[strongSwan] server/client scenario with rsa auth or rsa plus xauth across all types of clients?

Noel Kuntze noel at familie-kuntze.de
Sat Sep 20 17:30:39 CEST 2014


Hello Cindy,

As you want to require credentials to be able to log in, as well as support IKEv1 AND IKEv2,
you need at least two conn definitions. The reason is that there are different credential-based
authentication methods implemented in IKEv1 and IKEv2. There's just XAUTH for IKEv1
and EAP for IKEv2. You can use any supported EAP method in IKEv2.
Many native apps only support PSK and credentials or RSA and credentials,
so forcing people to use credentials anyway is the way to go, I think.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 19.09.2014 at 20:45, Cindy Moore wrote:
> I wanted to step back and take a bigger picture look, because I feel
> like I'm getting really snarled in the middle of tiny details while
> possibly missing bigger issues.
> What I have:
> vpn server: Ubuntu 14.04 deploying the latest StrongSwan version in
> 14.04's repositories.
> clients: roadwarrior types: could be mac/windows/linux laptops, maybe
> some home desktops, possibly also android or apple devices, either
> tablets or phones.  The devices are not nearly as important.
> network: vpn and nat (separate servers) are on our public vlans.  The
> virtual ips are a small range of addresses within our private vlan
> networks that we'll dedicate to the vpn server's use.  The rest of the
> addresses are assigned to other servers, machines, etc. physically
> present on those vlans.
> What I'd like to do:
> Assign any particular client (we have maybe 50 or so) to a static
> virtual ip address, that is to say each time BobClient.pem/equivalent
> connects, he gets the same virtual ip address.
> Ideally, I'd love for them all to authenticate via RSA certificate.
> I'd like to be able to accept either ikev1 or ikev2 connections.  (I
> now understand the presence of mac/apple means I must have ikev1).
> I could also go with everyone must RSA cert authenticate, then xauth
> via the xauth-pam module, but I'm not going to recompile strongswan
> for that module unless I know that's possible to get it to work with
> all the possible clients I have.  If I must, it could be RSA plus
> xauth via ipsec.secrets. But the vpn server is set up to authenticate
> logins via pam to our ldap and it'd be cool to hook into that if
> possible.
> Anyway, ideally everyone would authenticate the same way.   I don't
> want Carol asking me, "Well gee, Bob doesn't need username/password,
> how come I have to do that?"
> How I thought I'd approach this:
> First I thought I'd try to set up as generic as possible connections
> that would work for all of them (setting aside the static virtual ip
> for the moment).
> My question -- is this possible?  Is there some minimal roadwarrior
> conn definition that all of these laptops/devices could all connect
> to?  *Can* they all connect rsa only or rsa+xauth?
> I'm trying to use native apps client side wherever possible, as I want
> to minimize the work on the clients' end.  But it seems like between
> the native apps and the various plugins or apps (eg
> network-manager-strongswan, android strongswan app), I may have to
> have at least two types of conns because of different authentication
> types available/restrictions?
> Obviously, if I want ikev2 connections, I will have to have a minimum
> of two base conns because of mac/apple -- any other gotchas?  I don't
> want to use the mac app since it looks like that forces me to use EAP.
> Then once I got my minimum set of generic conns working for all the
> roadwarrior types, I could start making individualized conns, etc,
> something like:
> conn roadwarrior-bob
>     also "basic-roadwarrior"
>     right=bobCert.pem    # or maybe rightid="...CN=bob at client.com"  ?
>     rightsourceip=
> conn roadwarrior-carol
>     also "basic-roadwarrior"
>     right=carolCert.pem # etc
>     rightsourceip=
> and so on.  If someone didn't have an individualized conn, they could
> drop down into a catchall conn that would dynamically assign a virtual
> ip.
> How feasible is this?
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

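The two-conn layout Noel describes, written out as an ipsec.conf fragment. This is an added example, not configuration from the thread or from the strongSwan project. Everything concrete in it is assumed: the server certificate name and DN, the client DN for "bob", the PAM-backed XAuth plugin being present in the installed build, and the virtual-IP ranges (a static range 10.10.10.1-10.10.10.127 for per-client conns and a separate pool 10.10.10.128/25 for the catch-all, so the dynamic pool can never hand out an address that is reserved for a named client).

```ini
# /etc/ipsec.conf (added example; names, DNs and addresses are assumptions)

conn %default
        left=%any
        leftcert=vpnCert.pem                     # assumed server certificate in /etc/ipsec.d/certs
        leftid="C=US, O=Example, CN=vpn.example.com"
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        right=%any
        rightauth=pubkey                          # every client presents an RSA certificate
        rightca=%same                             # only accept certificates from the CA that issued ours
        auto=add

# IKEv1 clients: RSA certificate, then XAUTH as the second (credential) round.
# rightauth2 picks the XAuth backend; xauth-pam hands the username/password to PAM.
# The PAM service name is set in strongswan.conf: charon.plugins.xauth-pam.pam_service
conn ikev1-rw
        keyexchange=ikev1
        rightauth2=xauth-pam
        rightsourceip=10.10.10.128/25             # dynamic pool for clients without their own conn

# IKEv2 clients: RSA certificate, then EAP as a second authentication round (RFC 4739).
# eap_identity=%identity makes the EAP identity default to the IKEv2 identity.
conn ikev2-rw
        keyexchange=ikev2
        rightauth2=eap-mschapv2
        eap_identity=%identity
        rightsourceip=10.10.10.128/25

# Per-client conns: same settings as the base conn, selected by certificate subject,
# with a fixed one-address pool. One conn per IKE version, because keyexchange is inherited.
conn ikev1-bob
        also=ikev1-rw
        rightid="C=US, O=Example, CN=bob"
        rightsourceip=10.10.10.11/32

conn ikev2-bob
        also=ikev2-rw
        rightid="C=US, O=Example, CN=bob"
        rightsourceip=10.10.10.11/32
```

Two caveats worth checking against the client list before building on this. First, charon matches a conn by IKE version and then by the peer identity, so a client whose certificate subject matches a per-client rightid lands in that conn and gets its fixed address, while everyone else falls through to the %any conn and its pool; the per-client addresses must therefore lie outside the catch-all pool, as above. Second, "certificate plus EAP" in IKEv2 relies on multiple authentication rounds, which, as far as I know, the strongSwan Android app supports but the native Windows and Apple IKEv2 clients do not; for those clients the choice is certificate-only (rightauth=pubkey with no rightauth2) or EAP-only (rightauth=eap-mschapv2, or eap-tls if you want the credential to remain a certificate).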