[strongSwan] strongswan without client certifikate

Noel Kuntze noel at familie-kuntze.de
Fri Dec 5 20:09:09 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Imran,

I strongly recommend NOT doing that, as the clients would then trust any server and try to authenticate against them with their credentials, which may
expose them to criminals. Also, you should really advise your clients to set up pin code authentication to their phone's home screen, as
an individual getting their hands on on a client's phone would get access to the VPN.

You might want to use a p12 file then to make this easier. The clients can get it sent by email and they just need to open it and accept the certificates.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 05.12.2014 um 19:53 schrieb Imran Akbar:
> Hey Noel,
>
> thanks for your continued help.
> I generated a self-signed CA on my server and put it into the correct directories.
>
> While I can (and have previously) installed the CA certificate myself on the Android client, I don't want the other users who aren't as tech-savvy to have to do this step.  It also requires them to set up a PIN code for their phone's home screen, which not everyone wants to have to do.
>
> If I used a paid, non-self-signed CA certificate that's tied back to one of the root certificates already installed on Android, would that solve this issue?
>
> regards,
> imran
>
>
>
>
>
> On Fri, Dec 5, 2014 at 10:19 AM, Noel Kuntze <noel at familie-kuntze.de <mailto:noel at familie-kuntze.de>> wrote:
>
>
> Hello Imran,
>
> Do you have a CA? You need to have your CA installed on all devices.
>
> Try adding the DNS name you're connecting to in an additional SAN field by adding --san DNSNAME to
> the ipsec pki command used to generate the server certificate.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 05.12.2014 um 19:16 schrieb Imran Akbar:
> > I've gotten past that issue by ensuring I was using the IP when generating the certificates, as in:
> > http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
>
> > but now the client cannot verify the server with the message "verifying gateway authentication failed"
> > and in the client log:
> > "no trusted RSA public key found for 'C=CN, O=strongSwan, CN=54.169.64.53'"
>
> > How can I verify the server without installing its public key on every client, or using a PSK (which the Android client doesn't support)?
>
> > thanks,
> > imran
>
> > On Fri, Dec 5, 2014 at 9:04 AM, Imran Akbar <skunkwerk at gmail.com <mailto:skunkwerk at gmail.com> <mailto:skunkwerk at gmail.com <mailto:skunkwerk at gmail.com>>> wrote:
>
> >     When I change the ipsec.conf from:
> >     rightauth=psk
> >     righauth2=eap-mschapv2
>
> >     to:
> >     rightauth=eap-mschapv2
>
> >     the server log now contains:
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] looking for peer configs matching 172.31.26.153[%any]...172.56.39.247[app]
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] selected peer config 'android'
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] peer supports MOBIKE
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] no IDr configured, fall back on IP address
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] authentication of '172.31.26.153' (myself) with pre-shared key
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[NET] sending packet: from 172.31.26.153[4500] to 172.56.39.247[63277] (124 bytes)
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 15[NET] received packet: from 172.56.39.247[63277] to 172.31.26.153[4500] (76 bytes)
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>
> >     and I get a different error message in the client log:
> >     no shared key found for 'app'
>
> >     As I was never prompted for the PSK in the app, I'm guessing the Android client doesn't support it?
> >     Therefore, the only way to get this working is for the server to authenticate with a certificate, it seems.
> >     Which isn't working, as it's not parsing my private key properly.
>
> >     thanks,
> >     imran
>
> >     On Fri, Dec 5, 2014 at 8:41 AM, Imran Akbar <skunkwerk at gmail.com <mailto:skunkwerk at gmail.com> <mailto:skunkwerk at gmail.com <mailto:skunkwerk at gmail.com>>> wrote:
>
> >         Hey Thomas,
>
> >         Here's my latest attempt to get a setup working without requiring client certificates.
>
> >         Client is Strongswan Android, server is running Strongswan 5.2.2 on a fresh Ubuntu 14 server on EC2 with UDP ports 500 and 4500 opened.
> >         Client is connecting via IKEv2 username/password.
>
> >         Is PSK the same as the "EAP username/password" option in the Strongswan android client?  I have a feeling it's not, ie this config will not work for EAP-MSCHAPv2: http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/
>
> >         But there's no documentation on a version of this one without the gateway authenticating via a RSA key:
> >         http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/
>
> >         I've tried with the gateway authenticating itself using a certificate, and with PSK - both have the same error:
> >         *"peer requested EAP, config inacceptable"*
>
> >         In addition, the gateway seems unable to parse my private server key:
> >         *building CRED_PRIVATE_KEY - RSA failed*, tried 5 builders
> >         Dec  5 16:15:13 ip-172-31-26-153 charon: 00[CFG]   loading private key from '/etc/ipsec.d/private/serverKey.pem' failed
> >         even though I see openssl, pkcs1, and pem in my plugins - though I'm not sure which ones weren't loaded, as it doesn't say in the log.
>
> >         attempt 1 - with gateway using public key:
> >         ipsec.conf: https://pastee.org/z8234
> >         ipsec.secrets: https://pastee.org/mva6t
> >         server log: https://pastee.org/t2ahc
>
> >         attempt 2 - with gateway using PSK:
> >         ipsec.conf: https://pastee.org/f4fbp
> >         ipsec.secrets: https://pastee.org/mva6t
> >         server log: https://pastee.org/6yd8q
>
> >         Can someone please help?
>
> >         thanks,
> >         imran
>
> >         On Thu, Dec 4, 2014 at 3:21 AM, Thomas <jk at c.vu <mailto:jk at c.vu <mailto:jk at c.vu>>> wrote:
>
> >             Hi,
>
> >             ok, so I have to change my EAP-MSCHAPv2 configuration.
> >             I've tested a lot, but don't find any ipsec-configuration where the
> >             client don't need the certificate installed local.
>
> >             Do you have any ideas based on my posted ipsec.conf ?
>
> >             Best regards
> >             Thomas
>
> >             Am 04.12.2014 10:40, schrieb Martin Willi:
> >             > Hi,
> >             >
> >             >> Any idea whats the best authentication method for username/password only
> >             >> on client-side? EAP-MD5?
> >             >> The client should be able to connect via windows ikev2 native clients,
> >             >> the strongswan android-app,
> >             > If you want to use the native Windows IKEv2 Agile VPN client, there is
> >             > no way around EAP-MSCHAPv2 for username/password authentication. You
> >             > could wrap that in PEAP/TTLS, but that most likely makes no sense for
> >             > your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]
> >             > for configuration details.
> >             >
> >             >> and the native clients from osx/ios.
> >             > OS X does not natively support IKEv2. You'd have to stick to IKEv1 with
> >             > XAuth, so you need a separate configuration profile. Please note that
> >             > there are rekeying issues with that client, which usually breaks the
> >             > tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]
> >             > for configuration details.
> >             >
> >             > iOS supports IKEv2 since version 8, older versions support IKEv1 only.
> >             > Refer to [3] for details about deploying configuration profiles.
> >             >
> >             > Regards
> >             > Martin
> >             >
> >             > [1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
> >             > [2]https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> >             > [3]https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
> >             >
> >             >
>
> >             _______________________________________________
> >             Users mailing list
> >             Users at lists.strongswan.org <mailto:Users at lists.strongswan.org> <mailto:Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>>
> >             https://lists.strongswan.org/mailman/listinfo/users
>
>
>
>
>
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
>     _______________________________________________
>     Users mailing list
>     Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
>     https://lists.strongswan.org/mailman/listinfo/users
>
>




More information about the Users mailing list