[Openswan Users] tunnel using XAUTH client mode to Cisco 3000 series

Michael Richardson mcr at sandelman.ottawa.on.ca
Thu Jul 8 13:38:15 CEST 2004



>>>>> "David" == David Edmondson <dme at dme.org> writes:
    David> This doesn't appear to be a requirement for the Cisco client
    David> or vpnc - people connect from random places without any prior
    David> configuration of the client IP address.

    David> We currently use a single group with a single well-known
    David> passphrase (well, well-known if you know how to read the
    David> Cisco client configuration files) and then username and token
    David> card authentication.

  That's because it uses aggressive mode.
  The only protection that aggressive mode offers against massive, and
trivial DOS is keeping the well-known passphrase secret. Except that 70%
of installations use "cisco123", which is what the documentation example
shows...
  (the DOS would eat 100% of the CPU of the gateway, while using a
trivial amount of network bandwidth)

    David> It's tempting to ask "is it likely to be relevant", but
    David> obviously it is as one works and the other doesn't :-)

  Very relevant.
  Due to a screw up in how PSK was defined in IKEv1 Main Mode, you have
to know the identity of the system to find the PSK. But the identity
isn't sent until after you have privacy, so you can only get things to work
right if the system is coming from a "known" IP address.

    David> Thanks for the information.  Is the 'custom configuration'
    David> the creation of the group with the name of my IP address that
    David> you mention above, or is there more?

  That's what it takes.

  If you use RSA authentication, this whole nonsense goes away.
  Since RSA authentication is FAR BETTER than username/password, and it
also scales better, I'd recommend it. If you need a physical token as
well, you can combine RSA+XAUTH, but this is less commonly done.

  Adding aggressive to Openswan 2 is something that we are open to
doing, but we insist that it be done right.  That means both a client
and server implementation, and resistance to DOS attacks by carefully
restricting how much work we will do.  If we could put together a
consortium of 5-6 sponsors to put up $30K or so, it could be done properly.

  If you are happy with a client-only, single-session system, use
'vpnc'. The reports are that it works, is simple enough and needs no
kernel components. 

--
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
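The two points made in the message above, that Main Mode can only select a PSK by the peer's IP address because the identity arrives encrypted, and that Aggressive Mode fixes that at the price of doing expensive work for any unauthenticated first packet, as an added Python model. This is illustration written for this page, not Openswan or vpnc code. Payload names follow RFC 2409, but the Diffie-Hellman step is replaced by a work counter, the PRF by HMAC-SHA1, and the addresses, group name and gateway name are constructed for the example.

```python
"""Toy model of IKEv1 PSK selection in Main Mode vs Aggressive Mode.

Added illustration, not Openswan or vpnc code.  Payload names are RFC 2409's;
the DH exponentiation is a counter of "work units", the PRF is HMAC-SHA1, and
every address, key and identity below is constructed sample data."""
import hashlib
import hmac
import secrets

# Constructed configuration (hypothetical addresses, keys and group name).
PSK_BY_PEER_ADDR = {"198.51.100.7": b"branch-office-psk"}  # Main Mode: selector is the IP
PSK_BY_GROUP_ID = {"roadwarriors": b"cisco123"}            # Aggressive Mode: selector is IDii

DH_WORK = 1  # cost of one responder DH exponentiation, in arbitrary units


def prf(key, data):
    """Stand-in for the negotiated IKE PRF."""
    return hmac.new(key, data, hashlib.sha1).digest()


def main_mode_select_psk(src_addr):
    """Main Mode messages 1-4 carry only SA, KE and nonces.  SKEYID = prf(PSK, Ni | Nr)
    must exist before message 5 (the encrypted IDii) can be read, so the responder can
    key the PSK lookup on nothing but the initiator's source address.  A road warrior
    on an unknown address therefore gets no PSK at all."""
    return PSK_BY_PEER_ADDR.get(src_addr)


def aggressive_mode_select_psk(msg1):
    """Aggressive Mode message 1 is HDR, SA, KE, Ni, IDii: the identity is in the clear,
    so a group PSK can be chosen by name no matter where the packet came from."""
    return PSK_BY_GROUP_ID.get(msg1["IDii"])


class AggressiveResponder:
    """Answers Aggressive Mode message 1.  Each accepted message 1 costs a DH
    exponentiation plus a HASH_R computation before the peer has proven anything."""

    def __init__(self, max_half_open=None):
        self.work = 0                        # total DH work spent
        self.half_open = 0                   # exchanges still waiting for message 3
        self.max_half_open = max_half_open   # None = unlimited, i.e. the DoS case

    def handle_msg1(self, src_addr, msg1):
        psk = aggressive_mode_select_psk(msg1)
        if psk is None:
            return None  # unknown group: cheap rejection, no DH spent
        if self.max_half_open is not None and self.half_open >= self.max_half_open:
            return None  # work cap reached: drop the packet rather than burn CPU
        # A real implementation would expire half-open entries; this model only counts.
        self.half_open += 1
        self.work += DH_WORK                 # compute our KE (g^xr)
        nr = secrets.token_bytes(16)
        skeyid = prf(psk, msg1["Ni"] + nr)
        # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), simplified here.
        hash_r = prf(skeyid, b"g^xr" + msg1["KE"] + msg1["SA"] + b"vpn-gw")
        return {"KE": b"g^xr", "Nr": nr, "IDir": "vpn-gw", "HASH_R": hash_r}


def flood(responder, packets):
    """Spoofed message 1s from rotating addresses, all naming the well-known group.
    One small UDP packet per DH exponentiation is the bandwidth/CPU asymmetry the
    post describes.  Returns the DH work units the gateway spent."""
    for i in range(packets):
        fake_src = f"203.0.113.{i % 256}"  # constructed spoofed source
        msg1 = {"SA": b"proposal", "KE": b"g^xi",
                "Ni": secrets.token_bytes(16), "IDii": "roadwarriors"}
        responder.handle_msg1(fake_src, msg1)
    return responder.work


if __name__ == "__main__":
    print("Main Mode, known peer:  ", main_mode_select_psk("198.51.100.7"))
    print("Main Mode, road warrior:", main_mode_select_psk("203.0.113.9"))
    print("Aggressive, any address:", aggressive_mode_select_psk({"IDii": "roadwarriors"}))
    print("Unlimited responder work after 1000 spoofed packets:", flood(AggressiveResponder(), 1000))
    print("Capped responder work after 1000 spoofed packets:   ",
          flood(AggressiveResponder(max_half_open=50), 1000))
```

The cap in `AggressiveResponder` is the kind of "carefully restricting how much work we will do" the message asks for; without it every unauthenticated packet naming the group buys one exponentiation from the gateway, and since the group name and its passphrase are widely shared, the attacker needs nothing but the group name.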

