
I'm using pfSense 2.0 and have an IPsec VPN configured (which uses the Raccoon IPsec daemon).

I'm connecting to the VPN using my iPhone (iOS 5).

However, the iPhone doesn't allow saving of XAuth usernames and passwords.

How secure is it to remove XAuth authentication (i.e. blank password) and only use RSA certificate authentication?

SofaKng

2 Answers


Sorry, this isn't answering your question of "how secure ...", but this might side-step your problem. Have you tried xauth_psk_server and putting "save_passwd on;" into your mode_cfg section of racoon.conf?

This let my old iPod (Version 4.2.1) cache an XAuth username & password. Here is my racoon.conf:

path pre_shared_key "/etc/racoon/psk.txt";

listen {
    adminsock disabled;
}

remote anonymous {
    exchange_mode aggressive;
    my_identifier address;
    proposal_check strict;
    generate_policy on;
    nat_traversal on;
    dpd_delay 20;
    ike_frag on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        # pre_shared_key
        # rsasig (for plain RSA authentication)
        # gssapi_krb
        # hybrid_rsa_server hybrid_rsa_client
        # xauth_rsa_server xauth_rsa_client
        # xauth_psk_server xauth_psk_client
        dh_group modp1024;
    }
}

mode_cfg {
    network4 10.99.99.2;
    pool_size 253;
    netmask4 255.255.255.0;
    auth_source pam;
    # dns4 10.99.99.1;
    # wins4 10.0.12.1;
    banner "/etc/racoon/motd";
    pfs_group 2;
    # Allow client to cache password:
    save_passwd on;
    split_dns "ad5ey.net";
    split_network include 10.99.99.0/24;
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

With my iPod (and my MacBook), I select "Cisco IPSec" for the VPN type, and then invent a group name and shared secret for your psk.txt.

# Example psk.txt
coolgroup   bigsecret

Now the question is, How secure is xauth_psk with a shared group secret? (This might not be secure for a corporate environment, because other employees might recycle the group shared secret to spoof being the vpn server to other employees and then sniff usernames and passwords... (runonsentencefun) but it's fine enough for my iPod when I don't share my group with anyone.)

David

XAuth is an additional (i.e. a second) authentication round. It is usually a username/password given by one side only. If both sides authenticate beforehand via certificates (both means: server certificate and client certificate), no additional XAuth is needed at all.

XAuth is usually used like HTTPS websites often are: the client usually authenticates the webserver via certificates, and the server recognizes you via username/password. I.e. the first round is certificate (from one side) and the second round username/password from the other side.

Have you ever used client certificates with your browser? If you have, why would you still need to enter a password on websites? – Maybe because the framework of that specific website is not adapted to client certificates yet. – Same is true with IPsec clients: can they actually do without XAuth?

But anyway: is it secure? Yes. – Unless you believe 2 condoms is better than 1.

Robert Siemer
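As an added example (not code from either answer, racoon or pfSense), here is a small audit script that parses racoon.conf's block syntax and flags the weak combination the first answer warns about (a shared group secret used with aggressive mode), while passing the certificate-only setup the second answer describes. parse_racoon() and audit() are this example's own helpers; the file names gw.crt, gw.key and ca.crt in the sample are placeholders, and the racoon directives used (certificate_type, ca_type, verify_cert, rsasig) are assumed to be spelled as in racoon's documentation.

```python
"""Audit racoon.conf 'remote' blocks for the XAuth/PSK weakness discussed above (example helpers, not racoon code)."""

def parse_racoon(text):
    # Parse racoon.conf into nested dicts: block header -> {directive: value, sub-block: {...}}
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.endswith("{"):  # open a nested block such as "remote anonymous {"
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:  # "directive value;" -> key/value (value keeps its quoting)
            key, _, value = line.rstrip(";").partition(" ")
            stack[-1][key] = value.strip()
    return stack[0]

PSK_METHODS = {"pre_shared_key", "xauth_psk_server", "xauth_psk_client"}
RSA_METHODS = {"rsasig", "xauth_rsa_server", "hybrid_rsa_server"}

def audit(conf):
    # One finding string per weak setting in each 'remote ...' block; empty list means clean
    findings = []
    for name, block in conf.items():
        if not name.startswith("remote ") or not isinstance(block, dict):
            continue
        method = block.get("proposal", {}).get("authentication_method", "")
        if method in PSK_METHODS and block.get("exchange_mode") == "aggressive":
            findings.append(f"{name}: {method} in aggressive mode; whoever holds the group "
                            "secret can pose as the gateway and harvest XAuth logins")
        if method in RSA_METHODS and block.get("verify_cert", "on") != "on":  # racoon defaults to on
            findings.append(f"{name}: verify_cert off, peer certificate is not validated")
    return findings

# Constructed samples: the PSK+XAuth setup from the first answer, and a mutual-RSA variant (no XAuth)
PSK_CONF = """remote anonymous {
    exchange_mode aggressive;
    proposal {
        authentication_method xauth_psk_server;
    }
}"""
RSA_CONF = """remote anonymous {
    exchange_mode main;
    certificate_type x509 "gw.crt" "gw.key";   # gateway certificate and key (placeholder names)
    ca_type x509 "ca.crt";                     # CA that issued the client certificates
    proposal {
        authentication_method rsasig;
    }
}"""
```

Run `audit(parse_racoon(open("/etc/racoon/racoon.conf").read()))` against a live file; an empty list means neither check fired.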