[Openswan Users] Xauth Client extensions

mcr at xelerance.com mcr at xelerance.com
Tue Apr 6 14:14:17 CEST 2004


>>>>> "David" == David Mattes <david.mattes at boeing.com> writes:
    David> I know, I know that openswan only has support for XAuth
    David> server extensions, but how hard would it be (rough order of
    David> magnitude) to get the XAuth client portion working?  I
    David> really, really want to talk to the corporate Nortel CES VPN
    David> server using openswan, and I am very tired of dealing with
    David> the Apani Netlock client.  Our corporate configuration
    David> requires a group user/name password and a one-time password.

  Openswan 2.1.x has client and server XAUTH.
  It functions well.

  It does not have aggressive mode support, so it may not function with
the Nortel box. It depends upon how the nortel box is configured.
  Bugs in the Cisco VPN3005 prevent it from being configured
properly. That box is basically EOL from Cisco, so they are unlikely to
fix it. I'm told that the PIX don't have this problem.

  So, we will not put aggressive mode support into openswan 2.x until we
	1) put in both initiator and responder support
	2) implement CPU limits on responder support such that
	   a DoS is not so trivial to cause.

  We require initiator and responder support so that we can test it
regularly. We will not ship untested code.  We also are not interested
in ghetto-izing openswan as a "client" or "server" only system. 
  It must function as a full peer on the network.

  The hard part is the CPU limits - we have to change pluto such that it
it knows how much diffie-hellman work it has done, knows how much of its
timeslice is left, and can suspend computation on aggressive mode
clients and return to regular work. 

  Probably this will involving putting all DH work into a sub-process
and restrict the amount of CPU that this sub-process can use. There is
still a head-of-queue problem that we have to work out.

  It is about 1 month of effort to do all of this properly.

  If you think you can help support the effort, then please contact Ken.

  We also have some thoughts on using XAUTH with Opportunistic
Encryption to simplify road warrior deployment.

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys


More information about the Users mailing list