Hello Martin,

I have the split authentication running. I tried out whether I can authenticate myself as the server if I get the PSK from the client (split authentication (PSK-RSA sig)). So I changed the ipsec.conf of the server: I added "authby=secret" and commented out the lines which are for the RSA authentication. I changed the ipsec.secrets to:

    : PSK "psk_client"

But it doesn't work: Authentication failed. Are you sure that it is possible in split authentication to masquerade the VPN gateway with the PSK from the client?

Kind Regards

-------- Original Message --------
> Date: Wed, 17 Dec 2008 09:02:59 +0100
> From: Martin Willi <[email protected]>
> To: "Peter Müller" <[email protected]>
> CC: [email protected]
> Subject: Re: [strongSwan] ikev2 split authentication - DoS?
>
> Hi,
>
> > I use the split authentication of ikev2 (client with psk, gateway with
> > cert)
>
> Keep in mind to use such a setup only with strong secrets. PSK client
> authentication is subject to dictionary attacks, don't use it with
> simple passwords.
>
> > in the split modus it is for an attacker also possible to play mitm, if
> > he gets the psk from the client.
>
> A compromised PSK will not allow a MITM to do valid RSA signatures. But
> when using ipsec.conf, there is currently no way to enforce the
> authentication method the other peer should use. The client will accept
> a forged PSK authentication of the server, as it signs with a valid
> secret.
> Therefore, using the same secret for each client is probably not a good
> idea. A better solution would be to:
> 1. use a separate secret for each client
> 2. use EAP, e.g. MD5
> 3. use a CA signed certificate for each client
> 4. extend strongSwan to enforce an authentication method
>
> Regards
> Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
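The two gateway configurations the thread contrasts, as an added example that is not from the thread or from the strongSwan project: the single shared PSK from the question beside a setup following Martin's first suggestion, with one secret per client identity and the gateway's own RSA key for its certificate. File names, identities, the conn name and the placeholder secrets are assumptions.

```ini
# /etc/ipsec.conf on the gateway (constructed example, not from the thread)
config setup

conn rw-split
    keyexchange=ikev2
    # The gateway authenticates itself with its certificate; clients
    # authenticate with a PSK looked up by their IKE identity.
    authby=rsasig
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@gateway.example.org
    right=%any
    rightid=%any
    auto=add

# /etc/ipsec.secrets on the gateway (constructed example)

# Weak: one PSK shared by every client. Whoever holds it can present a
# PSK authentication that a client has no way to refuse, because the
# client cannot require the gateway to use its certificate.
# : PSK "psk_client"

# Better (point 1 in the reply): the gateway's RSA private key for its
# certificate, plus a separate long random secret per client identity,
# so a leaked secret only affects that one client.
: RSA gatewayKey.pem
alice@example.org : PSK "<long-random-secret-for-alice>"
bob@example.org   : PSK "<long-random-secret-for-bob>"
```

Each client then carries only its own PSK entry in ipsec.secrets and the gateway's CA certificate, so rotating or revoking one client's secret does not touch the others.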
