Talk:OpenSwan

From royhills
Jump to: navigation, search

XAUTH

Add details of XAUTH authentication. This is supposedly possible by adding xauth=yes to ipsec.conf. However, I've not got it to work yet.

With the config entry:

conn iketest
        left=172.16.3.18
        leftsubnet=172.16.3.0/24
        right=%any
        authby=secret
        xauth=yes
        auto=add

We get the following message logged in syslog when we try ike-scan --trans=5,1,65001,2 (65001 is XAUTH authentication method):

"iketest"[1] 192.168.124.3 #1: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder).
Attribute OAKLEY_AUTHENTICATION_METHOD