[strongSwan] strongswan without client certificate

Imran Akbar skunkwerk at gmail.com
Fri Dec 5 17:41:39 CET 2014


Hey Thomas,

Here's my latest attempt to get a setup working without requiring client
certificates.

Client is Strongswan Android, server is running Strongswan 5.2.2 on a fresh
Ubuntu 14 server on EC2 with UDP ports 500 and 4500 opened.
Client is connecting via IKEv2 username/password.

Is PSK the same as the "EAP username/password" option in the Strongswan
android client?  I have a feeling it's not, i.e. this config will not work
for EAP-MSCHAPv2:
http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/

But there's no documentation on a version of this one without the gateway
authenticating via a RSA key:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/

I've tried with the gateway authenticating itself using a certificate, and
with PSK - both have the same error:
*"peer requested EAP, config inacceptable"*

In addition, the gateway seems unable to parse my private server key:
*building CRED_PRIVATE_KEY - RSA failed*, tried 5 builders
Dec  5 16:15:13 ip-172-31-26-153 charon: 00[CFG]   loading private key from
'/etc/ipsec.d/private/serverKey.pem' failed
even though I see openssl, pkcs1, and pem in my plugins - though I'm not
sure which ones weren't loaded, as it doesn't say in the log.

attempt 1 - with gateway using public key:
ipsec.conf: https://pastee.org/z8234
ipsec.secrets: https://pastee.org/mva6t
server log: https://pastee.org/t2ahc

attempt 2 - with gateway using PSK:
ipsec.conf: https://pastee.org/f4fbp
ipsec.secrets: https://pastee.org/mva6t
server log: https://pastee.org/6yd8q

Can someone please help?

thanks,
imran

On Thu, Dec 4, 2014 at 3:21 AM, Thomas <jk at c.vu> wrote:

> Hi,
>
> ok, so I have to change my EAP-MSCHAPv2 configuration.
> I've tested a lot, but don't find any ipsec-configuration where the
> client doesn't need the certificate installed locally.
>
> Do you have any ideas based on my posted ipsec.conf ?
>
> Best regards
> Thomas
>
> Am 04.12.2014 10:40, schrieb Martin Willi:
> > Hi,
> >
> >> Any idea what's the best authentication method for username/password only
> >> on client-side? EAP-MD5?
> >> The client should be able to connect via windows ikev2 native clients,
> >> the strongswan android-app,
> > If you want to use the native Windows IKEv2 Agile VPN client, there is
> > no way around EAP-MSCHAPv2 for username/password authentication. You
> > could wrap that in PEAP/TTLS, but that most likely makes no sense for
> > your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]
> > for configuration details.
> >
> >> and the native clients from osx/ios.
> > OS X does not natively support IKEv2. You'd have to stick to IKEv1 with
> > XAuth, so you need a separate configuration profile. Please note that
> > there are rekeying issues with that client, which usually breaks the
> > tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]
> > for configuration details.
> >
> > iOS supports IKEv2 since version 8, older versions support IKEv1 only.
> > Refer to [3] for details about deploying configuration profiles.
> >
> > Regards
> > Martin
> >
> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
> > [2] https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> > [3] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
> >
> >
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
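An added gateway-side example (not from this thread or the strongSwan project) of the configuration Martin's link [1] and the rw-eap-mschapv2-id-rsa scenario describe: the gateway authenticates with its certificate, the roadwarrior authenticates with EAP-MSCHAPv2 username/password only. Hostnames, file names, the address pool and the IDs are placeholders.

```conf
# /etc/ipsec.conf on the gateway (strongSwan 5.x)
config setup

conn rw-eap-mschapv2
    keyexchange=ikev2
    # The gateway proves its identity with a certificate; leftid must match
    # a subjectAltName in serverCert.pem, which lives in /etc/ipsec.d/certs/.
    left=%any
    leftid=vpn.example.com
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # Roadwarriors carry no certificate: they authenticate with EAP-MSCHAPv2.
    # If rightauth is not an eap-* method, charon refuses a client that asks
    # for EAP in IKE_AUTH ("peer requested EAP, config inacceptable").
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    # Look the credentials up by the identity exchanged inside EAP,
    # not by the IKE identity the client happens to send.
    eap_identity=%identity
    rightsourceip=10.10.0.0/24
    auto=add
```

The matching /etc/ipsec.secrets needs `: RSA serverKey.pem` (the key in /etc/ipsec.d/private/ belonging to leftcert) and one `user : EAP "password"` line per roadwarrior. The client only needs the CA certificate that issued serverCert.pem to verify the gateway, not a certificate of its own.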