Extended authentication (xauth), Identifiers – equinux VPN Tracker 6.4.6 User Manual

The VPN gateway's certificate can in most cases be sent by the VPN gateway,
but it is also possible to add it to the local keychain and set that specific
certificate in VPN Tracker.

Related Settings: (certificates only) Advanced > Certificates
(pre-shared key only) Advanced > Phase 1 Diffie-Hellman Group, Advanced >
Additional Settings > Credentials > Display credentials prompt

Availability: According to the selected device profile. Hybrid-Mode
authentication and smart card-based authentication require VPN Tracker
Professional or Player Edition.

VPN Gateway Setting: (Pre-Shared Key) Pre-shared secret, shared secret,
password, key
(Certificates) X.509 certificates, RSA signatures

Extended Authentication (XAUTH)

Extended authentication is a way of authenticating individual users on top of
one of the general authentication methods, pre-shared key or certificates
(hybrid mode already incorporates XAUTH). In its basic form, XAUTH asks for a
username and password; however, the VPN gateway can also ask for passcodes
(such as the ones generated by RSA SecurID tokens) and similar credentials.

It is possible to store the XAUTH username and password in the Mac OS X
keychain, or to be prompted for them every time the VPN connection is
established.

With most VPN gateways, XAUTH can be set to "When requested", even if it is
not used: when the VPN gateway requests XAUTH to be performed, VPN Tracker
will ask for the appropriate credentials; if the VPN gateway does not request
XAUTH, nothing will happen. However, some VPN gateways need XAUTH
specifically turned on or off, and that is where the "Off" and "Always"
settings can help.

Related Settings: Advanced > Additional Settings > Credentials

Availability: According to the selected device profile.

VPN Gateway Setting: XAUTH, user authentication

Identifiers

The identifiers are small pieces of identifying information that VPN Tracker and
the VPN gateway use to recognize each other.

It is crucial that the Local Identifier in VPN Tracker matches what the VPN
gateway expects; otherwise the VPN gateway will not be able to identify the
connection and will refuse or silently drop it.

Related Settings: Basic > Network > Local Address (for “Local IP Address”)
Basic > Authentication > Certificates (for “Local/Remote Certificate”)

Availability: Identifiers are not configurable when SonicWALL Simple Client
Provisioning is used.

VPN Gateway Setting: The local identifier from VPN Tracker's perspective is
the remote identifier from the VPN gateway's perspective, and vice versa.
Therefore you will normally have to swap the identifiers configured on the
VPN gateway when entering them in VPN Tracker:

VPN Tracker setting   VPN gateway setting
Local Identifier:     Remote Identifier (or client/peer identifier/identity/ID)
Remote Identifier:    Local Identifier (or own/my identifier/identity/ID)

Local Identifier

The identifier that VPN Tracker uses to identify itself to the VPN gateway.

IP Address
An IP address is used for identification. Make sure to enter the IP address the
VPN gateway expects.

Local Endpoint IP Address
Same as “IP Address”, but VPN Tracker will automatically use the IP address of
the local endpoint of the VPN. That means that the “Local Address” setting is
used, if configured, otherwise the IP address of the Mac’s en0 network
interface is used.

Fully Qualified Domain Name (FQDN)
A fully qualified domain name (FQDN) is used for identification (e.g.
vpntracker.example.com). Make sure to enter the FQDN the VPN gateway
expects.
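The perspective swap and the identifier types described above, as an added example that is not part of the manual or of VPN Tracker itself: it models the IKEv1 identification payload types that the “IP Address” and “FQDN” choices correspond to, derives the VPN Tracker settings from a gateway's own local/remote identifiers, and checks whether a gateway would accept the identifier a client presents. The identifier values are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# IKEv1 identification payload types (ISAKMP IPsec DOI, RFC 2407 section 4.6.2.1)
ID_IPV4_ADDR = 1   # "IP Address" / "Local Endpoint IP Address" in VPN Tracker
ID_FQDN = 2        # "Fully Qualified Domain Name (FQDN)" in VPN Tracker

@dataclass(frozen=True)
class Identifier:
    id_type: int
    value: str

def make_identifier(id_type: int, value: str) -> Identifier:
    """Build an identifier, rejecting values that do not fit the declared type."""
    if id_type == ID_IPV4_ADDR:
        ipaddress.IPv4Address(value)   # raises ValueError if not a dotted IPv4 address
        return Identifier(id_type, value)
    if id_type == ID_FQDN:
        labels = value.lower().rstrip(".").split(".")
        if len(labels) < 2 or not all(lab and lab.replace("-", "").isalnum() for lab in labels):
            raise ValueError(f"not a valid FQDN: {value!r}")
        # normalised form: lower-case, no trailing dot, so "Host.Example.com." == "host.example.com"
        return Identifier(id_type, ".".join(labels))
    raise ValueError(f"unsupported identifier type {id_type}")

def client_settings_from_gateway(gw_local: Identifier, gw_remote: Identifier) -> dict:
    """The gateway's remote identifier becomes the client's Local Identifier, and vice versa."""
    return {"Local Identifier": gw_remote, "Remote Identifier": gw_local}

def gateway_accepts(gw_expected_remote: Identifier, client_sent_local: Identifier) -> bool:
    """A gateway matches the peer's ID on both type and value; anything else is refused or dropped."""
    return gw_expected_remote == client_sent_local

if __name__ == "__main__":
    # constructed sample values (hypothetical gateway configuration)
    gw_local = make_identifier(ID_IPV4_ADDR, "203.0.113.1")
    gw_remote = make_identifier(ID_FQDN, "vpntracker.example.com")
    for setting, ident in client_settings_from_gateway(gw_local, gw_remote).items():
        print(f"{setting}: type {ident.id_type}, value {ident.value}")
```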