On Thu, 10 Apr 2014, Paul Wouters wrote:

xauthby=alwaysok is not "very insecure".

IPsec VPNs can be authenticated using various different methods:

1) PreShared Key with IDs (or IPs as ID)
2) raw RSA public keys
3) X.509 Certificates

4) 1,2 or 3 plus an XAUTH/CP username+password
5) 1,2 or 3 plus an L2TP username+password

Furthermore, IPsec VPNs can hand out an IP address to the client using:

A) XAUTH/CP
B) L2TP

Some people require an IP address assignment without needing an
additional username+password. For instance because they use 2) or 3)
or because they believe the PSK for 1) is good enough for their use
case.

If you use A) to get an IP address, you are forced to also specify a
username+password. The option xauthby=alwaysok allows you to 'ignore'
the username+password in these cases.

If you are using A) because you want to identify the _user_ on top of
identifying the _device_, then obviously you are going to have to use
xauthby=file or xauthby=pam.

I should probably for completeness' sake also mention the option
xauthfail=hard|soft. If you set it to soft, the tunnel will be
established regardless of a bad username/password, but the _updown
script will be called with XAUTH_FAILED set. This allows you to
insert additional NAT and firewall rules for this user to send them
to a "walled garden" page - for instance to give them a chance to renew
their subscription to the VPN service.

Note that if X.509 certificates are used, and the user certificate has
been revoked or rejected, the tunnel will fail to establish even
before XAUTH authentication.

Paul
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
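An added example of the "walled garden" hook described above for xauthfail=soft (this is not libreswan's own _updown script and is not part of the mail). It assumes the hook is invoked the way libreswan's _updown is, with PLUTO_VERB and PLUTO_PEER_CLIENT in the environment, plus the XAUTH_FAILED variable from the mail; GARDEN_IP, the DRY_RUN switch and the exact iptables rules are constructed for illustration.

```shell
#!/bin/sh
# Minimal _updown-style hook: a client whose XAUTH failed (xauthfail=soft,
# XAUTH_FAILED set by pluto) only gets to reach the portal; everyone else
# gets normal forwarding. Not libreswan's _updown; variable names below
# other than XAUTH_FAILED are assumptions about the _updown environment.

GARDEN_IP="${GARDEN_IP:-192.0.2.10}"   # constructed placeholder portal address
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print the rules instead of applying

run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules for one client. action is -I (tunnel up) or -D (tunnel down).
# failed=1: redirect web traffic to the portal, allow the portal, drop the rest.
# failed=0: plain forwarding for an authenticated user.
garden_rules() {
    action="$1"; client="$2"; failed="$3"
    if [ "$failed" = "1" ]; then
        run_rule -t nat "$action" PREROUTING -s "$client" -p tcp --dport 80 \
            -j DNAT --to-destination "$GARDEN_IP"
        run_rule "$action" FORWARD -s "$client" -d "$GARDEN_IP" -j ACCEPT
        run_rule "$action" FORWARD -s "$client" -j DROP
    else
        run_rule "$action" FORWARD -s "$client" -j ACCEPT
    fi
}

# Dispatch on the updown verb; PLUTO_PEER_CLIENT is the address assigned
# to the client (XAUTH/CP or L2TP pool), as a CIDR.
updown_dispatch() {
    case "$PLUTO_VERB" in
        up-client)   garden_rules -I "$PLUTO_PEER_CLIENT" "${XAUTH_FAILED:-0}" ;;
        down-client) garden_rules -D "$PLUTO_PEER_CLIENT" "${XAUTH_FAILED:-0}" ;;
        *)           ;;   # other verbs (up-host, prepare-client, ...) need no rules here
    esac
}

updown_dispatch
```

Run it as DRY_RUN=1 with PLUTO_VERB=up-client, PLUTO_PEER_CLIENT=<client/32> and XAUTH_FAILED=1 to see the three rules a failed user would get before wiring it into your real _updown.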
