[Swan] xauthby=alwaysok discussion
Philippe Vouters
philippe.vouters at laposte.net
Thu Mar 7 18:40:36 EET 2013
Paul,
Sorry to not follow your opinion. If one can borrow an IP address, as it
seems from the Cisco document, whether aggressive or main mode or RSA keys
or PSK secret, the malicious party can always IPsec connect as long as
xauthby=alwaysok. With xauthby={pam | file} and unless he gets the
clear password by some means, he can't.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 07/03/2013 16:38, Paul Wouters wrote:
> On Thu, 7 Mar 2013, Philippe Vouters wrote:
>
>> I'd like to bring in a discussion upon xauthby=alwaysok.
>>
>> If you run with PSK secrets and set xauthby=alwaysok then you have no
>> means to withdraw a user or refuse a hacker who stole the PSK secret.
>
> That's incorrect. You _can_ use Aggressive Mode and set PSKs per
> leftid/rightid combination. It is only Main Mode where the ID comes in
> the second packet exchange where you cannot have different PSKs.
>
> Regardless, RSA configurations are _always_ preferred over PSK ones. In
> my opinion, PSK ones should _only_ be used for site-to-site connections
> and not for server-clients connections.
>
> Even when using xauthby=pam or xauthby=file, anyone who knows the PSK
> and can intercept your traffic (like at a coffee shop wifi) can pretend
> to be the remote IPsec gateway, and you will then give your pam/password
> secret to the rogue man in the middle. For example if you run a large
> campus wifi using PSK/IPsec for your students, any student can learn any
> other student's pam/password credentials.
>
> Where possible, use raw RSA. Otherwise, use X509 certs. Only as a last
> resort, use PSK.
>
> Paul
>
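As an added illustration of the two positions in this exchange (not part of the original mail, nor a configuration from the Libreswan/Openswan project itself), the fragments below place the weak road-warrior setup Philippe objects to next to two hardened variants that follow Paul's advice: per-ID PSKs in Aggressive Mode so a single user's key can be withdrawn, and raw RSA keys with XAUTH checked against PAM. Host names, IDs, the address pool and every key or PSK value are constructed placeholders.

```conf
# /etc/ipsec.conf (constructed example, not from the original post)

# Weak: one shared PSK for every client plus xauthby=alwaysok.
# Anyone holding the PSK passes XAUTH with any username/password,
# and there is no per-user secret to withdraw.
conn roadwarrior-weak
    authby=secret
    left=%defaultroute
    leftxauthserver=yes
    right=%any
    rightxauthclient=yes
    xauthby=alwaysok

# Better (PSK still last resort per Paul): Aggressive Mode carries the
# peer ID in the first exchange, so the PSK can be selected by
# leftid/rightid and a single user's entry can be removed from
# ipsec.secrets to withdraw access.
conn roadwarrior-psk-alice
    authby=secret
    aggrmode=yes
    left=%defaultroute
    leftid=@gateway.example.com
    leftxauthserver=yes
    right=%any
    rightid=@alice
    rightxauthclient=yes
    xauthby=pam
    rightaddresspool=10.9.0.10-10.9.0.250

# Preferred: raw RSA keys per peer, XAUTH credentials checked by PAM.
# A rogue gateway cannot impersonate this server without its private key,
# so the client's PAM password is not handed to a man in the middle.
conn roadwarrior-rsa-alice
    authby=rsasig
    left=%defaultroute
    leftid=@gateway.example.com
    leftrsasigkey=0sAQ-PLACEHOLDER-GATEWAY-PUBKEY
    leftxauthserver=yes
    right=%any
    rightid=@alice
    rightrsasigkey=0sAQ-PLACEHOLDER-ALICE-PUBKEY
    rightxauthclient=yes
    xauthby=pam
    rightaddresspool=10.9.0.10-10.9.0.250

# /etc/ipsec.secrets (constructed example)
# One PSK per (gateway, client) ID pair for the Aggressive Mode variant;
# deleting a line revokes that client without touching anyone else.
@gateway.example.com @alice : PSK "CONSTRUCTED-PSK-FOR-ALICE"
@gateway.example.com @bob   : PSK "CONSTRUCTED-PSK-FOR-BOB"
# Gateway private key for the RSA variant (placeholder; in practice a
# key generated on the gateway, never shared with clients).
@gateway.example.com : RSA "0sAQ-PLACEHOLDER-GATEWAY-PRIVATE-KEY"
```

The weak block reproduces the failure mode from the thread: the PSK is the only thing standing between any IP address and a tunnel, and `xauthby=alwaysok` waves through whatever credentials are presented. In the two hardened blocks the IKE peer is authenticated per identity before XAUTH runs, and `xauthby=pam` makes the username/password an independent second factor that can be disabled in PAM without rotating anyone's keys.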