[vpn-help] Locked VPN profile
Matthew Grooms
mgrooms at shrew.net
Mon Nov 29 17:00:20 CST 2010
On 11/23/2010 12:52 PM, Sławomir Krok wrote:
> Hi
>
> Is it possible to create a locked *.vpn file for Shrew which could be
> imported and used to connect to an end device, but couldn't be modified?
> Something similar to the Netscreen client.
>
No. The short answer is that it would be difficult considering most of
the components of the VPN client are open source. When a client 'locks'
down configuration information, it still needs to be readable by the
tools that manage VPN connections. This means that if the information is
encrypted, the decryption key needs to be statically compiled into the
tools. This isn't secure.
The long answer is that to retain cross platform compatibility, the key
data and the method used to protect configuration info would be easily
obtained by looking at the source code. In reality, even if we only
included the key in a binary only distribution of the Windows client,
anyone who knows how to use a disassembler could reverse engineer the
protection format and extract the key data from a memory dump or the
binary itself. This is the same reason why the Shrew Soft client and a
number of other tools can import pcf files with so-called encrypted
pre-shared key information. The key data that protects the information
is static, and that key is well known. It's a common case of security by
obscurity even though in this case the secret isn't even that obscure.
If you don't believe me, do a quick google search for "pcf encrypted
group password" and you will quickly discover lots of tools similar to
this one ...
http://coreygilmore.com/projects/decrypt-cisco-vpn-password/
Hope this answers your question,
-Matthew
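The following is an added worked example, not code from this thread or from the Shrew Soft project. It reconstructs in Go the "encrypted" group password scheme of Cisco pcf files as the public decoders Matthew refers to (vpnc's cisco-decrypt and tools like the one linked above) implement it: a 20-byte seed stored at the front of the blob, the SHA-1 of the ciphertext, then the 3DES-CBC ciphertext, with the CBC IV taken from the first 8 bytes of the seed and the 24-byte key derived from the seed by two SHA-1 calls. That layout is reproduced here from memory of those decoders and should be treated as an assumption; the obfuscating direction (what a client would do when writing the field) is my own reconstruction, and the seed and password values are constructed for the example. The point it makes concrete is the one in the post: every byte needed to recover the password is in the file itself, so "encryption" here is only encoding.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveKey follows the key schedule used by the public pcf decoders
// (assumption: reproduced from memory of vpnc's cisco-decrypt.c). The
// 24-byte 3DES key comes entirely from the first 20 bytes of the blob,
// so the file carries its own decryption key.
func deriveKey(seed []byte) []byte {
	ht := make([]byte, 20)
	copy(ht, seed[:20])
	ht[19]++
	h2 := sha1.Sum(ht) // first 20 key bytes
	ht[19] += 2
	h3 := sha1.Sum(ht) // last 4 key bytes
	key := make([]byte, 0, 24)
	key = append(key, h2[:]...)
	key = append(key, h3[:4]...)
	return key
}

// ObfuscateGroupPassword builds an enc_GroupPwd-style blob (hypothetical
// writer side): seed(20) || SHA-1(ciphertext)(20) || 3DES-CBC(pad(password)).
// The IV is the first 8 bytes of the seed; padding is PKCS#5-style.
func ObfuscateGroupPassword(seed []byte, password string) (string, error) {
	if len(seed) != 20 {
		return "", errors.New("seed must be 20 bytes")
	}
	block, err := des.NewTripleDESCipher(deriveKey(seed))
	if err != nil {
		return "", err
	}
	pt := []byte(password)
	pad := 8 - len(pt)%8
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, seed[:8]).CryptBlocks(ct, pt)
	digest := sha1.Sum(ct)
	blob := append(append(append([]byte{}, seed...), digest[:]...), ct...)
	return hex.EncodeToString(blob), nil
}

// DeobfuscateGroupPassword recovers the password from the hex blob using
// nothing but the blob's own contents. It rejects short, misaligned or
// tampered input (hash mismatch) and bad padding.
func DeobfuscateGroupPassword(encHex string) (string, error) {
	blob, err := hex.DecodeString(encHex)
	if err != nil {
		return "", err
	}
	if len(blob) < 48 || len(blob[40:])%8 != 0 {
		return "", errors.New("blob too short or not block-aligned")
	}
	seed, digest, ct := blob[:20], blob[20:40], blob[40:]
	if sum := sha1.Sum(ct); !bytes.Equal(sum[:], digest) {
		return "", errors.New("integrity hash mismatch")
	}
	block, err := des.NewTripleDESCipher(deriveKey(seed))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, seed[:8]).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > 8 || pad > len(pt) {
		return "", errors.New("bad padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	// Constructed values; a real client would pick a random seed.
	seed := bytes.Repeat([]byte{0x5a}, 20)
	blob, err := ObfuscateGroupPassword(seed, "example-group-secret")
	if err != nil {
		panic(err)
	}
	fmt.Println("enc_GroupPwd=" + blob)
	pw, err := DeobfuscateGroupPassword(blob)
	fmt.Println("recovered:", pw, err)
}
```

Note that nothing in the decoder is secret: no key is supplied from outside, which is exactly why a "locked" profile built this way can be opened by anyone who has the file.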