XAUTH Server Support
Based on FlexS/WAN code from Colubris Networks (www.colubris.com)
Ported to Openswan by Xelerance (www.xelerance.com)
Sponsored by Astaro AG (www.astaro.com)
Ported to OpenSwan by Sean Mathews Nu Tech Software (www.nutech.com)
Also added MD5/DES password file support and reworked the PAM code.
XAUTH server code rewritten for Openswan 2.1.0 to permit both client
and server side code. Many changes, most visible to user.
Threading fixed by Philippe Vouters in Libreswan
Addresspool support added by Antony Antony in Libreswan
Installation:
1. If you want to be able to use PAM to authenticate XAUTH users, you need
to also set USE_XAUTHPAM=true in Makefile.inc.
2. Build & Install as normal.
3. If you compiled with PAM, 'make install' installs the
/etc/pam.d/pluto policy file used for PAM authentication.
4. If you choose the password file instead, create /etc/ipsec.d/passwd
with the following format:
userid:password:conname
Comments are allowed by putting a '#' as the first character of a line.
The password field holds a crypt() hash of the password (see the note
below), not the cleartext password, and the file should be readable by
root only. You can allow a user access to any connection in ipsec.conf
by leaving the last field blank or setting it to '*', or set this field
to the name of the conn in your ipsec.conf that you wish this person to
have access to.
Note:
Passwords are verified with the crypt() call, so the password field may
use any hash scheme your libc's crypt() supports: DES, MD5, SHA1 and
SHA256 on most systems. In FIPS mode, DES and MD5 are not available, and
both are weak in any case, so it is recommended not to use those and to
prefer SHA256 hashes.
Some of these can be generated by a typical htpasswd utility: htpasswd -d
produces a DES crypt() hash if you need DES. Be aware that htpasswd -m
produces Apache's own $apr1$ MD5 format, which the crypt() of glibc and
libxcrypt does not accept; to get MD5 or SHA256 hashes in crypt() format
use 'openssl passwd -1' or 'openssl passwd -5' instead, and verify a
generated entry with a test login before relying on it.
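As an added, self-contained example (not code from Libreswan or from this README), the following Python shows both the password-file format described above and the crypt()-style check that goes with it. Pluto itself calls the system crypt(); to run anywhere without that dependency, this example reimplements the '$5$' (sha256crypt) scheme in pure Python, then parses the userid:password:conname format, including '#' comment lines and the blank/'*' wildcard conname, and decides whether a login is allowed for a given conn. The function names (sha256_crypt, check_hash, make_entry, parse_passwd, authorize) and the sample file are this example's own; the alice/bob hash is the published sha256crypt test vector for the password "Hello world!" with salt "saltstring", and the rest of the sample file is constructed.

```python
import hashlib
import hmac
import secrets

# crypt(3) "itoa64" alphabet shared by the traditional crypt() schemes
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n itoa64 characters from three bytes, low 6 bits first (crypt order)."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _ITOA64[w & 0x3F]
        w >>= 6
    return out


def sha256_crypt(password, salt, rounds=5000):
    """Pure-Python reimplementation of the crypt(3) '$5$' (sha256crypt) scheme.

    Follows Drepper's sha-crypt specification step by step: salt is at most
    16 characters, rounds is clamped to crypt()'s 1000..999999999 range.
    """
    rounds = max(1000, min(rounds, 999999999))
    pw, salt = password.encode(), salt[:16]
    s = salt.encode()
    H = hashlib.sha256

    def stretch(digest, length):
        # repeat a 32-byte digest to exactly `length` bytes
        return digest * (length // 32) + digest[: length % 32]

    b = H(pw + s + pw).digest()                 # digest B = H(pw||salt||pw)
    a = H(pw + s)                               # digest A starts with pw||salt
    a.update(stretch(b, len(pw)))               # ... then B stretched to len(pw)
    n = len(pw)
    while n > 0:                                # ... then B or pw per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = stretch(H(pw * len(pw)).digest(), len(pw))       # P byte sequence
    sb = stretch(H(s * (16 + a[0])).digest(), len(s))    # S byte sequence
    c = a
    for i in range(rounds):                     # cost loop mixing C, P and S
        ctx = H()
        ctx.update(p if i & 1 else c)
        if i % 3:
            ctx.update(sb)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    # crypt() emits the 32 result bytes in this permuted order, 3 bytes -> 4 chars
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in order)
    enc += _b64_from_24bit(0, c[31], c[30], 3)
    prefix = "$5$" if rounds == 5000 else "$5$rounds=%d$" % rounds
    return prefix + salt + "$" + enc


def check_hash(password, stored):
    """Verify password against a stored '$5$' hash; other schemes and cleartext are rejected."""
    fields = stored.split("$")
    if len(fields) < 4 or fields[0] != "" or fields[1] != "5":
        return False
    rounds = 5000
    if fields[2].startswith("rounds="):
        rounds = int(fields[2][len("rounds="):])
        fields.pop(2)
    if len(fields) != 4:
        return False
    computed = sha256_crypt(password, fields[2], rounds).split("$")[-1]
    return hmac.compare_digest(computed, fields[3])    # constant-time compare


def make_entry(user, password, conn="*"):
    """Build one /etc/ipsec.d/passwd line: userid:crypt-hash:conname."""
    salt = "".join(secrets.choice(_ITOA64) for _ in range(16))
    return "%s:%s:%s" % (user, sha256_crypt(password, salt), conn)


def parse_passwd(text):
    """Parse the passwd file: '#' comment lines skipped, colon-separated fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue                     # malformed line without a password field
        conn = parts[2] if len(parts) > 2 else ""
        entries.append((parts[0], parts[1], conn))
    return entries


def authorize(entries, user, password, conn):
    """True if some entry for user has a matching hash and permits conn.

    A blank or '*' conname grants access to any conn, as the README states.
    """
    for u, stored, allowed in entries:
        if u == user and allowed in ("", "*", conn) and check_hash(password, stored):
            return True
    return False


# Constructed sample file; alice and bob use the published test vector hash
# for "Hello world!" / salt "saltstring", carol wrongly stores cleartext.
SAMPLE_PASSWD = """\
# userid:password:conname
alice:$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5:roadwarrior
bob:$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5:
carol:Hello world!:roadwarrior
"""
```

Because the check always hashes the supplied password, carol's cleartext entry never matches, which is the failure mode to expect if someone writes a plain password into the file. Entries from make_entry() can be pasted into /etc/ipsec.d/passwd as-is; to cross-check this reimplementation against the platform crypt(), compare sha256_crypt("Hello world!", "saltstring") with the output of 'openssl passwd -5 -salt saltstring "Hello world!"'.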
Configuration:
One way to use XAUTH is to have a single shared secret (PSK) for
all road warriors. This is not the best choice, because every client then
holds the same IKE secret and the XAUTH username/password becomes the only
per-user credential, but it does work.
Configure the PSK as normal in /etc/ipsec.secrets - eg:
0.0.0.0 1.2.3.4 : PSK "a secret for the xauth users"
On your conn block, add "leftxauthserver=yes" (or "rightxauthserver=yes",
whichever side is the gateway) to enable XAUTH, and "rightxauthclient=yes"
(or "leftxauthclient=yes") on the other side for the client.
Client Configurations - these assume you already have a working
non-XAUTH connection setup. These are tested and known to work.
SSH Sentinel 1.4.1
Note: 1.4.0 has a bug where it will only propose Single DES,
even if Single DES is disabled. Please upgrade to 1.4.1
1. On the Rule Properties page, enable Extended Authentication.
2. Click [Settings], and check "Use authentication method types"
3. Optionally set it to save your login information.
SafeNet SoftRemote LT 10.0
1. In Security Policy Editor, open your connection.
2. Expand Authentication (Phase 1)
3. Click on Proposal, and set the Authentication Method to
"Pre-Shared Key; Extended Authentication"
Note: SoftRemote does not let you save your Username and Password.