[Swan] xauthby=alwaysok discussion

Paul Wouters pwouters at redhat.com
Thu Mar 7 23:59:05 EET 2013


On Thu, 7 Mar 2013, Philippe Vouters wrote:

> Something looks incorrect in your answer. One should not be able to get a
> user's credentials even if in the same Wifi zone, as the user credentials should
> be part of encrypted data whose encryption algorithm is negotiated between
> the two peers. As per my experience with IPSec, I have so far been unable to
> read my own credentials using Wireshark on the PC where I run the Shrew VPN
> client

Yes, but that is encrypted by a Diffie-Hellman Key Exchange. But you do
not know for sure _who_ you established that DH session with, until you
have completed authentication. To see that illustrated, see:

http://arvindtm.com/2008/06/understanding-ipsecike-phase-1.html

(although their description of DH is not entirely correct)

DH gives you privacy from eavesdroppers, but not identification. So if
my laptop answers on behalf of the remote gateway, your VPN client will
set up DH to me, and no one but you and me knows what is sent over this
connection. If you then authenticate me with PSK (which we both happen
to know), then you cannot tell me apart from the real gateway. If we
used RSA, I would not be able to prove to you I have the private key
that belongs to the public key/cert of the gateway. And you would abort
the connection before sending me your XAUTH credentials.


Paul
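The distinction Paul draws above (DH gives a private channel, but only the authentication step tells you who is on the other end) can be run through in a toy model. The following is an added illustration, not code from the mail or from Libreswan: it uses a constructed small DH group, a group PSK, and textbook RSA with two Mersenne primes (all toy parameters chosen so it runs instantly offline; the identities, nonces and transcript layout are simplified stand-ins for IKEv1 phase 1, not the real wire format). A responder that merely knows the group PSK passes the PSK check with the gateway's identity; one without the gateway's private key fails the RSA check, while the DH secret is agreed in every case.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters so the example runs instantly offline.
# They are NOT the IKE MODP groups or RSA key sizes; never reuse them.
DH_P = 1_000_000_007                 # prime; 5 is a primitive root mod DH_P
DH_G = 5
PSK = b"group-psk-everyone-knows"    # group pre-shared key, as in the XAUTH+PSK case

# Toy textbook RSA (no padding) from two Mersenne primes, for illustration only.
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python >= 3.8


def dh_keypair():
    """Return (private exponent x, public value g^x mod p) in the toy group."""
    x = secrets.randbelow(DH_P - 2) + 1
    return x, pow(DH_G, x, DH_P)


def rsa_sign(d, data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N
    return pow(h, d, RSA_N)


def rsa_verify(sig, data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h


def transcript(pub_i, pub_r, nonce_i, nonce_r, id_r):
    """What the responder's authenticator covers: both DH values, both nonces, claimed ID."""
    return b"|".join([pub_i.to_bytes(4, "big"), pub_r.to_bytes(4, "big"),
                      nonce_i, nonce_r, id_r])


class Responder:
    """Whoever answers the client's first message: the real gateway or a laptop nearby."""

    def __init__(self, claimed_id, rsa_private=None):
        self.claimed_id = claimed_id
        self.rsa_private = rsa_private   # only the real gateway holds the private key
        self.shared = None

    def answer(self, pub_i, nonce_i, auth):
        x_r, pub_r = dh_keypair()
        nonce_r = secrets.token_bytes(16)
        self.shared = pow(pub_i, x_r, DH_P)   # DH completes no matter who we are
        t = transcript(pub_i, pub_r, nonce_i, nonce_r, self.claimed_id)
        if auth == "psk":
            # IKEv1 PSK style: SKEYID = prf(PSK, Ni | Nr); anyone holding the PSK can compute it
            skeyid = hmac.new(PSK, nonce_i + nonce_r, hashlib.sha256).digest()
            proof = hmac.new(skeyid, t, hashlib.sha256).digest()
        elif self.rsa_private is not None:
            proof = rsa_sign(self.rsa_private, t)
        else:
            proof = secrets.randbelow(RSA_N)   # no private key: a guess is all that is left
        return pub_r, nonce_r, proof


def client_phase1(responder, auth):
    """Run the client side; return (responder accepted?, same DH secret on both sides?)."""
    x_i, pub_i = dh_keypair()
    nonce_i = secrets.token_bytes(16)
    pub_r, nonce_r, proof = responder.answer(pub_i, nonce_i, auth)
    shared = pow(pub_r, x_i, DH_P)
    t = transcript(pub_i, pub_r, nonce_i, nonce_r, b"gateway")   # the ID the client expects
    if auth == "psk":
        skeyid = hmac.new(PSK, nonce_i + nonce_r, hashlib.sha256).digest()
        expected = hmac.new(skeyid, t, hashlib.sha256).digest()
        accepted = hmac.compare_digest(expected, proof)
    else:
        accepted = rsa_verify(proof, t)   # checked against the gateway's known public key
    return accepted, shared == responder.shared


def demo():
    real = Responder(b"gateway", rsa_private=RSA_D)
    rogue = Responder(b"gateway")     # claims the gateway's ID, knows the PSK, lacks the key
    return {
        "psk_real": client_phase1(real, "psk"),
        "psk_rogue": client_phase1(rogue, "psk"),
        "rsa_real": client_phase1(real, "rsa"),
        "rsa_rogue": client_phase1(rogue, "rsa"),
    }


if __name__ == "__main__":
    for case, (accepted, same_key) in demo().items():
        print(f"{case:10s} accepted={accepted} shared DH secret agreed={same_key}")
```

In every run the DH secret is agreed with whoever answered, which is the "privacy from eavesdroppers" part; only the RSA case lets the client reject an answerer that does not hold the gateway's private key, so that is the step a client must complete before sending anything as sensitive as XAUTH credentials.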


