[strongSwan] strongswan without client certifikate
Imran Akbar
skunkwerk at gmail.com
Fri Dec 5 20:39:28 CET 2014
Hey Noel,
Do you mean using a trusted root CA certificate on Android will allow a
MITM attack if someone tries to impersonate our gateway? But if we
restrict clients to only connect to our gateway - and not others signed by
the same CA, would that still be an issue?
The VPN itself doesn't have access to any protected resources - which is
why I'm not worried about the lack of a PIN code on devices. It's ease of
use that I'm aiming for.
yours,
imran
On Fri, Dec 5, 2014 at 11:15 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Imran,
>
> I strongly recommend NOT doing that, as the clients would then trust any
> server with a certificate of the CA
> and try to authenticate against them with their credentials, which may
> expose them to attackers.
> Also, you should really advise your clients to set up pin code
> authentication to their phone's home screen, as
> an individual getting their hands on on a client's phone would get access
> to the VPN, if the phone wasn't locked with a code.
>
> You might want to use a p12 file then to make this easier. See this
> website [1] for an example command to create one.
> The clients can get it sent by email and they just need to open it and
> accept the certificates.
> I'm sorry for the last email. It seems I experienced a bug with enigmail
> on Thunderbird.
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)#PKCS12-file
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 05.12.2014 um 19:53 schrieb Imran Akbar:
> > Hey Noel,
> >
> > thanks for your continued help.
> > I generated a self-signed CA on my server and put it into the correct
> directories.
> >
> > While I can (and have previously) installed the CA certificate myself on
> the Android client, I don't want the other users who aren't as tech-savvy
> to have to do this step. It also requires them to set up a PIN code for
> their phone's home screen, which not everyone wants to have to do.
> >
> > If I used a paid, non-self-signed CA certificate that's tied back to one
> of the root certificates already installed on Android, would that solve
> this issue?
> >
> > regards,
> > imran
> >
> >
> >
> >
> >
> > On Fri, Dec 5, 2014 at 10:19 AM, Noel Kuntze <noel at familie-kuntze.de
> <mailto:noel at familie-kuntze.de>> wrote:
> >
> >
> > Hello Imran,
> >
> > Do you have a CA? You need to have your CA installed on all devices.
> >
> > Try adding the DNS name you're connecting to in an additional SAN field
> by adding --san DNSNAME to
> > the ipsec pki command used to generate the server certificate.
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > Am 05.12.2014 um 19:16 schrieb Imran Akbar:
> > > I've gotten past that issue by ensuring I was using the IP when
> generating the certificates, as in:
> > >
> http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
> >
> > > but now the client cannot verify the server with the message
> "verifying gateway authentication failed"
> > > and in the client log:
> > > "no trusted RSA public key found for 'C=CN, O=strongSwan,
> CN=54.169.64.53'"
> >
> > > How can I verify the server without installing its public key on every
> client, or using a PSK (which the Android client doesn't support)?
> >
> > > thanks,
> > > imran
> >
> > > On Fri, Dec 5, 2014 at 9:04 AM, Imran Akbar <skunkwerk at gmail.com
> <mailto:skunkwerk at gmail.com> <mailto:skunkwerk at gmail.com <mailto:
> skunkwerk at gmail.com>>> wrote:
> >
> > > When I change the ipsec.conf from:
> > > rightauth=psk
> > > righauth2=eap-mschapv2
> >
> > > to:
> > > rightauth=eap-mschapv2
> >
> > > the server log now contains:
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 14[CFG] looking for peer
> configs matching 172.31.26.153[%any]...172.56.39.247[app]
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 14[CFG] selected peer
> config 'android'
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] initiating
> EAP_IDENTITY method (id 0x00)
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] peer supports
> MOBIKE
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 14[CFG] no IDr
> configured, fall back on IP address
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] authentication of
> '172.31.26.153' (myself) with pre-shared key
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 14[ENC] generating
> IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 14[NET] sending packet:
> from 172.31.26.153[4500] to 172.56.39.247[63277] (124 bytes)
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 15[NET] received packet:
> from 172.56.39.247[63277] to 172.31.26.153[4500] (76 bytes)
> > > Dec 5 16:46:34 ip-172-31-26-153 charon: 15[ENC] parsed
> INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> >
> > > and I get a different error message in the client log:
> > > no shared key found for 'app'
> >
> > > As I was never prompted for the PSK in the app, I'm guessing the
> Android client doesn't support it?
> > > Therefore, the only way to get this working is for the server to
> authenticate with a certificate, it seems.
> > > Which isn't working, as it's not parsing my private key properly.
> >
> > > thanks,
> > > imran
> >
> > > On Fri, Dec 5, 2014 at 8:41 AM, Imran Akbar <skunkwerk at gmail.com
> <mailto:skunkwerk at gmail.com> <mailto:skunkwerk at gmail.com <mailto:
> skunkwerk at gmail.com>>> wrote:
> >
> > > Hey Thomas,
> >
> > > Here's my latest attempt to get a setup working without
> requiring client certificates.
> >
> > > Client is Strongswan Android, server is running Strongswan
> 5.2.2 on a fresh Ubuntu 14 server on EC2 with UDP ports 500 and 4500 opened.
> > > Client is connecting via IKEv2 username/password.
