[Swan] xauthby=alwaysok discussion

Philippe Vouters philippe.vouters at laposte.net
Thu Mar 7 16:24:57 EET 2013


I read it quickly, but from this Cisco document, it seems an IP address 
can also be borrowed.
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8d.shtml

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 07/03/2013 14:16, Philippe Vouters wrote:
> Even with RSA authentication, right=%any and xauthby=ok, you can't 
> prevent a hacker from robbing the RSA keys and connecting over IPSec with no problem.
> So xauthby=alwaysok should never be allowed if IP security is a concern.
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> On 07/03/2013 13:38, Philippe Vouters wrote:
>> Dear everyone,
>>
>> I'd like to bring in a discussion upon xauthby=alwaysok.
>>
>> If you run with PSK secrets and set xauthby=alwaysok then you have no 
>> means to withdraw a user or to refuse a hacker who robbed the PSK secret. 
>> To prevent such a situation, your only way is to specify a 
>> right=<fixed IP address> for each possible right.
>>
>> In summary, this prevents you from specifying right=%any if a PSK secret 
>> and xauthby=alwaysok are used. Otherwise this brings in an IP security hole. 
>> For the record, the word IPSec, which Libreswan claims to implement, 
>> means IP Security.
>>
>> With PSK authentication and xauthby=pam you add the PAM level of 
>> authentication. With xauthby=file, you may specify as many PSK 
>> secrets as right end conns. With xauthby=file, you can describe your 
>> ipsec.conf as:
>> conn Philippe_PSK
>>      authby=secret
>>      xauthby=file
>>      also=FIXED_RIGHT_IP
>>
>> conn FIXED_RIGHT_IP
>>      type=tunnel
>>      pfs=yes
>>      dpddelay=30
>>      dpdtimeout=120
>>      dpdaction=restart
>>      left=%defaultroute
>>      leftnexthop=%defaultroute
>>      leftsubnet=0.0.0.0/0
>>      leftupdown="ipsec _updown --route yes"
>>      right=%any
>>      rightsubnet=vhost:%no,%priv
>>      rekey=no
>>      auto=add
>> and your /etc/ipsec.d/passwd as:
>> Philippe Vouters:mfZlHLjHKmsKA:Philippe_XAUTH_PSK
>>
>> Your only workaround if right=%any and xauthby=alwaysok is to work 
>> with RSA authentication, one of the two RSA keys uniquely identifying 
>> the remote peer. This is semantically analogous to right=<fixed IP 
>> address>.
>>
>
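As an added example (not code from the thread or from Libreswan), the following audit script parses the conn sections of an ipsec.conf, resolves also= references the way the quoted configuration uses them, and flags the PSK + xauthby=alwaysok + right=%any combination the thread warns about. The sample configuration is constructed here, and the parser covers only the conn/also= subset of ipsec.conf syntax shown in the thread.

```python
# Constructed sample modelled on the conn blocks quoted in the thread (not a real deployment).
SAMPLE_CONF = """\
conn Philippe_PSK
     authby=secret
     xauthby=file
     also=FIXED_RIGHT_IP
conn Weak_PSK
     authby=secret
     xauthby=alwaysok
     also=FIXED_RIGHT_IP
conn FIXED_RIGHT_IP
     right=%any
     rightsubnet=vhost:%no,%priv
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for the conn sections of ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and line[0].isspace() and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
        else:
            current = None  # some other top-level section, e.g. 'config setup'
    return conns

def effective(conns, name, seen=()):
    """Resolve also= references; the referencing conn's own keys take precedence."""
    if name in seen or name not in conns:
        return {}
    own = conns[name]
    merged = effective(conns, own["also"], seen + (name,)) if "also" in own else {}
    merged.update(own)
    return merged

def audit(text):
    """Return (conn, severity) for each conn that accepts any peer IP with xauthby=alwaysok."""
    conns, findings = parse_conns(text), []
    for name in conns:
        cfg = effective(conns, name)
        if cfg.get("xauthby") == "alwaysok" and cfg.get("right") == "%any":
            # PSK: a stolen secret can't be revoked or tied to one peer (high);
            # RSA/other: the key still identifies the peer, but XAUTH adds nothing (medium).
            findings.append((name, "high" if cfg.get("authby") == "secret" else "medium"))
    return findings
```

Running audit(SAMPLE_CONF) reports only Weak_PSK; Philippe_PSK inherits right=%any from FIXED_RIGHT_IP too, but its xauthby=file keeps per-user credentials that can be withdrawn.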


