Hi,

Sorry, my mistake, I was looking at the log from racoon v0.7.1 instead of CVS HEAD.

So XAuth is now correctly identified using the CVS HEAD version.


Some additional notes:

The platform is a Fox832LX CPU, compiled using the cris axis gnu compiler v3.2.1, with a Linux 2.6.19 kernel.

Compile options:
./configure \
--with-kernel-headers=/home/djclarke/acme/linux-2.6.19/include \
--sysconfdir=/etc/racoon \
--localstatedir=/var \
--enable-natt \
--enable-frag \
--enable-hybrid \
--enable-dpd \
--enable-adminport \
--enable-security-context=no \
--with-openssl=/home/djclarke/acme/devboard-R2_10/apps/crypto/openssl/openssl \
--host=cris-axis-linux

Additional source changes due to other bugs found:
src/racoon/isakmp_frag.c:245
     add code to handle frags received in reverse order - otherwise we get the error "packet reassembly failed - missing frag"
     /* DJC check if we have already got the last frag */
     if (last_frag == 0) {
         item = iph1->frag_chain;
         while (item != NULL) {
             if (item->frag_last) {
                 last_frag = item->frag_num;
                 plog(LLV_INFO, LOCATION, NULL,
                      "DJC Frag: already got last frag %d\n", last_frag);
                 break;
             }
             item = item->frag_next;
         }
     }
     /* end DJC fix */

I will post the full list of source changes for this platform once I get the tunnel working - still working on some problems at the Cisco end.


Full log file and config....

//***************** racoon.conf *************
path certificate "/etc/certificates";
path pre_shared_key "/etc/racoon/psk.txt";

listen {
        adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 30 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        #
        # timer for waiting to complete each phase.
        phase1 90 sec;
        phase2 90 sec;
}

remote 203.96.83.225 {
        exchange_mode main;
        lifetime time 24 hour;
        certificate_type x509 "my.cert" "my.private.key";
        verify_cert off;
        verify_identifier off;
        xauth_login "fire_avl_test";
        nat_traversal on;
        ike_frag force;
        script "/etc/racoon/phase1-up-down-linux.sh" phase1_up;
        script "/etc/racoon/phase1-up-down-linux.sh" phase1_down;
        passive off;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method xauth_rsa_client;
                dh_group 2;
        }
}


sainfo address 172.29.159.184/29 any address 10.113.73.137/32 any {
        lifetime time 24 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

Regards
Dave


Timo Teräs wrote:
> David Clarke wrote:
>> I have just tested with ipsec-tools CVS HEAD - XAuth is still not being
>> recognised.
>>
>> In the racoon -d -F log for the 2nd packet received:
>>    2008-07-28 13:59:42: INFO: received Vendor ID: CISCO-UNITY
>>    2008-07-28 13:59:42: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
>>    2008-07-28 13:59:42: DEBUG: received unknown Vendor ID
>>    2008-07-28 13:59:42: DEBUG:
>>    41b3b407 63b17255 e2971265 63f18856
>>    2008-07-28 13:59:42: DEBUG: received unknown Vendor ID
>>    2008-07-28 13:59:42: DEBUG:
>>    1f07f70e aa6514d3 b0fa9654 2a500100
>>
>> and later
>>    2008-07-28 13:59:54: DEBUG: Configuration exchange type mode config REQUEST
>>    2008-07-28 13:59:54: DEBUG: Short attribute XAUTH_TYPE = 0
>>    2008-07-28 13:59:54: ERROR: Xauth mode config request but peer did not declare itself as Xauth capable
>
> That would be strange. You did configure with --enable-hybrid, right?
> Are you using aggressive, main or base mode phase1? Could you attach
> the full log?
>
> - Timo


-- 
Dave Clarke
Director - Technology
Flat Cat IT Ltd           www.flatcatit.co.nz
Tel/Fax: +64-3-542-4530   Mob: 021-886-033   Skype: daveclarke.flatcatit
------------------------------
Need help with operating your sports club ? visit www.opensportz.org !
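Added example, not from this thread or from racoon itself: a constructed C model of the fragment-chain check in the isakmp_frag.c change above. It shows why fragments arriving in reverse order leave the pre-fix logic reporting "missing frag", and how scanning the chain for the fragment carrying the LAST flag (the DJC fix at isakmp_frag.c:245) lets reassembly proceed. The struct and field names, `find_last_frag` and the `simulate` harness are assumptions for illustration.

```c
#include <stdlib.h>
/* Constructed model of racoon's per-phase-1 fragment chain; struct and field
 * names are hypothetical and only the fields the fix relies on are modelled. */
struct frag {
    int frag_num;              /* 1-based fragment number from the payload header */
    int frag_last;             /* non-zero when this fragment carries the LAST flag */
    struct frag *frag_next;
};

static struct frag *chain_push(struct frag *chain, int num, int last)
{
    struct frag *f = malloc(sizeof *f);
    *f = (struct frag){ .frag_num = num, .frag_last = last, .frag_next = chain };
    return f;                  /* prepended; position in the chain is irrelevant */
}

/* Pre-fix, last_frag comes only from the fragment being processed now, so it stays
 * 0 when the LAST fragment arrived earlier; the fix scans the chain for it instead. */
static int find_last_frag(struct frag *chain, int cur_num, int cur_last, int use_fix)
{
    int last_frag = cur_last ? cur_num : 0;
    if (use_fix && last_frag == 0)
        for (struct frag *item = chain; item != NULL; item = item->frag_next)
            if (item->frag_last) { last_frag = item->frag_num; break; }
    return last_frag;
}

/* Reassembly needs the last number known and every fragment 1..last present. */
static int chain_complete(struct frag *chain, int last_frag)
{
    for (int n = 1; n <= last_frag; n++) {
        struct frag *item = chain;
        while (item && item->frag_num != n) item = item->frag_next;
        if (!item) return 0;   /* fragment n still missing */
    }
    return last_frag != 0;
}

/* Feed fragments in arrival order (number `total` carries LAST); 1 if reassembly was possible. */
int simulate(const int *order, int count, int total, int use_fix)
{
    struct frag *chain = NULL;
    int result = 0;
    for (int i = 0; i < count; i++) {
        int is_last = (order[i] == total);
        chain = chain_push(chain, order[i], is_last);
        result = chain_complete(chain, find_last_frag(chain, order[i], is_last, use_fix));
    }
    while (chain) { struct frag *next = chain->frag_next; free(chain); chain = next; }
    return result;
}
```

With fragments 3, 2, 1 arriving in that order, `simulate` returns 0 without the fix and 1 with it; in-order arrival succeeds either way, and a genuinely missing fragment still fails with the fix applied.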