[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

Paul Wouters paul at nohats.ca
Thu Apr 10 21:25:35 EEST 2014


On Thu, 10 Apr 2014, Paul Wouters wrote:

> xauthby=alwaysok is not "very insecure".
>
> IPsec VPNs can be authenticated using various different methods:
>
> 1) PreShared Key with IDs (or IPs as ID)
> 2) raw RSA public keys
> 3) X.509 Certificates
>
> 4) 1,2 or 3 plus an XAUTH/CP username+password
> 5) 1,2 or 3 plus an L2TP username+password
>
> Furthermore, IPsec VPNs can hand out an IP address to the client using:
>
> A) XAUTH/CP
> B) L2TP
>
> Some people require an IP address assignment without needing an
> additional username+password. For instance because they use 2) or 3)
> or because they believe the PSK for 1) is good enough for their use
> case.
>
> If you use A) to get an IP address, you are forced to also specify a
> username+password. The options xauthby=alwaysok allows you to 'ignore'
> the username+password in these cases.
>
> If you are using A) because you want to identify the _user_ on top of
> identifying the _device_, then obviously you are going to have to use
> xauthby=file or xauthby=pam

I should probably for completeness' sake also mention the option
xauthfail=hard|soft. If you set it to soft, the tunnel will be
established regardless of a bad username/password, but the _updown
script will be called with XAUTH_FAILED set. This allows you to
insert additional NAT and firewall rules for this user to send them
to a "walled garden" page - for instance to give them a chance to renew
their subscription to the VPN service.

Note that if X.509 certificates are used, and the user certificate has
been revoked or rejected, the tunnel will fail to establish even
before XAUTH authentication.

Paul
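A sketch of the walled-garden hook the post describes, as an added example that is not part of the original message and not Libreswan's own _updown script. It assumes the PLUTO_VERB and PLUTO_PEER_CLIENT variables Libreswan exports to the updown script, that XAUTH_FAILED is exported as 1 on a failed login, and uses a constructed placeholder address for the garden host.

```shell
#!/bin/sh
# Added example (not Libreswan's own _updown script): a hook fragment for
# xauthfail=soft that confines clients whose XAUTH login failed to a
# "walled garden" host. Assumed environment, as the updown script sees it:
#   PLUTO_VERB         up-client / down-client
#   PLUTO_PEER_CLIENT  client address in CIDR form, e.g. 10.8.0.5/32
#   XAUTH_FAILED       "1" when the username/password check failed
GARDEN="${GARDEN:-192.0.2.10}"   # constructed placeholder: the walled-garden web server

# Return 0 when this event concerns a client whose XAUTH login failed.
needs_garden() {   # $1 = PLUTO_VERB, $2 = XAUTH_FAILED
    case "$1" in
        up-client|down-client) [ "$2" = "1" ] ;;
        *) return 1 ;;
    esac
}

# Print the firewall rules for one client: -A on up-client, -D on down-client.
# Printing instead of executing lets an admin (and the test) review them;
# the hook entry point below pipes them into sh.
garden_rules() {   # $1 = PLUTO_VERB, $2 = PLUTO_PEER_CLIENT, $3 = garden host
    case "$1" in
        up-client)   a="-A" ;;
        down-client) a="-D" ;;
        *) return 1 ;;
    esac
    # Redirect the client's web traffic to the garden page ...
    echo "iptables -t nat $a PREROUTING -s $2 -p tcp --dport 80 -j DNAT --to-destination $3:80"
    # ... allow the garden host itself, and drop everything else the client forwards.
    echo "iptables $a FORWARD -s $2 -d $3 -j ACCEPT"
    echo "iptables $a FORWARD -s $2 -j DROP"
}

# Hook entry point: only acts when invoked by pluto with the variables set.
if [ -n "$PLUTO_VERB" ] && needs_garden "$PLUTO_VERB" "$XAUTH_FAILED"; then
    garden_rules "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" "$GARDEN" | sh
fi
```

Clients that authenticated normally get no rules from this fragment; the regular updown handling still applies to them.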

