[Swan] xauthby=alwaysok discussion
Paul Wouters
pwouters at redhat.com
Thu Mar 7 18:50:04 EET 2013
On Thu, 7 Mar 2013, Philippe Vouters wrote:
> Sorry to not follow your opinion. If one can borrow an IP address as it seems
> for the Cisco document, whether aggressive or main mode or RSA keys or PSK
> secret, the malicious can always IPSec connect as long as xauthby=alwaysok.
> With xauthby={pam | file} and unless he gets the clear password by some
> means, he can't.
Borrowing an IP address is a Cisco-configuration thing, not an IPsec
protocol thing. I do not understand how one can hijack a connection if
you don't have the RSA key - even if you have the XAUTH password, as you
will never succeed phase1, so you never reach phase1.5/XAUTH to use that
password.
Paul
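To make the layering Paul describes concrete, here is an ipsec.conf fragment added as an illustration (it is not from the thread or from the Openswan/Libreswan project): the responder address, identities, certificate nickname and connection names are placeholders. Both connections require the peer to pass IKE phase 1 (RSA signatures) before XAUTH in phase 1.5 is ever reached; they differ only in whether the XAUTH credentials are checked.

```ini
# Added example, not from the original message. Addresses, identities,
# the certificate nickname and connection names are placeholders.
#
# Order of operations on the responder for both conns below:
#   1. IKE phase 1: peer must authenticate with an RSA signature (authby=rsasig).
#   2. Only then phase 1.5: XAUTH username/password exchange.
#   3. Only then phase 2 / the IPsec SA.
# A peer that cannot satisfy step 1 never gets to step 2, whatever xauthby says.

conn xauth-rsa-base
    authby=rsasig
    left=203.0.113.10                # placeholder responder address
    leftid=@vpn.example.invalid      # placeholder identity
    leftrsasigkey=%cert
    leftcert=vpnserver-placeholder   # placeholder certificate nickname/path
    leftxauthserver=yes
    right=%any
    rightrsasigkey=%cert
    rightxauthclient=yes
    xauthfail=hard                   # failed XAUTH terminates the exchange

# Weak: xauthby=alwaysok accepts any username/password presented in XAUTH.
# The tunnel is still gated by the phase 1 RSA authentication above, but the
# XAUTH step adds no per-user check, so a valid phase 1 credential alone is
# enough; there is nothing to revoke per user.
conn xauth-rsa-alwaysok
    also=xauth-rsa-base
    xauthby=alwaysok
    auto=add

# Hardened: xauthby=pam verifies the XAUTH credentials through PAM, so a
# client needs both a valid phase 1 credential and a valid per-user password.
# xauthby=file does the same against /etc/ipsec.d/passwd, one line per user
# in the form  username:crypt-hash:connection-name
conn xauth-rsa-pam
    also=xauth-rsa-base
    xauthby=pam
    auto=add
```

Log review is the practical check here: with xauthby=alwaysok a failed phase 1 still appears as an IKE authentication failure, while XAUTH itself never logs a rejection, which is what makes per-user auditing impossible under that setting.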