[strongSwan] Android VPN

[Mcginniss, David S [NTK]]

How can I install a certificate on the android device I have an entrust cert on server but it can't validate going to create an openssl cert and install.

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Tuesday, July 01, 2014 9:11 AM
To: Mcginniss, David S [NTK]
Cc: dev at lists.strongswan.org; users at lists.strongswan.org
Subject: Re: [strongSwan] Android VPN

David,

> IKEv2 using PSK and MSCHAPv2 example
>
> SEgw.xxx.yyy.net FQDN
> SEGWID  segw at xxx.xxx.net<mailto:segw at xxx.xxx.net>
> SEGW PSK a1b2c3
>
> EAP- MSCHAPv2
> AAA User ID at xxx.xxx.net<mailto:ID at xxx.xxx.net>
> AAA Password d3e4f5g6

EAP authentication in conjunction with PSK server authentication can be very problematic, and is therefore not allowed by RFC 5996, and not supported by our Android client.

If I understand correctly, you'd like to authenticate a large set of users to a security gateway. Each user authenticates itself using the mentioned AAA credentials. The gateway, on the other hand, uses a single
(?) PSK to authenticate itself against all users.

The problem is that each client has to know the security gateway PSK to verify it. Having that PSK, it can easily impersonate the gateway against all other users, and collect all the AAA credentials of all users. Something you really should avoid, especially with larger/open user groups.

It is therefore recommended to use public key authentication together with EAP. There also is the mutual EAP-only authentication extension [1], which is supported in strongSwan. However, EAP-MSCHAPv2 can not be considered secure, so you can't use it with that extension.

Regards
Martin

[1]http://tools.ietf.org/html/rfc5998


________________________________

This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.