Issue #360

no XAuth method found

Added by adam tiffany about 12 years ago. Updated about 12 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.0.4
Resolution:

Description

I don't exactly know if this is my final issue. I feel like I've been chasing issues for the last week. I'm running Ubuntu 12.04 and strongSwan 5.0.4. For whatever reason I couldn't get PSK or XAUTHPSK to connect. But that's in the past. Most recently I couldn't get ipsec pki to create certificates appropriately. I believe I've solved that with OpenSSL. Anyway, assuming I have all the packages and configurations needed, here's what I have. Any advice would be hugely appreciated.

/etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
    plutostart=yes
    nat_traversal=yes

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=server.pem
    right=%any
    rightsubnet=192.168.0.0/24
    rightsourceip=192.168.0.14
    rightcert=client.pem
    pfs=no
    auto=add

/etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file

192.168.0.14 : RSA server.key
ctuser : XAUTH "********" 

/etc/strongswan.conf

# strongswan.conf - strongSwan configuration file

charon {
    load = x509 pem pkcs1 aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
    dns1 = 192.168.0.1
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            append = no
            default = 1
            flush_line = yes
        }
    }
}

libstrongswan {
    dh_exponent_ansi_x9_42 = no
    integrity_test = no
    crypto_test {
        on_add = yes
    }
    x509 {
        enforce_critical = no
    }
}

/var/log/charon.log

Jul 16 16:42:45 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.2.0-29-generic-pae, i686)
Jul 16 16:42:45 00[LIB] enabled  AES_CBC[aes]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  AES_CBC[aes]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  AES_CBC[aes]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  3DES_CBC[des]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  DES_CBC[des]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  DES_ECB[des]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HASH_SHA1[sha1]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  PRF_KEYED_SHA1[sha1]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HASH_SHA224[sha2]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HASH_SHA256[sha2]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HASH_SHA384[sha2]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HASH_SHA512[sha2]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HASH_MD5[md5]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  RNG_STRONG[random]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  RNG_TRUE[random]: skipping test (disabled by config)
Jul 16 16:42:45 00[LIB] enabled  PRF_HMAC_SHA1[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  PRF_HMAC_MD5[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  PRF_HMAC_SHA2_256[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  PRF_HMAC_SHA2_384[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  PRF_HMAC_SHA2_512[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_SHA1_96[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_SHA1_128[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_SHA1_160[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_MD5_96[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_MD5_128[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_SHA2_256_128[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_SHA2_256_256[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_SHA2_384_192[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_SHA2_384_384[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled  HMAC_SHA2_512_256[hmac]: no test vectors found
Jul 16 16:42:45 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 16 16:42:45 00[LIB]   mapping '/etc/ipsec.d/cacerts/caCert.pem' failed: Invalid argument
Jul 16 16:42:45 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
Jul 16 16:42:45 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
Jul 16 16:42:45 00[CFG]   loaded ca certificate "C=US, ST=Ohio, L=Cincinnati, O=Columbitech, OU=test, CN=strongswan" from '/etc/ipsec.d/cacerts/ca.pem'
Jul 16 16:42:45 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 16 16:42:45 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 16 16:42:45 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 16 16:42:45 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 16 16:42:45 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 16 16:42:45 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
Jul 16 16:42:45 00[CFG]   loaded EAP secret for user
Jul 16 16:42:45 00[DMN] loaded plugins: charon x509 pem pkcs1 aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
Jul 16 16:42:45 00[JOB] spawning 16 worker threads
Jul 16 16:42:45 13[CFG] received stroke: add connection 'ios'
Jul 16 16:42:45 13[CFG] left nor right host is our side, assuming left=local
Jul 16 16:42:45 13[CFG] adding virtual IP address pool 192.168.0.14
Jul 16 16:42:45 13[CFG]   loaded certificate "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com" from 'server.pem'
Jul 16 16:42:45 13[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'
Jul 16 16:42:45 13[CFG]   loaded certificate "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com" from 'client.pem'
Jul 16 16:42:45 13[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'
Jul 16 16:42:45 13[CFG] added configuration 'ios'
Jul 16 16:42:55 15[NET] received packet: from 71.72.220.100[500] to 192.168.0.14[500] (668 bytes)
Jul 16 16:42:55 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Jul 16 16:42:55 15[IKE] received NAT-T (RFC 3947) vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 16 16:42:55 15[IKE] received XAuth vendor ID
Jul 16 16:42:55 15[IKE] received Cisco Unity vendor ID
Jul 16 16:42:55 15[IKE] received FRAGMENTATION vendor ID
Jul 16 16:42:55 15[IKE] received DPD vendor ID
Jul 16 16:42:55 15[IKE] 71.72.220.100 is initiating a Main Mode IKE_SA
Jul 16 16:42:55 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 16 16:42:55 15[NET] sending packet: from 192.168.0.14[500] to 71.72.220.100[500] (136 bytes)
Jul 16 16:42:55 05[NET] received packet: from 71.72.220.100[500] to 192.168.0.14[500] (292 bytes)
Jul 16 16:42:55 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 16 16:42:55 05[IKE] local host is behind NAT, sending keep alives
Jul 16 16:42:55 05[IKE] remote host is behind NAT
Jul 16 16:42:55 05[IKE] sending cert request for "C=US, ST=Ohio, L=Cincinnati, O=Columbitech, OU=test, CN=strongswan" 
Jul 16 16:42:55 05[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 16 16:42:55 05[NET] sending packet: from 192.168.0.14[500] to 71.72.220.100[500] (422 bytes)
Jul 16 16:42:56 16[NET] received packet: from 71.72.220.100[4500] to 192.168.0.14[4500] (796 bytes)
Jul 16 16:42:56 16[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Jul 16 16:42:56 16[IKE] ignoring certificate request without data
Jul 16 16:42:56 16[IKE] received end entity cert "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com" 
Jul 16 16:42:56 16[CFG] looking for XAuthInitRSA peer configs matching 192.168.0.14...71.72.220.100[test]
Jul 16 16:42:56 16[IKE] no peer config found
Jul 16 16:42:56 16[ENC] generating INFORMATIONAL_V1 request 3901007406 [ HASH N(AUTH_FAILED) ]
Jul 16 16:42:56 16[NET] sending packet: from 192.168.0.14[4500] to 71.72.220.100[4500] (92 bytes)
Jul 17 00:17:05 15[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (968 bytes)
Jul 17 00:17:05 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Jul 17 00:17:05 15[ENC] received unknown vendor ID: 2c:18:29:2c:67:5f:bf:1c:9c:ad:0e:9f:ea:7c:05:10
Jul 17 00:17:05 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 17 00:17:05 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 17 00:17:05 15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 17 00:17:05 15[IKE] received NAT-T (RFC 3947) vendor ID
Jul 17 00:17:05 15[IKE] received XAuth vendor ID
Jul 17 00:17:05 15[IKE] received DPD vendor ID
Jul 17 00:17:05 15[IKE] 175.223.52.165 is initiating a Main Mode IKE_SA
Jul 17 00:17:05 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 17 00:17:05 15[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (148 bytes)
Jul 17 00:17:05 05[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (228 bytes)
Jul 17 00:17:05 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 17 00:17:05 05[IKE] local host is behind NAT, sending keep alives
Jul 17 00:17:05 05[IKE] remote host is behind NAT
Jul 17 00:17:05 05[IKE] no shared key found for 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'[192.168.0.14] - 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'[175.223.52.165]
Jul 17 00:17:05 05[IKE] no shared key found for 192.168.0.14 - 175.223.52.165
Jul 17 00:17:05 05[ENC] generating INFORMATIONAL_V1 request 3167107593 [ N(INVAL_KE) ]
Jul 17 00:17:05 05[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (56 bytes)
Jul 17 00:17:15 16[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (968 bytes)
Jul 17 00:17:15 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Jul 17 00:17:15 16[ENC] received unknown vendor ID: 2c:18:29:2c:67:5f:bf:1c:9c:ad:0e:9f:ea:7c:05:10
Jul 17 00:17:15 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 17 00:17:15 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 17 00:17:15 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 17 00:17:15 16[IKE] received NAT-T (RFC 3947) vendor ID
Jul 17 00:17:15 16[IKE] received XAuth vendor ID
Jul 17 00:17:15 16[IKE] received DPD vendor ID
Jul 17 00:17:15 16[IKE] 175.223.52.165 is initiating a Main Mode IKE_SA
Jul 17 00:17:15 16[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 17 00:17:15 16[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (148 bytes)
Jul 17 00:17:15 04[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (968 bytes)
Jul 17 00:17:15 04[IKE] received retransmit of request with ID 0, retransmitting response
Jul 17 00:17:15 04[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (148 bytes)
Jul 17 00:17:15 03[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (228 bytes)
Jul 17 00:17:15 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 17 00:17:15 03[IKE] local host is behind NAT, sending keep alives
Jul 17 00:17:15 03[IKE] remote host is behind NAT
Jul 17 00:17:15 03[IKE] no shared key found for 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'[192.168.0.14] - 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'[175.223.52.165]
Jul 17 00:17:15 03[IKE] no shared key found for 192.168.0.14 - 175.223.52.165
Jul 17 00:17:15 03[ENC] generating INFORMATIONAL_V1 request 162754795 [ N(INVAL_KE) ]
Jul 17 00:17:15 03[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (56 bytes)
Jul 17 08:49:40 15[NET] received packet: from 71.72.220.100[500] to 192.168.0.14[500] (476 bytes)
Jul 17 08:49:40 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jul 17 08:49:40 15[IKE] received NAT-T (RFC 3947) vendor ID
Jul 17 08:49:40 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 17 08:49:40 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 17 08:49:40 15[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jul 17 08:49:40 15[IKE] received XAuth vendor ID
Jul 17 08:49:40 15[IKE] received Cisco Unity vendor ID
Jul 17 08:49:40 15[IKE] received FRAGMENTATION vendor ID
Jul 17 08:49:40 15[IKE] received DPD vendor ID
Jul 17 08:49:40 15[IKE] 71.72.220.100 is initiating a Main Mode IKE_SA
Jul 17 08:49:40 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 17 08:49:40 15[NET] sending packet: from 192.168.0.14[500] to 71.72.220.100[500] (136 bytes)
Jul 17 08:49:40 05[NET] received packet: from 71.72.220.100[500] to 192.168.0.14[500] (228 bytes)
Jul 17 08:49:40 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 17 08:49:40 05[IKE] local host is behind NAT, sending keep alives
Jul 17 08:49:40 05[IKE] remote host is behind NAT
Jul 17 08:49:40 05[IKE] sending cert request for "C=US, ST=Ohio, L=Cincinnati, O=Columbitech, OU=test, CN=strongswan" 
Jul 17 08:49:40 05[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 17 08:49:40 05[NET] sending packet: from 192.168.0.14[500] to 71.72.220.100[500] (358 bytes)
Jul 17 08:49:40 16[NET] received packet: from 71.72.220.100[4500] to 192.168.0.14[4500] (876 bytes)
Jul 17 08:49:40 16[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
Jul 17 08:49:40 16[IKE] ignoring certificate request without data
Jul 17 08:49:40 16[IKE] received end entity cert "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com" 
Jul 17 08:49:40 16[CFG] looking for XAuthInitRSA peer configs matching 192.168.0.14...71.72.220.100[C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com]
Jul 17 08:49:40 16[CFG] selected peer config "ios" 
Jul 17 08:49:40 16[CFG]   using trusted ca certificate "C=US, ST=Ohio, L=Cincinnati, O=Columbitech, OU=test, CN=strongswan" 
Jul 17 08:49:40 16[CFG]   reached self-signed root ca with a path length of 0
Jul 17 08:49:40 16[CFG]   using trusted certificate "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com" 
Jul 17 08:49:40 16[IKE] authentication of 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com' with RSA successful
Jul 17 08:49:40 16[IKE] authentication of 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com' (myself) successful
Jul 17 08:49:40 16[IKE] sending end entity cert "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com" 
Jul 17 08:49:40 16[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Jul 17 08:49:40 16[NET] sending packet: from 192.168.0.14[4500] to 71.72.220.100[4500] (860 bytes)
Jul 17 08:49:40 16[CFG] no XAuth method found

History

#1 Updated by Tobias Brunner about 12 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

loaded plugins: charon x509 pem pkcs1 aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
...
no XAuth method found

You'll have to enable one of the XAuth backends (these are the plugins whose names start with xauth). To use XAUTH secrets defined in ipsec.secrets this would be the xauth-generic plugin, which is enabled by default, but in your case not loaded. So make sure you include xauth-generic in charon.load in strongswan.conf.
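To catch this mismatch before a client ever connects (an added example, not code from the issue or from strongSwan): the script below parses charon's "loaded plugins:" log line and the conn sections of ipsec.conf, reports connections that use an XAuth authby while no xauth-* backend plugin is loaded, and shows how the charon.load line looks with xauth-generic appended as the reply recommends. The sample log line and conn block are constructed from the ones quoted in this issue.

```python
# Added check for this issue's failure: XAuth requested in ipsec.conf while
# no xauth-* backend appears in charon's 'loaded plugins:' line.
import re

# Constructed sample input, copied from the log and config quoted in the issue.
CHARON_LOG = (
    "Jul 16 16:42:45 00[DMN] loaded plugins: charon x509 pem pkcs1 aes des sha1 "
    "sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown\n"
    "Jul 17 08:49:40 16[CFG] no XAuth method found\n"
)
IPSEC_CONF = "conn ios\n    keyexchange=ikev1\n    authby=xauthrsasig\n    xauth=server\n"

def loaded_plugins(log_text):
    """Plugin names from the last 'loaded plugins:' line, i.e. what charon.load produced."""
    names = set()
    for line in log_text.splitlines():
        m = re.search(r"loaded plugins:\s*(.*)$", line)
        if m:
            names = set(m.group(1).split())
    return names

def conns_requiring_xauth(conf_text):
    """Names of conn sections whose authby is an XAuth variant (xauthpsk, xauthrsasig)."""
    result, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():  # section header: 'conn <name>' or 'config setup'
            current = line.split(None, 1)[1] if line.startswith("conn ") else None
            continue
        key, _, val = line.strip().partition("=")
        if current and key.strip() == "authby" and val.strip().startswith("xauth"):
            result.append(current)
    return result

def missing_xauth_backend(log_text, conf_text):
    """Conns that need XAuth although no xauth-* plugin was loaded; [] when fine."""
    if any(p.startswith("xauth-") for p in loaded_plugins(log_text)):
        return []
    return conns_requiring_xauth(conf_text)

def fixed_load_line(load_line, backend="xauth-generic"):
    """Append the XAuth backend to a strongswan.conf 'load = ...' line if it is absent."""
    key, _, val = load_line.partition("=")
    plugins = val.split()
    if backend not in plugins:
        plugins.append(backend)
    return f"{key.strip()} = {' '.join(plugins)}"
```

Run against the real /var/log/charon.log and /etc/ipsec.conf, a non-empty result from missing_xauth_backend reproduces exactly the situation diagnosed above.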

#2 Updated by adam tiffany about 12 years ago

Brilliant. I had read that somewhere, but thought it needed to be loaded with ./configure. Many, many thanks.

#3 Updated by Tobias Brunner about 12 years ago

  • Status changed from Feedback to Closed