[strongSwan-dev] Is this conceptually possible: EAP PSK secrets stored in ipsec.secrets as bcrypt hash?

Noel Kuntze noel at familie-kuntze.de
Sun Jan 29 20:51:16 CET 2017


On 29.01.2017 18:53, Chase Douglas wrote:
> Strongswan fits the bill, but the PSK
> secrets are stored in plaintext.
> 
> Here's what I would like to do, and I want to find out from people who
> are much more knowledgeable than I whether this is feasible and
> reasonable:
> 
> 1. End user interacts with our product and provides a
> username/password for VPN access
> 2. Instead of adding username/password to ipsec.secrets as plaintext
> EAP, add password as bcrypt hashed value
> 3. Store new ipsec.secrets as a privately accessible file (say in AWS
> S3 so the VPN server can just grab the latest file when the server
> starts up)
> 4. StrongSwan verifies new connections using bcrypt hash
> 
> Is this possible to implement? I don't really know how all the IPSec
> protocols work, so I'm hoping someone here can provide some guidance.

With PSK and challenge-based EAP authentication methods, it's impossible, due to technical constraints
of PSK authentication and the particular EAP method. It is only possible to implement this
with EAP-GTC. However, this method is not supported by any built-in client.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
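The constraint described in the reply above, shown as an added example (constructed Python, not strongSwan code and not from either poster). It models two server-side verifiers: EAP-MD5, whose client computes MD5(Identifier || Secret || Challenge) exactly as CHAP (RFC 1994) specifies, and EAP-GTC, whose client simply sends the password inside the already-encrypted IKE exchange. The salted, slow hash uses `hashlib.pbkdf2_hmac` as a stand-in for bcrypt, since bcrypt is not in the Python standard library; the password, identifier and round count are constructed values.

```python
"""
Why a salted password hash can back EAP-GTC but not a challenge-response
EAP method such as EAP-MD5. Constructed example; not strongSwan code.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # constructed; stand-in for bcrypt's cost factor


# --- Challenge/response: EAP-MD5 (same computation as CHAP, RFC 1994) ------
# The client computes MD5(Identifier || Secret || Challenge). That function is
# fixed by the method and by every built-in client, so the server can only
# check the response by feeding the *same* Secret into the *same* MD5. It
# therefore has to hold the plaintext password (or an equivalent).

def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What an EAP-MD5 client sends back for a given challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def eap_md5_server_verify(stored_secret: bytes, identifier: int,
                          challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from whatever secret it stores."""
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


# --- Password stored as a salted, slow hash (stand-in for bcrypt) -----------

def hash_password(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); this is the record that would live in the secrets file."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(record: Tuple[bytes, bytes], candidate: bytes) -> bool:
    """Constant-time check of a candidate password against the stored record."""
    salt, digest = record
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed, digest)


# --- EAP-GTC: the client sends the password itself -------------------------
# Nothing is derived on the client, so the server is free to store the
# password in any form it can verify, including a salted slow hash.

def eap_gtc_server_verify(record: Tuple[bytes, bytes], password_from_client: bytes) -> bool:
    return verify_password(record, password_from_client)


def demo() -> dict:
    """Run both verifiers with a plaintext secret and with only the hash record."""
    password = b"correct horse battery staple"   # constructed
    identifier = 1                                # constructed EAP identifier
    record = hash_password(password)
    challenge = os.urandom(16)

    # A built-in client only knows the password; it hashes that, never our record.
    client_response = eap_md5_response(identifier, password, challenge)

    return {
        # Works only because the server holds the plaintext.
        "md5_with_plaintext": eap_md5_server_verify(password, identifier, challenge, client_response),
        # Plugging the stored digest in where the secret belongs cannot match:
        # the client hashed the password, not the digest, and the server cannot
        # recover the password from the record.
        "md5_with_hash_only": eap_md5_server_verify(record[1], identifier, challenge, client_response),
        # GTC verifies fine against the salted hash.
        "gtc_with_hash": eap_gtc_server_verify(record, password),
        "gtc_wrong_password": eap_gtc_server_verify(record, b"not the password"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A challenge method could in principle be built around a salted verifier (SCRAM does exactly that), but EAP-MD5 and EAP-MSCHAPv2 fix their computation and the clients shipped with operating systems implement only that fixed form, which is the constraint the reply points at. EAP-GTC sends the password unprotected inside the EAP conversation, so it relies entirely on the surrounding IKE_SA encryption to keep it confidential.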

