[strongSwan-dev] Is this conceptually possible: EAP PSK secrets stored in ipsec.secrets as bcrypt hash?

Chase Douglas chase at stackery.io
Mon Jan 30 16:37:42 CET 2017


Thanks, Noel! Just the feedback I needed. We'll figure out a way to
make it easy to use certs instead.
-- Chase Douglas
CTO @
Techstars '17
(234) 567-9652


On Sun, Jan 29, 2017 at 11:51 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> On 29.01.2017 18:53, Chase Douglas wrote:
>> Strongswan fits the bill, but the PSK
>> secrets are stored in plaintext.
>>
>> Here's what I would like to do, and I want to find out from people who
>> are much more knowledgeable than I whether this is feasible and
>> reasonable:
>>
>> 1. End user interacts with our product and provides a
>> username/password for VPN access
>> 2. Instead of adding username/password to ipsec.secrets as plaintext
>> EAP, add password as bcrypt hashed value
>> 3. Store new ipsec.secrets as a privately accessible file (say in AWS
>> S3 so the VPN server can just grab the latest file when the server
>> starts up)
>> 4. StrongSwan verifies new connections using bcrypt hash
>>
>> Is this possible to implement? I don't really know how all the IPSec
>> protocols work, so I'm hoping someone here can provide some guidance.
>
> With PSK and challenge-based EAP authentication methods, it's impossible, due to technical constraints
> of PSK authentication and the particular EAP method. It is only possible to implement this
> with EAP-GTC. However, this method is not supported by any built-in client.
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
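The constraint Noel describes, shown as an added illustration (this is not strongSwan code and not from either poster): with IKEv2 PSK the responder must recompute AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets) itself, so it needs the same secret bytes the initiator used, and a one-way hash of the secret cannot stand in for it. A method that carries the password itself to the server, as EAP-GTC does (inside the EAP-TTLS or PEAP TLS tunnel in practice), lets the server rehash what it receives and compare against a stored slow hash. Assumptions: HMAC-SHA256 stands in for the IKEv2 prf, PBKDF2-HMAC-SHA256 stands in for bcrypt so only the standard library is needed, and the secret and signed octets are constructed sample values.

```python
"""Added illustration: why challenge-response authentication needs the
plaintext secret on the server, while a password-in-tunnel method can
verify against a slow hash. Not strongSwan code.

Stand-ins (assumptions): HMAC-SHA256 for the IKEv2 prf, PBKDF2-HMAC-SHA256
for bcrypt. The key-pad string is the RFC 7296 PSK authentication constant.
"""
import hashlib
import hmac
import os

KEY_PAD = b"Key Pad for IKEv2"  # RFC 7296, section 2.15


def psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    derived = hmac.new(shared_secret, KEY_PAD, hashlib.sha256).digest()
    return hmac.new(derived, signed_octets, hashlib.sha256).digest()


def verify_psk_auth(server_secret: bytes, signed_octets: bytes, auth: bytes) -> bool:
    """The responder recomputes AUTH from whatever secret it holds. Only the
    original secret bytes reproduce the initiator's value."""
    return hmac.compare_digest(psk_auth(server_secret, signed_octets), auth)


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with 100k iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def make_record(password: bytes):
    """Hash a password for storage: (salt, digest)."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def verify_gtc_password(record, submitted: bytes) -> bool:
    """EAP-GTC style check: the client sent the password itself, so the
    server rehashes it with the stored salt and compares digests."""
    salt, stored = record
    return hmac.compare_digest(slow_hash(submitted, salt), stored)


def demo() -> dict:
    """Run both flows against one constructed secret and report outcomes."""
    psk = b"correct horse battery staple"  # constructed sample secret
    octets = os.urandom(32)                # stands in for the signed octets
    auth = psk_auth(psk, octets)           # what the initiator would send
    salt, digest = make_record(psk)        # what a hash-only store holds
    return {
        # Server holds the plaintext PSK: AUTH verifies.
        "psk_plaintext_ok": verify_psk_auth(psk, octets, auth),
        # Server holds only the hash: it cannot derive the prf key, so the
        # initiator's AUTH never verifies. This is the PSK/MSCHAPv2 problem.
        "psk_hash_only_ok": verify_psk_auth(digest, octets, auth),
        # GTC-style: the password arrives, the hash-only store suffices.
        "gtc_ok": verify_gtc_password((salt, digest), psk),
        "gtc_wrong_password": verify_gtc_password((salt, digest), b"wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same reasoning applies to EAP-MSCHAPv2, where the server must compute the challenge response from the NT hash of the password, which is itself an unsalted, reversible-equivalent credential rather than a slow hash. For the GTC path, strongSwan's eap-gtc plugin does not read the password from an ipsec.secrets EAP entry at all but hands it to an XAuth backend such as PAM, which is where a bcrypt-style store would sit.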

