XAUTH is a strange and difficult addition aimed at extending the IKE protocol to support other authorization schemes. It is usually needed for interoperability, but systems using XAUTH often also use other, often proprietary, extensions to the IPsec protocol. Chances are high that XAUTH will not actually help you reach a working solution. This is also the reason that XAUTH support has been added only very recently and has not been tested very well: XAUTH support in Openswan is still very experimental.
An additional problem is that some features of XAUTH actually depend on other parts of the system, which can at times be incompatible. For instance, encrypting and decrypting MD5 or DES passwords, such as those from /etc/shadow, does not always seem to work among different systems, and using XAUTH to authenticate against the system's user database using PAM opens up another Pandora's box of problems.
XAUTH stands for Extended Authentication. It is important to realize that it is not an...