[strongSwan-dev] [RFC] Be lenient about downstream encryption
Paul Stewart
pstew at chromium.org
Mon Apr 14 20:33:47 CEST 2014
On Mon, Apr 14, 2014 at 5:56 AM, Martin Willi <martin at strongswan.org> wrote:
> Hi Paul,
>
>> I discovered an interop issue with XAUTH authentication
>> with StrongSwan VPNs. Does anyone have a deep enough
>> knowledge of this frame to understand what the remote
>> VPN is giving away?
>
> Thanks for your analysis, and the patch.
>
> It seems that Sonicwall sends the ID/Hash payloads unencrypted even in
> Main Mode, probably to select different PSK keys based on the peer
> Identity. Something like an "Aggressive Mode light"?
>
> If that helps for interoperability, I'm not against upstreaming a
> work-around, even if it is not strictly within the specs.
>
> How about the (untested) patch at [1]? It introduces a
> charon.sonicwall_quirk strongswan.conf option to enable that behavior.
>
> @Tobias: What do you think about such an option? Don't know if it is
> worth it, as remote sends these unencrypted payloads anyway. On the
> other side, it can make the implications clear to the
> administrator/user, given that an attacker can snoop these identities
> sent in clear-text.
>
> Best Regards
> Martin
>
> [1]http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/sonicwall-quirk
I've verified your patch works. LGTM, modulo the other concerns I mentioned.
>
More information about the Dev
mailing list