[vpnc-devel] vpnc-nortel with group password authentication
Antonio Borneo
borneo.antonio at gmail.com
Tue Sep 9 08:57:06 CEST 2008
Hi Francois,
Also in my case, I have to apply the first attached patch
(patch_xauth.txt) to the vpnc-nortel branch to make it work. My patch
is equivalent to your suggestion.
Anyway, I do not like this patch at all, since I believe it would break
the code for someone else.
The part of the code we are patching comes from Zingo. I have no idea if
it has a longer history.
I was looking into the history of the vpnc code to understand it better
and propose a better patch.
My server sends the auth request in a modecfg CFG_REQUEST payload,
with a zeroed ISAKMP_XAUTH_02_ATTRIB_TYPE field and empty
ISAKMP_XAUTH_02_ATTRIB_USER_NAME and
ISAKMP_XAUTH_02_ATTRIB_USER_PASSWORD fields.
The only reply that seems to be accepted has "exactly" the same fields,
with the proper username and password, and value "1" for "TYPE".
Any other combination or value returns "authentication failure"
(modecfg.type == 6 instead of 5).
Instead, the current reply from vpnc has:
- value "5" instead of "1" for ISAKMP_XAUTH_02_ATTRIB_TYPE
- the field ISAKMP_XAUTH_02_ATTRIB_USER_PASSWORD
replaced by ISAKMP_XAUTH_02_ATTRIB_PASSCODE
Neither change is accepted by my server.
Can anyone verify WHY such behaviour has been put in vpnc?
Is it really required in some case?
Can we work together on better code that covers both behaviours?
Also, should we code the Nortel proprietary replies of modecfg.type ==
5 or 6 with macros?
The second patch attached (patch_modecfg.txt) is a suggestion along these lines.
By the way, there is some confusion in the field names, since in
isakmp.h there is aliasing between the following attributes:
# 0x0d == ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_SUBNET
== ISAKMP_XAUTH_02_ATTRIB_TYPE
# 0x0e == ISAKMP_MODECFG_ATTRIB_SUPPORTED_ATTRIBUTES
== ISAKMP_XAUTH_02_ATTRIB_USER_NAME
# 0x0f == ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_SUBNET
== ISAKMP_XAUTH_02_ATTRIB_USER_PASSWORD
This seems to be a problem created by Nortel, against RFC 4306.
Any idea for a cleanup?
Best Regards,
Antonio Borneo
2008/9/8 francois valley <zorgluf at gmail.com>:
> Hi,
> First of all, great thanks for everybody working on the vpnc project,
> especially on the nortel branch.
> I am new to this list and a newbie on IPsec and Linux programming, but I have
> found some information that might be interesting for this list:
> * In my company, we are using "group password authentication" based on
> RADIUS and OTP (ActivIdentity mini token). The actual releases I get on this
> list (nortel svn branch, or zingo version
> "vpnc-nortel_merge_with_284.tar.gz") didn't work for me.
> I have made the following modifications from the zingo version to make it
> work:
> * the "xauth_type_requested" is 1 in my case:
>
> uint16_t xauth_type_requested = 1;
>
> * I had to remove the ifdef:
>
> #ifdef NORTELVPN
> na = reply_attr->next = new_isakmp_attribute(ISAKMP_XAUTH_ATTRIB_PASSCODE,
> /* reply_attr */ NULL);
> #else
> na = new_isakmp_attribute(ap->type, reply_attr);
> reply_attr = na;
> #endif
>
> to keep
>
> na = new_isakmp_attribute(ap->type, reply_attr);
> reply_attr = na;
>
> because it didn't apply to me (the server is waiting for
> ISAKMP_XAUTH_ATTRIB_USER_PASSWORD).
>
> And now I can successfully authenticate with the Nortel Contivity.
> I hope it might be useful for somebody.
> Br,
> François
>
> _______________________________________________
> vpnc-devel mailing list
> vpnc-devel at unix-ag.uni-kl.de
> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch_xauth.txt
Url: http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20080909/f2027c8f/attachment.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch_modecfg.txt
Url: http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20080909/f2027c8f/attachment-0001.txt
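The exchange Antonio describes above (a CFG_REQUEST carrying a zeroed TYPE plus empty USER_NAME and USER_PASSWORD, answered with exactly the same three attributes carrying TYPE = 1 and the real credentials), worked through as an added example in C. This is not vpnc's code and not either poster's patch. It uses the RFC 2408 data-attribute encoding (a 2-byte type whose high bit marks the short type/value form, otherwise type/length/value), takes the 0x0d/0x0e/0x0f codes and their MODECFG aliases from the post, and assumes that the zeroed TYPE travels in the short form, that the request bytes look as constructed here, and the sample credentials alice/s3cret. The strict length checks in the parser are the part worth keeping: a server-supplied TLV length must never be used to index the buffer without checking it against what was actually received.

```c
/* Added example, not vpnc code: ISAKMP data-attribute encoding (RFC 2408 sec. 3.3)
 * and the XAUTH reply the post describes. Attribute codes 0x0d/0x0e/0x0f come from
 * the post; TV form for the zeroed TYPE and the sample credentials are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATTR_TV_FLAG 0x8000u  /* MSB set: a 2-byte value sits where the length would */
#define ISAKMP_XAUTH_02_ATTRIB_TYPE          0x0d  /* == MODECFG INTERNAL_IP4_SUBNET */
#define ISAKMP_XAUTH_02_ATTRIB_USER_NAME     0x0e  /* == MODECFG SUPPORTED_ATTRIBUTES */
#define ISAKMP_XAUTH_02_ATTRIB_USER_PASSWORD 0x0f  /* == MODECFG INTERNAL_IP6_SUBNET */

struct attr { uint16_t type; uint16_t len; const uint8_t *val; };

/* Parse data attributes with strict bounds checks. Returns the count, or -1 when
 * the buffer is truncated or a TLV length points past its end: trusting the
 * peer's length field here is how a parser reads out of bounds. */
int parse_attrs(const uint8_t *buf, size_t n, struct attr *out, size_t max)
{
    size_t off = 0, count = 0;
    while (off < n) {
        if (n - off < 4 || count == max) return -1;
        uint16_t raw = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t lv  = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        out[count].type = raw & 0x7fff;
        if (raw & ATTR_TV_FLAG) {            /* TV: those two bytes are the value */
            out[count].len = 2; out[count].val = buf + off + 2; off += 4;
        } else {                             /* TLV: lv is the value length */
            if (lv > n - off - 4) return -1;
            out[count].len = lv; out[count].val = buf + off + 4; off += 4 + lv;
        }
        count++;
    }
    return (int)count;
}

/* How many attributes does this buffer hold? -1 means malformed. */
int count_attrs(const uint8_t *buf, size_t n) { struct attr a[16]; return parse_attrs(buf, n, a, 16); }

/* Append one attribute at out+off; returns bytes written, 0 if it does not fit. */
static size_t put_attr(uint8_t *out, size_t cap, size_t off, uint16_t type,
                       const uint8_t *val, size_t len, int tv)
{
    size_t need = tv ? 4 : 4 + len;
    if (len > 0xffff || cap - off < need) return 0;
    uint16_t t = tv ? (uint16_t)(type | ATTR_TV_FLAG) : type;
    out[off] = (uint8_t)(t >> 8); out[off + 1] = (uint8_t)t;
    if (tv) { out[off + 2] = val[0]; out[off + 3] = val[1]; return 4; }
    out[off + 2] = (uint8_t)(len >> 8); out[off + 3] = (uint8_t)len;
    memcpy(out + off + 4, val, len);
    return need;
}

/* The reply the post says is accepted: the request's attributes in the same order,
 * TYPE = 1 plus the real username and password. Returns the reply length, or 0 for
 * a malformed request or an attribute this code cannot answer. */
size_t build_xauth_reply(const uint8_t *req, size_t reqlen, const char *user,
                         const char *pass, uint8_t *out, size_t cap)
{
    static const uint8_t type_one[2] = { 0x00, 0x01 };
    struct attr a[8];
    int n = parse_attrs(req, reqlen, a, 8);
    size_t off = 0, w = 0;
    if (n < 0) return 0;
    for (int i = 0; i < n; i++) {
        switch (a[i].type) {
        case ISAKMP_XAUTH_02_ATTRIB_TYPE:
            w = put_attr(out, cap, off, a[i].type, type_one, 2, 1); break;
        case ISAKMP_XAUTH_02_ATTRIB_USER_NAME:
            w = put_attr(out, cap, off, a[i].type, (const uint8_t *)user, strlen(user), 0); break;
        case ISAKMP_XAUTH_02_ATTRIB_USER_PASSWORD:
            w = put_attr(out, cap, off, a[i].type, (const uint8_t *)pass, strlen(pass), 0); break;
        default: return 0;   /* never substitute an attribute the server did not ask for */
        }
        if (w == 0) return 0;
        off += w;
    }
    return off;
}

/* Constructed sample of the server's CFG_REQUEST as the post describes it:
 * zeroed TYPE (TV form), then empty USER_NAME and USER_PASSWORD (TLV, length 0). */
const uint8_t sample_request[12] = { 0x80, 0x0d, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00,
                                     0x00, 0x0f, 0x00, 0x00 };
/* Constructed malformed input: the TLV claims 16 value bytes but only one follows. */
const uint8_t bad_request[5] = { 0x00, 0x0e, 0x00, 0x10, 'a' };

/* Builds the reply for alice/s3cret and compares it byte for byte; 1 on success. */
int self_check(void)
{
    static const uint8_t want[] = { 0x80, 0x0d, 0x00, 0x01,
        0x00, 0x0e, 0x00, 0x05, 'a', 'l', 'i', 'c', 'e',
        0x00, 0x0f, 0x00, 0x06, 's', '3', 'c', 'r', 'e', 't' };
    uint8_t reply[64];
    size_t len = build_xauth_reply(sample_request, sizeof sample_request,
                                   "alice", "s3cret", reply, sizeof reply);
    return len == sizeof want && memcmp(reply, want, len) == 0;
}
```

Because the reply is built by echoing the request's attribute types in order, the two deviations the post says the server rejects (TYPE = 5, and PASSCODE in place of USER_PASSWORD) cannot occur here; a request containing any attribute the code does not know is refused rather than answered with a guess.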