[Openswan Users]

Brian Candler B.Candler at pobox.com
Wed May 10 13:10:26 CEST 2006


On Wed, May 10, 2006 at 11:47:51AM +0100, Shalini Tadimeti wrote:
> Is there no way that I can authenticate the client
> machine on the basis of my own set of parameters,
> which are defined in a file, for the establishment of
> the IPSEC. I want this authentication for the
> establishment of IPSEC. That is, data should be sent
> before the Security Association is established.

Standard IPSEC authentication mechanisms include:

- pre-shared key (*)
- RSA keys
- X509 certificates

The Cisco XAUTH extension also allows username and password, which can be
forwarded to a RADIUS or LDAP server.

L2TP over IPSEC lets you use PAP, CHAP or EAP.

What else would you want?

(*) Note that if you use aggressive mode, you can use a different pre-shared
key for each endpoint. That is, the IKE exchange also includes an identity
(which could be an FQDN or E-mail address), and you can use this to select
the appropriate secret. Many VPN solutions are built on this.

Now, you can pass whatever information you like in the IKE identity, but
generally you would only use this to select the key for *authentication*,
because the *authorisation* is up to the server. That is, the client
shouldn't be able to say what it's allowed to access; the server, once it
has validated the credentials, has its own knowledge of what that particular
client is allowed to do. Otherwise, clients could access anything they
wanted to, just by asking for it.

Regards,

Brian.
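The per-identity pre-shared key setup that Brian's footnote describes, together with the point that authorisation is decided on the gateway, as an added configuration example (not part of the original post and not taken from the Openswan project's own documentation). The hostnames, subnets and secrets are hypothetical, and `aggrmode=yes` assumes an Openswan build that supports aggressive mode:

```conf
# /etc/ipsec.secrets on the gateway (responder side)
# One PSK per client, selected by the pair of IKE identities.
# With aggressive mode the initiator's ID arrives in the first IKE
# message, so Pluto can pick the matching line before verifying any hash.
@vpn.example.com @alice.example.com : PSK "long-random-secret-for-alice"
@vpn.example.com @bob.example.com   : PSK "long-random-secret-for-bob"

# /etc/ipsec.conf on the gateway (responder side)
config setup
        nat_traversal=yes

# Shared settings; not loaded on its own (auto defaults to ignore).
conn common
        left=%defaultroute
        leftid=@vpn.example.com
        right=%any
        authby=secret
        aggrmode=yes
        # Aggressive mode cannot negotiate the DH group, so pin one proposal.
        ike=aes128-sha1-modp1024

# Authorisation lives here, not in anything the client sends:
# each identity is bound to the subnet it may reach.
conn alice
        also=common
        rightid=@alice.example.com
        leftsubnet=10.10.1.0/24
        auto=add

conn bob
        also=common
        rightid=@bob.example.com
        leftsubnet=10.10.2.0/24
        auto=add
```

The client's `rightid` only chooses which `conn` (and therefore which secret) the gateway uses; the `leftsubnet` that goes with it is the gateway's decision, so a client that presents Bob's identity and secret cannot reach Alice's subnet merely by proposing it. One caveat worth keeping in mind with this design: in aggressive mode the initiator's identity and the PSK-derived hash are sent before encryption is established, so anyone who captures the exchange can run an offline dictionary attack against that identity's pre-shared key. Use long random secrets, not passwords.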

