[strongSwan] Strongswan client support for the XAUTH_PASSCODE attribute

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Apr 1 19:35:54 CEST 2020 

Hi,

AFAIR it doesn't/can't. I'm not sure though. You'd have to check.

Kind regards

Noel

Am 01.04.20 um 19:26 schrieb mnlists at frimail.net:
> Hi,
> 
> But the NetworkManager plugin could prompt for a passcode couldn't it?
> 
> Best regards,
> 
> /Mikael
> 
> On 2020-04-01 19:19, Noel Kuntze wrote:
>> Hi,
>>
>> Yw.
>>
>> There's also no support for dynamic prompting for EAP credentials.
>> I envisioned to implement that using VICI some time later. It'd be the natural choice.
>> Switching to IKEv2 won't solve the problem for you right now.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 01.04.20 um 19:10 schrieb Mikael Nordstrom:
>>> OK,
>>>
>>> Thanks anyway for the quick reply.
>>>
>>> The Juniper has IKEv2 support and the RSA SecurID box has a built-in radius server
>>> so maybe that is the way to go with this.
>>>
>>> Thanks again,
>>>
>>> /Mikael
>>>
>>> On 2020-04-01 18:30, Noel Kuntze wrote:
>>>> Hi,
>>>>
>>>> There's just no frontend to ask dynamically for such credentials yet. You'd need to implement that, then you can dynamically prompt for the passcode (after hooking up X_CODE the same way as X_USER is). Other than that, there are no provisions for X_CODE or anything else. The code base wouldn't be extended particularly for X_CODE because IKEv1 is deprecated.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> Am 01.04.20 um 18:22 schrieb MN Lists:
>>>>> Hi,
>>>>>
>>>>> This is my first message to the list so sorry in advance if the answer is obvious or well-known.
>>>>> Also, sorry if my terminology is messed up, hopefully you will understand my issue.
>>>>>
>>>>> I have a Juniper ScreenOS gateway that does IKEv1 VPNs with RSA and then XAuth authentication
>>>>> towards an RSA SecurID box. SecurID is an MFA implementation with hardware tokens that display
>>>>> a new 6-digit number every 60 seconds.
>>>>>
>>>>> Clients can connect to it from Mac OS X with a client called NCP Secure Entry and from Windows
>>>>> with the Shrewsoft client. In the past vpnc on Linux was working but as it has not been developed
>>>>> since a long time and doesn't support newer algorithms, I'm looking for an alternative and
>>>>> Strongswan looks promising.
>>>>>
>>>>> So far I have been able to get IKE phase1 up but it fails on XAuth. It looks as if the gateway
>>>>> is sending a request for X_USER and X_CODE but charon is responding with just X_USER. Here is
>>>>> a log excerpt:
>>>>>
>>>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] authentication of 'gw.example.com' with RSA_EMSA_PKCS1_NULL successful
>>>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] activating new tasks
>>>>> apr 01 17:48:08 phoenix charon-debug[21177]: 02[IKE] nothing to initiate
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[NET] received packet: from 212.112.174.86[4500] to 172.20.33.34[4500] (92 bytes)
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050 => 16 bytes @ 0x7f0304001ed0
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]    0: 51 2C 54 DC D7 31 2D 5F 5D 84 00 10 81 42 88 2B  Q,T..1-_]....B.+
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] parsed TRANSACTION request 3123281050 [ HASH CPRQ(X_TYPE X_USER X_CODE) ]
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @ 0x7f03040026b0
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]    0: 87 1C CA 53 F3 1A 81 40 E3 68 E8 78 EA 1C CF CE  ...S... at .h.x....
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]   16: B3 53 17 C6 8C 1B E7 F3 CA DD 50 DC F7 60 97 DD  .S........P..`..
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] next IV for MID 3123281050 => 16 bytes @ 0x7f02f8005600
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]    0: 33 C2 3E 9C 64 14 4C 87 85 C2 1B 26 45 84 2D FF  3.>.d.L....&E.-.
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE] Hash => 32 bytes @ 0x7f0304001ed0
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]    0: CB A7 62 8F 3F E0 98 7B 92 75 7F AE 70 B6 E4 0C  ..b.?..{.u..p...
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[IKE]   16: 9E B8 66 14 91 79 63 45 5C 9E B1 EF FD B3 5F B9  ..f..ycE\....._.
>>>>> apr 01 17:48:11 phoenix charon-debug[21177]: 07[ENC] generating TRANSACTION response 3123281050 [ HASH CPRP(X_USER) ]
>>>>>
>>>>> Relevant swanctl authentication and secret sections are:
>>>>>
>>>>> connections {
>>>>>     conn1 {
>>>>>         local-2 {
>>>>>             auth = xauth-generic
>>>>>             xauth_id = xauthuser
>>>>>         }
>>>>>     }
>>>>> }
>>>>>
>>>>> secrets {
>>>>>         xauth-1 {
>>>>>                 id-1 = xauthuser
>>>>>                 secret = 1234556677
>>>>>         }
>>>>>
>>>>> Is this a well known deficiency in strongswan or is there some configuration that can make
>>>>> this work?
>>>>>
>>>>> I'm happy to supply any further information that could help resolve this.
>>>>>
>>>>> Many thanks,
>>>>> /Mikael
>>>>>
>>>>
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200401/2dadcc2c/attachment.sig>

More information about the Users mailing list