[strongSwan] Android VPN

Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 30 17:27:39 CEST 2014


Hi David,

the IKEv2 RFC 5996 explicitly states in the second
paragraph on page 112 of section 5 Security Considerations

    http://tools.ietf.org/html/rfc5996#section-5

    An implementation using EAP MUST also use a public-key-based
    authentication of the server to the client before the EAP
    authentication begins, even if the EAP method offers mutual
    authentication.  This avoids having additional IKEv2 protocol
    variations and protects the EAP data from active attackers.

Since strongSwan strictly adheres to Internet Standards, your mode
of operation using PSK with EAP is not admissible.

Best regards

Andreas

On 30.06.2014 17:13, Mcginniss, David S [NTK] wrote:
> The real problem is we have no need of the certificate for IPsec with PSK and MSCHAPv2 but can't disable it in the strongSwan client.
>
> -----Original Message-----
> From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of Noel Kuntze
> Sent: Friday, June 27, 2014 2:07 PM
> To: users at lists.strongswan.org
> Subject: Re: [strongSwan] Android VPN
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello David,
>
> I advise looking at [1]. For importing certificates on Android devices, you need to import them into the Android key store.
> You do this by packaging the CA, private key of the user certificate as well as the user certificate into a p12-file and importing it on the Android device by opening it with a file manager.
> After you imported it, you can set it in the strongSwan VPN app, or whatever app you're using (or the integrated client).
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
>
> Regards,
> Noel Kuntze
>
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 27.06.2014 20:49, schrieb Mcginniss, David S [NTK]:
>> I am looking for support for Android VPN for the following client config with an IKEv2 client supporting MSK. I would try with a cert as long as I can install a cert and I can't figure out how to install a cert without rooting the device which I don't want to do.
>>
>> IKEv2 using PSK and MSCHAPv2 example
>>
>> SEgw.xxx.yyy.net FQDN
>> SEGWID  segw at xxx.xxx.net <mailto:segw at xxx.xxx.net>
>> SEGW PSK a1b2c3
>>
>> EAP-MSCHAPv2
>> AAA User ID at xxx.xxx.net <mailto:ID at xxx.xxx.net>
>> AAA Password d3e4f5g6
>>
>> David S. McGinniss
>>
>> Sr Telecom Design Engineer
>>
>> Service Platform Development
>>
>> David.McGinniss at Sprint.com <mailto:David.McGinniss at Sprint.com>
>>
>> (m) 630-926-3184
>>
>> This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
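The two technical points in this thread are Noel's procedure (package CA, user certificate and user key into a .p12 for the Android key store) and Andreas's rule (the gateway must authenticate with a certificate before EAP runs, so leftauth=psk together with an EAP rightauth is refused). The following script is an added example, not code from the thread or from the strongSwan project: it builds a CA, a gateway certificate whose SAN matches the dialled name, a user certificate bundled into a .p12, and writes the gateway-side conn that uses the admissible pubkey + EAP-MSCHAPv2 combination. The gateway name segw.example.net, the user identity alice@example.net, the passphrase and the address pool are constructed values, and the ipsec.conf stanza is a conventional strongSwan layout rather than anything David's real deployment uses.

```sh
#!/bin/sh
# Added example (not code from the thread or from the strongSwan project):
# generate a CA, a gateway certificate and a user certificate with OpenSSL,
# bundle the user credentials into the PKCS#12 file Noel describes, and emit
# a gateway conn that uses the pubkey + EAP combination Andreas describes.
# All names, passphrases and addresses below are constructed.
set -eu

GW_FQDN="segw.example.net"      # assumed gateway name, also used as leftid
USER_ID="alice@example.net"     # assumed user identity for the client cert
P12_PASS="changeit"             # constructed import passphrase for the .p12

make_pki() {           # $1 = output directory
  dir=$1
  # 1. Self-signed CA; its certificate goes to both the gateway and the phone.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example VPN CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # 2. Gateway certificate. The SAN must equal the name the client dials,
  #    because that is what the client checks during the pubkey server auth.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$GW_FQDN" > "$dir/gw.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$GW_FQDN" \
    -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null
  openssl x509 -req -in "$dir/gw.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/gw.ext" -out "$dir/gw.pem" 2>/dev/null
  # 3. User certificate, then CA + user cert + user key in one .p12 for import.
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/user.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$USER_ID" \
    -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/user.ext" -out "$dir/user.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/user.pem" -inkey "$dir/user.key" \
    -certfile "$dir/ca.pem" -name "$USER_ID" -out "$dir/user.p12" -passout "pass:$P12_PASS"
}

verify_chain() {       # $1 = dir; non-zero exit unless both leaf certs chain to the CA
  openssl verify -CAfile "$1/ca.pem" "$1/gw.pem" "$1/user.pem" >/dev/null
}

count_p12_certs() {    # $1 = .p12; prints how many certificates it carries (user + CA = 2)
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

gw_san() {             # $1 = dir; prints the DNS SAN of the gateway certificate
  openssl x509 -in "$1/gw.pem" -noout -ext subjectAltName | sed -n 's/^ *DNS://p'
}

write_conn() {         # $1 = dir; writes the gateway-side conn for ipsec.conf
  # leftauth=pubkey is the server-side authentication RFC 5996 section 5 requires;
  # leftauth=psk together with rightauth=eap-* is the combination strongSwan refuses.
  cat > "$1/ipsec.conf.android" <<EOF
conn android-eap
    keyexchange=ikev2
    left=%any
    leftid=@$GW_FQDN
    leftcert=gw.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    rightsourceip=10.10.10.0/24
    auto=add
EOF
}

OUT=$(mktemp -d)
make_pki "$OUT"
write_conn "$OUT"
verify_chain "$OUT"
echo "p12 for Android import: $OUT/user.p12 ($(count_p12_certs "$OUT/user.p12") certs, gateway SAN $(gw_san "$OUT"))"
```

The .p12 is what gets opened on the phone; the CA it carries lets the client validate gw.pem during the IKE_AUTH exchange before any EAP-MSCHAPv2 messages are sent, which is the protection Andreas's RFC quotation is about. The conn assumes gw.pem and its key are installed in strongSwan's certificate directories and that the MSCHAPv2 user credentials are provided in ipsec.secrets or via a RADIUS backend as in Noel's link.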
