How secure is IPsec w/RSA but without XAuth username/passwords

Tags: iphone, ipsec, password, xauth

I'm using pfSense 2.0 and have an IPsec VPN configured (which uses the Raccoon IPsec daemon).

I'm connecting to the VPN using my iPhone (iOS 5).

However, the iPhone doesn't allow saving of XAuth usernames and passwords.

How secure is it to remove XAuth authentication (i.e. blank password) and only use RSA certificate authentication?

Best Answer

Sorry, this isn't answering your question of "how secure ...", but this might side-step your problem. Have you tried xauth_psk_server and putting "save_passwd on;" into your mode_cfg section of racoon.conf?

This let my old iPod (Version 4.2.1) cache an XAuth username & password. Here is my racoon.conf:

path pre_shared_key "/etc/racoon/psk.txt";

listen {
    adminsock disabled;
}

remote anonymous {
    exchange_mode aggressive;
    my_identifier address;
    proposal_check strict;
    generate_policy on;
    nat_traversal on;
    dpd_delay 20;
    ike_frag on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        # pre_shared_key
        # rsasig (for plain RSA authentication)
        # gssapi_krb
        # hybrid_rsa_server hybrid_rsa_client
        # xauth_rsa_server xauth_rsa_client
        # xauth_psk_server xauth_psk_client
        dh_group modp1024;
    }
}

mode_cfg {
    network4 10.99.99.2;
    pool_size 253;
    netmask4 255.255.255.0;
    auth_source pam;
    # dns4 10.99.99.1;
    # wins4 10.0.12.1;
    banner "/etc/racoon/motd";
    pfs_group 2;
    # Allow client to cache password:
    save_passwd on;
    split_dns "ad5ey.net";
    split_network include 10.99.99.0/24;
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

With my iPod (and my MacBook), I select "Cisco IPSec" for the VPN type, and then invent a group name and shared secret for your psk.txt.

# Example psk.txt
coolgroup   bigsecret

Now the question is, how secure is xauth_psk with a shared group secret? (This might not be secure for a corporate environment, because other employees might recycle the group shared secret to spoof being the VPN server to other employees and then sniff usernames and passwords... (runonsentencefun) but it's fine enough for my iPod when I don't share my group with anyone.)
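As an added example (not part of the question or the answer above), a small Python checker that parses racoon.conf's brace-nested syntax and flags the two settings this thread turns on: a PSK-based authentication_method, which the answer notes lets anyone holding the group secret pose as the VPN server to other clients, and save_passwd on. The sample config is constructed, modelled on the answer's file; a plain rsasig proposal, the setup the question asks about, produces no findings.

```python
import re
# Constructed sample modelled on the racoon.conf in the answer above, not a copy of any
# real deployment; the settings of interest are authentication_method and save_passwd.
SAMPLE_CONF = """
remote anonymous {
    exchange_mode aggressive;
    proposal {
        authentication_method xauth_psk_server;   # PSK shared by the whole group
        dh_group modp1024;
    }
}
mode_cfg {
    save_passwd on;   # lets the client cache the XAuth password
}
"""

def parse_racoon(text):
    """Parse racoon.conf 'key value ...;' statements and { } blocks into nested dicts."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r"#.*", "", text))
    pos = 0
    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == ";":                      # 'key value ...;' statement
                node[words[0]] = " ".join(words[1:])
                words = []
            elif tok == "{":                    # nested block; header words form the key
                node[" ".join(words)] = block()
                words = []
            elif tok == "}":
                return node
            else:
                words.append(tok.strip('"'))
        return node
    return block()

def audit(conf):
    """Return the findings raised in the answer: group PSK reuse and cached XAuth passwords."""
    findings = []
    for name, section in conf.items():
        proposal = section.get("proposal", {}) if isinstance(section, dict) else {}
        auth = proposal.get("authentication_method", "")
        if "psk" in auth or auth == "pre_shared_key":
            findings.append(f"{name}: {auth} rests on a group shared secret; any holder can pose as the VPN server to other clients and capture XAuth credentials")
    if conf.get("mode_cfg", {}).get("save_passwd") == "on":
        findings.append("mode_cfg: save_passwd on lets clients cache the XAuth password on the device")
    return findings
```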