[Openswan dev] Multiple clients with same ID behind NAT
paul at xelerance.com
Tue Oct 2 13:52:35 EDT 2007
On Tue, 2 Oct 2007, Venkat Yekkirala wrote:
> > > I have a setup where all the clients behind a NAT share
> > > the same ID and cert.
> > That's wrong. You *might* (very unlikely) get away with it
> > using uniqueids=no in config setup.
> I do have uniqueids=no in config setup.
If that is the case, it will never work with Openswan (and I think
that's a good thing).
> > Your setup is broken. Any single client compromise would lead
> > to all clients being compromised. One untrusted client can
> > lead to compromise of all trusted clients. Giving everyone
> > the same key is just not a real security solution.
> I agree this would be considered broken in the general case,
> specifically in regard to authentication. But the session
> encryption would any way be done using a unique symmetric
> session key (PFS) so a compromised client can't eavesdrop
> nor do a man-in-the-middle correct?
The only thing they need is to know your IP address and spoof it,
since they already have all the credentials. After a rekey, they
just get all the tunneled traffic for free (assuming your config
> The specific threat model at hand requires only an authenticated
> and encrypted tunnel between any client and the gateway. It needn't
> differentiate one client from the other for authentication purposes.
Changing the model doesn't change the real world. You're creating
vulnerabilities where none should be - regardless of some hyped
> Now it seems to me if OpenSwan did use a different host pair for
> each one of these connection instances (as differentiated by the NATed
> IKE port of the client), find_phase1_state() would then have been able
> to find the right phase1 SA. I can do a patch that does this and submit
> it if you agree the host pair could be unique for each client.
I don't see any harm in it. Michael? Any objection to such a patch?
> Client                      NAT                          CURRENT HOSTPAIR ON GATEWAY
> 172.16.233.101 (500/4500)   10.1.10.100 (32700/32701)    10.1.10.160:500;10.1.10.100:500
> 172.16.233.102 (500/4500)   10.1.10.100 (32702/32703)    10.1.10.160:500;10.1.10.100:500
> As can be seen, both instances use the same hostpair. But if we used a different host pair
> for each client as in: 10.1.10.160:500;10.1.10.100:32701 and 10.1.10.160:500;10.1.10.100:32703
> then find_phase1_state() will find the right SA, correct? Or am I wildly off-track here?
So what happens when the NAT router times out its NAT mapping for one of
the clients, and its port (e.g. 4500) is re-used? Then your SAs will be
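The lookup problem and the port-reuse objection from the thread, as an added toy model (Python written for this page, not Openswan code; ToyNat, ToyGateway, the single port per client and the port allocation order are assumptions of the demo, not Openswan's behaviour):

```python
from dataclasses import dataclass

@dataclass
class Phase1SA:
    peer_id: str      # IKE identity; every client in this setup presents the same one
    hostpair: tuple   # ((gateway ip, port), (NAT public ip, NATed port))
    client: str       # private address of the real owner, kept only for the demo

class ToyNat:
    """Constructed NAT model: one public address, a freed port is reused by the next mapping."""
    def __init__(self, public_ip="10.1.10.100", first_port=32700):
        self.public_ip, self.next_port = public_ip, first_port
        self.mappings, self.free = {}, []
    def translate(self, client):
        if client not in self.mappings:
            port = self.free.pop() if self.free else self.next_port
            if port == self.next_port:
                self.next_port += 1
            self.mappings[client] = port
        return (self.public_ip, self.mappings[client])
    def expire(self, client):
        self.free.append(self.mappings.pop(client))   # NAT mapping timed out

class ToyGateway:
    def __init__(self, ip="10.1.10.160", port=500):
        self.local, self.sas = (ip, port), []
    def add_sa(self, peer_id, nat_addr, client):
        self.sas.append(Phase1SA(peer_id, (self.local, nat_addr), client))
    def find_by_id(self, peer_id):
        """Lookup as the poster describes the current failure: the NATed port is
        not part of the host pair, so every shared-ID client matches."""
        return [sa.client for sa in self.sas if sa.peer_id == peer_id]
    def find_by_hostpair(self, nat_addr):
        """The proposed keying on the NATed source port."""
        return [sa.client for sa in self.sas if sa.hostpair == (self.local, nat_addr)]

def demo():
    nat, gw = ToyNat(), ToyGateway()
    a, b = "172.16.233.101", "172.16.233.102"      # clients from the thread's table
    for c in (a, b):
        gw.add_sa("CN=shared", nat.translate(c), c)
    by_id = gw.find_by_id("CN=shared")              # ambiguous: both clients match
    by_hp = gw.find_by_hostpair(nat.translate(b))   # unique: client b
    # Paul's objection: b's NAT mapping times out while the gateway still holds
    # b's SA, and a new client is handed b's old port by the NAT.
    nat.expire(b)
    stale = gw.find_by_hostpair(nat.translate("172.16.233.103"))  # b's SA for c's packets
    return {"by_id": by_id, "by_hostpair": by_hp, "after_port_reuse": stale}
```

The last lookup is the mismatch Paul asks about: the port-keyed host pair matches the stale SA of a different client, and with a shared ID nothing else distinguishes the two.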