description.txt

ipsec vpn

The purpose of this test case is to demonstrate how to setup road warrior
access using XAUTH+self-signed certificates.

The intent is to use RSA signatures and Main Mode for phase 1.
XAUTH provides the authentication for phase 2.

The initial policy is that of opportunistic encryption - a random client
connects for phase 1, however it offers XAUTHInitRSA as the method.

The gateway does not have the client's key. In this test case, it is
sent by self-signed certificate payload. This completes phase 1.
The client already has the gateway's certificate, pre-configured or retrieved
by DNS. (KEY, IPSECKEY or CERT). This uni-directional authentication will
detect a MITM that is done at the network layer. 
It may not detect it at the application layer, so CHAP method is recommended.

Then the gateway challenges the client with XAUTH. CHAP preferred.