Hi Brian,

> I'm finding that clients drop after 45 minutes because the client
> wants to rekey, but doesn't expect to have to perform XAUTH
> authentication again.

Yes, that's a known issue with iOS clients. I didn't know the same applies to OS X, though.

> Sending an OK status immediately instead of a request for
> authentication works. I don't particularly care that XAUTH
> authentication never occurs in this case because I'd be using pure RSA
> if OS X would let me get away with it.

If you do not rely on XAuth, this is fine. However, other users do the opposite: they don't rely on RSA (but just use it to securely authenticate the gateway) and then fully rely on XAuth password authentication. The private key is considered "public" in such a setup, but we still have a good level of security (compared to XAUTH+PSK, for example).

Just skipping XAuth during reauthentication is not really an option then: there is no cryptographic binding between the old and the new ISAKMP SA. An attacker could hijack such a connection if it has the private key.

> Is there any interest in a cleaner patch for this "fake XAUTH" mode?

When I find some time during the next weeks, I'll try to have a look at it. Maybe there is another way we can trick iOS into surviving that rekeying procedure.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
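To make the two trust models contrasted above concrete, here is an added gateway-side ipsec.conf sketch. It is not from this thread and not the strongSwan project's own example: the connection names, certificate file names, identities and address pools are placeholders, and the comments state my reading of the option semantics (assumption: rightauth selects the first client authentication round, rightauth2 the XAuth round, and a new IKEv1 ISAKMP SA always runs both again).

```conf
# Added example, not from the mailing-list thread. Gateway-side ipsec.conf
# with two IKEv1 client profiles; names, cert paths and pools are placeholders.

# Profile A: authentication rests on a per-client RSA key pair.
# Each client certificate is issued to one user and its private key is
# secret, so answering the XAuth round on a new ISAKMP SA with an
# immediate OK costs nothing: the new SA is still authenticated by the
# client's own RSA key.
conn ios-rsa
    keyexchange=ikev1
    leftauth=pubkey
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    rightauth=pubkey
    rightauth2=xauth        # only present because the client insists on XAuth
    rightsourceip=10.10.0.0/24
    auto=add

# Profile B: RSA only authenticates the gateway. All clients share one
# certificate (so its private key is effectively public) and the user is
# authenticated by the XAuth password alone.
# Here XAuth MUST run on every new ISAKMP SA: the old and new SA are not
# cryptographically bound, so anyone holding the shared private key could
# otherwise complete the "reauthenticated" SA without knowing a password.
conn ios-shared-cert
    keyexchange=ikev1
    leftauth=pubkey
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    rightauth=pubkey        # shared client cert: no per-user assurance
    rightauth2=xauth        # the real user authentication; never fake this
    rightsourceip=10.10.1.0/24
    auto=add
```

The XAuth credentials for profile B live in ipsec.secrets as lines of the form `alice : XAUTH "password"`. Note that the "fake XAUTH" shortcut is only acceptable for a profile like A, where the client's private key is genuinely private; if you ever deploy it, keep it on a separate conn so it cannot be selected by a shared-certificate client. Later strongSwan releases ship an XAuth backend that accepts any credentials (`rightauth2=xauth-noauth`); whether your version has it is an assumption you need to check, and the same restriction to profile A applies.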
