Current-Users archive


Re: Attaching through a Cisco IPSec/UDP gateway



>>>>> "hf" == Hubert Feyrer <hubert%feyrer.de@localhost> writes:

    hf> The client section doesn't mention how to get "hybrid"
    hf> authentication going, though, which is what recent Cisco VPN
    hf> does.

so, to be more specific on the cisco side, there are three types of
phase 1/1.5 that work with the cisco road warrior ``vpndialer''
program.  You can tell which one your VPN is using by right-clicking
on its row in Connection Entries, picking Modify, and noting which of
the following three radio buttons is checked in the Authentication
tab:

  Group Authentication -- this is pre-shared key + XAUTH, where any
                          roadwarrior VPN client has enough
                          passphrases loaded into it to impersonate
                          the head-end.  The PSK is obfuscated in the
                          config file, but if you can un-rot13 it, you
                          can set up a spoof head-end and MITM nearby
                          wireless coworkers' passwords, not only
                          hijacking your way into the VPN without a
                          password but probably also getting their
                          Master Windows Password to Everything, too,
                          thus imaginably making them LESS secure
                          than if they'd had no VPN at all.


  Mutual Group Authentication -- This uses a certificate on the
                                 head-end, but the road warrior
                                 presents no certificate.  Road
                                 warriors validate the cert against a
                                 CA certificate pubkey which you must
                                 load into roadwarriors and use to
                                 issue the head-end's cert, to stop
                                 the MITM attack above.  It seems to
                                 be un-confusing, so a lot of sites
                                 probably use it.  It only works in
                                 aggressive mode, though, because the
                                 ``client has no identity,'' or some
                                 other weird IPsec standards-ism.

                                 This is probably the 'hybrid' you are
                                 talking about, also known as 'hybrid
                                 XAUTH'.  I understood once but am now
                                 a bit rusty on how all Cisco's messy
                                 configuration stanzas reference each
                                 other, but have this in my notes (for
                                 requesting it on PIX7.x/ASA head-end):

tunnel-group RoadWarrior ipsec-attributes
 isakmp ikev1-user-authentication hybrid


  Certificate Authentication -- This uses certificates on both clients
                                and servers, and can work in main mode
                                instead of aggressive mode.  It's
                                possible to load a different cert into
                                each client and not use XAuth at all,
                                like in a site-to-site VPN.  The VPN
                                dialer supports this, but almost
                                everyone uses XAuth.

                                But some shops load all their road
                                warriors with the same cert, same
                                private key, and then use XAuth to
                                distinguish one client from another.
                                Sometimes the VPN client .zip with the
                                client cert, private key and all, is
                                available for download on some open
                                external web page.  Even with the
                                common client cert so freely
                                distributed, this behaves the same as
                                Mutual Group Authentication.  It's
                                older, and it's probably better than
                                mutual group auth / hybrid xauth.

                                upside: works in Main Mode, not as
                                cisco-proprietary.  downside: confuses
                                netadmins, fails-open on
                                misconfiguration (if you don't add
                                XAuth).  And the configuration is a
                                tangled mess.

I don't think you have to configure XAuth in their VPN dialer at all.
It pops up a box if asked.  That's it.

I don't know racoon well, but it's more likely to support Certificate
Authentication and PSK, less likely to support Mutual Group
Authentication.

There is also MTU fun.  Two IOS devices supposedly will do PMTU-D on
various kinds of tunnels including gre and ipsec.  I'm not sure PIXen
or the Windows/Mac VPNClient _ever_ do PMTU-D---in some packet dumps
they seem to punt by quietly defaulting to a small MTU like 1200 -
1300.  And I think BSD/Linux doesn't do PMTU-D either but might
confuse you by having a larger default.

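A client-side ipsec-tools racoon configuration for the road-warrior modes
described above, added here as an example; it is not part of the original
post and not Cisco's or the ipsec-tools project's own sample.  The directive
names are those documented in racoon.conf(5); the head-end address
203.0.113.1, the group name RoadWarrior (reused from the tunnel-group
stanza in the post), the login "alice" and the file names are assumptions.
The active proposal is "Group Authentication" (PSK + XAuth); the commented
variants show the hybrid and certificate cases.

```conf
# /etc/racoon/racoon.conf -- road-warrior client for a Cisco head-end.
# Added example with assumed addresses, names and paths (see lead-in).

# psk.txt holds two lines for the Group Authentication case and must be
# mode 0600 or racoon refuses to read it:
#   RoadWarrior  <group secret from the .pcf, de-obfuscated>
#   alice        <XAuth password>
path pre_shared_key "/etc/racoon/psk.txt";
path certificate    "/etc/racoon/certs";

remote 203.0.113.1 {
        # Cisco group auth runs aggressive mode with the group name as KEY_ID.
        exchange_mode aggressive;
        my_identifier keyid "RoadWarrior";

        # XAuth login; racoon looks the password up in psk.txt under it.
        xauth_login "alice";
        # Accept the inner address, DNS and split-network list pushed by the
        # head-end (MODE-CFG / ISAKMP mode configuration).
        mode_cfg on;

        # UDP/4500 encapsulation plus IKE fragmentation: the certificate
        # payloads of the hybrid/cert modes do not fit one datagram.
        nat_traversal on;
        ike_frag on;
        # Fragment UDP-encapsulated ESP ourselves at a size in the range the
        # Cisco client is observed to default to, so tunnels do not depend on
        # a head-end that never does PMTU-D.
        esp_frag 1300;

        dpd_delay 20;
        # Let the head-end pick from what we offer instead of failing on a
        # lifetime mismatch.
        proposal_check obey;

        # (1) Group Authentication: PSK + XAuth.  Only the (widely shared)
        #     group secret authenticates the head-end, hence the MITM
        #     exposure described in the post.
        proposal {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method xauth_psk_client;
                dh_group              2;
                lifetime time         24 hour;
        }
        proposal {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method xauth_psk_client;
                dh_group              2;
                lifetime time         24 hour;
        }

        # (2) Mutual Group Authentication / hybrid XAuth: the head-end proves
        #     itself with a certificate chained to a CA you control, the
        #     client still uses XAuth.  Replace the proposals above with:
        #
        #       ca_type x509 "cisco-ca.pem";     # CA that issued the head-end cert
        #       verify_cert on;
        #       proposal {
        #               encryption_algorithm  aes;
        #               hash_algorithm        sha1;
        #               authentication_method hybrid_rsa_client;
        #               dh_group              2;
        #       }
        #
        # (3) Certificate Authentication: certificates on both sides, main
        #     mode, XAuth on top so a leaked client cert alone is not enough:
        #
        #       exchange_mode main;
        #       my_identifier asn1dn;
        #       certificate_type x509 "client.pem" "client.key";
        #       ca_type x509 "cisco-ca.pem";
        #       verify_cert on;
        #       proposal {
        #               encryption_algorithm  aes;
        #               hash_algorithm        sha1;
        #               authentication_method xauth_rsa_client;
        #               dh_group              2;
        #       }
}

# Phase 2.  Cisco remote-access policies do not use PFS by default, so no
# pfs_group here; offer AES and 3DES and let the head-end choose.
sainfo anonymous {
        lifetime time            1 hour;
        encryption_algorithm     aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm    deflate;
}
```

Run it in the foreground with `racoon -F -f /etc/racoon/racoon.conf` while
testing so the XAuth and mode-config exchange is visible on the terminal.
The point of variants (2) and (3) over (1) is the `ca_type`/`verify_cert`
pair: the client only accepts a head-end whose certificate chains to the
pinned CA, which is what closes the spoofed-head-end attack that a shared
group secret alone cannot prevent.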


