[Openswan Users] OpenSWAN question on XAUTH clients

Paul Wouters paul at xelerance.com
Sun Aug 9 17:11:16 EDT 2009


On Sun, 9 Aug 2009, Diego Rivera wrote:

> Yes - I knew what XAUTH was I just wasn't sure if PAM would automatically
> be used as the authentication means or how to specify that it would be
> used.  The reason I ask is because I also see that it's possible to
> create an htpasswd-type file with usernames and passwords in it - but no
> documentation on how to specify which of the two methods to use (or if
> they can be combined in the same deployment, for instance, for two
> different endpoints).

You cannot combine the two. Either PAM is used or the htpasswd file is
used. It only depends on the setting of USE_XAUTHPAM.

> Interesting that you should mention the X.509 certificates - we used
> exactly that with Racoon, and no group secret (or rather, the group
> secret was ignored).  I've drafted a tunnel configuration for this but I
> can't seem to get it to come up - keeps complaining about "address family
> inconsistency in this client connection".  I'm sure it's just me being
> too dumb again:
> 
> ----- BEGIN XAUTH CONF -----
> conn rbx-ras
>     authby=secret
>     leftid=%fromcert

That should be authby=rsasig

>     leftcert=/etc/openswan/ras.crt
>     left=<my-public-ip>
>     leftnexthop=%defaultroute
>     leftsourceip=<my-private-ip>

leftsourceip= should not be used for roadwarriors, only for subnet-subnet
tunnels.

>     leftsubnets={<all-the-private-subnets>}
>     leftxauthserver=yes
>     leftmodecfgserver=yes
>     right=%any
>     rightnexthop=%defaultroute
>     rightid=@RAS

rightid should be left out so multiple IDs can connect. It will
depend on the CAs loaded whether or not the client will be allowed.

>     rightxauthclient=yes
>     rightmodecfgclient=yes

rightsubnets=vhost:%no,%priv is missing here for NAT'ed clients.

>     dpdaction=restart_by_peer

The server should not attempt to restart/rekey for dynamic IP
roadwarriors.

>     dpddelay=30
>     dpdtimeout=60
>     pfs=yes
>     ike=3des-md5-modp1024
>     esp=3des-md5-modp1024
>     aggrmode=yes
>     salifetime=15m
>     ikelifetime=1h
>     rekeymargin=2m
>     rekey=no
>     auto=add
> ------ END XAUTH CONF ------

> I already have just such rules in place - I'm just somewhat
> anal-retentive that way :)  I like to be able to fully control
> everything I deploy so I don't inadvertently leave something hanging
> where it shouldn't.  It's a shame that hasn't been done in such a mature
> daemon... maybe a configuration such as
> "listenaddress={aaa.bbb.ccc.ddd:500 eee.fff.ggg.hhh:500}" ... ?

It's more complicated. What do you do when new IP addresses appear
or disappear (and you'd have to distinguish those that by themselves
come in via a tunnel)? If someone writes a patch, we'll accept it after
testing, but most people use dedicated machines for IPsec servers, so
they don't have an issue with listening to ANY.

Paul
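The conn block from the thread with each of Paul's corrections applied, as an added example that is not part of the original exchange. The angle-bracket values are placeholders; the rsasigkey=%cert lines, the dpdaction=clear value and the singular rightsubnet= keyword are my assumptions from ipsec.conf(5), not something Paul stated.

```ini
# Added example: Diego's rbx-ras conn, corrected per Paul's review.
# <...> values are placeholders to fill in for your own deployment.
conn rbx-ras
    # X.509 mutual authentication instead of a group secret
    authby=rsasig
    leftid=%fromcert
    leftcert=/etc/openswan/ras.crt
    leftrsasigkey=%cert          # assumption: take the server key from its cert
    left=<my-public-ip>
    leftnexthop=%defaultroute
    # no leftsourceip= : it is only meant for subnet-to-subnet tunnels
    leftsubnets={<all-the-private-subnets>}
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightnexthop=%defaultroute
    # no rightid= : any client whose cert chains to a loaded CA may connect
    rightrsasigkey=%cert         # assumption: verify the peer with its cert
    rightxauthclient=yes
    rightmodecfgclient=yes
    # lets NAT'ed roadwarriors with private addresses connect
    # (Paul wrote rightsubnets=; the man page documents the singular form)
    rightsubnet=vhost:%no,%priv
    # the server must not try to restart toward a dynamic-IP client;
    # 'clear' is the assumed replacement for restart_by_peer
    dpdaction=clear
    dpddelay=30
    dpdtimeout=60
    pfs=yes
    ike=3des-md5-modp1024        # kept from the original; weak by today's standards
    esp=3des-md5-modp1024
    aggrmode=yes
    salifetime=15m
    ikelifetime=1h
    rekeymargin=2m
    rekey=no
    auto=add
```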