[Swan] xauthby=alwaysok discussion
Philippe Vouters
philippe.vouters at laposte.net
Thu Mar 7 14:38:43 EET 2013
Dear everyone,
I'd like to bring in a discussion upon xauthby=alwaysok.
If you run with PSK secrets and set xauthby=alwaysok then you have no
means to withdraw a user or to refuse a hacker who stole the PSK secret. To
prevent such a situation, your only way is to specify a right=<fixed IP
address> for each possible right.
In summary, this prevents you from specifying right=%any with a PSK secret and
xauthby=alwaysok. Otherwise this brings in an IP security hole. For the
record, the word IPSec, which Libreswan claims to implement, means IP
Security.
With PSK authentication and xauthby=pam you add the PAM level of
authentication. With xauthby=file, you may specify as many PSK secrets
as right-end conns. With xauthby=file, you can describe your ipsec.conf as:
conn Philippe_PSK
    authby=secret
    xauthby=file
    also=FIXED_RIGHT_IP

conn FIXED_RIGHT_IP
    type=tunnel
    pfs=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    left=%defaultroute
    leftnexthop=%defaultroute
    leftsubnet=0.0.0.0/0
    leftupdown="ipsec _updown --route yes"
    right=%any
    rightsubnet=vhost:%no,%priv
    rekey=no
    auto=add
and your /etc/ipsec.d/passwd as:

    Philippe Vouters:mfZlHLjHKmsKA:Philippe_XAUTH_PSK
Your only workaround if right=%any and xauthby=alwaysok is to work with
RSA authentication, one of the two RSA keys uniquely identifying the
remote peer. This is semantically analogous to right=<fixed IP address>.
--
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
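The rule stated in this post (PSK authentication plus xauthby=alwaysok plus right=%any leaves nothing to revoke once a PSK leaks) can be checked mechanically before a configuration is deployed. The following is an editor-added Python example, not code from the post or from Libreswan, and it does not use Libreswan's own parser: it implements a simplified reading of ipsec.conf (conn headers at column 0, indented key=value lines, conn %default as a base, also= merging where the including conn's own settings win) and runs it over a constructed sample that combines the post's layout with two hypothetical conns, Roadwarrior_weak and Office_pinned.

```python
"""Lint an ipsec.conf for the combination discussed in the post: PSK authentication
(authby=secret), xauthby=alwaysok and a wildcard right=%any, where a leaked PSK admits
anyone and no single user can be withdrawn.

Editor-added example, not code from the original post or from Libreswan.  The parser
is a simplified reading of ipsec.conf ('conn NAME' at column 0, indented key=value
lines, 'conn %default' as a base for every conn, also= merging where the including
conn's own settings take precedence).  The sample configuration below is constructed.
"""

from typing import Dict, FrozenSet, List

# Constructed sample: the post's safe layout plus one deliberately weak conn.
SAMPLE_IPSEC_CONF = """\
config setup
    protostack=netkey

conn %default
    type=tunnel
    auto=add

conn Philippe_PSK
    authby=secret
    xauthby=file
    also=FIXED_RIGHT_IP

conn FIXED_RIGHT_IP
    left=%defaultroute
    leftupdown="ipsec _updown --route yes"
    right=%any
    rightsubnet=vhost:%no,%priv

conn Roadwarrior_weak            # hypothetical: PSK + alwaysok + any peer, nothing to revoke
    authby=secret
    xauthby=alwaysok
    also=FIXED_RIGHT_IP

conn Office_pinned               # hypothetical: same flags, but the peer address is fixed
    authby=secret
    xauthby=alwaysok
    right=203.0.113.10
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}}; repeated also= lines are accumulated."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments (values with '#' not supported)
        if not line.strip():
            continue
        if not line[0].isspace():                 # a section header sits at column 0
            words = line.split()
            current = None
            if words[0] == "conn" and len(words) > 1:
                current = conns.setdefault(words[1], {})
            continue
        if current is None or "=" not in line:
            continue                              # 'config setup' body or malformed line
        key, value = (part.strip() for part in line.strip().split("=", 1))
        value = value.strip('"')
        if key == "also":
            current["also"] = (current.get("also", "") + " " + value).strip()
        else:
            current[key] = value
    return conns


def effective_settings(name: str, conns: Dict[str, Dict[str, str]],
                       seen: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Settings of a conn after applying %default and resolving also= recursively."""
    if name in seen or name not in conns:         # unknown conn or also= loop
        return {}
    merged: Dict[str, str] = {}
    if name != "%default":
        merged.update(conns.get("%default", {}))
    own = conns[name]
    for included in own.get("also", "").split():
        merged.update(effective_settings(included, conns, seen | {name}))
    merged.update(own)                            # the conn's own keys win
    merged.pop("also", None)
    return merged


def find_unrevocable_psk_conns(text: str) -> List[str]:
    """Names of conns where a stolen PSK alone admits any peer and no user can be withdrawn."""
    conns = parse_conns(text)
    flagged = []
    for name in conns:
        if name == "%default":
            continue
        s = effective_settings(name, conns)
        if (s.get("authby") == "secret"           # PSK; leftauth/rightauth forms not modelled
                and s.get("xauthby") == "alwaysok"
                and s.get("right") == "%any"):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for conn in find_unrevocable_psk_conns(SAMPLE_IPSEC_CONF):
        print(f"{conn}: PSK + xauthby=alwaysok + right=%any; pin right= or use xauthby=file/pam")
```

Run as a script it reports only Roadwarrior_weak: Philippe_PSK is cleared by xauthby=file, and Office_pinned by its fixed right= address, which is exactly the distinction the post draws.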