RE: [Users] Cisco VPN 3000 and freeS/WAN

From: Joe Patterson (jpatterson_at_asgardgroup.com)
Date: Wed Sep 11 2002 - 21:16:31 CEST


It actually is a standard extension, known as xauth.

Well, perhaps that would be pushing the definition of "standard" a bit
much...

it seems to be documented (at least some) in
http://www.ietf.org/proceedings/99nov/I-D/draft-ietf-ipsec-isakmp-xauth-05.txt

However, it seems that no one in the freeswan world is particularly
interested in implementing this extension, even though a lot of other ipsec
stacks have the capability of using it (i.e., all Cisco gear, and a few
others that I've used). Personally, I don't blame them, as I think it would
be a real pain in the butt to squeegee in, not so much from the point of
view of implementing the isakmp part of it, but from the point of view of
figuring out the logistics of getting the correct authentication credentials
from the user (the whole difference here being that ipsec as originally
designed was meant to authenticate and secure communications between
computers, whereas xauth leans more toward the idea of authenticating and
securing communications of a user. A subtle distinction, but very
important.)

-Joe

> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Ken Bantoft
> Sent: Wednesday, September 11, 2002 10:45 AM
> To: Axel Anders Kvale
> Cc: users_at_lists.freeswan.org
> Subject: Re: [Users] Cisco VPN 3000 and freeS/WAN
>
>
> On Wed, 11 Sep 2002, Axel Anders Kvale wrote:
>
> > The Cisco I'm trying to connect to uses shared secrets and user
> > authentication via Radius. Is it possible to connect to this Cisco using
> > freeS/WAN?
>
> I don't know how they implement the user auth, since this would be a
> non-standard extension of IKE or IPSec. FreeS/WAN doesn't support this,
> since there is no public information on how the user auth portion is done.
>
> > When I connect to the cisco, I get this result:
> >
> > 104 "road" #6: STATE_MAIN_I1: initiate
> > 003 "road" #6: ignoring Vendor ID payload
> > 106 "road" #6: STATE_MAIN_I2: sent MI2, expecting MR2
> > 003 "road" #6: ignoring Vendor ID payload
> > 003 "road" #6: ignoring Vendor ID payload
> > 003 "road" #6: ignoring Vendor ID payload
> > 003 "road" #6: ignoring Vendor ID payload
> > 108 "road" #6: STATE_MAIN_I3: sent MI3, expecting MR3
> > 003 "road" #6: ignoring Vendor ID payload
> > 004 "road" #6: STATE_MAIN_I4: ISAKMP SA established
> > 112 "road" #7: STATE_QUICK_I1: initiate
> > 010 "road" #7: STATE_QUICK_I1: retransmission; will wait 20s for response
> > 010 "road" #7: STATE_QUICK_I1: retransmission; will wait 40s for response
> > 031 "road" #7: max number of retransmissions (2) reached STATE_QUICK_I1.
> > No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> >
> > Does "STATE_MAIN_I4: ISAKMP SA established" mean that I'm connected, but
> > not authenticated by Radius?
>
> It would appear so - you passed Phase 1 negotiation okay, but then died.
> Unless you can convince Cisco to release the specs on how the
> username/password are passed between client and server, this is probably
> as far as you'll get...
>
> Ken
>
> --
> Ken Bantoft, ken_at_freeswan.ca
> The Unofficial FreeS/WAN Site: http://www.freeswan.ca
> PGP Key: finger ken_at_bantoft.org
> "We can factor the number 15 with quantum computers. We
> can also factor the number 15 with a dog trained to bark
> three times." -- Robert Harley, 5/12/01, Sci.crypt

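A small parser for the pluto status lines quoted in the thread, added here as an example (it is not FreeS/WAN code and not something either poster wrote). It reads the phase markers and reports whether a negotiation stalled after the ISAKMP SA, which is the pattern Ken describes. The "IPsec SA established" string is assumed from pluto's Quick Mode completion message and does not appear in the thread; the sample log is abridged from Axel's output.

```python
import re

# Constructed sample: Axel's pluto output from the thread, abridged and with
# the mailing-list line wrapping undone. The three-digit prefix is pluto's
# message code; "road" is the connection name; #N is the state number.
SAMPLE_LOG = """\
104 "road" #6: STATE_MAIN_I1: initiate
003 "road" #6: ignoring Vendor ID payload
106 "road" #6: STATE_MAIN_I2: sent MI2, expecting MR2
003 "road" #6: ignoring Vendor ID payload
108 "road" #6: STATE_MAIN_I3: sent MI3, expecting MR3
004 "road" #6: STATE_MAIN_I4: ISAKMP SA established
112 "road" #7: STATE_QUICK_I1: initiate
010 "road" #7: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "road" #7: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "road" #7: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def parse(text):
    """Yield (code, conn, state_number, message) for each well-formed pluto line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("code"), m.group("conn"), int(m.group("sa")), m.group("msg")


def diagnose(text):
    """Classify, per connection name, how far the IKE negotiation got."""
    result = {}
    for _code, conn, _sa, msg in parse(text):
        r = result.setdefault(conn, {"phase1": False, "phase2": False,
                                     "vendor_ids_ignored": 0, "verdict": "no progress"})
        if "ignoring Vendor ID payload" in msg:
            # The peer advertises extensions (e.g. XAUTH) pluto does not speak.
            r["vendor_ids_ignored"] += 1
        if "ISAKMP SA established" in msg:
            r["phase1"] = True
            r["verdict"] = "phase 1 (ISAKMP SA) up, phase 2 pending"
        if "IPsec SA established" in msg:  # assumed pluto wording, not in the thread
            r["phase2"] = True
            r["verdict"] = "tunnel up (phase 1 and phase 2)"
        if "max number of retransmissions" in msg and "STATE_QUICK" in msg:
            r["verdict"] = ("phase 1 up but Quick Mode got no reply: the peer likely "
                            "expects a step FreeS/WAN does not offer (such as XAUTH) "
                            "or rejects the proposal")
    return result
```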
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Sun Sep 15 2002 - 05:20:05 CEST