Interoperation Guide - NBM 3.8.4 VPN Client and Server, Xauth-PSK Method
Novell Cool Solutions: Feature
By Barochia Bhavatosh
Digg This -
Posted: 29 Dec 2005
Interoperation Guide - NBM 3.8.4 VPN Client and NBM 3.8.4 VPN Server with Xauth-PSK Method in Main Mode
This article highlights the Xauth support of NBM 3.8.4 VPN server which provides connectivity to any Virtual Private Network (VPN) client capable of authenticating using the Xauth- Pre-Shared Key (PSK) method in the Main mode of IKEv1.
The article considers the NBM 3.8.10 VPN Client as an Xauth-capable VPN client.
The NBM 3.8.4 VPN Server provides Xauth-PSK support in the Main mode. The NBM 3.8.10 VPN Client provides Xauth-PSK Support in Main and Aggressive modes. These modes are described in more detail later in the article.
About IKE Xauth (from the RFC)
"Internet Key Exchange protocol (IKE) Extended Authentication (Xauth) is a draft RFC developed by the Internet Engineering Task Force (IETF) based on the Internet Key Exchange (IKE) protocol. The Xauth feature is an enhancement to the existing Internet Key Exchange (IKE) Protocol feature. Xauth allows authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange."
"The Xauth feature is an extension to the IKE feature, and does not replace the IKE authentication."
The Xauth-PSK Method
The Xauth-PSK Method is a type of authentication in which pre-configured secrets are used for client extended authentication. There are two basic modes of establishing an authenticated key exchange, namely:
- Main Mode: A mode of establishing ISAKMP SA in which the two peer identities are not revealed.
- Aggressive Mode: A mode of establishing ISAKMP SA with a fewer number of message exchanges. This mode does not protect the identities of two endpoints. Both the modes generate authenticated keying material from an ephemeral Diffie-Hellman exchange (DH group).
Main mode negotiation is more secure than Aggressive mode negotiation. For more information, see RFC 2409 - The Internet Key Exchange.
The Xauth-PSK method must be configured in the NBM 3.8.4 VPN server in Main mode in order to establish a connection between the NBM 3.8.10 VPN client and the NBM 3.8.4 VPN server.
Configuring the NBM 3.8.4 VPN Server
The NBM 3.8.4 VPN server can be configured for the Xauth-PSK method in the Main mode as follows:
1. Run "set ike xauth pre-shared key=1" on the system console.
2. Enter the following information when prompted:
- Username: Any user having admin rights.
- Password: Password for that user.
- Pre-shared Key: Pre-shared key for Phase1 IKE mode authentication for Xauth-PSK mode.
Configuring the NBM 3.8.10 VPN Client
1. Click the Configuration tab, then select Xauth-PSK from the Authentication mode drop-down list.
Figure 1: Selecting the Xauth=PSK authentication mode
2. Click the VPN tab, then provide the following information:
- VPN Server's IP address: IP address of the Racoon server
- Username: Username along with the context. For example, admin.novell.
- Password: Password for the user
- Shared secret: Shared secrets setup on the server
Figure 2: Providing VPN information
3. Click the Policy editor button. The Policy editor dialog box appears.
Figure 3: Policy Editor dialog
4. In the Proposal tab, enter the following information:
- IKE mode: Select Main Mode from the drop-down list
- PFS mode: Select Yes from the drop-down list
5. Click OK.
6. Check the Use My Policy checkbox.
7. Click OK to establish the connection. The following dialog appears after a successful connection.
Figure 4: VPN statistics - General information and security
The following VPN Client and Server scenarios have been tested:
- NBM 3.8.10 VPN Client Platform: Windows XP SP2, Windows 2000, Windows 98
- NBM 3.8.10 VPN VPN Client Version: 3.8.10
- NBM 3.8.4 VPN Server Version: 6.5 SP3 (OES),5.1 SP8
The Xauth feature adds more value to the interoperating capabilities of the NBM 3.8.4 VPN server with any Xauth-capable VPN client in the Main mode. You can connect to the NBM 3.8.4 VPN server from any Xauth-capable VPN client with the Xauth-PSK method in Main mode.
For more information on Novell Border Manager, visit the Novell documentation Web page at:
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com