[strongSwan] Android VPN
martin at strongswan.org
Wed Jul 2 12:15:12 CEST 2014
Kindly asking to keep the discussion on the list, thanks.
> I am trying to load an internal CA cert to use x.509 for the client I
> will need to use the mutual authentication MSCHAPv2 as well it's a
> requirement for corporate security.
While EAP-MSCHAPv2 provides mutual authentication, it is not considered
secure, hence certificate authentication is used in IKEv2 to
authenticate the gateway before starting the EAP exchange.
> Each user has a user ID and PSK as well and then each has IMS
No PSK is required if you use certificate authentication of the gateway
before starting EAP-MSCHAPv2.
If you have unique and strong PSKs for each user, using PSK instead of
certificate server authentication is possible. Handling a large set of
PSK is cumbersome, forcing strong PSKs difficult. Certificate
authentication is superior, and therefore the currently supported option
in the Android client.
> Do I have to make configuration changes to use the MSK in EAP-MSCHAPv2?
EAP-MSCHAPv2 generates an MSK, and that is used in IKEv2 to generate the
AUTH payloads. Refer to RFC5996 for details.
More information about the Users