From: Timo T. <tim...@ik...> - 2008-07-16 08:26:57

Jun Yin wrote:
> I just upgraded my fedora core from 6 to 9, then I can see the version is:
> [root@pc02 env_repository]# rpm -q ipsec-tools
> ipsec-tools-0.7-13.fc9.i386
> Don't know if it's enabled hybrid or not.

You will get an error message that "hybrid mode not enabled" if you have the relevant configuration, but racoon was not compiled with that feature. Thus your racoon is compiled with it.

> I'm using a cisco IOS router that works as vpn gateway right now, and I already
> tried to use openswan against that cisco IOS to verify IOS works ok. Then I
> changed openswan to racoon. racoon always got problems.
>
> From cisco debug, it shows "unknown attribute 16384", but they ignore it.
> I'm thinking if I can force racoon not sending out the gss_id attribute.

The problem is that the specifications say:

#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I 65001
#define OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB 65001

Thus the decision to use gssapi or xauth is done depending on the rest of the configuration. Apparently you are lacking some configuration for the remote to trigger using Xauth. Make sure the right "remote" block is used, and that xauth_login is specified there.

Could you also tell how you trigger the initiation of the connection?

> In racoon's configuration, if I use "authentication_method
> xauth_psk_client", then it always sends out the gss_id attribute, and racoon's
> debug shows:
> 2008-07-11 10:52:31: INFO: received Vendor ID:
> draft-ietf-ipsra-isakmp-xauth-06.txt
> 2008-07-11 10:52:31: ERROR: No SIG was passed, hybrid auth is enabled, but
> peer is no Xauth compliant
> 2008-07-11 10:52:31: ERROR: ignore information because ISAKMP-SA has not been
> established yet.

Since you are initiator and did not announce xauth, the responder does not announce xauth either, but still tries to use it (which is faulty imho).

> I tried to change authentication_method to pre_shared_key, then it does not
> send out the gss_id attribute, but still got problems.
> racoon debug shows:
> 2008-07-11 10:59:58: WARNING: Ignored short attribute INTERNAL_IP4_SUBNET
> 2008-07-11 10:59:58: WARNING: Ignored attribute 17
> 2008-07-11 10:59:58: WARNING: Ignored attribute SUPPORTED_ATTRIBUTES
> 2008-07-11 10:59:58: WARNING: Ignored attribute INTERNAL_IP6_SUBNET

Yes, that disables xauth / mode_cfg and this is expected.

Cheers,
Timo
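The "remote" block Timo asks about, as an added illustration that is not part of this thread or of ipsec-tools' own documentation: a racoon.conf fragment for an Xauth-over-PSK client (the "authentication_method xauth_psk_client" case Jun Yin is using) with xauth_login set inside the matching remote block. The gateway address 192.0.2.1, the group identifier "vpngroup" and the user name "jyin" are placeholders; the cipher choices are illustrative, not taken from Jun Yin's setup.

```conf
# Added example (assumptions: gateway 192.0.2.1, group keyid "vpngroup",
# Xauth user "jyin"). The remote block must match the gateway address that
# racoon actually negotiates with, otherwise xauth_login is never consulted
# and racoon falls back to announcing the attribute as GSSAPI (65001).
remote 192.0.2.1 {
    exchange_mode aggressive;

    # Group name sent as the phase 1 identity; the group PSK is looked up
    # in psk.txt under this keyid.
    my_identifier keyid "vpngroup";
    peers_identifier address 192.0.2.1;

    # Enables ISAKMP mode-config (INTERNAL_IP4_ADDRESS etc.); without it the
    # attributes the gateway pushes are logged as "Ignored attribute".
    mode_cfg on;
    proposal_check obey;
    nat_traversal on;
    ike_frag on;

    # Xauth user name. The matching password is also read from psk.txt,
    # keyed by this login string. This is the setting the reply says must
    # be present in the remote block that is actually selected.
    xauth_login "jyin";

    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        # Xauth with a pre-shared group key, client side.
        authentication_method xauth_psk_client;
        dh_group 2;
    }
}

# Phase 2 settings for the tunnel; mode_cfg supplies the inner address.
sainfo anonymous {
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

A quick way to check that the intended remote block is the one being used is to run racoon in the foreground with debug logging (racoon -F -d) and confirm that the log names the xauth_login user during phase 1; if it does not, the peer address or identifier in the remote block does not match what the gateway presents.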