[strongSwan] is it authenticate IPSec pre-shared keys (PSK) not from ipsec.secrets?
Oleksandr Yermolenko
aae at sumix.com
Fri Sep 26 13:35:47 CEST 2014
Hello, Martin,
Thanks a lot for your advices. Currently, I'm trying to discover
is my cisco RV082/RV200 EAP compatible. As far I understand, I can use
only PSK on these devices.
Reseller is not available. anyway, I have to check.
Could someone tell me client VPN Router which supports EAP.
I will find the docs and compare features with my RV082/RV200 ?
Thanks again for everyone.
Alex
On 25.09.14 15:54, Martin Willi wrote:
> Hi,
>
>> is there any possibility to authenticate IPSec pre-shared keys (PSK)
>> not from ipsec.secrets.
> As IKE PSK authentication has security implications and is not
> recommended for larger deployments, we don't provide any backend for
> preshared keys beyond ipsec.secrets or swanctl.conf. However, you may
> implement your own plugin that returns preshared keys from a custom
> source for authentication.
>
> Usually you'd use EAP that allows you to forward user authentication to
> your AAA backend using the eap-radius plugin [1].
>
>> It would be great for me to build some logic on radius server with
>> traditional start/stop/alive events..
> Such events can be realized using the accounting functionality in the
> eap-radius plugin. Even if you do authentication by other means,
> strongSwan can send such information to your AAA backend over RADIUS.
>
> Regards
> Martin
>
> [1]https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
>
More information about the Users
mailing list