Re: vpnc does not indicate failed authentication



On Sat, 2010-02-20 at 20:59 +0300, Andrey Borzenkov wrote:
> vpnc plugin expects return code 2 from vpnc to indicate failed 
> authentication:
> 
>         case 2:
>                 /* Couldn't log in due to bad user/pass */
>                 nm_vpn_plugin_failure (NM_VPN_PLUGIN (plugin), NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
>                 break;
> 
> 
> At least in my testing I could not trigger it - whatever I did I always 
> got exit code 1, which is interpreted as generic connection failure.
> 
> Just curious, is something wrong with my vpnc version or has something 
> changed since the code was originally written? Using vpnc 0.5.3.

Looks like it still should be the case; error() in vpnc eventually calls
exit() with the first number.  So:

	if (opt_auth_mode == AUTH_MODE_PSK) {
		if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
			error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
				val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
				ISAKMP_N_AUTHENTICATION_FAILED);

or

	if (passwd_used && config[CONFIG_NON_INTERACTIVE]) {
		reject = ISAKMP_N_AUTHENTICATION_FAILED;
		phase2_fatal(s, "noninteractive can't reuse password", reject);
		error(2, 0, "authentication failed (requires interactive mode)");

What stage is vpnc failing in, and what is its error output?  You can
find this out by:

killall -TERM nm-vpnc-service
nm-vpnc-service
<try to connect and get the failure>

and you'll get at least some information printed out.  For recent
versions of NM-vpnc you can also:

VPNC_DEBUG=1 nm-vpnc-service

which sets the vpnc debug level really, really high.

Dan



