• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 922
  • Last Modified:

XAUTH/MD5 fails

Hey,

I’m trying to set up VPN between openswan (on Gentoo) and iPhone. I’m using identity certificates and XAUTH (if only because there appear to be no way to turn OFF XAUTH on the iphone).

After MUCH head-beating…I’ve gotten it to the point where the SA is formed and the iPhone passes the CORRECT XAUTH username and password (verified within ipsec.log) to ipsec in the ISAKMP_CFG_REPLY message.

The log also shows that the /etc/ipsec.d/passwd file is being opened.

HOWEVER, then the user/pass combination fails.

I used htpasswd –c –m /etc/ipsec.d/passwd <username> to create the file and encrypted password.

How can I trace what’s happening?

From ipsec.log
The lengths of XAUTH-USER and XAUTH-USER-PASSWORD are both correct. The decrypted HEX code from the packet payload shows that the correct user/pass is being sent by the iPhone

.
.
.
| ***parse ISAKMP Mode Attribute:
|    next payload type: ISAKMP_NEXT_NONE
|    length: 34
|    Attr Msg Type: ISAKMP_CFG_REPLY
|    Identifier: 0
| removing 6 bytes of padding
| XAUTH: HASH computed:
|   4e 66 27 7c  c3 05 8a 14  cb 5c d0 e1  76 00 45 d2
|   db 60 90 ed
| ****parse ISAKMP ModeCfg attribute:
|    ModeCfg attr type: XAUTH-USER-NAME
|    length/value: 8
| ****parse ISAKMP ModeCfg attribute:
|    ModeCfg attr type: XAUTH-USER-PASSWORD
|    length/value: 10
"just-ipsec"[22] 89.166.136.241 #13: XAUTH: User mrightmi: Attempting to login
"just-ipsec"[22] 89.166.136.241 #13: XAUTH: md5 authentication being called to authenticate user mrightmi
"just-ipsec"[22] 89.166.136.241 #13: XAUTH: password file (/etc/ipsec.d/passwd) open.
"just-ipsec"[22] 89.166.136.241 #13: XAUTH: User mrightmi: Authentication Failed: Incorrect Username or Password
| **emit ISAKMP Message:
|    initiator cookie:
.
.
.

Open in new window

0
Mike R.
Asked:
Mike R.
1 Solution
 
Mike R.Author Commented:
The problem was the /etc/pam.d/pluto file was corrupt. I recopied the /etc/pam.d/pop file to /etc/pam.d/pluto and life is good.

Hopefully this will help someone else who's gotten stumped by the same issue :-)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now