> >
> > > Is PSK the same as the "EAP username/password" option in the
> Strongswan android client? I have a feeling it's not, ie this config will
> not work for EAP-MSCHAPv2:
> http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/
> >
> > > But there's no documentation on a version of this one without
> the gateway authenticating via a RSA key:
> > >
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/
> >
> > > I've tried with the gateway authenticating itself using a
> certificate, and with PSK - both have the same error:
> > > *"peer requested EAP, config inacceptable"*
> >
> > > In addition, the gateway seems unable to parse my private
> server key:
> > > *building CRED_PRIVATE_KEY - RSA failed*, tried 5 builders
> > > Dec 5 16:15:13 ip-172-31-26-153 charon: 00[CFG] loading
> private key from '/etc/ipsec.d/private/serverKey.pem' failed
> > > even though I see openssl, pkcs1, and pem in my plugins -
> though I'm not sure which ones weren't loaded, as it doesn't say in the log.
> >
> > > attempt 1 - with gateway using public key:
> > > ipsec.conf: https://pastee.org/z8234
> > > ipsec.secrets: https://pastee.org/mva6t
> > > server log: https://pastee.org/t2ahc
> >
> > > attempt 2 - with gateway using PSK:
> > > ipsec.conf: https://pastee.org/f4fbp
> > > ipsec.secrets: https://pastee.org/mva6t
> > > server log: https://pastee.org/6yd8q
> >
> > > Can someone please help?
> >
> > > thanks,
> > > imran
> >
> > > On Thu, Dec 4, 2014 at 3:21 AM, Thomas <jk at c.vu <mailto:
> jk at c.vu <mailto:jk at c.vu>>> wrote:
> >
> > > Hi,
> >
> > > ok, so I have to change my EAP-MSCHAPv2 configuration.
> > > I've tested a lot, but don't find any ipsec-configuration
> where the
> > > client don't need the certificate installed local.
> >
> > > Do you have any ideas based on my posted ipsec.conf ?
> >
> > > Best regards
> > > Thomas
> >
> > > Am 04.12.2014 10:40, schrieb Martin Willi:
> > > > Hi,
> > > >
> > > >> Any idea whats the best authentication method for
> username/password only
> > > >> on client-side? EAP-MD5?
> > > >> The client should be able to connect via windows ikev2
> native clients,
> > > >> the strongswan android-app,
> > > > If you want to use the native Windows IKEv2 Agile VPN
> client, there is
> > > > no way around EAP-MSCHAPv2 for username/password
> authentication. You
> > > > could wrap that in PEAP/TTLS, but that most likely makes
> no sense for
> > > > your setup. The Android App supports EAP-MSCHAPv2 as
> well. Refer to [1]
> > > > for configuration details.
> > > >
> > > >> and the native clients from osx/ios.
> > > > OS X does not natively support IKEv2. You'd have to
> stick to IKEv1 with
> > > > XAuth, so you need a separate configuration profile.
> Please note that
> > > > there are rekeying issues with that client, which
> usually breaks the
> > > > tunnel after ~45 minutes if you rely on
> username/passwords. Refer to [2]
> > > > for configuration details.
> > > >
> > > > iOS supports IKEv2 since version 8, older versions
> support IKEv1 only.
> > > > Refer to [3] for details about deploying configuration
> profiles.
> > > >
> > > > Regards
> > > > Martin
> > > >
> > > > [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
> > > > [2]
> https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> > > > [3]
> https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
> > > >
> > > >
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org <mailto:
> Users at lists.strongswan.org> <mailto:Users at lists.strongswan.org <mailto:
> Users at lists.strongswan.org>>
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> >
> >
> >
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJUggRcAAoJEDg5KY9j7GZYubgQAJH1qCiuFlG4xrUGSXt/Onju
> 0vxxS+cIcXa/kHB+zAnC+dQZccfy60IQvyMiFq3vd8MhbhJdMFD6ThD6s5FrStRr
> 4Q4QzGBELNpTsQNXBklbNtNLQz8ViOfzv39dMlpzYUAmkV0czTIBKTnDcEpgE7s8
> ssEVkiWah7z7C+TmrpYujQMLo7ieabWKM+c+z1ExDuE1/OGRO1YHWG1pmpwfywE8
> IMyG0tKU3Jy7KlcBfEkr8ii1rP2Ce3qU0HIebpj3FUps1QoU/iLGJwIVuVdZRGBr
> WVwU5WBWA+4NKiAmKHu0V5XRpIzOvNzcb6lnUwMevaUm4XS5vxthpRh+NpMX5h3e
> OUPfmr6fQ9RUkNoIOMAmDfw5qVv0e0zpo3fOCHIPHjBHyEcTjiND0jmTPdG4O3Jh
> 6/x0/qtGWrENRWBp1zhPxq29ep13PXOwKbB0Th5jn0MdIcurmYux5W2n651FQ/St
> rHSAk0i36xX/ZssTIqWO4n5HYyKHhriGJ1RC3DTtVlbMpFc/DZip/DrayjBhBL0K
> Nfc0tXeDTuYbk+04id0MeNNfOf7sGaxxkNVIsNFE+qVimoi06p8IS+w7mnB9CpbB
> 6bMmiAbnOlih/weoshxTJBvtXitmC/h+nKe0nrYW7V7sqXN689N/2FvnQroLkSdK
> xo32z+IVrifIwBA+6gwW
> =1Qjj
> -----END PGP SIGNATURE-----
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141205/d6c3cec0/attachment-0001.html>
More information about the Users
mailing list