windows 7 but I don't think
this would explain what I am seeing.
Any help appreciated, thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users