[strongSwan] Android VPN

Martin Willi martin at strongswan.org
Wed Jul 2 12:15:12 CEST 2014


Kindly asking to keep the discussion on the list, thanks.

> I am trying to load an internal CA cert to use x.509 for the client I
> will need to use the mutual authentication MSCHAPv2 as well it's a
> requirement for corporate security.

While EAP-MSCHAPv2 provides mutual authentication, it is not considered
secure, hence certificate authentication is used in IKEv2 to
authenticate the gateway before starting the EAP exchange.

> Each user has a user ID and PSK as well and then each has IMS
> credentials

No PSK is required if you use certificate authentication of the gateway
before starting EAP-MSCHAPv2.

If you have unique and strong PSKs for each user, using PSK instead of
certificate server authentication is possible. Handling a large set of
PSK is cumbersome, forcing strong PSKs difficult. Certificate
authentication is superior, and therefore the currently supported option
in the Android client.

> Do I have to make configuration changes to use the MSK in EAP-MSCHAPv2?

EAP-MSCHAPv2 generates an MSK, and that is used in IKEv2 to generate the
AUTH payloads. Refer to RFC5996 for details.


More information about the Users mailing list