Diffstat (limited to 'README')
-rw-r--r-- | README | 52 |
1 files changed, 47 insertions, 5 deletions
@@ -57,7 +57,7 @@ Contents 10. Monitoring functions 11. Firewall support functions 11.1 Environment variables in the updown script - 11.2 Automatic insertion and deletion of iptables firewall rules (NEW) + 11.2 Automatic insertion and deletion of iptables firewall rules 11.3 Sample Linux 2.6 _updown_espmark script for iptables < 1.3.5 12. Authentication with raw RSA public keys 13. Authentication with OpenPGP certificates @@ -71,6 +71,7 @@ Contents 14.3 Dead peer detection 14.4 IKE Mode Config Pull Mode 14.5 IKE Mode Config Push Mode + 14.6 XAUTH - Extended Authentication (NEW) 15. Copyright statement and acknowledgements @@ -105,7 +106,10 @@ and currently supports the following features: * NAT-Traversal (RFC 3947) - * Support of Virtual IPs via static configuratin and IKE Mode Config + * Support of Virtual IPs via static configuration and IKE Mode Config + + * XAUTH client and server functionality in conjunction with either PSK + or RSA IKE Main Mode authentication. * Support of Delete SA and informational Notification messages. 
@@ -3026,6 +3030,44 @@ as part of the connection definition in ipsec.conf. The default value is modeconfig=pull. +14.6 XAUTH - Extended Authentication + ------------------------------- + +The XAUTH protocol <draft-beaulieu-ike-xauth-02.txt> allows an extended +client authentication using e.g. a username/password paradigm in addition +to the IKE Main Mode authentication. Thus XAUTH can be used in conjunction +with Pre-Shared Keys (PSK) by defining + + authby=xauthpsk + +or with RSA signatures + + authby=xauthrsasig + +in the connection definition, correspondingly. strongSwan can act either as +an XAUTH client with + + xauth=client + +or as an XAUTH server with + + xauth=server + +with xauth=client being the default value. strongSwan integrates a default +implementation where the XAUTH user credentials are stored on both the +server and the client in the /etc/ipsec.secrets file, using the syntax + + : XAUTH john "rT6q!V2p" + +The client must not have more than one XAUTH entry whereas the server can +contain an unlimited number of user credentials in ipsec.secrets. + +Either the prompting on the client side or the verification of the user +credentials on the server side can be implemented as a customized XAUTH +dynamic library module. The corresponding library interface is defined +by the pluto/xauth.h header file. + + 15. Copyright statement and acknowledgements ---------------------------------------- @@ -3059,7 +3101,7 @@ modeconfig=pull. Copyright (c) 2002, Stephane Laroche - IKE Mode Config protocol: + IKE Mode Config and XAUTH protocol: Copyright (c) 2001-2002, Colubris Networks @@ -3090,7 +3132,7 @@ modeconfig=pull. scepclient: Copyright (c) 2005, Jan Hutter, Martin Willi - Copyright (c) 2005-2006, Andreas Steffen + Copyright (c) 2005-2007, Andreas Steffen University of Applied Sciences in Rapperswil, Switzerland 
@@ -3105,5 +3147,5 @@ modeconfig=pull. for more details. ----------------------------------------------------------------------------- -This file is RCSID $Id: README,v 1.36 2006/10/20 15:43:51 as Exp $ +This file is RCSID $Id: README,v 1.38 2007/01/14 18:16:51 as Exp $ |
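Review bot: the new section 14.6 shows user credentials stored as a cleartext password (`: XAUTH john "rT6q!V2p"`) in /etc/ipsec.secrets on both client and server, but says nothing about the file needing to stay readable by root only, and the sentence "The client must not have more than one XAUTH entry" does not say what actually happens when it does (rejected when the file is loaded, or first entry used). Suggest one sentence on file permissions beside the syntax example, replacing the "must not" with the observed behaviour, and stating what strongSwan does when authby=xauthpsk or authby=xauthrsasig is configured but no XAUTH entry exists in ipsec.secrets. Since the feature list cites NAT-Traversal as "RFC 3947", it would also be clearer to label <draft-beaulieu-ike-xauth-02.txt> as an Internet-Draft rather than leaving the reader to infer that XAUTH has no RFC.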
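Review bot: in the copyright hunk, "IKE Mode Config and XAUTH protocol:" now names two protocols, so the line should read "IKE Mode Config and XAUTH protocols:" to stay grammatical.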