
I need to give the same secret from the RSA token 3 times to login
Hello,

I'm using vpnc-0.5.3_12, compiled from source on FreeBSD CURRENT, and
encounter the following problem. We use an app on an iPhone to generate
an 8-digit secret based on a 5-digit PIN I have to key into the app.
This gives the 8 digits, which are valid to connect to the VPN server for
60 secs.

For some days now I have had to provide the *same* 8 digits three times to
vpnc to get it connected. It is reproducible.

I collected the lines below with tcpdump; they have comments about
what I did in the vpnc terminal.

Any ideas how to debug this further? The server is located in the USA and I
do not know what to say to or ask the IT staff there either.

Thanks

matthias


# tcpdump -n -i wlan0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes

(now I start the VPN client)

16:37:40.887264 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 1 I agg
16:37:41.394480 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 1 R agg
16:37:41.403067 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 1 I agg[E]
16:37:41.526628 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]
16:37:41.526997 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:37:43.532980 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:37:43.926149 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]

(now I enter the 8 digits from the FOB as PIN into vpnc)

16:38:11.332438 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:11.682887 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]

(now I enter the same 8 digits from the FOB as PIN again into vpnc)

16:38:16.679748 ARP, Request who-has 192.168.2.100 tell 192.168.2.1, length 28
16:38:16.679775 ARP, Reply 192.168.2.100 is-at 90:48:9a:92:9e:43, length 28
16:38:25.452600 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:27.475979 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:27.883623 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]

(now I enter the same 8 digits from the FOB as PIN again into vpnc)

16:38:41.678864 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:44.245690 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]
16:38:44.246037 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:44.246354 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:45.343385 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]
16:38:46.046818 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I oakley-quick[E]
16:38:46.211118 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R inf[E]
16:38:46.211320 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I oakley-quick[E]
16:38:46.220652 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R oakley-quick[E]
16:38:46.220842 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I oakley-quick[E]
16:38:46.221361 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I inf[E]
16:38:46.221504 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I inf[E]
16:38:46.312851 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R oakley-quick[E]
16:38:46.384124 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R inf[E]
16:38:55.389852 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I inf[E]
16:38:55.389915 IP 192.168.2.100.10000 > 193.31.11.196.10000: UDP, length 5

OK, I'm connected now

--
Matthias Apitz, guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
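An added example, not part of Matthias's post and not vpnc code: a small Python script that parses the ISAKMP lines of the tcpdump capture above and works out, from timing alone, how many times the client stopped to wait for keyboard input. In the trace, "#6" is ISAKMP exchange type 6, the Transaction exchange used for ModeCfg/XAUTH, which tcpdump prints by number because it has no name for it; an initiator Transaction message that follows several seconds of silence is vpnc sending an XAUTH reply after the user typed something. The 5-second pause threshold and the 1-second retransmit heuristic are assumptions chosen to fit this trace, and the ARP lines are left out of the embedded copy.

```python
import re
from datetime import datetime

# The ISAKMP lines of the tcpdump capture from the post above (ARP lines left out).
TRACE = """\
16:37:40.887264 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 1 I agg
16:37:41.394480 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 1 R agg
16:37:41.403067 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 1 I agg[E]
16:37:41.526628 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]
16:37:41.526997 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:37:43.532980 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:37:43.926149 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]
16:38:11.332438 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:11.682887 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]
16:38:25.452600 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:27.475979 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:27.883623 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]
16:38:41.678864 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:44.245690 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]
16:38:44.246037 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:44.246354 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I #6[E]
16:38:45.343385 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R #6[E]
16:38:46.046818 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I oakley-quick[E]
16:38:46.211118 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R inf[E]
16:38:46.211320 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I oakley-quick[E]
16:38:46.220652 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R oakley-quick[E]
16:38:46.220842 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I oakley-quick[E]
16:38:46.221361 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I inf[E]
16:38:46.221504 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I inf[E]
16:38:46.312851 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R oakley-quick[E]
16:38:46.384124 IP 193.31.11.196.500 > 192.168.2.100.500: isakmp: phase 2/others R inf[E]
16:38:55.389852 IP 192.168.2.100.500 > 193.31.11.196.500: isakmp: phase 2/others I inf[E]
"""

# What tcpdump's exchange tokens mean.
EXCHANGES = {
    "agg": "phase 1 aggressive mode",
    "#6": "transaction exchange (ISAKMP exchange type 6, ModeCfg/XAUTH)",
    "oakley-quick": "phase 2 quick mode",
    "inf": "informational",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"isakmp: phase (?:1|2/others) (?P<dir>[IR]) (?P<exch>[^\[\s]+)(?P<enc>\[E\])?$"
)


def parse_trace(text):
    """Return the ISAKMP messages as dicts, with 't' in seconds since the first one."""
    msgs, t0 = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # ARP and anything else tcpdump printed
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        t0 = t0 or t
        msgs.append({"t": (t - t0).total_seconds(), "dir": m["dir"],
                     "exch": m["exch"], "encrypted": m["enc"] is not None})
    return msgs


def exchange_counts(msgs):
    counts = {}
    for m in msgs:
        counts[m["exch"]] = counts.get(m["exch"], 0) + 1
    return counts


def user_input_rounds(msgs, pause=5.0):
    """Times at which the initiator sent a transaction (#6) message after at least
    `pause` seconds of silence: the client was waiting for the user to type."""
    return [cur["t"] for prev, cur in zip(msgs, msgs[1:])
            if cur["dir"] == "I" and cur["exch"] == "#6"
            and cur["t"] - prev["t"] >= pause]


def retransmits(msgs, min_gap=1.0):
    """Initiator messages repeated with no answer in between (heuristic: same
    exchange type as the previous message and at least `min_gap` seconds later)."""
    return sum(1 for prev, cur in zip(msgs, msgs[1:])
               if prev["dir"] == cur["dir"] == "I" and prev["exch"] == cur["exch"]
               and cur["t"] - prev["t"] >= min_gap)


if __name__ == "__main__":
    msgs = parse_trace(TRACE)
    for exch, n in exchange_counts(msgs).items():
        print(f"{n:3d} x {EXCHANGES.get(exch, exch)}")
    rounds = ", ".join(f"+{t:.1f}s" for t in user_input_rounds(msgs))
    print(f"XAUTH replies sent after a user pause: {rounds}")
    print(f"probable retransmits: {retransmits(msgs)}")
```

Run against this capture it reports three initiator Transaction messages preceded by a pause (at about +30 s, +45 s and +61 s), matching the three times the 8 digits were typed, plus the two 2-second retransmits vpnc sent while the server was slow to answer. Only after the third round does the client move on to quick mode, the informational exchanges and the UDP/10000 encapsulated traffic.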
Re: I need to give the same secret from the RSA token 3 times to login
(I have copied the MAINTAINER in FreeBSD, I don't know if vpnc is still
maintained upstream)

Hello,


I have additional observations/remarks on this.

To generate the 8-digit secret, I'm using an RSA app on my iPhone.

I can reproduce the following from my home office and as well when connected over
mobile data using my smartphone as an access point:

1. I use the app to generate the 8 digits and wait until a fresh one shows up (to have 60 seconds
for the rest of the following procedure)

2. I start the vpn client and enter the 8 digits carefully

3. VPN asks me to re-enter a secret; I do so, using the same 8 digits for a 2nd time

4. VPN asks me to re-enter a secret; I do so and enter the same 8 digits for the 3rd time

5. VPN comes up fine after this

This is fully reproducible if someone needs more information.

I used the --debug 3 mode of vpnc and this shows an interesting dialog in the tons of
debug lines:


...
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)Connect Banner:
| ==== XXXXXXXXXXXX Germany VPN ====^M
| ^M
| Use is restricted to XXXXXXXXXXXX authorized users.^M
| Usage and activity may be monitored or recorded and may be subject to auditing.^M
| Unauthorized access is strictly prohibited!

add host 193.31.11.196: gateway 10.42.0.1
delete net 10.49.94.0: gateway 10.49.94.100 fib 0: not in table

...

S5.4 xauth type check
[2017-07-28 07:37:04]
^M
Enter your new PIN, containing 5 chars,^M
or^M
<Ctrl-D> to cancel the New PIN procedure: <*************************************

S5.5 do xauth authentication
[2017-07-28 07:37:04]
size = 40, blksz = 8, padding = 0

sending: ========================>

...

S5.4 xauth type check
[2017-07-28 07:37:14]
^M
Please re-enter new PIN: <************************************

S5.5 do xauth authentication
[2017-07-28 07:37:14]
size = 40, blksz = 8, padding = 0

sending: ========================>

...

S5.4 xauth type check
[2017-07-28 07:37:25]
^M
^M
PIN rejected. Please try again.^M <****************************************
^M
Enter PASSCODE: <****************************************

S5.5 do xauth authentication
[2017-07-28 07:37:25]
size = 40, blksz = 8, padding = 0

sending: ========================>
...

Banner: ==== XXXXXXXXXXXX Germany VPN ====^M
^M
Use is restricted to XXXXXXXXXXXX authorized users.^M
Usage and activity may be monitored or recorded and may be subject to auditing.^M
Unauthorized access is strictly prohibited!
got save password setting: 0
got 42 acls for split include
acl 0: addr: 192.168.0.0/ 255.255.0.0 (16), protocol: 0, sport: 0, dport: 0
...

from here all is fine connected;

There seems to be some dialog in the authentication procedure which wants me to change
the PIN, asks for a confirmation of the new PIN and then fails to accept this new PIN.

This would explain why I'm asked three times for some secret: twice for some PIN and
at the end for the 8 RSA digits.

Does this ring someones bell?

I tested the same with a Windows VPN client. This connects fine after
entering the 8 digits the first time.

matthias

--
Matthias Apitz, guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
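The three prompts in the --debug 3 output above (new PIN, re-enter new PIN, PASSCODE) are an RSA SecurID New PIN procedure surfacing through XAUTH; the first prompt says so itself and even offers Ctrl-D to cancel it. The following Python simulation is an added example, not code from vpnc, RSA or the gateway: a toy server that walks through those three prompts, a client that answers every prompt with the passcode (which is what the transcript shows happening, and why the same 8 digits are typed three times), and a prompt-aware client that declines the PIN change with the Ctrl-D the prompt offers and then types the passcode once. The server's rejection rule (a confirmation that is not a 5-digit PIN is rejected and the gateway falls back to a PASSCODE prompt), the effect of Ctrl-D, and the passcode value are all assumptions made to reproduce the observed transcript, not the gateway's documented behaviour.

```python
# Constructed values; the real secrets are not on the page in usable form.
PASSCODE = "24681357"   # 8 digits from the RSA app (constructed)
PIN_LEN = 5             # "Enter your new PIN, containing 5 chars"
CANCEL = "\x04"         # <Ctrl-D>, the escape the first prompt offers


def classify_prompt(text):
    """Recognise the XAUTH prompts seen in the --debug 3 output (order matters:
    the PASSCODE prompt after a rejection also contains the word PIN)."""
    p = text.lower()
    if "re-enter new pin" in p:
        return "reenter_pin"
    if "new pin" in p:
        return "new_pin"
    if "passcode" in p:
        return "passcode"
    return "unknown"


class NewPinModeServer:
    """Toy gateway-side state machine for SecurID New PIN mode (assumed rules)."""

    PROMPTS = {
        "NEW_PIN": "Enter your new PIN, containing 5 chars,\r\nor\r\n"
                   "<Ctrl-D> to cancel the New PIN procedure: ",
        "REENTER": "Please re-enter new PIN: ",
        "PASSCODE": "Enter PASSCODE: ",
    }

    def __init__(self, valid_passcode):
        self.valid_passcode = valid_passcode
        self.state = "NEW_PIN"
        self.pending_pin = None
        self.rejected = False
        self.transcript = []   # (state, reply) pairs, like vpnc's debug log

    def prompt(self):
        if self.state == "DONE":
            return None
        text = self.PROMPTS[self.state]
        if self.state == "PASSCODE" and self.rejected:
            text = "\r\nPIN rejected. Please try again.\r\n\r\n" + text
        return text

    def answer(self, reply):
        self.transcript.append((self.state, reply))
        if self.state == "NEW_PIN":
            if reply == CANCEL:
                self.state = "PASSCODE"      # assumption: cancel -> ordinary login
            else:
                self.pending_pin, self.state = reply, "REENTER"
        elif self.state == "REENTER":
            ok = reply == self.pending_pin and len(reply) == PIN_LEN and reply.isdigit()
            # Assumed policy: an 8-digit OTP confirmed as a "5 char" PIN is rejected
            # and the gateway falls back to asking for a PASSCODE. (A real server
            # would want a passcode built on the new PIN when ok; not modelled.)
            self.rejected = not ok
            self.state = "PASSCODE"
        elif self.state == "PASSCODE":
            if reply == self.valid_passcode:
                self.state = "DONE"          # wrong passcode: server re-prompts


def run_dialog(server, choose_reply, max_rounds=6):
    """Drive the prompt/answer loop; return the list of replies the client typed."""
    typed = []
    while server.prompt() is not None:
        if len(typed) >= max_rounds:
            raise RuntimeError("authentication did not converge")
        reply = choose_reply(server.prompt())
        typed.append(reply)
        server.answer(reply)
    return typed


def naive_client(passcode):
    """What the transcript shows: every XAUTH prompt gets the passcode."""
    return lambda prompt: passcode


def prompt_aware_client(passcode):
    """Decline the PIN change instead of feeding the one-time passcode into it."""
    def choose(prompt):
        return CANCEL if classify_prompt(prompt) == "new_pin" else passcode
    return choose


if __name__ == "__main__":
    for name, client in (("naive", naive_client), ("prompt-aware", prompt_aware_client)):
        srv = NewPinModeServer(PASSCODE)
        typed = run_dialog(srv, client(PASSCODE))
        states = [s for s, _ in srv.transcript]
        print(f"{name}: passcode typed {typed.count(PASSCODE)} time(s); prompts: {states}")
```

With the naive client the toy server goes NEW_PIN, REENTER, PASSCODE and the passcode is typed three times, exactly the sequence in the debug log; the same OTP is still within its 60-second window at the third prompt, which is why the login eventually succeeds. Whether a client may safely cancel the New PIN procedure depends on the gateway and on whether the account really is in New PIN mode, so in practice the first thing to ask the VPN administrators is why the token is being put through a PIN change at all.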
Re: I need to give the same secret from the RSA token 3 times to login
I have modified the vpnc.c source so it prints the RSA code entered by
the user; as it is a one-time key, this is no security problem:

# /usr/ports/security/vpnc/work/vpnc-0.5.3/vpnc
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Connect Banner:
| ==== XXXXXXXX Germany VPN ====
|
| Use is restricted to OCLC authorized users.
| Usage and activity may be monitored or recorded and may be subject to auditing.
| Unauthorized access is strictly prohibited!

add host 193.31.xxx.196: gateway 10.42.0.1
...

i.e. after entering the same passcode for the 3rd time it connects fine.

matthias

--
Matthias Apitz, guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045