[Swan] xauthby=alwaysok discussion
Paul Wouters
pwouters at redhat.com
Thu Mar 7 19:56:47 EET 2013
On Thu, 7 Mar 2013, Philippe Vouters wrote:
> If I refer to my Shrew VPN Client experience, the PSK should be anything
> between auth-mutual-psk: and line-feed and should be uuencoded or base64
> encoded or both. The RSA keys should be anything between
> auth-client-cert-data: and line-feed for the client RSA and anything between
> auth-server-cert-data: and line-feed for the server RSA. If one can borrow
> the IP address, Libreswan should be completely fooled without any need to
> trap the username/password credentials. The aggressive or main modes change
> nothing.
You cannot "borrow" an IP address. The unnumbered link is just a Cisco
term for using a 0/0 to 0/0 IPsec tunnel and then using other means like
firewalls to lock it down further.
I did mention to you a few months ago that the "DHCP over IPsec" mode
you use with Shrew has a security issue, but that's only after you
authenticate as a client, and use an IP address not offered via the
DHCP relay request, as the tunnel negotiated is wide open. It's a
fundamental problem of 0/0 links.
Without my private RSA key or my remote gateway's private RSA key, and
without being able to generate more certificates by the CA used between
those two, you cannot get a phase1 IKE SA up, and therefore you do not
even start with the XAUTH phase, so whether or not you know my password
or xauthby=alwaysok is used does not even matter.
Paul
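As an added illustration of the ordering Paul describes above (IKE phase 1 must be authenticated with RSA certificates before XAUTH is ever reached), the following Libreswan ipsec.conf conn was written for this note; it is not from the thread or from any Libreswan documentation. The keyword names are standard Libreswan ones, but the certificate nickname, the internal subnet and the address pool are placeholders chosen here.

```ini
# Added example, not from the thread: a road-warrior conn in which IKE phase 1
# requires an RSA certificate chaining to the gateway's own CA, and XAUTH
# (with xauthby=alwaysok) only runs after that check has already succeeded.
conn roadwarrior-cert-xauth
    # Phase 1 authentication: RSA signatures with X.509 certificates (IKEv1 only).
    ikev2=no
    authby=rsasig
    left=%defaultroute
    leftcert=gatewayCert          ; placeholder NSS nickname for the gateway certificate
    leftsendcert=always
    # Offer a specific internal network, not 0.0.0.0/0, so the tunnel is not "wide open"
    # and does not rely solely on a firewall to lock it down afterwards.
    leftsubnet=10.0.0.0/8         ; placeholder internal network
    right=%any
    rightca=%same                 ; the peer's certificate must chain to the same CA as ours
    # Placeholder pool: the gateway assigns the client address itself instead of
    # relaying DHCP, so the client cannot pick an address it was not given.
    rightaddresspool=10.99.0.10-10.99.0.250
    # XAUTH runs only after phase 1 succeeded. With alwaysok any username/password
    # is accepted at this point, so the certificate check above is what gates access.
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=alwaysok
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    auto=add
```

The point of the layout is the dependency order: a peer without a certificate issued by that CA never completes phase 1, so the value of xauthby is irrelevant to it; conversely, once certificates are the real gate, alwaysok only removes the second-factor password check for holders of valid certificates, which is the trade-off being discussed.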