[Swan] xauthby=alwaysok discussion
Philippe Vouters
philippe.vouters at laposte.net
Thu Mar 7 16:24:57 EET 2013
I read it quickly, but from this Cisco document, it seems an IP address
can also be borrowed.
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8d.shtml
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Le 07/03/2013 14:16, Philippe Vouters a écrit :
> Even with RSA authentication, right=%any and xauthby=ok, you can't
> prevent a hacker from robbing the RSA keys and IPSec connecting with no problem.
> So xauthby=alwaysok should never be allowed if IP security is a concern.
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> Le 07/03/2013 13:38, Philippe Vouters a écrit :
>> Dear everyone,
>>
>> I'd like to bring in a discussion upon xauthby=alwaysok.
>>
>> If you run with PSK secrets and set xauthby=alwaysok then you have no
>> means to withdraw a user or refuse a hacker who robbed the PSK secret.
>> To prevent such a situation, your only way is to specify a
>> right=<fixed IP address> for each possible right.
>>
>> In summary, this prevents you from specifying right=%any with a PSK secret
>> and xauthby=alwaysok. Otherwise this brings in an IP security hole.
>> For the record, the word IPSec, which Libreswan claims to implement,
>> means IP Security.
>>
>> With PSK authentication and xauthby=pam you add the PAM level of
>> authentication. With xauthby=file, you may specify as many PSK
>> secrets as right end conns. With xauthby=file, you can describe your
>> ipsec.conf as:
>> conn Philippe_PSK
>>     authby=secret
>>     xauthby=file
>>     also=FIXED_RIGHT_IP
>>
>> conn FIXED_RIGHT_IP
>>     type=tunnel
>>     pfs=yes
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=restart
>>     left=%defaultroute
>>     leftnexthop=%defaultroute
>>     leftsubnet=0.0.0.0/0
>>     leftupdown="ipsec _updown --route yes"
>>     right=%any
>>     rightsubnet=vhost:%no,%priv
>>     rekey=no
>>     auto=add
>> and your /etc/ipsec.d/passwd as:
>> Philippe Vouters:mfZlHLjHKmsKA:Philippe_XAUTH_PSK
>>
>> Your only workaround if right=%any and xauthby=alwaysok is to work
>> with RSA authentication, one of the two RSA keys uniquely identifying
>> the remote peer. This is semantically analog to right=<fixed IP
>> address>.
>>
>
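The risky combination discussed in the thread (xauthby=alwaysok together with right=%any, worst with authby=secret) can be caught before a config goes live. Below is an added example, not code from the thread or from Libreswan: a small audit script that parses ipsec.conf conn sections, resolves also= includes the way the quoted config relies on them, and reports any conn that ends up with that combination. The sample config, the assumed defaults (authby=rsasig, xauthby=file) and the rule that a conn's own keys override its also= section are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ipsec.conf, modelled on the conns quoted in the thread.
SAMPLE_IPSEC_CONF = """
conn Philippe_PSK
    authby=secret
    xauthby=file
    also=FIXED_RIGHT_IP

conn Roadwarrior_Open
    authby=secret
    xauthby=alwaysok
    also=FIXED_RIGHT_IP

conn FIXED_RIGHT_IP
    type=tunnel
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
"""

def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' sections into {name: {key: value}}; also= is kept verbatim."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def effective(conns, name, seen=None) -> Dict[str, str]:
    """Resolve also= chains (assumption: a conn's own keys override the included conn)."""
    seen = seen if seen is not None else set()
    if name in seen or name not in conns:
        return {}
    seen.add(name)
    own = dict(conns[name])
    included = own.pop("also", None)
    merged = effective(conns, included, seen) if included else {}
    merged.update(own)
    return merged

def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (conn, severity, authby) for conns that accept any peer with xauthby=alwaysok."""
    findings = []
    conns = parse_conns(text)
    for name in conns:
        cfg = effective(conns, name)
        if cfg.get("xauthby", "file") != "alwaysok":   # assumed default: file
            continue
        if cfg.get("right") != "%any":                 # pinned peer address: the thread's mitigation
            continue
        authby = cfg.get("authby", "rsasig")           # assumed default: rsasig
        # PSK + alwaysok + %any: a stolen PSK cannot be withdrawn (HIGH);
        # RSA keys can be stolen too, as the follow-up notes, so still flagged (MEDIUM).
        findings.append((name, "HIGH" if authby == "secret" else "MEDIUM", authby))
    return findings

if __name__ == "__main__":
    for conn, severity, authby in audit(SAMPLE_IPSEC_CONF):
        print(f"{severity}: conn {conn} uses xauthby=alwaysok with right=%any (authby={authby})")
```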