Re: [Users] RW with dynamic IP and dynamic dns + PSK in main mode
tim v. wrote:
> with respect to
> Michael Schwartzkopff's posts of 2 Jan 2004 10:32:17 and 8 Jan 2004
> 11:19:24 and its replies
> Can someone clear this out for me?
>
> when doing this in ipsec.conf:
>
> conn me-rw1
> left=1.1.1.1
> right=rw1.dyndns.net
>
> conn me-rw2
> left=1.1.1.1
> right=rw2.dyndns.net
>
> the following happens:
> The client (rw) has dyndns enabled and initiates the negotiating (main
> mode message 1). When the ipsec gateway receives this, he cannot find a
> policy for that ip address, so he looks it up in reverse dns and finds
> that the identity of rw1 is rw1.dyndns.net.
> So main mode goes on and at the fifth message the problem of choosing
> the right secret for the right identity is not a problem anymore because
> the identity is known as rw1.dyndns.net (so the gateway can pick the
> shared secret that he has configured with this Identity).
>
> -first question: is this correct?
No, your assumption is not correct. rw1.dyndns.net and rw2.dyndns.net
are resolved to the current IP addresses when the Pluto daemon is started.
Thus when a dynamic IP address changes, Pluto will not know about it
and will not do another lookup out of free will.
> -second question: if this was correct, why the need for the script that
> replaces the connection when rw1 gets a new ip address? the only
> possible reason for me seems to be that at startup time freeswan
> resolves the dns name and stores the shared keys according to an IP
> address in case of a dns name (if so, why?).
Yes, your reasoning is correct.
>
> -third question: suppose I own a domain name mydomain.net and have 1000
> possible road warriors using dynamic dns (rw<x>.mydomain.net where x
> ranges from 1-1000). Then I would have to make for each of them:
> conn me-rw<x>
> left=1.1.1.1
> right=rw<x>.mydomain.net
> secret="secret-rw<x>"
> That's a lot of work. It's possible to put
> left=1.1.1.1
> right=*.mydomain.net
> for all my road warriors at once. But how do I have to tell freeswan
> that if rw65.mydomain.net connects, it has to use shared secret
> "secret-rw65" for authentication?
The problem is that with IKE Main Mode you cannot select the correct
preshared secret based on a hostname since this is transmitted by
the peer in encrypted form. In order to decrypt the ID you would
need the correct secret but in order to select the correct secret you
would have to know the correct ID. Thus this becomes a hen and egg
problem.
The workarounds that exist are:
- use the same PSK for all roadwarriors (which is not practical and
also rather insecure)
- use IKE Aggressive Mode instead of IKE Main Mode (if used with weak
preshared secrets, Aggressive Mode is extremely vulnerable to off-line
dictionary attacks).
- use either individual raw RSA keys or X.509 certificates for the
roadwarriors (this is the most secure and versatile solution).
>
> if someone can answer my questions, I'll be very grateful;
>
> greets,
> Tim Vissers
>
Regards
Andreas
Andreas Steffen e-mail: andreas.steffen@strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
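As an added illustration of the chicken-and-egg dependency Andreas describes (example code written for this archive page, not from the thread or from FreeS/WAN): the pre-shared-key derivation of RFC 2409 section 5.4 modelled in Python, with a simplified XOR keystream standing in for the real cipher, and constructed nonces, cookies, addresses and secrets.

```python
import hmac
import hashlib

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf modelled as HMAC-SHA1 (RFC 2409, section 5.4)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def derive_skeyid_e(psk, ni, nr, gxy, cky_i, cky_r):
    """Phase 1 key derivation for pre-shared-key authentication (RFC 2409, 5.4).
    Every key below hangs off SKEYID, and SKEYID hangs off the PSK itself."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    return prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")

def keystream_xor(key, data):
    """Simplified stand-in for the real CBC cipher: XOR with a prf-derived keystream."""
    stream = b"".join(prf(key, i.to_bytes(4, "big")) for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed handshake values known to both sides after messages 1-4.
NI, NR = b"nonce-initiator", b"nonce-responder"
CKY_I, CKY_R, GXY = b"\x01" * 8, b"\x02" * 8, b"g^xy-shared-secret"

# What Pluto really indexes on: the addresses the DNS names resolved to at
# daemon start (constructed addresses and secrets, keyed by IP, not by ID).
PSK_BY_IP_AT_START = {"203.0.113.10": b"secret-rw1", "203.0.113.20": b"secret-rw2"}

def initiator_msg5(psk, my_id):
    """Main mode message 5: the initiator's ID payload, encrypted under SKEYID_e."""
    return keystream_xor(derive_skeyid_e(psk, NI, NR, GXY, CKY_I, CKY_R), my_id)

def responder_read_id(src_ip, encrypted_id):
    """Responder: the PSK must be chosen by source IP before the ID is readable."""
    psk = PSK_BY_IP_AT_START.get(src_ip)
    if psk is None:
        return None  # no policy matched the address; negotiation cannot proceed
    return keystream_xor(derive_skeyid_e(psk, NI, NR, GXY, CKY_I, CKY_R), encrypted_id)

msg5 = initiator_msg5(b"secret-rw1", b"rw1.dyndns.net")
print(responder_read_id("203.0.113.10", msg5))  # b'rw1.dyndns.net': address seen at start
print(responder_read_id("203.0.113.99", msg5))  # None: rw1 moved to a new dynamic IP
print(responder_read_id("203.0.113.20", msg5))  # garbage: wrong PSK picked, ID unreadable
```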
Received on Sat Mar 27 09:02:09 2004