[strongSwan] strongswan without client certificate
Simon Deziel
simon.deziel at gmail.com
Wed Dec 3 23:27:34 CET 2014
Hi Thomas,
Have you looked at [1]? It says:
> EAP-MSCHAPv2 requires MD4 to generate the NT-Hashes
HTH,
Simon
[1]: https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
On 12/03/2014 04:59 PM, Thomas wrote:
> Hi Noel, Hi Imran
>
> thanks for your answers!
> Any idea what's the best authentication method for username/password only
> on client-side?
> EAP-MD5?
>
> The client should be able to connect via windows ikev2 native clients,
> the strongswan android-app,
> and the native clients from osx/ios.
>
> Best
> Thomas
>
> Am 03.12.2014 19:40, schrieb Imran Akbar:
>> Hey Thomas,
>> Seems like we're in the same boat. Which client are you using to connect?
>> I'm going to try that config on my own gateway and see if it works for me.
>> I'm also looking at this example for PSK authentication:
>> http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/
>>
>> yours,
>> imarn
>>
>> On Wed, Dec 3, 2014 at 10:13 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>>
>> Hello Thomas,
>>
>> Using something like you already have in the conn win7 section will do.
>> Just don't set any authentication method for the client, that needs
>> certificates or psk and you're golden.
>> Assuming of course your client is configured the right way, of course.
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 03.12.2014 um 14:54 schrieb Thomas:
>> > Hi,
>>
>> > I'm trying to set up strongswan to accept only username and password as
>> > login credentials.
>> > So, the client does not need any certificate, only his username and password.
>> > Is there any way to do that?
>>
>>
>> > My actual ipsec.conf is this:
>>
>> > config setup
>>
>> > conn ios
>> >     keyexchange=ikev1
>> >     authby=xauthrsasig
>> >     xauth=server
>> >     left=%defaultroute
>> >     leftsubnet=0.0.0.0/0
>> >     leftfirewall=yes
>> >     leftcert=serverCert.pem
>> >     right=%any
>> >     rightsubnet=10.0.0.0/24
>> >     rightsourceip=10.0.0.0/24
>> >     rightcert=clientCert.pem
>> >     auto=add
>>
>> > conn android
>> >     keyexchange=ikev2
>> >     left=%defaultroute
>> >     leftauth=pubkey
>> >     leftsubnet=0.0.0.0/0
>> >     leftcert=serverCert.pem
>> >     right=%any
>> >     rightauth=pubkey
>> >     rightsourceip=10.0.0.0/24
>> >     rightcert=clientCert.pem
>> >     auto=add
>>
>> > conn win7
>> >     keyexchange=ikev2
>> >     ike=aes256-sha1-modp1024!
>> >     esp=aes256-sha1!
>> >     dpdaction=clear
>> >     dpddelay=300s
>> >     rekey=no
>> >     left=%any
>> >     leftsubnet=0.0.0.0/0
>> >     leftauth=pubkey
>> >     leftcert=serverCert.pem
>> >     right=%any
>> >     rightsourceip=10.0.0.0/24
>> >     rightauth=eap-mschapv2
>> >     rightsendcert=never
>> >     eap_identity=%any
>> >     auto=add
>>
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users