[Swan] xauthby=alwaysok discussion
Philippe Vouters
philippe.vouters at laposte.net
Thu Mar 7 15:16:20 EET 2013
Even with RSA authentication, right=%any and xauthby=ok, you can't
prevent a hacker from stealing the RSA keys and connecting over IPSec with no problem.
So xauthby=alwaysok should never be allowed if IP security is a concern.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 07/03/2013 13:38, Philippe Vouters wrote:
> Dear everyone,
>
> I'd like to bring in a discussion upon xauthby=alwaysok.
>
> If you run with PSK secrets and set xauthby=alwaysok then you have no
> means to withdraw a user or to refuse a hacker who stole the PSK secret.
> To prevent such a situation, your only way is to specify a
> right=<fixed IP address> for each possible right.
>
> In summary, this prevents you from specifying right=%any with a PSK secret
> and xauthby=alwaysok. Otherwise this brings in an IP security hole.
> For the record, the word IPSec, which Libreswan claims to implement,
> means IP Security.
>
> With PSK authentication and xauthby=pam you add the PAM level of
> authentication. With xauthby=file, you may specify as many PSK secrets
> as right end conns. With xauthby=file, you can describe your
> ipsec.conf as:
> conn Philippe_PSK
>     authby=secret
>     # XAUTH users are checked against /etc/ipsec.d/passwd
>     xauthby=file
>     also=FIXED_RIGHT_IP
>
> conn FIXED_RIGHT_IP
>     type=tunnel
>     pfs=yes
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
>     left=%defaultroute
>     leftnexthop=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftupdown="ipsec _updown --route yes"
>     # any peer address may connect; the XAUTH step decides who is let in
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     rekey=no
>     auto=add
> and your /etc/ipsec.d/passwd as:
> Philippe Vouters:mfZlHLjHKmsKA:Philippe_XAUTH_PSK
>
> Your only workaround if right=%any and xauthby=alwaysok is to work
> with RSA authentication, one of the two RSA keys uniquely identifying
> the remote peer. This is semantically analogous to right=<fixed IP address>.
>
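As an added example (not part of the post and not Libreswan's own tooling), the following script audits conn sections of an ipsec.conf for the combination discussed above: authby=secret together with right=%any and xauthby=alwaysok, where a stolen PSK alone is enough to connect. It resolves also= includes the way the Philippe_PSK / FIXED_RIGHT_IP pair in the post uses them, and cross-checks xauthby=file conns against the user:hash:conn format of /etc/ipsec.d/passwd shown above. The sample ipsec.conf and passwd contents are constructed, the hash field is a placeholder, and the also= precedence rule (the including section's own keys win) is an assumption made for the example.

```python
"""Audit ipsec.conf conn sections for PSK + right=%any + xauthby=alwaysok,
resolving also= includes, and check xauthby=file conns against ipsec.d/passwd."""
import re

# Constructed sample, not a real deployment: one conn that must be flagged and
# the corrected form that delegates XAUTH to /etc/ipsec.d/passwd.
SAMPLE_IPSEC_CONF = """\
conn Weak_PSK
    authby=secret
    xauthby=alwaysok
    also=FIXED_RIGHT_IP

conn Fixed_PSK
    authby=secret
    xauthby=file
    also=FIXED_RIGHT_IP

conn FIXED_RIGHT_IP
    type=tunnel
    pfs=yes
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
"""

# Constructed sample of /etc/ipsec.d/passwd: user:crypt-hash:connname.
# The hash field is a placeholder, not a real password hash.
SAMPLE_PASSWD = "alice:PLACEHOLDER_CRYPT_HASH:Fixed_PSK\n"


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Full-line '#' comments are skipped; a '#' inside a quoted value is not
    handled, which is enough for the sample above.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if line.startswith("config "):
            current = None          # 'config setup' is not a conn
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def resolve(conns, name, seen=None):
    """Flatten also= includes into one parameter dict.

    Assumption used here: the including section's own keys win over keys
    pulled in through also=, and include loops are cut rather than followed.
    """
    seen = seen or set()
    if name in seen or name not in conns:
        return {}
    seen.add(name)
    own = dict(conns[name])
    merged = {}
    included = own.pop("also", None)
    if included:
        merged.update(resolve(conns, included, seen))
    merged.update(own)
    return merged


def audit(conns):
    """Names of conns where a stolen PSK alone is enough to connect:
    PSK auth, any peer address, and XAUTH that accepts every user."""
    findings = []
    for name in conns:
        p = resolve(conns, name)
        if (p.get("authby", "").lower() == "secret"
                and p.get("right") == "%any"
                and p.get("xauthby", "").lower() == "alwaysok"):
            findings.append(name)
    return findings


def passwd_users(passwd_text):
    """Map conn name -> set of XAUTH user names from an ipsec.d/passwd file."""
    users = {}
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            continue                # malformed entry, ignored
        user, _hash, conn = parts
        users.setdefault(conn, set()).add(user)
    return users


def file_conns_without_users(conns, passwd_text):
    """xauthby=file conns that no passwd entry names: nobody can log in to them
    (fail closed), which usually means a typo in the conn name column."""
    users = passwd_users(passwd_text)
    return [n for n in conns
            if resolve(conns, n).get("xauthby", "").lower() == "file"
            and n not in users]


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_IPSEC_CONF)
    for n in audit(conns):
        print(f"{n}: PSK + right=%any + xauthby=alwaysok, a stolen PSK is enough")
    for n in file_conns_without_users(conns, SAMPLE_PASSWD):
        print(f"{n}: xauthby=file but no passwd entry names this conn")
```

Run against a real ipsec.conf by replacing SAMPLE_IPSEC_CONF with the file contents; any conn reported by audit() is one where revoking a single user is impossible without changing the shared PSK, which is the situation the post describes.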