I need to give the same secret from the RSA token 3 times to login

guru · ‎07-28-2017

I'm using a C-written vpn client on UNIX to connect to our company LAN. This worked fine for

years, but since some days I encounter the following problem.

To generate the 8 digits secret, I'm using a RSA app on my iPhone.

I can reproduce the following from my home office and as well when connected over data
mobile using my smartphone as an Access Point:

1. I use the app to generate the 8 digits and wait until a fresh one shows up (to have 60 seconds
for the rest of the following procedure)

2. I start the vpn client and enter the 8 digits carefully

3. VPN asks me to re-enter a secret, I do so using the same 8 digits for a 2nd time

4. VPN asks me to re-enter a secret, I do so and enter the same 8 digits for the 3rd time

5. VPN comes up fine after this

This is fully reproducible if someone needs more information.

I used the --debug 3 mode of vpnc client and this shows an interesting dialog in the tons of
debug lines:

...
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)Connect Banner:
| ==== XXXXXXXXXXXX Germany VPN ====^M
| ^M
| Use is restricted to XXXXXXXXXXXX authorized users.^M
| Usage and activity may be monitored or recorded and may be subject to auditing.^M
| Unauthorized access is strictly prohibited!

add host 193.31.11.196: gateway 10.42.0.1
delete net 10.49.94.0: gateway 10.49.94.100 fib 0: not in table

...

S5.4 xauth type check
[2017-07-28 07:37:04]
^M
Enter your new PIN, containing 5 chars,^M
or^M
<Ctrl-D> to cancel the New PIN procedure: <*************************************

S5.5 do xauth authentication
[2017-07-28 07:37:04]
size = 40, blksz = 8, padding = 0

sending: ========================>

...

S5.4 xauth type check
[2017-07-28 07:37:14]
^M
Please re-enter new PIN: <************************************

S5.5 do xauth authentication
[2017-07-28 07:37:14]
size = 40, blksz = 8, padding = 0

sending: ========================>

...

S5.4 xauth type check
[2017-07-28 07:37:25]
^M
^M
PIN rejected. Please try again.^M <****************************************
^M
Enter PASSCODE: <****************************************

S5.5 do xauth authentication
[2017-07-28 07:37:25]
size = 40, blksz = 8, padding = 0

sending: ========================>
...

Banner: ==== XXXXXXXXXXXX Germany VPN ====^M
^M
Use is restricted to XXXXXXXXXXXX authorized users.^M
Usage and activity may be monitored or recorded and may be subject to auditing.^M
Unauthorized access is strictly prohibited!
got save password setting: 0
got 42 acls for split include
acl 0: addr: 192.168.0.0/ 255.255.0.0 (16), protocol: 0, sport: 0, dport: 0
...

from here all is fine connected;

There seems to be some dialog in the authentication procedure which wants me to change
the PIN, asking for a confirmation of the new PIN and is failing to accept this new PIN.

This would explain why I'm asked three times for some secret: two times for some PIN and
at the end for the 8 RSA digits.

Does this ring someones bell? Any ideas?

I tested the same with a Windows VPN client. This connects fine after
entering the 8 digits the first time.

matthias