[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

Paul Wouters paul at nohats.ca
Thu Apr 10 21:04:09 EEST 2014


On Thu, 10 Apr 2014, Philippe Vouters wrote:

> Although it is very insecure, would embedded systems be the reason for your
> xauthby=alwaysok?
> This is aside from the NSS database aspect.

xauthby=alwaysok is not "very insecure".

IPsec VPNs can be authenticated using various different methods:

1) PreShared Key with IDs (or IPs as ID)
2) raw RSA public keys
3) X.509 Certificates

4) 1,2 or 3 plus an XAUTH/CP username+password
5) 1,2 or 3 plus an L2TP username+password

Furthermore, IPsec VPNs can hand out an IP address to the client using:

A) XAUTH/CP
B) L2TP

Some people require an IP address assignment without needing an
additional username+password. For instance because they use 2) or 3)
or because they believe the PSK for 1) is good enough for their use
case.

If you use A) to get an IP address, you are forced to also specify a
username+password. The option xauthby=alwaysok allows you to 'ignore'
the username+password in these cases.

If you are using A) because you want to identify the _user_ on top of
identifying the _device_, then obviously you are going to have to use
xauthby=file or xauthby=pam.

Paul
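The two situations Paul distinguishes, written out as an added ipsec.conf example. This is not code from the mailing-list post or from the Libreswan project; the connection names, certificate nickname and address pool are constructed placeholders, and the key names follow the libreswan ipsec.conf(5) conventions of the period (IKEv1 with XAUTH and Mode Config).

```ini
# Added example, not from the original post. Two IKEv1 connections:
# both authenticate the *device* with an X.509 certificate (method 3),
# both hand out a client IP via XAUTH/CP (method A). They differ only
# in whether the XAUTH username+password is actually checked.

# Case 1: the certificate already authenticates the peer; XAUTH/CP is used
# solely to assign an IP address, so the mandatory credential exchange is
# accepted without verification via xauthby=alwaysok.
conn roadwarrior-cert-ipassign
    left=%defaultroute
    leftcert=vpn-gateway          # assumed: certificate nickname in the NSS database
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightca=%same                 # client cert must chain to the gateway's CA
    rightxauthclient=yes
    rightmodecfgclient=yes
    rightaddresspool=192.0.2.100-192.0.2.200   # constructed pool (TEST-NET-1)
    authby=rsasig
    xauthby=alwaysok              # device already identified by its cert; credentials ignored
    ikev2=no
    auto=add

# Case 2: the *user* must be identified on top of the device, so the same
# connection checks the XAUTH credentials against PAM instead.
conn roadwarrior-cert-userauth
    left=%defaultroute
    leftcert=vpn-gateway
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightca=%same
    rightxauthclient=yes
    rightmodecfgclient=yes
    rightaddresspool=192.0.2.100-192.0.2.200
    authby=rsasig
    xauthby=pam                   # or xauthby=file with /etc/ipsec.d/passwd
    ikev2=no
    auto=add
```

In the first connection the security of the tunnel rests entirely on authby=rsasig and the certificate check; the XAUTH exchange still takes place because Mode Config requires it, but whatever the client sends as username+password is accepted. Changing a single line to xauthby=pam (or xauthby=file) turns the same connection into one that additionally identifies the user, which is the distinction the post is making.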


More information about the Swan-dev mailing list