Issue #683
XAUTH fails
Description
Hi,
I recently upgraded from Ubuntu 12.04 (strongSwan 4.5.2) to 14.04 (strongSwan 5.1.2).
Now the VPN connection (xauthpsk) can't be established anymore.
The remote gateway (D-Link firewall/router) claims the XAUTH-authentication failed.
With version 4.5.2 (still have another machine running Ubuntu 12.04) everything is fine.
Even tried Openswan (which is still using pluto): it also connects properly.
The config files were only adjusted to meet the requirements of the new version (pfs, authby => leftauth/leftauth2), the PSK/XAUTH-credentials remained unchanged.
Seems to be an issue with charon.
See attached configs and log.
I can also provide you with log files of pluto (which is working).
Thanks in advance!
History
#1 Updated by Tobias Brunner about 11 years ago
- Status changed from New to Feedback
- Assignee set to Tobias Brunner
I guess the XAUTH secret you posted is not the one you actually use. The two daemons use different parsers, so maybe charon parses it incorrectly. Could you send me the actual config files you use?
> rightsubnet=y.y.y.y/27,z.z.z.z
This will not work with IKEv1, you have to define separate conn sections for each traffic selector.
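The split described in the comment above, as an added example that is not part of the original thread or the reporter's actual configuration. The conn names, the `xauth_identity` value and the layout of the shared section are assumptions; the subnets and peer address are the placeholders used on this page.

```conf
# Constructed ipsec.conf sketch for strongSwan 5.x (conn names are hypothetical).

# Shared settings for the IKEv1 PSK + XAuth peer. No auto= here, so this
# section is only a template inherited through also=.
conn dlink-base
    keyexchange=ikev1
    right=X.X.X.X                # peer address, redacted as in the thread
    leftauth=psk                 # first round: pre-shared key
    leftauth2=xauth              # second round: XAuth (replaces authby=xauthpsk)
    rightauth=psk
    xauth_identity=vpnuser       # placeholder XAuth username

# Not usable with IKEv1: two traffic selectors in one conn section.
#   rightsubnet=y.y.y.y/27,z.z.z.z

# One conn section per remote traffic selector instead.
conn dlink-net1
    also=dlink-base
    rightsubnet=y.y.y.y/27
    auto=add

conn dlink-net2
    also=dlink-base
    rightsubnet=z.z.z.z
    auto=add
```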
#2 Updated by Tobias Brunner about 11 years ago
Thanks for the config files. As far as I can tell they should get parsed fine. So that's probably not the problem. Do you have any logs from the other peer?
#3 Updated by Enrico Hillmann about 11 years ago
- File ipsec_error_log.pdf added
> Do you have any logs from the other peer?
See the attached file. I doubt it will help much, but that's all I can get.
I changed the peer's IP-address to "X.X.X.X".
#4 Updated by Enrico Hillmann about 11 years ago
- File ipsec_success_log.pdf added
For completeness, I have attached another log excerpt.
This shows what happens when the connection is successful (via 4.5.2).
Last log message on top, first on bottom.
#5 Updated by Tobias Brunner about 11 years ago
I don't know what could cause this. Username and password are sent as plaintext binary blobs to the other peer, so if they are configured exactly the same in both setups there should be no reason for the authentication to fail.
#6 Updated by Enrico Hillmann about 11 years ago
For testing purposes I have disabled XAuth authentication on the gateway.
Then, strongSwan established the connection successfully.
But I'd rather have XAuth enabled...
#7 Updated by Tobias Brunner about 10 years ago
- Category set to interoperability
- Status changed from Feedback to Closed
- Resolution set to No feedback
Closing some old tickets. Please open a new ticket if the issue persists.