[strongSwan] xauth-pam and ip address

Mike LoSapio mike.losapio at gmail.com
Fri Jul 14 20:29:39 CEST 2017


Hi all -

I'm working on setting up xauth-pam, but PAM seems to be trying to use my
client's internal IP address when it should clearly be 'losapio'.

Server:
CentOS Linux release 7.3.1611 (Core)
strongswan-5.4.0-2.el7.x86_64

Client:
Mac OSX 10.12.5 (16F73) Native VPN Client configured via a profile
generated by Apple Configurator.

(The problem)
/var/log/secure
2017-07-14T18:13:46.537632+00:00 transit-pvd-tunnel-2 charon:
pam_console(ipsec:session): getpwnam failed for 192.168.0.149
2017-07-14T18:13:46.537793+00:00 transit-pvd-tunnel-2 charon:
pam_unix(ipsec:session): session closed for user 192.168.0.149


/var/log/messages
2017-07-14T18:23:16.272910+00:00 transit-pvd-tunnel-2 charon: 05[NET]
received packet: from 108.5.52.66[500] to 100.127.1.32[500] (848 bytes)
2017-07-14T18:23:16.273109+00:00 transit-pvd-tunnel-2 charon: 05[ENC]
parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2017-07-14T18:23:16.273258+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received NAT-T (RFC 3947) vendor ID
2017-07-14T18:23:16.273403+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received draft-ietf-ipsec-nat-t-ike vendor ID
2017-07-14T18:23:16.273569+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received draft-ietf-ipsec-nat-t-ike-08 vendor ID
2017-07-14T18:23:16.273713+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received draft-ietf-ipsec-nat-t-ike-07 vendor ID
2017-07-14T18:23:16.273857+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received draft-ietf-ipsec-nat-t-ike-06 vendor ID
2017-07-14T18:23:16.274000+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received draft-ietf-ipsec-nat-t-ike-05 vendor ID
2017-07-14T18:23:16.274145+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received draft-ietf-ipsec-nat-t-ike-04 vendor ID
2017-07-14T18:23:16.274284+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2017-07-14T18:23:16.274421+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2017-07-14T18:23:16.274582+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2017-07-14T18:23:16.274722+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received XAuth vendor ID
2017-07-14T18:23:16.274866+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received Cisco Unity vendor ID
2017-07-14T18:23:16.275007+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received FRAGMENTATION vendor ID
2017-07-14T18:23:16.275146+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
received DPD vendor ID
2017-07-14T18:23:16.275289+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
108.5.52.66 is initiating a Main Mode IKE_SA
2017-07-14T18:23:16.275585+00:00 transit-pvd-tunnel-2 charon: 05[ENC]
generating ID_PROT response 0 [ SA V V V ]
2017-07-14T18:23:16.275725+00:00 transit-pvd-tunnel-2 charon: 05[NET]
sending packet: from 100.127.1.32[500] to 108.5.52.66[500] (136 bytes)
2017-07-14T18:23:16.300787+00:00 transit-pvd-tunnel-2 charon: 05[NET]
received packet: from 108.5.52.66[500] to 100.127.1.32[500] (380 bytes)
2017-07-14T18:23:16.300962+00:00 transit-pvd-tunnel-2 charon: 05[ENC]
parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2017-07-14T18:23:16.311506+00:00 transit-pvd-tunnel-2 charon: 05[IKE] local
host is behind NAT, sending keep alives
2017-07-14T18:23:16.311674+00:00 transit-pvd-tunnel-2 charon: 05[IKE]
remote host is behind NAT
2017-07-14T18:23:16.311827+00:00 transit-pvd-tunnel-2 charon: 05[ENC]
generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2017-07-14T18:23:16.311971+00:00 transit-pvd-tunnel-2 charon: 05[NET]
sending packet: from 100.127.1.32[500] to 108.5.52.66[500] (396 bytes)
2017-07-14T18:23:16.363909+00:00 transit-pvd-tunnel-2 charon: 09[NET]
received packet: from 108.5.52.66[4500] to 100.127.1.32[4500] (108 bytes)
2017-07-14T18:23:16.364108+00:00 transit-pvd-tunnel-2 charon: 09[ENC]
parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
2017-07-14T18:23:16.364269+00:00 transit-pvd-tunnel-2 charon: 09[CFG]
looking for XAuthInitPSK peer configs matching
100.127.1.32...108.5.52.66[192.168.0.149]
2017-07-14T18:23:16.364438+00:00 transit-pvd-tunnel-2 charon: 09[CFG]
selected peer config "con1"
2017-07-14T18:23:16.364605+00:00 transit-pvd-tunnel-2 charon: 09[ENC]
generating ID_PROT response 0 [ ID HASH ]
2017-07-14T18:23:16.364760+00:00 transit-pvd-tunnel-2 charon: 09[NET]
sending packet: from 100.127.1.32[4500] to 108.5.52.66[4500] (92 bytes)
2017-07-14T18:23:16.364912+00:00 transit-pvd-tunnel-2 charon: 09[ENC]
generating TRANSACTION request 4279728683 [ HASH CPRQ(X_USER X_PWD) ]
2017-07-14T18:23:16.365068+00:00 transit-pvd-tunnel-2 charon: 09[NET]
sending packet: from 100.127.1.32[4500] to 108.5.52.66[4500] (92 bytes)
2017-07-14T18:23:19.628584+00:00 transit-pvd-tunnel-2 charon: 06[NET]
received packet: from 108.5.52.66[4500] to 100.127.1.32[4500] (108 bytes)
2017-07-14T18:23:19.628787+00:00 transit-pvd-tunnel-2 charon: 06[ENC]
parsed TRANSACTION response 4279728683 [ HASH CPRP(X_USER X_PWD) ]
2017-07-14T18:23:19.681129+00:00 transit-pvd-tunnel-2 charon: 06[IKE] XAuth
pam_authenticate for 'losapio' failed: Authentication failure
2017-07-14T18:23:19.681588+00:00 transit-pvd-tunnel-2 charon: 06[IKE] XAuth
authentication of 'losapio' failed
2017-07-14T18:23:19.681745+00:00 transit-pvd-tunnel-2 charon: 06[ENC]
generating TRANSACTION request 3399372098 [ HASH CPS(X_STATUS) ]
2017-07-14T18:23:19.681895+00:00 transit-pvd-tunnel-2 charon: 06[NET]
sending packet: from 100.127.1.32[4500] to 108.5.52.66[4500] (92 bytes)
2017-07-14T18:23:19.695956+00:00 transit-pvd-tunnel-2 charon: 08[NET]
received packet: from 108.5.52.66[4500] to 100.127.1.32[4500] (92 bytes)
2017-07-14T18:23:19.696118+00:00 transit-pvd-tunnel-2 charon: 08[ENC]
parsed TRANSACTION response 3399372098 [ HASH CPA(X_STATUS) ]
2017-07-14T18:23:19.696322+00:00 transit-pvd-tunnel-2 charon: 08[IKE]
destroying IKE_SA after failed XAuth authentication


I followed the directions here (slightly modified)
https://wiki.strongswan.org/projects/strongswan/wiki/XAuthPAM

/etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids=no

# IKEv1 road-warrior conn: PSK in the first authentication round on both
# sides, then a second round for the client via XAuth against PAM
conn con1
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        rekey=yes
        installpolicy=yes
        #type=tunnel
        auto=add
        left=%any
        # ID the gateway presents to clients
        leftid=34.228.107.145
        leftauth=psk
        rightauth=psk
        rightauth2=xauth-pam
        right=%any
        # offer the client the whole address space through the tunnel
        leftsubnet=0.0.0.0/0


Any help would be appreciated!

--Mike
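The log excerpts above carry three different identities that are easy to conflate: the IKEv1 ID the client sent during Main Mode (192.168.0.149, shown in brackets on the "looking for XAuthInitPSK peer configs matching" line), the user name supplied in the XAuth exchange ('losapio'), and the user name the PAM session modules were handed (also 192.168.0.149 in /var/log/secure). The following is an added example, not code from the post or from the strongSwan project: a small parser that pulls those three identities out of charon/PAM log lines so the mismatch can be seen at a glance instead of by reading the raw log. The regular expressions are written against the line shapes quoted in the post only; the "successful" wording for a passing XAuth round, the `pam_service` name and the sample lines (constructed from the post, with the mail wrapping removed) are assumptions.

```python
"""Pull the three identities out of a strongSwan XAuth-PAM log.

Added example; not code from the original post or from the strongSwan
project. It scans charon lines of the shapes quoted in the post and
collects the IKEv1 ID the client sent in Main Mode, the user name the
client supplied in the XAuth exchange, and the user name the PAM session
modules (pam_unix, pam_console, ...) were handed. The regular expressions
are written against the post's lines only and are an assumption for any
other strongSwan version.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines from the post, joined into one
# stream as a log aggregator would see them (mail wrapping removed).
SAMPLE_LOG = """\
2017-07-14T18:23:16.364269+00:00 transit-pvd-tunnel-2 charon: 09[CFG] looking for XAuthInitPSK peer configs matching 100.127.1.32...108.5.52.66[192.168.0.149]
2017-07-14T18:23:16.364438+00:00 transit-pvd-tunnel-2 charon: 09[CFG] selected peer config "con1"
2017-07-14T18:23:19.681129+00:00 transit-pvd-tunnel-2 charon: 06[IKE] XAuth pam_authenticate for 'losapio' failed: Authentication failure
2017-07-14T18:23:19.681588+00:00 transit-pvd-tunnel-2 charon: 06[IKE] XAuth authentication of 'losapio' failed
2017-07-14T18:13:46.537632+00:00 transit-pvd-tunnel-2 charon: pam_console(ipsec:session): getpwnam failed for 192.168.0.149
2017-07-14T18:13:46.537793+00:00 transit-pvd-tunnel-2 charon: pam_unix(ipsec:session): session closed for user 192.168.0.149
"""

# IKEv1 peer lookup: "... matching <local>...<remote>[<peer ID>]"
PEER_RE = re.compile(r"peer configs matching (\S+?)\.\.\.([^\s\[]+)\[([^\]]+)\]")
# XAuth outcome as charon logs it; only "failed" appears in the post, the
# "successful" alternative is assumed.
XAUTH_RE = re.compile(r"XAuth authentication of '([^']+)' (successful|failed)")
# PAM session modules report the user name the service handed them.
PAM_RE = re.compile(
    r"pam_\w+\((\w+):session\): "
    r"(?:getpwnam failed for|session (?:opened|closed) for user) (\S+)"
)


@dataclass
class IdentityReport:
    ike_ids: set[str] = field(default_factory=set)       # IKE IDs seen
    xauth_users: set[str] = field(default_factory=set)   # XAuth user names
    xauth_failed: set[str] = field(default_factory=set)  # ...that failed
    pam_session_users: set[str] = field(default_factory=set)


def parse_log(text: str, pam_service: str = "ipsec") -> IdentityReport:
    """Collect identities from charon/PAM lines; other lines are ignored."""
    report = IdentityReport()
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            report.ike_ids.add(m.group(3))
        elif m := XAUTH_RE.search(line):
            report.xauth_users.add(m.group(1))
            if m.group(2) == "failed":
                report.xauth_failed.add(m.group(1))
        elif m := PAM_RE.search(line):
            if m.group(1) == pam_service:   # pam_service name is assumed
                report.pam_session_users.add(m.group(2))
    return report


def pam_users_not_authenticated(report: IdentityReport) -> set[str]:
    """PAM session users that never appeared as an XAuth user name."""
    return report.pam_session_users - report.xauth_users


def pam_users_that_are_ike_ids(report: IdentityReport) -> set[str]:
    """PAM session users that are really the client's IKE ID (the symptom)."""
    return report.pam_session_users & report.ike_ids


if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    print("IKE IDs:          ", sorted(r.ike_ids))
    print("XAuth users:      ", sorted(r.xauth_users), "failed:", sorted(r.xauth_failed))
    print("PAM session users:", sorted(r.pam_session_users))
    print("PAM users that are IKE IDs:", sorted(pam_users_that_are_ike_ids(r)))
```

Run against the post's lines it separates the two things the log reports: the XAuth round itself failed for 'losapio' (pam_authenticate, an auth-stack problem for that user), and the PAM session lines name the client's IKE ID rather than the XAuth user. Feeding it a full /var/log/messages plus /var/log/secure run lets you check whether every PAM session user is also an XAuth user, which is the property the poster expected.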