Sebastien Georget wrote:
> Andreas Steffen wrote:
>
>> You can base user authentication on X.509 certificates.
>>
>> The required X.509 patch for Linux FreeS/WAN and a detailed
>> "Installation and Configuration Guide" can be downloaded from
>>
>> http://www.strongsec.com/freeswan/
>>
>> Kind regards
>>
>> Andreas
>>
>> Sebastien Georget wrote:
>>
>>> Hi,
>>>
>>> as IPSec doesn't provide user authentication (roadwarrior), I'm
>>> trying to set it over a pptp tunnel (auth provided by MS-CHAPv2). But
>>> I saw in a mailing-list archive that there can't be more than 4 ipsec
>>> interfaces. Is it still the case with freeswan 1.97 ?
>>>
>>> Has anybody set up another solution to provide user auth ? Like
>>> the auth inside the IPSec tunnel ?
>>>
>>> thx.
>
> I already use the X.509 patch to support both linux and win2k clients,
> but even with the CRLs if the laptop is stolen the VPN is accessible for
> some time.
> I'd like to authenticate the user when he tries to access the VPN, not
> when I give him a certificate :)
>
I have been thinking about introducing a prompt for the passphrase
of a protected private key file if the passphrase field in ipsec.secrets
is left intentionally empty. This would mean that the pluto process would
have to connect to a console window either when FreeS/WAN starts up or
when

    ipsec auto --rereadsecrets

is executed. Otherwise the prompt would not pop up.

> If the solution cannot be found in ipsec, is it possible to set up an
> access list on the vpn-server with a firewall or behind the vpn server
> with another system ?
>
> thx.

The updown script gives you the possibility to do access control
on users. Just look up the user ID contained in the environment
variable $PLUTO_PEER_ID in your access control list prior to
inserting a dynamic firewall rule that lets the user in.

Regards

Andreas
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
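
The $PLUTO_PEER_ID lookup described in the reply above, as an added example (not code from this thread or from FreeS/WAN). The ACL path, its one-ID-per-line format, the FORWARD rule and a default-deny FORWARD policy are assumptions; the PLUTO_* variables are the ones pluto exports to updown scripts.

```shell
#!/bin/sh
# Added example: per-user access control for a custom updown script.
# ACL path, file format and the FORWARD rule are assumptions, not FreeS/WAN defaults.
ACL_FILE="${ACL_FILE:-/etc/ipsec.d/vpn-users.acl}"   # hypothetical path
IPTABLES="${IPTABLES:-iptables}"                     # IPTABLES=echo gives a dry run

# peer_allowed ID FILE: succeed only if ID equals one whole, uncommented ACL line.
# -F (no regex) and -x (whole line) keep "CN=alice" or ".*" from matching a
# longer DN; "--" keeps an ID that starts with "-" from being read as an option.
peer_allowed() {
    [ -n "$1" ] && [ -r "$2" ] || return 1           # fail closed
    grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$1"
}

# fw_rule -I|-D: insert or delete the rule for this peer's client subnet.
fw_rule() {
    "$IPTABLES" "$1" FORWARD -i "$PLUTO_INTERFACE" \
        -s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" -j ACCEPT
}

# updown_acl: act on the verb pluto passes in the environment.
updown_acl() {
    case "$PLUTO_VERB" in
    up-client)
        if peer_allowed "$PLUTO_PEER_ID" "$ACL_FILE"; then
            fw_rule -I
        else
            # Without the rule, a default-deny FORWARD policy keeps the peer out.
            logger -t updown-acl "denied peer id: $PLUTO_PEER_ID" 2>/dev/null || true
            return 1
        fi ;;
    down-client)
        fw_rule -D 2>/dev/null || true ;;   # a denied peer never got a rule
    esac
}

# Run only when pluto invokes the script (PLUTO_VERB set), not when sourced.
if [ -n "${PLUTO_VERB:-}" ]; then updown_acl; fi
```

A script like this only adds the access check; the routing work the stock updown script performs still has to happen.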
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:18 CEST