XAuth support for Linux clients #386
Conversation
hwdsl2
force-pushed
the
master
branch
2 times, most recently
from
39a1f06
to
8e15eb6
Compare
hwdsl2
force-pushed
the
master
branch
2 times, most recently
from
a45307b
to
f838fcf
Compare
There was a problem hiding this comment.
Thank you again for contributing. I added a few comments to your pull request, please have a look.
Due to the limit of 16384 bytes for AWS instance user data, I am unable to merge these changes until I can figure out a way to reduce the script size. Also, I would like to do more testing to investigate why xauthby=file is not working, and we had to instead use xauthby=pam.
| @@ -245,7 +247,7 @@ conn shared | |||
| dpddelay=30 | |||
| dpdtimeout=120 | |||
| dpdaction=clear | |||
| ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 | |||
| ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 | |||
There was a problem hiding this comment.
Is the 3des-sha1;modp1024 part you added on this line required for vpnc to connect? Or can we use the original version?
There was a problem hiding this comment.
vpnc doesn't work without those cyphers, don't know if it's the bug of LibreSwan or vpnc.
vpnsetup.sh
Outdated
| @@ -245,7 +247,7 @@ conn shared | |||
| dpddelay=30 | |||
| dpdtimeout=120 | |||
| dpdaction=clear | |||
| ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 | |||
| ike=3des-sha1,3des-sha1;modp1024,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 | |||
| phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2 | |||
There was a problem hiding this comment.
We had changed this to phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 for better Android compatibility.
There was a problem hiding this comment.
That should work both with android and vpnc (desktop linux), tested on my server.
vpnsetup.sh
Outdated
| auto=add | ||
| leftsubnet=0.0.0.0/0 | ||
| rightaddresspool=$XAUTH_POOL | ||
| modecfgdns="$DNS_SRV1, $DNS_SRV2" |
There was a problem hiding this comment.
Due to some issues in Libreswan 3.23 with multiple IPsec/XAuth VPN clients from behind the same NAT (e.g. home router), we now use Libreswan 3.22 and this line had been replaced with these two lines:
modecfgdns1=$DNS_SRV1
modecfgdns2=$DNS_SRV2
82f614b
to
20f5797
Compare
|
@kshcherban Thank you again for contributing! I've decided not to merge these changes at this time because:
However, if the changes work for you, you're welcome to adapt the scripts to your needs. |
|
On Fri, 16 Nov 2018, Lin Song wrote:
5. The IPsec aggressive mode is vulnerable to offline dictionary attacks on the IPsec PSK [1].
[1] https://security.stackexchange.com/questions/76444/what-are-the-practical-risks-of-using-ike-aggressive-mode-with-a-pre-shared-key
Technically, Main Mode and IKEv2 are also vulnerable to this, see:
https://datatracker.ietf.org/meeting/103/materials/slides-103-ipsecme-psks-will-always-be-weak-00
But I agree that to reduce the script, it is best to only support IKEv2
and IKEv1 L2TP/IPsec
Paul
|
Added support for Aggressive Mode that is being used by
vpnc.Documented Linux client setup on Ubuntu example.