[Openswan Users] OpenSWAN question on XAUTH clients

Paul Wouters paul at xelerance.com
Sun Aug 9 17:11:16 EDT 2009

On Sun, 9 Aug 2009, Diego Rivera wrote:

> Yes - I knew what XAUTH was I just wasn't sure if PAM would automatically
> be used as the authentication means or how to specify that it would be
> used.  The reason I ask is because I also see that it's possible to
> create an htpasswd-type file with usernames and passwords in it - but no
> documentation on how to specify which of the two methods to use (or if
> they can be combined in the same deployment, for instance, for two
> different endpoints).

You cannot combine the two. Either PAM is used or the htpasswd file is
used. It only depends on the setting of USE_XAUTHPAM.

> Interesting that you should mention the X.509 certificates - we used
> exactly that with Racoon, and no group secret (or rather, the group
> secret was ignored).  I've drafted a tunnel configuration for this but I
> can't seem to get it to come up - keeps complaining about "address family
> inconsistency in this client connection".  I'm sure it's just me being
> too dumb again:
> ----- BEGIN XAUTH CONF -----
> conn rbx-ras
>     authby=secret
>     leftid=%fromcert

That should be authby=rsasig

>     leftcert=/etc/openswan/ras.crt
>     left=<my-public-ip>
>     leftnexthop=%defaultroute
>     leftsourceip=<my-private-ip>

leftsourceip= should not be used for roadwarriors, only for subnet-subnet

>     leftsubnets={<all-the-private-subnets>}
>     leftxauthserver=yes
>     leftmodecfgserver=yes
>     right=%any
>     rightnexthop=%defaultroute
>     rightid=@RAS

rightid should be left out so multiple ids can connect. It will
depend on the CAs loaded whether or not the client will be allowed.

>     rightxauthclient=yes
>     rightmodecfgclient=yes

rightsubnets=vhost:%no,%priv is missing here for NAT'ed clients.

>     dpdaction=restart_by_peer

The server should not attempt to restart/rekey for dynamic IP.

>     dpddelay=30
>     dpdtimeout=60
>     pfs=yes
>     ike=3des-md5-modp1024
>     esp=3des-md5-modp1024
>     aggrmode=yes
>     salifetime=15m
>     ikelifetime=1h
>     rekeymargin=2m
>     rekey=no
>     auto=add
> ------ END XAUTH CONF ------

> I already have just such rules in place - I'm just somewhat
> anal-retentive that way :)  I like to be able to fully control
> everything I deploy so I don't inadvertently leave something hanging
> where it shouldn't.  It's a shame that hasn't been done in such a mature
> daemon... maybe a configuration such as
> "listenaddress={aaa.bbb.ccc.ddd:500 eee.fff.ggg.hhh:500}" ... ?

It's more complicated. What do you do when new IP addresses appear
or disappear (and you'd have to distinguish those that by themselves
come in via a tunnel)? If someone writes a patch, we'll accept it after
testing, but most people use dedicated machines for IPsec servers, so
they don't have an issue with listening to ANY.
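The corrections in this reply can be turned into a small check that runs over a conn block before it is deployed. The script below is an added example, not Openswan's own tooling; it parses ipsec.conf-style text into key/value maps and flags exactly the points raised above (authby with a certificate, leftsourceip and rightid on a right=%any conn, a missing rightsubnets for NATed clients, and restart_by_peer on the XAUTH server side). The sample conn is constructed from the quoted configuration with its placeholders left in place; the parser and the rule names are this example's own.

```python
"""Lint an Openswan roadwarrior/XAUTH 'conn' block for the pitfalls named
in the reply above. Added example; not Openswan code."""

import re

# Constructed sample: the quoted conn, placeholders kept verbatim.
SAMPLE_CONN = """\
conn rbx-ras
    authby=secret
    leftid=%fromcert
    leftcert=/etc/openswan/ras.crt
    left=<my-public-ip>
    leftnexthop=%defaultroute
    leftsourceip=<my-private-ip>
    leftsubnets={<all-the-private-subnets>}
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightnexthop=%defaultroute
    rightid=@RAS
    rightxauthclient=yes
    rightmodecfgclient=yes
    dpdaction=restart_by_peer
    dpddelay=30
    dpdtimeout=60
    pfs=yes
    ike=3des-md5-modp1024
    esp=3des-md5-modp1024
    aggrmode=yes
    salifetime=15m
    ikelifetime=1h
    rekeymargin=2m
    rekey=no
    auto=add
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.
    Recognises 'conn NAME' headers and indented key=value lines;
    '#' comments and blank lines are skipped."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r'^conn\s+(\S+)\s*$', line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if current is None or '=' not in line:
            continue
        key, _, value = line.strip().partition('=')
        conns[current][key.strip()] = value.strip()
    return conns


def lint_roadwarrior(conn):
    """Return a list of (key, message) findings for an XAUTH server conn,
    one per correction given in the reply above."""
    findings = []
    # Certificate-based peers authenticate with RSA signatures, not a PSK.
    if 'leftcert' in conn and conn.get('authby') != 'rsasig':
        findings.append(('authby', f"leftcert is set; use authby=rsasig, not {conn.get('authby')}"))
    if conn.get('right') == '%any':
        # Roadwarrior conn: these settings belong only to subnet-to-subnet,
        # or must be left open so any certificate the loaded CAs accept works.
        if 'leftsourceip' in conn:
            findings.append(('leftsourceip', 'not for roadwarriors; only subnet-to-subnet'))
        if 'rightid' in conn:
            findings.append(('rightid', 'leave out so multiple ids can connect; the loaded CAs decide'))
        if 'rightsubnets' not in conn:
            findings.append(('rightsubnets', 'missing; add rightsubnets=vhost:%no,%priv for NATed clients'))
    # The server side should not try to restart/rekey toward dynamic-IP clients.
    if conn.get('leftxauthserver') == 'yes' and conn.get('dpdaction') == 'restart_by_peer':
        findings.append(('dpdaction', 'server should not restart/rekey for dynamic IP clients'))
    return findings


if __name__ == '__main__':
    for name, conn in parse_conns(SAMPLE_CONN).items():
        for key, msg in lint_roadwarrior(conn):
            print(f'{name}: {key}: {msg}')
```

Run as-is it reports five findings for the quoted conn; a conn with authby=rsasig, no leftsourceip, no rightid, rightsubnets=vhost:%no,%priv and no restart_by_peer reports none. The parser is deliberately minimal (no `also=` or section inheritance), so treat it as a pre-deploy sanity check rather than a full ipsec.conf validator.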
