I can't connect from Ubuntu 16.04.2 vpnc 0.5.3r550-2build1 to the system my workplace uses. IT helpfulness ranges from
"not" to "decent" depending on who I get to talk to on any given day, but they have told me the system is called "Global
Protect" and (eventually) they gave me the group password. Also one guy says he has connected from Ubuntu using vpnc
just like I'm trying (the old "it works at my desk"). It is a 2FA system. When I attempt to connect, I receive the text
message with the code on my phone, but long before that vpnc has already exited with "authentication unsuccessful".
There appears to be only one place this could be coming from in the source in vpnc.c:
    DEBUGTOP(2, printf("S5.6 process xauth set\n"));
    {
        /* The final SET should have just one attribute. */
        struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
        uint16_t set_result = 1;

        if (a == NULL
            || a->type != ISAKMP_XAUTH_06_ATTRIB_STATUS
            || a->af != isakmp_attr_16 || a->next != NULL) {
            reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
            phase2_fatal(s, "xauth SET message rejected: %s(%d)", reject);
        } else {
            set_result = a->u.attr_16;
        }

        /* ACK the SET. */
        DEBUGTOP(2, printf("S5.7 send xauth ack\n"));
        r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
        sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
            r->message_id, 1, 0, 0, 0, 0);
        r->payload->next = NULL; /* this part is already free()d by sendrecv_phase2 */
        free_isakmp_packet(r); /* this frees the received set packet (header+hash) */

        if (set_result == 0)
            error(2, 0, "authentication unsuccessful");
    }
    DEBUGTOP(2, printf("S5.8 xauth done\n"));
That "S5.8" is never logged. Nor is "xauth SET message rejected". So it seems a->u.attr_16 must be 0, whatever that
means. This is in do_phase2_xauth().
I tried to 'cheat' by commenting out those 2 lines and rebuilding. A different error occurred later.
PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
PARSE_OK
hashlen: 20
u.hash.length: 20
expected_hash:
5997db8a 86516964 a28f20fa e3ecea5e ae60afc2
h->u.hash.data:
5997db8a 86516964 a28f20fa e3ecea5e ae60afc2
got pfs setting: 0
got save password setting: 1
Split DNS:
unknown attribute 28682 / 0x700A
Remote Application Version: PANOS 7.1.7
---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
.......
./vpnc: configuration response rejected: (ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED)(13)
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
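Added example (not part of the original post and not vpnc's own code): a stand-alone C parser for the attribute list of an XAUTH mode-config SET, applying the same "exactly one 16-bit STATUS attribute" rule as the excerpt above and showing that a status value of 0 is the gateway reporting failure. The function and enum names are hypothetical; 16527 is the XAUTH-STATUS attribute number from the XAUTH draft, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define XAUTH_STATUS 16527u  /* XAUTH-STATUS in the XAUTH draft; 0 = FAIL, 1 = OK */
#define AF_BASIC     0x8000u /* high bit set: 2-byte value follows (TV), no length */

enum set_verdict { SET_MALFORMED = -1, SET_AUTH_FAIL = 0, SET_AUTH_OK = 1 };

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Walk the attribute list of a mode-config SET and apply the same rule as the
 * vpnc excerpt: exactly one attribute, XAUTH-STATUS, in basic (TV) format. */
enum set_verdict classify_xauth_set(const uint8_t *buf, size_t len)
{
    size_t off = 0, count = 0;
    int status = -1;

    while (off < len) {
        if (len - off < 4)
            return SET_MALFORMED;              /* truncated attribute header */
        unsigned raw = be16(buf + off), field = be16(buf + off + 2);
        unsigned type = raw & 0x7FFFu;
        count++;
        if (raw & AF_BASIC) {                  /* TV: field is the value */
            if (type == XAUTH_STATUS)
                status = (int)field;
            off += 4;
        } else {                               /* TLV: field is the length */
            if (field > len - off - 4)
                return SET_MALFORMED;          /* length runs past the buffer */
            if (type == XAUTH_STATUS)
                return SET_MALFORMED;          /* status must be a 16-bit TV */
            off += 4 + field;
        }
    }
    if (count != 1 || status < 0)
        return SET_MALFORMED;
    return status == 0 ? SET_AUTH_FAIL : SET_AUTH_OK;
}

int main(void)
{
    /* Constructed sample: one TV attribute, type 16527 | 0x8000 = 0xC08F, value 0 */
    const uint8_t fail_set[] = { 0xC0, 0x8F, 0x00, 0x00 };
    printf("verdict: %d\n", classify_xauth_set(fail_set, sizeof fail_set));
    return 0;
}
```

SET_AUTH_FAIL corresponds to the "authentication unsuccessful" exit in the excerpt, and SET_MALFORMED to the "xauth SET message rejected" path.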