[strongSwan] is it authenticate IPSec pre-shared keys (PSK) not from ipsec.secrets?

Martin Willi martin at strongswan.org
Thu Sep 25 14:54:31 CEST 2014


Hi,

> is there any possibility to authenticate IPSec pre-shared keys (PSK)
> not from ipsec.secrets.

As IKE PSK authentication has security implications and is not
recommended for larger deployments, we don't provide any backend for
preshared keys beyond ipsec.secrets or swanctl.conf. However, you may
implement your own plugin that returns preshared keys from a custom
source for authentication.

Usually you'd use EAP that allows you to forward user authentication to
your AAA backend using the eap-radius plugin [1].

> It would be great for me to build some logic on radius server with 
> traditional start/stop/alive events..

Such events can be realized using the accounting functionality in the
eap-radius plugin. Even if you do authentication by other means,
strongSwan can send such information to your AAA backend over RADIUS.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
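
As an added illustration (not part of Martin's message and not strongSwan code), this is the kind of logic an AAA backend can apply to the start/stop/alive accounting events discussed above: it verifies the RFC 2866 Request Authenticator against the shared secret before trusting an Accounting-Request. The function names, the secret and the sample packet are constructed for this example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                               # RFC 2866 packet code
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
STATUS = {1: "start", 2: "stop", 3: "alive"}         # 3 = Interim-Update ("Alive")
SECRET = b"constructed-shared-secret"                # constructed sample value

def authenticator(code, ident, attrs, secret):
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def attr(type_, value):
    return bytes([type_, len(value) + 2]) + value

def build_request(ident, attrs, secret):
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(ACCOUNTING_REQUEST, ident, attrs, secret) + attrs

def parse_request(packet, secret):
    """Return {'status', 'user', 'session'}; raise ValueError if invalid."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    if not hmac.compare_digest(authenticator(code, ident, attrs, secret), packet[4:20]):
        raise ValueError("bad Request Authenticator")
    event, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        type_, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        if type_ == ACCT_STATUS_TYPE and len(value) == 4:
            event["status"] = STATUS.get(struct.unpack("!I", value)[0], "other")
        elif type_ == USER_NAME:
            event["user"] = value.decode("utf-8", "replace")
        elif type_ == ACCT_SESSION_ID:
            event["session"] = value.decode("utf-8", "replace")
        pos += attrs[pos + 1]
    if "status" not in event:
        raise ValueError("missing Acct-Status-Type")
    return event

# Constructed sample packet: a "start" event for user "alice"
SAMPLE = build_request(7, attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))
                       + attr(USER_NAME, b"alice") + attr(ACCT_SESSION_ID, b"s-1"), SECRET)
```

Packets that fail the authenticator check are rejected before any attribute is read, so session logic is only driven by events from a client that holds the shared secret.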


