[Swan] xauthby=alwaysok discussion

Philippe Vouters philippe.vouters at laposte.net
Thu Mar 7 19:23:36 EET 2013


If I refer to my Shrew VPN Client experience, the PSK should be anything 
between auth-mutual-psk: and line-feed and should be uuencoded or base64 
encoded or both. The RSA keys should be anything between 
auth-client-cert-data: and line-feed for the client RSA and anything 
between auth-server-cert-data: and line-feed for the server RSA. If one 
can borrow the IP address, Libreswan should be completely fooled without 
any need to trap the username/password credentials. The aggressive or 
main modes change nothing.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

Le 07/03/2013 17:50, Paul Wouters a écrit :
> On Thu, 7 Mar 2013, Philippe Vouters wrote:
>
>> Sorry to not follow your opinion. If one can borrow an IP address as 
>> it seems for the Cisco document, whether aggressive or main mode or 
>> RSA keys or PSK secret, the malicious can always IPSec connect as 
>> long as xauthby=alwaysok. With xauthby={pam | file} and unless he 
>> gets the clear password by some means, he can't.
>
> Borrowing an IP address is a cisco-configuration thing, not an IPsec
> protocol thing. I do not understand how one can hijack a connection if
> you don't have the RSA key - even if you have the XAUTH password, as you
> will never succeed phase1, so you never reach phase1.5/XAUTH to use that
> password.
>
> Paul
>
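For reference, here is the setting the thread is arguing about, shown as a minimal libreswan ipsec.conf road-warrior connection with the weak value beside the corrected one. This is an added example, not a configuration posted in the thread or shipped by the Libreswan project; the gateway address, address pool and connection names are placeholders, and the password-file path and line format are the libreswan defaults for xauthby=file as documented in ipsec.conf(5).

```conf
# Added example (not from the thread): libreswan ipsec.conf, IKEv1 + XAUTH.
# Addresses and names are assumed placeholders.
config setup

# Weak: xauthby=alwaysok. Phase 1 still requires the group PSK (authby=secret)
# or the RSA key (authby=rsasig), so Paul's point stands, but the phase 1.5
# XAUTH username/password is never checked. Anyone who holds the phase 1
# credential is admitted with any username and any password, which is
# Philippe's concern. The man page reserves alwaysok for testing.
conn roadwarrior-alwaysok
    ikev2=no                      # XAUTH is IKEv1 only
    aggressive=no                 # main mode; aggressive mode changes nothing here
    authby=secret                 # group PSK from /etc/ipsec.secrets
    left=203.0.113.1              # assumed gateway address
    leftxauthserver=yes
    right=%any
    rightxauthclient=yes
    rightaddresspool=10.99.0.1-10.99.0.254   # assumed pool
    xauthby=alwaysok              # <-- the weak setting
    auto=ignore

# Corrected: xauthby=file (or xauthby=pam). Phase 1 is unchanged; phase 1.5
# now also requires a valid entry in /etc/ipsec.d/passwd, one line per user:
#   username:crypt(3)-style-hash:roadwarrior
# xauthfail=hard (the default) tears the connection down on a bad password.
conn roadwarrior
    ikev2=no
    aggressive=no
    authby=secret
    left=203.0.113.1
    leftxauthserver=yes
    right=%any
    rightxauthclient=yes
    rightaddresspool=10.99.0.1-10.99.0.254
    xauthby=file                  # <-- the corrected setting
    xauthfail=hard
    auto=add
```

Read together, the two conns make the disagreement concrete: alwaysok removes the second credential entirely, so the security of the connection collapses to whoever can obtain the shared PSK or the RSA key used in phase 1; file or pam keeps the per-user password as an independent check that a leaked group secret alone does not satisfy.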


