[Swan] xauthby=alwaysok discussion

Philippe Vouters philippe.vouters at laposte.net
Thu Mar 7 21:51:26 EET 2013


How does Libreswan behave under IP hijacking (http://en.wikipedia.org/wiki/IP_hijacking) 
combined with xauthby=alwaysok and a full copy of the client's configuration 
files, taking the Shrew VPN Client configuration files as just one 
example?

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 07/03/2013 17:50, Paul Wouters wrote:
> On Thu, 7 Mar 2013, Philippe Vouters wrote:
>
>> Sorry not to follow your opinion. If one can borrow an IP address, as 
>> it seems from the Cisco document, then whether aggressive or main mode, 
>> RSA keys or PSK secret, the malicious party can always IPsec connect as 
>> long as xauthby=alwaysok. With xauthby={pam | file} and unless he 
>> gets the clear password by some means, he can't.
>
> Borrowing an IP address is a Cisco-configuration thing, not an IPsec
> protocol thing. I do not understand how one can hijack a connection if
> you don't have the RSA key - even if you have the XAUTH password, as you
> will never succeed at phase 1, so you never reach phase 1.5/XAUTH to use that
> password.
>
> Paul
>
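Added example, not code from the thread or from Libreswan: a small Python audit that reads an ipsec.conf and flags IKEv1 XAUTH server conns where xauthby=alwaysok leaves the phase 1 credential as the only authentication, which is the combination the two mails argue about. The option names are Libreswan's (xauthby, authby, leftxauthserver, rightxauthclient, aggrmode, rightaddresspool), and the defaults assumed for missing options (xauthby=pam, authby=rsasig) are Libreswan's documented defaults; the conn names, addresses, the sample ipsec.conf and the severity wording are this example's own constructions, and the parser only handles the subset of ipsec.conf(5) syntax the sample uses (column-0 section headers, indented key=value lines, '#' comments, conn %default inheritance, no also=).

```python
"""Audit an ipsec.conf for XAUTH conns whose password check is disabled."""
import re
from dataclasses import dataclass

# Constructed sample, not a real deployment. shrew-group-psk is the setup
# the thread warns about: one group PSK that every client config carries,
# plus xauthby=alwaysok. shrew-group-psk-fixed is the same conn with the
# XAUTH password actually checked against /etc/ipsec.d/passwd.
SAMPLE_IPSEC_CONF = """\
config setup
    protostack=netkey

conn %default
    ikev2=no
    left=%defaultroute
    right=%any
    leftxauthserver=yes
    rightxauthclient=yes
    rightaddresspool=10.99.0.10-10.99.0.250
    auto=add

conn shrew-group-psk
    # group PSK copied into every Shrew client's site configuration
    authby=secret
    leftid=@vpngroup
    aggrmode=yes
    xauthby=alwaysok

conn shrew-group-psk-fixed
    authby=secret
    leftid=@vpngroup
    aggrmode=yes
    xauthby=file

conn roadwarrior-rsa
    authby=rsasig
    leftcert=vpnserver
    rightca=%same
    xauthby=alwaysok
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' folded in.

    A conn's own explicit setting overrides the %default value; the
    'config setup' section is parsed but not returned."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = sections.setdefault((kind, name), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    defaults = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(defaults)
            merged.update(params)
            conns[name] = merged
    return conns


@dataclass
class Finding:
    conn: str
    authby: str
    message: str


def audit_xauth(conns):
    """Flag XAUTH server conns with xauthby=alwaysok.

    The severity wording is this example's own judgement: with a group
    PSK, a copied client config already contains the phase 1 secret; with
    rsasig, the client's private key is still required for phase 1."""
    findings = []
    for name, p in conns.items():
        xauth_server = (p.get("leftxauthserver", "no") == "yes"
                        or p.get("rightxauthserver", "no") == "yes")
        if not xauth_server:
            continue
        if p.get("xauthby", "pam") != "alwaysok":   # Libreswan default: pam
            continue
        authby = p.get("authby", "rsasig")          # Libreswan default: rsasig
        if authby == "secret":
            msg = ("XAUTH password never checked and phase 1 is a PSK that "
                   "every client config carries: a copied client config is "
                   "enough to connect")
        else:
            msg = ("XAUTH password never checked: only the client's own "
                   "phase 1 credential (" + authby + ") stands between a "
                   "copied config and a tunnel")
        findings.append(Finding(name, authby, msg))
    return findings


if __name__ == "__main__":
    for f in audit_xauth(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print(f"{f.conn}: authby={f.authby}: {f.message}")
```

Run it against a real /etc/ipsec.conf by reading the file into parse_ipsec_conf; any conn it reports should either get xauthby=pam or xauthby=file, or be one whose phase 1 credential really is per-client and not shipped to every user in a shared configuration bundle.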