XAuth support for Linux clients #386
Thank you again for contributing. I added a few comments to your pull request, please have a look.
Due to the limit of 16384 bytes for AWS instance user data, I am unable to merge these changes until I can figure out a way to reduce the script size. Also, I would like to do more testing to investigate why xauthby=file is not working, and we had to instead use xauthby=pam.
@@ -245,7 +247,7 @@ conn shared | |||
dpddelay=30 | |||
dpdtimeout=120 | |||
dpdaction=clear | |||
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 | |||
ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 |
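Review bot: the added `3des-sha1;modp1024` proposal lands in `conn shared` (per the `@@` header), so it widens the set of proposals every client of this conn may negotiate, not only vpnc; 3DES and the 1024-bit MODP group are both deprecated by current IKE algorithm guidance. If vpnc really needs it, consider emitting this proposal only when the XAuth/vpnc option is enabled and leaving the original `ike=` line for all other clients, with a comment in the script stating why it is there.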
Is the 3des-sha1;modp1024 part you added on this line required for vpnc to connect? Or can we use the original version?
vpnc doesn't work without those ciphers, don't know if it's a bug in Libreswan or vpnc.
vpnsetup.sh
@@ -245,7 +247,7 @@ conn shared | |||
dpddelay=30 | |||
dpdtimeout=120 | |||
dpdaction=clear | |||
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 | |||
ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 | |||
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2 |
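Review bot: the `phase2alg=` context line in this hunk still reads `3des-sha1,3des-sha2,aes-sha1,aes-sha2`, while the maintainer states the current script already carries `aes256-sha2_512` at the end of that list, so this branch is based on an older vpnsetup.sh. Rebase onto current master before the `ike=` change is re-reviewed so the diff shows the proposal lists actually being modified.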
We had changed this to phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 for better Android compatibility.
That should work both with Android and vpnc (desktop Linux), tested on my server.
Updated, please check.
vpnsetup.sh
auto=add | ||
leftsubnet=0.0.0.0/0 | ||
rightaddresspool=$XAUTH_POOL | ||
modecfgdns="$DNS_SRV1, $DNS_SRV2" |
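Review bot: `modecfgdns="$DNS_SRV1, $DNS_SRV2"` on the last line produces a value ending in a dangling `, ` whenever `$DNS_SRV2` is empty or unset, and `rightaddresspool=$XAUTH_POOL` is emitted unconditionally; default both variables earlier in the script or write these entries conditionally so an unset secondary DNS server cannot yield a malformed conn.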
Due to some issues in Libreswan 3.23 with multiple IPsec/XAuth VPN clients from behind the same NAT (e.g. home router), we now use Libreswan 3.22 and this line has been replaced with these two lines:
modecfgdns1=$DNS_SRV1
modecfgdns2=$DNS_SRV2
@kshcherban Thank you again for contributing! I've decided not to merge these changes at this time because:
However, if the changes work for you, you're welcome to adapt the scripts to your needs.
On Fri, 16 Nov 2018, Lin Song wrote:
5. The IPsec aggressive mode is vulnerable to offline dictionary attacks on the IPsec PSK [1].
[1] https://security.stackexchange.com/questions/76444/what-are-the-practical-risks-of-using-ike-aggressive-mode-with-a-pre-shared-key
Technically, Main Mode and IKEv2 are also vulnerable to this, see:
https://datatracker.ietf.org/meeting/103/materials/slides-103-ipsecme-psks-will-always-be-weak-00
But I agree that to reduce the script, it is best to only support IKEv2
and IKEv1 L2TP/IPsec
Paul
Added support for Aggressive Mode that is being used by vpnc. Documented Linux client setup on Ubuntu example.
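A small config-audit example added here (not the project's own script and not code from this PR) for the two points the thread raises: aggressive mode with a PSK, and 3DES/modp1024 proposals in the ike= line. The conn block it parses is constructed to resemble the one in the diff; Libreswan's aggrmode= and authby= keywords are used as the aggressive-mode/PSK indicators.

```python
import re
# Constructed sample (not from the PR): a Libreswan "conn" block in the style of the
# diff above, with the aggressive-mode/PSK setup the thread discusses.
SAMPLE_CONF = """\
conn shared
  leftsubnet=0.0.0.0/0
  authby=secret
  aggrmode=yes
  ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
  phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
"""
# Primitives widely deprecated for IKE (RFC 8247 lists both as SHOULD NOT): 3DES, 1024-bit MODP.
WEAK_PRIMITIVES = {"3des": "3DES", "modp1024": "1024-bit MODP DH group"}

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' block; '#' comments are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"conn\s+(\S+)$", line)
        if match:
            current = sections.setdefault(match.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def weak_proposals(alg_list):
    """Split an ike=/phase2alg= value into proposals; return those naming a weak primitive."""
    flagged = []
    for proposal in alg_list.split(","):
        tokens = set(re.split(r"[-;]", proposal))
        hits = sorted(t for t in tokens if t in WEAK_PRIMITIVES)
        if hits:
            flagged.append((proposal, hits))
    return flagged

def audit_conn(conn):
    """Return findings for one conn block; an empty list means nothing was flagged."""
    findings = []
    if conn.get("aggrmode", "no").lower() == "yes" and conn.get("authby") == "secret":
        findings.append("aggrmode=yes with authby=secret: PSK-derived hash sent in the clear, offline dictionary attack possible")
    for key in ("ike", "phase2alg"):
        for proposal, hits in weak_proposals(conn.get(key, "")):
            names = ", ".join(WEAK_PRIMITIVES[h] for h in hits)
            findings.append(f"{key}: proposal '{proposal}' uses {names}")
    return findings
```

Run `audit_conn(parse_conns(SAMPLE_CONF)["shared"])` to list the findings for the sample; point `parse_conns` at the text of a generated ipsec.conf to check a real deployment.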