XAUTH Server Support

Based on FlexS/WAN code from Colubris Networks (www.colubris.com)
Ported to Openswan by Xelerance (www.xelerance.com)
Sponsored by Astaro AG (www.astaro.com)
Ported to OpenSwan by Sean Mathews, Nu Tech Software (www.nutech.com).
  Also added MD5/DES password file support and reworked the PAM code.

XAUTH server code rewritten for Openswan 2.1.0 to permit both client and
server side code. Many changes, most visible to the user.

Installation:

1. In addition to the normal OpenSwan pre-reqs, you will also need
   pam-devel if you choose to use PAM authentication. (SEE PAM below)

2. Edit Makefile.inc. Set "USE_XAUTH" to "true".
   We ship with this disabled by default, as it is not useful for most
   folks, and has additional requirements.

3. If you wish to use PAM for authentication then set USE_XAUTHPAM=true.

4. Build & Install as normal.

5. If you compiled with PAM then copy contrib/pam.d/pluto to
   /etc/pam.d/pluto (or wherever your distro of choice puts it).

6. If you choose the MD5/DES password file then create
   /etc/ipsec.d/passwd with the following format:

       userid:password:conname

   The password field holds the crypted (MD5 or DES) password, not the
   cleartext. Comments are allowed by putting a '#' as the first
   character of any line. You can allow a user access to any connection
   class in ipsec.conf by leaving the last field of the password file
   blank or '*', or set this field to the connection name in your
   ipsec.conf that you wish this person to have access to.

   Note: If your libc does not support MD5 then you will need to
   generate DES passwords. These can be generated by any typical
   htpasswd utility.

Configuration:

One way to use XAUTH is to have a single shared secret (PSK) for all
road warriors. This is not the best, but it does work. Configure as
normal in /etc/ipsec.secrets, e.g.:

    0.0.0.0 1.2.3.4 : PSK "a secret for the xauth users"

On your conn block, simply add "{left|right}xauthserver=yes" to enable
XAUTH, and "{right|left}xauthclient=yes" for the client side.

We are working on a way to use XAUTH to upgrade OE connections to RW
connections.
Client Configurations - these assume you already have a working
non-XAUTH connection setup. These are tested and known to work.

SSH Sentinel 1.4.1

Note: 1.4.0 has a bug where it will only propose Single DES, even if
Single DES is disabled. Please upgrade to 1.4.1.

1. On the Rule Properties page, enable Extended Authentication.
2. Click [Settings], and check "Use authentication method types".
3. Optionally set it to save your login information.

SafeNet SoftRemote LT 10.0

1. In Security Policy Editor, open your connection.
2. Expand Authentication (Phase 1).
3. Click on Proposal, and set the Authentication Method to
   "Pre-Shared Key; Extended Authentication".

Note: SoftRemote does not let you save your Username and Password.

PAM

We DO NOT RECOMMEND use of PAM, as it uses threads, and does not do so
in a safe manner.

The code supports /etc/ipsec.d/passwd as an htpasswd-style password
file. There are some problems with MD5-style passwords that we have not
tracked down as yet. Perhaps libc differences between the test
environment and where htpasswd was run.

$Id: README.XAUTH,v 1.3 2004/09/30 23:25:57 paul Exp $
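The following is an added example, not code from Openswan or its pluto
daemon. It shows how the /etc/ipsec.d/passwd format from Installation
step 6 is read and enforced (comment lines, the blank-or-'*' conname
wildcard, one conn per user) and reimplements the MD5-based crypt(3)
scheme ("$1$salt$hash", the form htpasswd -m writes) so that the
MD5-mismatch problem noted under PAM can be narrowed down: if this
md5crypt() agrees with what `openssl passwd -1 -salt saltsalt password`
prints on a given host, the hashes are portable and the mismatch lies
elsewhere. Assumptions: the sample file content is constructed and names
no real accounts; traditional 13-character DES entries are delegated to
Python's `crypt` module, which wraps libc crypt(3) and is absent on
Python 3.13 or later, in which case DES entries simply fail to verify.

```python
import hashlib
import hmac
from typing import NamedTuple

try:  # libc crypt(3) wrapper; deprecated in Python 3.11, removed in 3.13
    import crypt as _crypt  # used only for traditional 13-character DES entries
except ImportError:
    _crypt = None

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

class Entry(NamedTuple):
    user: str
    pwhash: str  # crypted password as written by htpasswd
    conn: str    # "", "*" or one connection name from ipsec.conf

def parse_passwd(text: str) -> list:
    """Parse userid:password:conname lines. '#' comment lines, blank lines and
    malformed lines with fewer than two fields are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)
        if len(fields) < 2:
            continue
        conn = fields[2] if len(fields) == 3 else ""
        entries.append(Entry(fields[0], fields[1], conn))
    return entries

def _to64(value: int, n: int) -> str:
    out = []
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def md5crypt(password: bytes, salt: bytes) -> str:
    """MD5-based crypt(3): the "$1$salt$hash" form produced by htpasswd -m."""
    salt = salt[:8].split(b"$", 1)[0]        # at most 8 salt bytes, stop at '$'
    magic = b"$1$"
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                          # mix in len(password) bytes of alt
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                                 # one byte per bit of the length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                    # fixed 1000-round stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    out += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + out

def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against an MD5 ($1$) or DES crypt entry."""
    if stored.startswith("$1$"):
        computed = md5crypt(password.encode(), stored[3:].encode())
    elif len(stored) == 13 and _crypt is not None:   # DES: delegate to libc
        computed = _crypt.crypt(password, stored[:2])
    else:
        return False                                  # unknown or unusable format
    return hmac.compare_digest(computed.encode(), stored.encode())

def authorize(entries: list, user: str, password: str, conn: str) -> bool:
    """True only if the user exists, the password verifies and the entry's
    conname is blank, '*' or exactly the conn being negotiated."""
    for e in entries:
        if e.user != user:
            continue
        if not verify_password(password, e.pwhash):
            return False
        return e.conn in ("", "*") or e.conn == conn
    return False

# Constructed sample file (no real accounts). The hash is md5crypt of
# "password" with salt "saltsalt"; compare it with the output of
# `openssl passwd -1 -salt saltsalt password` on the host in question.
_DEMO_HASH = md5crypt(b"password", b"saltsalt")
SAMPLE_PASSWD = f"""\
# userid:password:conname
alice:{_DEMO_HASH}:roadwarrior
bob:{_DEMO_HASH}:*
carol:{_DEMO_HASH}:
"""
```

Calling `authorize(parse_passwd(SAMPLE_PASSWD), "alice", "password", "roadwarrior")`
returns True, while the same user against conn "other" returns False; "bob"
and "carol" are accepted on any conn. An unknown user and a known user with
the wrong password are both rejected, and the comparison of the computed
hash is constant-time so that a rejected password does not leak how many
leading characters matched.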