X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=blobdiff_plain;f=README;h=de32312b8421b0ac6054c68abeeb494a07adad6b;hp=d40d887a3519657b9a048954f95d39071604e079;hb=26e24676922445a7f63defac5a675191d987d09b;hpb=997358a6c475c8886cce388ab325184a1ff733c9 diff --git a/README b/README index d40d887..de32312 100644 --- a/README +++ b/README @@ -57,7 +57,7 @@ Contents 10. Monitoring functions 11. Firewall support functions 11.1 Environment variables in the updown script - 11.2 Automatic insertion and deletion of iptables firewall rules (NEW) + 11.2 Automatic insertion and deletion of iptables firewall rules 11.3 Sample Linux 2.6 _updown_espmark script for iptables < 1.3.5 12. Authentication with raw RSA public keys 13. Authentication with OpenPGP certificates @@ -69,7 +69,9 @@ Contents 14.1 Authentication and encryption algorithms 14.2 NAT traversal 14.3 Dead peer detection - 14.4 IKE Mode Config + 14.4 IKE Mode Config Pull Mode + 14.5 IKE Mode Config Push Mode + 14.6 XAUTH - Extended Authentication (NEW) 15. Copyright statement and acknowledgements @@ -104,7 +106,10 @@ and currently supports the following features: * NAT-Traversal (RFC 3947) - * Support of Virtual IPs via static configuratin and IKE Mode Config + * Support of Virtual IPs via static configuration and IKE Mode Config + + * XAUTH client and server functionality in conjunction with either PSK + or RSA IKE Main Mode authentication. * Support of Delete SA and informational Notification messages. @@ -2650,7 +2655,7 @@ and can be used when the following prerequisites are fulfilled: - Linux 2.4.x kernel, KLIPS IPsec stack, and arbitrary iptables version. Filtering of tunneled traffic is based on ipsecN interfaces. - - Linux 2.4.16 kernel or newer, native NETKEY IPsec stack, and + - Linux 2.6.16 kernel or newer, native NETKEY IPsec stack, and iptables-1.3.5 or newer. Filtering of tunneled traffic is based on IPsec policy matching rules. 
@@ -2918,8 +2923,8 @@ even if they might be supported by the responder. Currently please refer to README.NAT-Traversal document in the strongSwan distribution. - - + + 14.3 Dead peer detection -------------------- @@ -2969,14 +2974,15 @@ dpdaction=clear for dynamic roadwarrior connections. The default value is dpdaction=none, which disables DPD. -14.4 IKE Mode Config - --------------- - +14.4 IKE Mode Config Pull Mode + ------------------------- + The IKE Mode Config protocol allows the dynamic assignment of virtual IP addresses and optional DNS and WINS server -information to IPsec clients. Currently only "Mode Config Pull Mode" is -implemented where the client actively sends a Mode Config request to the server -in order to obtain a virtual IP. +information to IPsec clients. As a default the "Mode Config Pull Mode" is +used where the client actively sends a Mode Config request to the server +in order to obtain a virtual IP. The server answers with a Mode Config reply +message containing the requested information. Client side configuration (carol): 
@@ -3008,6 +3014,60 @@ the virtual IP address defined by the rightsourceip parameter. In the future an LDAP-based lookup mechanism will be supported. +14.5 IKE Mode Config Push Mode + ------------------------- + +Cisco VPN equipment uses the alternative "Mode Config Push Mode" where the +initiating clients waits for the server to push down a virtual address via +a Mode Config set message. The receipt is acknowledged by the client with a +Mode Config ack message. + +Mode Config Push Mode is activated by the parameter + + modeconfig=push + +as part of the connection definition in ipsec.conf. The default value is +modeconfig=pull. + + +14.6 XAUTH - Extended Authentication + ------------------------------- + +The XAUTH protocol allows an extended +client authentication using e.g. a username/password paradigm in addition +to the IKE Main Mode authentication. Thus XAUTH can be used in conjunction +with Pre-Shared Keys (PSK) by defining + + authby=xauthpsk + +or with RSA signatures + + authby=xauthrsasig + +in the connection definition, correspondingly. strongSwan can act either as +an XAUTH client with + + xauth=client + +or as an XAUTH server with + + xauth=server + +with xauth=client being the default value. strongSwan integrates a default +implementation where the XAUTH user credentials are stored on both the +server and the client in the /etc/ipsec.secrets file, using the syntax + + : XAUTH john "rT6q!V2p" + +The client must not have more than one XAUTH entry whereas the server can +contain an unlimited number of user credentials in ipsec.secrets. + +Either the prompting on the client side or the verification of the user +credentials on the server side can be implemented as a customized XAUTH +dynamic library module. The corresponding library interface is defined +by the pluto/xauth.h header file. + + 15. Copyright statement and acknowledgements ---------------------------------------- 
@@ -3041,7 +3101,7 @@ an LDAP-based lookup mechanism will be supported. Copyright (c) 2002, Stephane Laroche - IKE Mode Config protocol: + IKE Mode Config and XAUTH protocol: Copyright (c) 2001-2002, Colubris Networks @@ -3058,7 +3118,7 @@ an LDAP-based lookup mechanism will be supported. Copyright (c) 2000, Kai Martius X.509, OCSP and smartcard functionality: - +° Copyright (c) 2000, Andreas Hess, Patric Lichtsteiner, Roger Wegmann Copyright (c) 2001, Marco Bertossa, Andreas Schleiss Copyright (c) 2002, Uli Galizzi, Ariane Seiler, Mario Strasser @@ -3072,7 +3132,7 @@ an LDAP-based lookup mechanism will be supported. scepclient: Copyright (c) 2005, Jan Hutter, Martin Willi - Copyright (c) 2005-2006, Andreas Steffen + Copyright (c) 2005-2007, Andreas Steffen University of Applied Sciences in Rapperswil, Switzerland @@ -3087,5 +3147,5 @@ an LDAP-based lookup mechanism will be supported. for more details. ----------------------------------------------------------------------------- -This file is RCSID $Id: README,v 1.33 2006/04/24 21:27:49 as Exp $ +This file is RCSID $Id$
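Review bot: the rewritten 14.4 text says pull mode is used "as a default" but never names the parameter that selects it, while the 14.5 hunk introduces modeconfig=push with modeconfig=pull as the default; mention the parameter here too, e.g. "As a default (modeconfig=pull) the "Mode Config Pull Mode" is used where the client actively sends a Mode Config request", so a reader of 14.4 alone learns how the mode is chosen.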
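Review bot: the 14.6 text says the XAUTH user credentials are stored in /etc/ipsec.secrets on both client and server, and the example `: XAUTH john "rT6q!V2p"` shows the password in the clear, yet the hunk says nothing about the file's permissions; add a sentence that ipsec.secrets must stay readable by root only, since with this feature it holds reusable user passwords and not just the host's PSK or RSA key material. Two smaller points in the same hunk: "the initiating clients waits" in 14.5 should read "the initiating client waits", and "The client must not have more than one XAUTH entry" should state what pluto does if it finds several (reject the file or take the first), since as written the reader cannot tell whether this is a hard error.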
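Review bot: the line `+°` under "X.509, OCSP and smartcard functionality:" replaces an empty line with a stray degree sign; this looks like an accidental keystroke and should be dropped so the copyright block keeps its blank separator line.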