Subject: Re: Cisco VPN interop
To: None <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 01/24/2004 12:45:04
On Sat, Jan 24, 2004 at 06:36:08AM -0800, Wolfgang S. Rupprecht wrote:
> Is anyone talking to a Cisco VPN using racoon or isakmpd? My ISP
> offers a VPN "wifi hostspot" service that has these following
> instructions. I'm having a hard time googling for any examples.
> Open a VPN Tunnel
> Using a VPN client such as the Cisco VPN client (for Windows,
> Linux, or Mac OSX), create a connection to our VPN
> Concentrator. Use the following settings:
> * Host: XXX.XXX.XXX
> * Group Auth Name: "Standard VPN"
> * Password: "standard"
> Log In
> Once you've opened your VPN tunnel, you will be prompted for your
> Sonic.net login name and password.
Ha! No, you can't use racoon nor isakmpd to talk to a Cisco configured
that way, because it's using the nonstandard and dangerous XAUTH
extension to IKE. But what's pretty funny is that using IKE that way
lets *any* sonic.net customer steal any other sonic.net customer's
password. All you have to do is pretend to be the server -- which any
of you can do, because you all know the "group password", which actually
is the IKE preshared key, the only thing that actually secures the IKE
session -- and then you can present the XAUTH challenge to the other
hapless sucker who happens to be at the same hotspot you are, and steal
his sonic.net username and password.
Nice, huh? You should thank your ISP for endangering the security of
your account in this way.
FWIW, though Cisco has repeatedly claimed that this configuration is
'obviously' dangerous and that it should not be used (by way of excuse
for not removing it from their software, period), their sales engineers,
consultants, and other field personnel continue to push it on customers.
Nice, huh? In an ideal world, they'd be assuming massive liability by
doing that, but in the real world, I guess they'll probably get away with
it no matter how badly their customers eventually get burned.