[Openswan Users] Re: SonicWALL weirdness...
Francesco Peeters
Francesco at FamPeeters.com
Thu Mar 9 11:22:31 CET 2006
On Wed, March 8, 2006 16:51, Paul Wouters said:
> On Wed, 8 Mar 2006, Francesco Peeters wrote:
>
>> > What happens if you just do: ipsec auto --up group ?
>> >
>>
>> OK, only tested it once so far, but:
>> ipsec auto --down group
>> ipsec auto --up group
>> successfully restored the vpn connection this time... So far so good!
>
>> I think the important bit - at least when using above commands - is that
>> the XAuth info is not being cached:
>
> That is correct. Openswan does not cache the username/password. Otherwise,
> what would be the point of XAUTH? It is an additional user/password
> credential. This is also the reason auto=start does not work. XAUTH
> connections need to be loaded with auto=add and manually started with
> ipsec auto --up so you can type in your username and password.
> XAUTH connections can also not rekey. Any client that seems to rekey is
> really setting up a new tunnel (eg clients on windows) and caching the
> user/password.
>
> Paul
Those are valid points, and I agree with them for the most part, but I
would like to be able to cache the information for as long as the
connection is not taken down manually...
I would be opposed to constant storage of the data, as that would mean it
could be compromised by reading the correct files, but maintaining the
data in a memory structure until the tunnel is stopped would be a nice
feature.
The SonicWALL uses IPsec for WiFi protection, and uses XAuth to protect
the tunnel.
Right now I am forced to use a long key time (8h) for a type of connection
that would usually have a much shorter keying time, just to keep it
workable with my linux laptop.
The Windoze machine (my wife's) running Global VPN Client *does* cache the
XAuth data during the session (ie until taken down manually) and keeps
working nicely, as it automatically re-authenticates using cached data. It
is IMHO only a tiny concession on the security side for a huge improvement
in the user-friendliness department...
Cheers,
--
Francesco Peeters
----
GPG Key = AA69 E7C6 1D8A F148 160C D5C4 9943 6E38 D5E3 7704
If your program doesn't recognize my signature, please visit
http://www.CAcert.org/index.php?id=3 to retrieve the Root CA certificate.
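The point Paul makes in the quoted reply (an XAUTH client connection has to be loaded with auto=add and then brought up by hand so the credentials are typed in, never stored) translates into an ipsec.conf conn like the one below. This is an added illustration, not configuration from the thread or from the SonicWALL or Openswan projects: the conn name, the placeholder gateway address, the pre-shared-key authentication, aggressive mode and the 8h keylife are assumptions chosen to match the setup described in the mail, and the leftxauthclient/rightxauthserver keywords are Openswan's XAUTH options as the editor understands them.

```ini
# /etc/ipsec.conf fragment, constructed example (not from the thread)
conn sonicwall-wifi
    left=%defaultroute
    leftxauthclient=yes        # this side is the XAUTH client (the laptop)
    right=192.0.2.1            # placeholder: the SonicWALL's WAN/LAN address
    rightxauthserver=yes       # the SonicWALL prompts for username/password
    authby=secret              # group pre-shared key lives in ipsec.secrets
    aggrmode=yes               # assumption: typical for XAUTH+PSK road warriors
    keylife=8h                 # the long SA lifetime the mail mentions
    # auto=start would try to bring the tunnel up at boot with nobody there
    # to answer the XAUTH prompt; auto=add only loads the conn.
    auto=add
```

With the conn loaded this way the tunnel is started by hand, which is when Openswan asks for the XAUTH username and password, and restarted after an outage the same way the mail describes (first `ipsec auto --down sonicwall-wifi`, then `ipsec auto --up sonicwall-wifi`). Nothing about the credentials touches the filesystem; only the group pre-shared key is on disk, in ipsec.secrets, so that file is the one to keep root-only.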