Re: Generic IPSEC vpn plugin



On Fri, 24 Apr 2009, David Woodhouse wrote:

> > - interactive authentication instead of one-shot credentials
> 
> This is actually working in some cases, like openconnect. The
> auth-dialog there is a standalone GUI program in its own right which
> does a whole bunch of stuff including SSL certificates from file system
> or TPM, and letting the user fill in arbitrary forms. Then when it's
> rewarded for a successful login with an HTTP cookie from the server, it
> just passes that cookie back to the nm-openconnect-service which uses it
> to make the actual connection.
> 
> Can IPSec-based VPNs do something similar?

Yes. The only question is who "caches" the credentials. Currently openswan
can cache xauth passwords (from ipsec.secrets, but once we can take them
from the socket, NM can give it to us). Upon closing the connection, these
credentials could be purged.

> person to have access to my VPN.  Connections can be *both* per-user
> in a single-user system, or system-wide on any system.
> 
> I'm guessing that you're in the minority, if you actually bother to set
> up an account for them and switch to it. To be honest, I don't even know
> how to do that without resorting to the command line.

With Fedora, NM seems to be the default manager for all connections, so
if it becomes the de facto tool to configure site-to-site tunnels, then
this might not even be the minority case.

> And I bet that even _fewer_ people actually remove the account after the
> guest is done using the computer, thus actually preventing said guest
> from logging into your laptop later from elsewhere, while you're on the
> VPN...

A real "guest" account should automatically purge and put back a skeleton
account. I know Debian/Ubuntu has this feature. I am not sure if Fedora
has it.

Paul
