[strongSwan] strongswan without client certificate

Simon Deziel simon.deziel at gmail.com
Wed Dec 3 23:27:34 CET 2014


Hi Thomas,

Have you looked at [1]? It says:

> EAP-MSCHAPv2 requires MD4 to generate the NT-Hashes

HTH,
Simon

1:
https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2

On 12/03/2014 04:59 PM, Thomas wrote:
> Hi Noel, Hi Imarn
> 
> thanks for your answers!
> Any idea what's the best authentication method for username/password only
> on client-side?
> EAP-MD5?
> 
> The client should be able to connect via windows ikev2 native clients,
> the strongswan android-app,
> and the native clients from osx/ios.
> 
> Best
> Thomas
> 
> On 03.12.2014 19:40, Imran Akbar wrote:
>> Hey Thomas,
>>     Seems like we're in the same boat.  Which client are you using to connect?
>> I'm going to try that config on my own gateway and see if it works for me.
>> I'm also looking at this example for PSK authentication:
>> http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/
>>
>> yours,
>> imarn
>>
>> On Wed, Dec 3, 2014 at 10:13 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>>
>> Hello Thomas,
>>
>> Using something like you already have in the conn win7 section will do.
>> Just don't set any authentication method for the client, that needs
>> certificates or psk and you're golden.
>> Assuming of course your client is configured the right way, of course.
>>
>> Kind regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 03.12.2014 at 14:54, Thomas wrote:
>> > Hi,
>>
>> > I'm trying to set up strongswan to accept only username and password as
>> > login credentials.
>> > So, the client does not need any certificate, only his username and
>> > password.
>> > Is there any way to do that ?
>>
>>
>> > My actual ipsec.conf is this:
>>
>> > config setup
>>
>> > conn ios
>> >         keyexchange=ikev1
>> >         authby=xauthrsasig
>> >         xauth=server
>> >         left=%defaultroute
>> >         leftsubnet=0.0.0.0/0
>> >         leftfirewall=yes
>> >         leftcert=serverCert.pem
>> >         right=%any
>> >         rightsubnet=10.0.0.0/24
>> >         rightsourceip=10.0.0.0/24
>> >         rightcert=clientCert.pem
>> >         auto=add
>>
>> > conn android
>> >         keyexchange=ikev2
>> >         left=%defaultroute
>> >         leftauth=pubkey
>> >         leftsubnet=0.0.0.0/0
>> >         leftcert=serverCert.pem
>> >         right=%any
>> >         rightauth=pubkey
>> >         rightsourceip=10.0.0.0/24
>> >         rightcert=clientCert.pem
>> >         auto=add
>>
>> > conn win7
>> >         keyexchange=ikev2
>> >         ike=aes256-sha1-modp1024!
>> >         esp=aes256-sha1!
>> >         dpdaction=clear
>> >         dpddelay=300s
>> >         rekey=no
>> >         left=%any
>> >         leftsubnet=0.0.0.0/0
>> >         leftauth=pubkey
>> >         leftcert=serverCert.pem
>> >         right=%any
>> >         rightsourceip=10.0.0.0/24
>> >         rightauth=eap-mschapv2
>> >         rightsendcert=never
>> >         eap_identity=%any
>> >         auto=add
>>
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
>> > https://lists.strongswan.org/mailman/listinfo/users


