[strongSwan] Windows connection and PSK

gilad gilad at mail.hola.org
Fri Apr 24 02:06:07 CEST 2015


Hi,

Thanks for your feedback. Actually, security is not our main concern here but 
rather a simple VPN setup.

We were able to set up connections using PSK on iOS devices (both for L2TP and 
IKEv2), but unable to do so for Windows users.

Our goal is to have strongSwan configured for most common platforms based on 
username/password authentication (with/o PSK) without requiring our users to 
install anything on their machines (not even a certificate). We are aware of 
the fact that certificate-based authentication is much more secure, but this 
is not relevant in our case.

Thanks,
Gilad


On 2015-04-23 19:01, Noel Kuntze wrote:
> Hello Gilad,
> 
> If you have several users, using PSKs is suicidal, as any person with the PSK
> can now act as a server and get your client's data. I hope you are aware of
> that.
> 
> For mschapv2, the server needs a valid x509 certificate of a trusted CA.
> You cannot get around certificates if you want to make it in any way secure.
> 
> Kind Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 23.04.2015 at 21:24, gilad wrote:
>> Hi,
>> 
>> Thanks for the reference. It does support PSK for L2TP connections (which 
>> does not work as well). I would like to set up strongSwan with eap-mschapv2 
>> authentication (which is supported on Windows) - but I am trying to avoid 
>> having the users install a certificate. Most of the users are not 
>> technical and we don't want to force them to install anything. In addition, 
>> we cannot sign a certificate for the host name since our VPN servers are 
>> using dynamic DNS based on load balancing.
>> 
>> -Gilad
>> 
>> On 2015-04-23 15:13, Noel Kuntze wrote:
>> Hello Gilad,
>> 
>> That's because Windows does not support PSK authentication[1].
>> 
>> [1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
>> 
>> Kind Regards,
>> Noel Kuntze
>> 
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> 
>> On 23.04.2015 at 21:04, gilad wrote:
>> >>> I'm trying to set up strongSwan for both iOS devices and Windows machines. I would like to use PSK and/or passwords and not have the user install any certificate on his side.
>> >>>
>> >>> I've set up 2 types of connections: one using IKEv2 and one using IKEv1+XAuth. Both work well with iOS devices and PSK setup.
>> >>>
>> >>> The problem starts when I try to connect from a Windows machine. I have not yet been able to set up strongSwan to accept connections from Windows without using a certificate. When using IKEv2 - Windows does not even offer an option to enter PSK.
>> >>>
>> >>> -Gilad
>> >>>
>> >>>
>> >>>
>> >>> Apr 23 14:43:46 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.13.0-43-generic, x86_64)
>> >>> Apr 23 14:43:46 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> >>> Apr 23 14:43:46 00[CFG]   loaded ca certificate "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
>> >>> Apr 23 14:43:46 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> >>> Apr 23 14:43:46 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> >>> Apr 23 14:43:46 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> >>> Apr 23 14:43:46 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> >>> Apr 23 14:43:46 00[CFG] loading secrets from '/etc/ipsec.secrets'
>> >>> Apr 23 14:43:47 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/strongswanKey.pem'
>> >>> Apr 23 14:43:47 00[CFG]   loaded IKE secret for %any
>> >>> Apr 23 14:43:47 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls xauth-generic
>> >>> Apr 23 14:43:47 00[JOB] spawning 16 worker threads
>> >>> Apr 23 14:43:47 10[CFG] received stroke: add connection 'ios8'
>> >>> Apr 23 14:43:47 10[CFG] conn ios8
>> >>> Apr 23 14:43:47 10[CFG]   left=%any
>> >>> Apr 23 14:43:47 10[CFG]   leftsubnet=0.0.0.0/0
>> >>> Apr 23 14:43:47 10[CFG]   leftauth=psk
>> >>> Apr 23 14:43:47 10[CFG]   leftid=vpn.hola.org
>> >>> Apr 23 14:43:47 10[CFG]   right=%any
>> >>> Apr 23 14:43:47 10[CFG]   rightsourceip=10.0.0.0/15
>> >>> Apr 23 14:43:47 10[CFG]   rightdns=8.8.8.8,8.8.4.4
>> >>> Apr 23 14:43:47 10[CFG]   rightauth=eap-mschapv2
>> >>> Apr 23 14:43:47 10[CFG]   eap_identity=%any
>> >>> Apr 23 14:43:47 10[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
>> >>> Apr 23 14:43:47 10[CFG]   esp=aes128-sha1,3des-sha1
>> >>> Apr 23 14:43:47 10[CFG]   dpddelay=30
>> >>> Apr 23 14:43:47 10[CFG]   dpdtimeout=150
>> >>> Apr 23 14:43:47 10[CFG]   dpdaction=1
>> >>> Apr 23 14:43:47 10[CFG]   mediation=no
>> >>> Apr 23 14:43:47 10[CFG]   keyexchange=ikev2
>> >>> Apr 23 14:43:47 10[CFG] left nor right host is our side, assuming left=local
>> >>> Apr 23 14:43:47 10[CFG] adding virtual IP address pool 10.0.0.0/15
>> >>> Apr 23 14:43:47 10[CFG] added configuration 'ios8'
>> >>> Apr 23 14:43:47 12[CFG] received stroke: add connection 'ios7'
>> >>> Apr 23 14:43:47 12[CFG] conn ios7
>> >>> Apr 23 14:43:47 12[CFG]   left=%any
>> >>> Apr 23 14:43:47 12[CFG]   leftsubnet=0.0.0.0/0
>> >>> Apr 23 14:43:47 12[CFG]   leftauth=psk
>> >>> Apr 23 14:43:47 12[CFG]   right=%any
>> >>> Apr 23 14:43:47 12[CFG]   rightsourceip=10.0.0.0/15
>> >>> Apr 23 14:43:47 12[CFG]   rightdns=8.8.8.8,8.8.4.4
>> >>> Apr 23 14:43:47 12[CFG]   rightauth=psk
>> >>> Apr 23 14:43:47 12[CFG]   rightauth2=xauth-generic
>> >>> Apr 23 14:43:47 12[CFG]   eap_identity=%any
>> >>> Apr 23 14:43:47 12[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
>> >>> Apr 23 14:43:47 12[CFG]   esp=aes128-sha1,3des-sha1
>> >>> Apr 23 14:43:47 12[CFG]   dpddelay=30
>> >>> Apr 23 14:43:47 12[CFG]   dpdtimeout=150
>> >>> Apr 23 14:43:47 12[CFG]   dpdaction=1
>> >>> Apr 23 14:43:47 12[CFG]   mediation=no
>> >>> Apr 23 14:43:47 12[CFG]   keyexchange=ikev1
>> >>> Apr 23 14:43:47 12[CFG] left nor right host is our side, assuming left=local
>> >>> Apr 23 14:43:47 12[CFG] reusing virtual IP address pool 10.0.0.0/15
>> >>> Apr 23 14:43:47 12[CFG] added configuration 'ios7'
>> >>> Apr 23 14:45:16 14[NET] <1> received packet: from 52.8.76.87[500] to 104.236.254.145[500] (880 bytes)
>> >>> Apr 23 14:45:16 14[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>> >>> Apr 23 14:45:16 14[CFG] <1> looking for an ike config for 104.236.254.145...52.8.76.87
>> >>> Apr 23 14:45:16 14[CFG] <1>   candidate: %any...%any, prio 28
>> >>> Apr 23 14:45:16 14[CFG] <1> found matching ike config: %any...%any with prio 28
>> >>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
>> >>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
>> >>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
>> >>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>> >>> Apr 23 14:45:16 14[IKE] <1> 52.8.76.87 is initiating an IKE_SA
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable DIFFIE_HELLMAN_GROUP found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable PSEUDO_RANDOM_FUNCTION found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable PSEUDO_RANDOM_FUNCTION found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable DIFFIE_HELLMAN_GROUP found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable PSEUDO_RANDOM_FUNCTION found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable PSEUDO_RANDOM_FUNCTION found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>> >>> Apr 23 14:45:16 14[CFG] <1>   proposal matches
>> >>> Apr 23 14:45:16 14[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
>> >>> Apr 23 14:45:16 14[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>> >>> Apr 23 14:45:16 14[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> >>> Apr 23 14:45:16 14[IKE] <1> remote host is behind NAT
>> >>> Apr 23 14:45:16 14[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>> >>> Apr 23 14:45:16 14[NET] <1> sending packet: from 104.236.254.145[500] to 52.8.76.87[500] (308 bytes)
>> >>> Apr 23 14:45:16 15[NET] <1> received packet: from 52.8.76.87[4500] to 104.236.254.145[4500] (676 bytes)
>> >>> Apr 23 14:45:16 15[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>> >>> Apr 23 14:45:16 15[IKE] <1> received 12 cert requests for an unknown ca
>> >>> Apr 23 14:45:16 15[CFG] <1> looking for peer configs matching 104.236.254.145[%any]...52.8.76.87[172.31.18.184]
>> >>> Apr 23 14:45:16 15[CFG] <1>   candidate "ios8", match: 1/1/28 (me/other/ike)
>> >>> Apr 23 14:45:16 15[CFG] <ios8|1> selected peer config 'ios8'
>> >>> Apr 23 14:45:16 15[IKE] <ios8|1> initiating EAP_IDENTITY method (id 0x00)
>> >>> Apr 23 14:45:16 15[IKE] <ios8|1> peer supports MOBIKE
>> >>> Apr 23 14:45:16 15[IKE] <ios8|1> authentication of 'vpn.hola.org' (myself) with pre-shared key
>> >>> Apr 23 14:45:16 15[ENC] <ios8|1> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
>> >>> Apr 23 14:45:16 15[NET] <ios8|1> sending packet: from 104.236.254.145[4500] to 52.8.76.87[4500] (116 bytes)
>> >>> Apr 23 14:45:46 16[JOB] <ios8|1> deleting half open IKE_SA after timeout
>> >>> _______________________________________________
>> >>> Users mailing list
>> >>> Users at lists.strongswan.org
>> >>> https://lists.strongswan.org/mailman/listinfo/users


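A defender-side way to read the charon log quoted in this thread, as an added example that is not part of the original messages or of strongSwan: it groups lines by IKE_SA and flags the server authenticating with a pre-shared key ahead of EAP, the half-open timeout that follows, and a weak negotiated proposal. The finding names, the `WEAK` policy set and the second sample SA are assumptions made for the example.

```python
import re
from collections import defaultdict

# SA 1 is copied from the log quoted in the thread; SA 2 is constructed for contrast.
SAMPLE_LOG = """\
Apr 23 14:45:16 14[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 23 14:45:16 15[CFG] <ios8|1> selected peer config 'ios8'
Apr 23 14:45:16 15[IKE] <ios8|1> initiating EAP_IDENTITY method (id 0x00)
Apr 23 14:45:16 15[IKE] <ios8|1> authentication of 'vpn.hola.org' (myself) with pre-shared key
Apr 23 14:45:46 16[JOB] <ios8|1> deleting half open IKE_SA after timeout
Apr 23 14:50:02 11[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Apr 23 14:50:02 12[IKE] <win|2> initiating EAP_IDENTITY method (id 0x00)
Apr 23 14:50:02 12[IKE] <win|2> authentication of 'vpn.example.test' (myself) with RSA signature successful
"""

# "<conn|id>" or "<id>" prefix; capture the IKE_SA id and the message text.
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \d+\[\w+\] <(?:[^|>]+\|)?(\d+)> (.*)$")
WEAK = {"3DES_CBC", "MODP_1024"}  # this example's policy, not taken from the thread

def analyze(log_text):
    """Return {ike_sa_id: sorted finding codes} for a charon log."""
    sas = defaultdict(dict)
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        sa_id, msg = m.groups()
        sa = sas[sa_id]
        if msg.startswith("selected proposal: IKE:"):
            sa["proposal"] = msg.split("IKE:", 1)[1].split("/")
        elif msg.startswith("initiating EAP_"):
            sa["eap"] = True
        elif "(myself) with " in msg:
            sa["server_auth"] = msg.split("(myself) with ", 1)[1]
        elif msg == "deleting half open IKE_SA after timeout":
            sa["half_open"] = True
    findings = {}
    for sa_id, sa in sas.items():
        codes = set()
        if WEAK & set(sa.get("proposal", [])):
            codes.add("weak-proposal")
        # Server proves itself with a shared secret while the client is asked for EAP.
        if sa.get("eap") and sa.get("server_auth", "").startswith("pre-shared key"):
            codes.add("psk-server-auth-with-eap")
        if sa.get("half_open"):  # client never answered the IKE_AUTH response
            codes.add("half-open-timeout")
        findings[sa_id] = sorted(codes)
    return findings

if __name__ == "__main__":
    for sa_id, codes in analyze(SAMPLE_LOG).items():
        print(sa_id, codes or "ok")
```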