[strongSwan-dev] Is this conceptually possible: EAP PSK secrets stored in ipsec.secrets as bcrypt hash?

Chase Douglas chase at stackery.io
Sun Jan 29 18:53:43 CET 2017


I'm working on a product that makes it easier for people to deploy
infrastructure on cloud services. I would love to offer a simple VPN
that works with built-in OS X/Windows/etc. clients using
username/password of some form. Strongswan fits the bill, but the PSK
secrets are stored in plaintext.

Here's what I would like to do, and I want to find out from people who
are much more knowledgeable than I whether this is feasible and

1. End user interacts with our product and provides a
username/password for VPN access
2. Instead of adding username/password to ipsec.secrets as plaintext
EAP, add password as bcrypt hashed value
3. Store new ipsec.secrets as a privately accessible file (say in AWS
S3 so the VPN server can just grab the latest file when the server
starts up)
3. StrongSwan verifies new connections using bcrypt hash

Is this possible to implement? I don't really know how all the IPSec
protocols work, so I'm hoping someone here can provide some guidance.


More information about the Dev mailing list