From cd4e20d58fb0d782ba9f7bd4bead4f333d670370 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Sun, 28 Jan 2007 21:00:49 +0000 Subject: - New upstream release, now _with_ XAUTH support. --- README | 52 +++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 47 insertions(+), 5 deletions(-) (limited to 'README') diff --git a/README b/README index c0480b069..9750e63c5 100644 --- a/README +++ b/README @@ -57,7 +57,7 @@ Contents 10. Monitoring functions 11. Firewall support functions 11.1 Environment variables in the updown script - 11.2 Automatic insertion and deletion of iptables firewall rules (NEW) + 11.2 Automatic insertion and deletion of iptables firewall rules 11.3 Sample Linux 2.6 _updown_espmark script for iptables < 1.3.5 12. Authentication with raw RSA public keys 13. Authentication with OpenPGP certificates @@ -71,6 +71,7 @@ Contents 14.3 Dead peer detection 14.4 IKE Mode Config Pull Mode 14.5 IKE Mode Config Push Mode + 14.6 XAUTH - Extended Authentication (NEW) 15. Copyright statement and acknowledgements @@ -105,7 +106,10 @@ and currently supports the following features: * NAT-Traversal (RFC 3947) - * Support of Virtual IPs via static configuratin and IKE Mode Config + * Support of Virtual IPs via static configuration and IKE Mode Config + + * XAUTH client and server functionality in conjunction with either PSK + or RSA IKE Main Mode authentication. * Support of Delete SA and informational Notification messages. 
@@ -3026,6 +3030,44 @@ as part of the connection definition in ipsec.conf. The default value is modeconfig=pull. +14.6 XAUTH - Extended Authentication + ------------------------------- + +The XAUTH protocol allows an extended +client authentication using e.g. a username/password paradigm in addition +to the IKE Main Mode authentication. Thus XAUTH can be used in conjunction +with Pre-Shared Keys (PSK) by defining + + authby=xauthpsk + +or with RSA signatures + + authby=xauthrsasig + +in the connection definition, correspondingly. strongSwan can act either as +an XAUTH client with + + xauth=client + +or as an XAUTH server with + + xauth=server + +with xauth=client being the default value. strongSwan integrates a default +implementation where the XAUTH user credentials are stored on both the +server and the client in the /etc/ipsec.secrets file, using the syntax + + : XAUTH john "rT6q!V2p" + +The client must not have more than one XAUTH entry whereas the server can +contain an unlimited number of user credentials in ipsec.secrets. + +Either the prompting on the client side or the verification of the user +credentials on the server side can be implemented as a customized XAUTH +dynamic library module. The corresponding library interface is defined +by the pluto/xauth.h header file. + + 15. Copyright statement and acknowledgements ---------------------------------------- @@ -3059,7 +3101,7 @@ modeconfig=pull. Copyright (c) 2002, Stephane Laroche - IKE Mode Config protocol: + IKE Mode Config and XAUTH protocol: Copyright (c) 2001-2002, Colubris Networks @@ -3090,7 +3132,7 @@ modeconfig=pull. scepclient: Copyright (c) 2005, Jan Hutter, Martin Willi - Copyright (c) 2005-2006, Andreas Steffen + Copyright (c) 2005-2007, Andreas Steffen University of Applied Sciences in Rapperswil, Switzerland 
@@ -3105,5 +3147,5 @@ modeconfig=pull. for more details. ----------------------------------------------------------------------------- -This file is RCSID $Id: README,v 1.36 2006/10/20 15:43:51 as Exp $ +This file is RCSID $Id: README,v 1.38 2007/01/14 18:16:51 as Exp $ -- cgit v1.2.3
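Review bot: the new section 14.6 shows XAUTH credentials stored in clear text in /etc/ipsec.secrets (`: XAUTH john "rT6q!V2p"`) but says nothing about protecting that file; since the same file holds every user's password on the server side, add a sentence that ipsec.secrets must be owned by root and not readable by other users. The sentence "The client must not have more than one XAUTH entry" also leaves the failure mode undocumented: state whether a second entry is rejected at load time or which one pluto picks, so an operator can diagnose a failing XAUTH exchange.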