 From:  "D. Ubevidste" <detubevidste at gmail dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  character limitations in IPSEC Pre-shared keys
 Date:  Tue, 16 Nov 2004 17:18:12 -0500
We have been testing m0n0wall IPSEC VPNs on a Soekris net4801, with
quite pleasing results.

Phenomenon observed:

We used a fairly robust random number generator for generating a
pre-shared key for IPSEC
(http://www.irisa.fr/caps/projects/hipsor/HAVEGE.html). As this
generates binary, we were curious as to the character set allowed for
the psk. Our thought was that we would be using very little of the
available keyspace in normal characters if a full set were allowed.

We opened our random data in a hex editor, copied the equivalent
text (unprintable chars and all) into the psk field in m0n0wall, and
clicked "save".

Result:
 - Device displays "XML error: not well-formed (invalid token) at line
163" on all input.
 - Rebooting the device, it takes no IP, and the console interface
returns the same error message on input.

A couple of things, then:
 - I don't know if the limitation is on the underlying IPSEC backend,
or m0n0wall, but I would be appreciative of a legend in the GUI saying
something like "256 ASCII char max" or "1024 Unicode char max" or the
like
 - While this is a stupid move on a user's part (what testing is for,
thank goodness!), should m0n0wall try and prevent it?

many kind thanks,

du
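The failure described in the post, reproduced as an added example that is not m0n0wall code and not part of the original message: raw random bytes pasted into a pre-shared-key field contain control characters that XML 1.0 does not permit in text, so the saved config no longer parses and the device cannot load it. The block below assumes the config is stored as XML with the PSK as element text (the "not well-formed (invalid token)" message points at an XML parser), assumes a hypothetical 256-character limit as the default (the legend the poster asks for, not a documented m0n0wall value), and shows the two checks a GUI could apply before saving: reject characters XML cannot store, and offer a base64 encoding of the random bytes so the full entropy of the generator is kept in printable form.

```python
"""Validate IPsec pre-shared keys against XML-config storage, and derive a
printable PSK from raw random bytes instead of pasting them verbatim.

Added example, not m0n0wall code. Assumptions: the config is XML 1.0 with
the PSK as element text; the 256-character limit is a placeholder value.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Characters XML 1.0 permits in text content: tab, LF, CR, and U+0020
# upward, minus the surrogate block and U+FFFE/U+FFFF. Anything else
# (NUL, other C0 controls, ...) makes the document not well-formed.
_XML_ILLEGAL = re.compile(
    "[^\t\n\r\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)


def xml_unsafe_chars(text: str) -> list:
    """Return the distinct characters in `text` that XML 1.0 cannot store."""
    return sorted(set(_XML_ILLEGAL.findall(text)))


def psk_is_storable(psk: str, max_len: int = 256) -> bool:
    """True if the PSK is non-empty, fits max_len, and is printable ASCII.

    Printable ASCII is stricter than what XML allows, but it is what a
    user can retype on a serial console and needs no escaping of '<'/'&'.
    max_len=256 is an assumed placeholder, not a documented limit.
    """
    if not psk or len(psk) > max_len:
        return False
    return all(0x20 <= ord(c) <= 0x7E for c in psk)


def psk_from_random_bytes(raw: bytes) -> str:
    """Encode raw random bytes (e.g. HAVEGE output) as a printable PSK.

    Base64 keeps every bit of entropy in the input while emitting only
    characters that survive XML storage and console entry.
    """
    return base64.b64encode(raw).decode("ascii")


def config_round_trips(psk: str) -> bool:
    """Simulate saving the PSK into an XML config and reading it back.

    Mirrors the reported failure: if the parser rejects the document, the
    firewall cannot load its own configuration after a reboot.
    """
    doc = (
        "<ipsec><tunnel><pre-shared-key>%s</pre-shared-key></tunnel></ipsec>"
        % psk
    )
    try:
        root = ET.fromstring(doc)
    except (ET.ParseError, ValueError):
        return False
    return root.findtext("tunnel/pre-shared-key") == psk


if __name__ == "__main__":
    # Constructed sample: a few raw bytes as a hex editor would show them,
    # pasted as the equivalent text (controls and all), as in the report.
    pasted = bytes([0x00, 0x01, 0x1F, 0x41, 0x7F, 0xFE]).decode("latin-1")
    print("unsafe chars:", [hex(ord(c)) for c in xml_unsafe_chars(pasted)])
    print("storable:", psk_is_storable(pasted))
    print("config loads:", config_round_trips(pasted))

    # Same entropy, encoded before it reaches the config file.
    encoded = psk_from_random_bytes(bytes(range(32)))
    print("encoded PSK:", encoded)
    print("storable:", psk_is_storable(encoded))
    print("config loads:", config_round_trips(encoded))
```

Running the block shows the pasted bytes failing both checks and the base64 form passing them; the NUL and C0 control characters are what expat reports as an invalid token. The printable-ASCII rule in `psk_is_storable` is deliberately narrower than the XML rule, because a key the console cannot accept is as much a lockout risk as one the parser rejects.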