[Openswan dev] Multiple clients with same ID behind NAT

Paul Wouters paul at xelerance.com
Tue Oct 2 13:52:35 EDT 2007 

On Tue, 2 Oct 2007, Venkat Yekkirala wrote:

> > > I have a setup where all the clients behind a NAT share
> > > the same ID and cert.
> >
> > That's wrong. You *might* (very unlikely) get away with it
> > using uniqueids=no in config setup.
>
> I do have uniqueids=no in config setup.

If that is the case, it will never work with Openswan (and I think
that's a good thing)

> > Your setup is broken. Any single client compromise would lead
> > to all clients being compromised. One untrusted client can
> > lead to compromise of all trusted clients. Giving everyone
> > the same key is just not a real security solution.
>
> I agree this would be considered broken in the general case,
> specifically in regard to authentication. But the session
> encryption would any way be done using a unique symmetric
> session key (PFS) so a compromised client can't eavesdrop
> nor do a man-in-the-middle correct?

The only thing they need is to know your IP address and spoof it.
Since they already have all the credentials. After a rekey, they
just get all the tunneled traffic for free (assuming your config
would work)

> The specific threat model at hand requires only an authenticated
> and encrypted tunnel between any client and the gateway. It needn't
> differentiate one client from the other for authentication purposes.

Changing the model doesn't change the real world. You're creating
vulnerabilitis where none should be - regardless of some hyped
threat model.

> Now it seems to me if OpenSwan did use a different host pair for
> each one of these connection instances (as differentiated by the NATed
> IKE port of the client), find_phase1_state() would then have been able
> to find the right phase1 SA. I can do a patch that does this and submit
> it if you agree the host pair could be unique for each client.

I don't see any harm in it. Michael? Any objection to such a patch?

> Example:
>
> Client				NAT					CURRENT HOSTPAIR ON GATEWAY
>
> 172.16.233.101 (500/4500)	10.1.10.100 (32700/32701)	10.1.10.160:500;10.1.10.100:500
>
> 172.16.233.102 (500/4500)	10.1.10.100 (32702/32703)	10.1.10.160:500;10.1.10.100:500
>
> As can be seen, both instances use the same hostpair. But if we used a different host pair
> for each client as in: 10.1.10.160:500;10.1.10.100:32701  and 10.1.10.160:500;10.1.10.100:32703
> then find_phase1_state() will find the right SA, correct? Or am I wildly off-track here?

So what happens when the NAT router times out its NAT mapping for one of
the clients, and its port (eg 4500) is re-used? Then your SA's  will be
wrong.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Dev mailing list