[Swan] xauthby=alwaysok discussion

Philippe Vouters philippe.vouters at laposte.net
Thu Mar 7 15:16:20 EET 2013


Even with RSA authentication, right=%any and xauthby=alwaysok, you can't 
prevent a hacker from robbing the RSA keys and connecting over IPsec with no problem.
So xauthby=alwaysok should never be allowed if IP security is a concern.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 07/03/2013 13:38, Philippe Vouters wrote:
> Dear everyone,
>
> I'd like to bring in a discussion upon xauthby=alwaysok.
>
> If you run with PSK secrets and set xauthby=alwaysok then you have no 
> means to withdraw a user or refuse a hacker who robbed the PSK secret. 
> To prevent such a situation, your only way is to specify a 
> right=<fixed IP address> for each possible right.
>
> In summary, this prevents you from specifying right=%any with a PSK secret 
> and xauthby=alwaysok. Otherwise this brings in an IP security hole. 
> For the record, the word IPSec, which Libreswan claims to implement, 
> means IP Security.
>
> With PSK authentication and xauthby=pam you add the PAM level of 
> authentication. With xauthby=file, you may specify as many PSK secrets 
> as right end conns. With xauthby=file, you can describe your 
> ipsec.conf as:
> conn Philippe_PSK
>      authby=secret
>      xauthby=file
>      also=FIXED_RIGHT_IP
>
> conn FIXED_RIGHT_IP
>      type=tunnel
>      pfs=yes
>      dpddelay=30
>      dpdtimeout=120
>      dpdaction=restart
>      left=%defaultroute
>      leftnexthop=%defaultroute
>      leftsubnet=0.0.0.0/0
>      leftupdown="ipsec _updown --route yes"
>      right=%any
>      rightsubnet=vhost:%no,%priv
>      rekey=no
>      auto=add
> and your /etc/ipsec.d/passwd as:
> Philippe Vouters:mfZlHLjHKmsKA:Philippe_XAUTH_PSK
>
> Your only workaround if right=%any and xauthby=alwaysok is to work 
> with RSA authentication, one of the two RSA keys uniquely identifying 
> the remote peer. This is semantically analogous to right=<fixed IP address>.
>
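A small configuration check for the combination discussed in this thread, added here as an example and not part of the thread or of Libreswan itself: it parses ipsec.conf conn sections (resolving also= includes, assuming no include cycles) and reports any conn that ends up with authby=secret, xauthby=alwaysok and right=%any, where one leaked PSK cannot be refused per peer. The sample config is constructed.

```python
import re
# Constructed sample (not from the thread): Risky_PSK inherits right=%any via also=
SAMPLE_CONF = """\
conn COMMON
     right=%any
     rightsubnet=vhost:%no,%priv
conn Risky_PSK
     authby=secret
     xauthby=alwaysok
     also=COMMON
conn Safe_PSK
     authby=secret
     xauthby=file
     also=COMMON
"""

def parse_conns(text):
    # {conn name: {key: value}}; also= lines collect under '_also' (may repeat)
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "also":
                current.setdefault("_also", []).append(val)
            else:
                current[key] = val.strip('"')
        else:
            current = None                        # e.g. "config setup"
    return conns

def effective(conns, name):
    # Resolve also= includes (assumes no cycles); own keys override included ones
    merged = {}
    for inc in conns[name].get("_also", []):
        if inc in conns:
            merged.update(effective(conns, inc))
    merged.update({k: v for k, v in conns[name].items() if k != "_also"})
    return merged

def find_unrevocable_conns(text):
    # PSK + xauthby=alwaysok + right=%any: one leaked secret cannot be refused
    conns = parse_conns(text)
    want = {"authby": "secret", "xauthby": "alwaysok", "right": "%any"}.items()
    return sorted(n for n in conns if want <= effective(conns, n).items())
```

Run it against a real /etc/ipsec.conf by reading the file into find_unrevocable_conns; an empty list means no conn has the flagged combination.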