[strongSwan-dev] Pure X.509 authentication bypassing XAUTH
Andrey Korolyov
andrey at xdel.ru
Mon Nov 21 14:55:47 CET 2011
Hello,
I want to use certificate-only authorization on my iPhone, and I ran into
some strange behavior:
- using --disable-xauth-vid from configure does not disable
recognizing XAUTH when the client asks for it, as I would expect from the
description, so I need to change case VID_MISC_XAUTH: vid_useful to
FALSE
- when 'ignoring Vendor ID payload [XAUTH]' finally appears in the log,
the server refuses to authorize the client with 'no connection has been
authorized with policy=XAUTHRSASIG+XAUTHSERVER', but config [1] does
not contain any xauth-related options.
Can you please point me to where I can create a bypass for XAUTH in the
source code? As I understand it, I need to do a fake auth on the server,
similarly NOT sending an XAUTH request to the client which announced this
capability; is that possible?
The possible solution is clearly a patch, so please forgive me for posting to
dev@ instead of users@.
With XAUTH, all works fine.
config setup
nat_traversal=yes
charonstart=no
plutostart=yes
conn iphone
leftrsasigkey=%cert
rightrsasigkey=%cert
keyingtries=1
rekey=no
ikelifetime=600m
auto=add
dpdaction=clear
keyexchange=ikev1 #This string is necessary for cisco-like ikev1 client.
authby=xauthrsasig
xauth=server
pfs=no
leftcert=/etc/ipsec.d/cacerts/strongswanCert.pem
left=ip.ad.dre.ss
leftid=@fqdn
leftsubnet=0.0.0.0/0
right=%any
rightsourceip=somesubnet/mask
rightcert=/etc/ipsec.d/certs/hostCert.pem
Trying to do the same thing without XAUTH:
[1]
conn iphone
leftrsasigkey=%cert
rightrsasigkey=%cert
keyingtries=1
rekey=no
ikelifetime=600m
auto=add
dpdaction=clear
keyexchange=ikev1 #This string is necessary for cisco-like ikev1 client.
authby=rsasig #Also tried pubkey, with same result.
pfs=no
leftcert=/etc/ipsec.d/cacerts/strongswanCert.pem
left=ip.ad.dre.ss
leftid=@fqdn
leftsubnet=0.0.0.0/0
right=%any
rightsourceip=somesubnet/mask
rightcert=/etc/ipsec.d/certs/hostCert.pem
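The two conn sections above differ only in authby= and xauth=, and the server's log line names the policy it derived from those keys. As an added illustration (not strongSwan's code, not part of the original message), the Python below parses ipsec.conf conn sections the way the post lays them out, maps authby/xauth to the policy labels seen in the quoted log line, and flags a conn whose authby and xauth settings disagree. The sample configuration is constructed from the post's two conn blocks, and the authby-to-policy mapping (including treating authby=pubkey like rsasig) is an assumption for illustration, not a reading of pluto's source.

```python
"""Derive a pluto-style authentication policy label from ipsec.conf conn sections.

Added example, not strongSwan's own code. The policy labels mirror the
log message quoted in the post ('XAUTHRSASIG+XAUTHSERVER'); the mapping
tables below are assumptions made for illustration.
"""
import re

# Constructed sample: the post's two conn sections, trimmed to the
# authentication-relevant keys (the second conn is renamed so both fit).
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    plutostart=yes

conn iphone
    keyexchange=ikev1 #This string is necessary for cisco-like ikev1 client.
    authby=xauthrsasig
    xauth=server
    leftcert=/etc/ipsec.d/cacerts/strongswanCert.pem

conn iphone-noxauth
    keyexchange=ikev1
    authby=rsasig #Also tried pubkey, with same result.
    leftcert=/etc/ipsec.d/cacerts/strongswanCert.pem
"""

# Assumed mapping from authby= values to the policy flags pluto logs.
AUTHBY_POLICY = {
    "rsasig": ["RSASIG"],
    "pubkey": ["RSASIG"],        # assumption: pubkey behaves like rsasig for IKEv1
    "xauthrsasig": ["XAUTHRSASIG"],
    "xauthpsk": ["XAUTHPSK"],
    "psk": ["PSK"],
    "secret": ["PSK"],
}
XAUTH_POLICY = {"server": "XAUTHSERVER", "client": "XAUTHCLIENT"}


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    '#' starts a comment, whole-line or trailing (the post writes
    'keyexchange=ikev1 #...'). A section starts at a 'conn NAME' or
    'config NAME' line; indentation is ignored because the post's
    configuration lost it in the mail body.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:
            # Only 'conn' sections carry authentication keys.
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return conns


def derive_policy(conn):
    """Build the 'A+B' policy label for one parsed conn section."""
    authby = conn.get("authby", "pubkey").lower()
    if authby not in AUTHBY_POLICY:
        raise ValueError(f"unsupported authby={authby!r}")
    flags = list(AUTHBY_POLICY[authby])
    xauth = conn.get("xauth")
    if xauth:
        flags.append(XAUTH_POLICY[xauth.lower()])
    return "+".join(flags)


def check_xauth_consistency(conn):
    """Report whether authby= and xauth= agree on using XAUTH.

    A conn that requests XAUTH in authby= but has no xauth= role, or the
    reverse, yields a policy no peer proposal can match, which shows up as
    'no connection has been authorized with policy=...' in the log.
    """
    authby = conn.get("authby", "pubkey").lower()
    wants_xauth = authby.startswith("xauth")
    has_role = "xauth" in conn
    if wants_xauth and not has_role:
        return "authby requests XAUTH but xauth= role is missing"
    if has_role and not wants_xauth:
        return "xauth= role set but authby does not request XAUTH"
    return "ok"


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(f"{name}: policy={derive_policy(conn)} ({check_xauth_consistency(conn)})")
```

Running the script prints one line per conn with the derived policy label and the consistency verdict; comparing that label with the policy named in the server's 'no connection has been authorized' message shows whether the failing conn is the one you think it is.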