[strongSwan] Windows connection and PSK
Noel Kuntze
noel at familie-kuntze.de
Fri Apr 24 02:30:47 CEST 2015
Hello Gilad,
As I wrote in my last email, you need to use an x509 certificate on the server side for mschapv2 to work in strongswan.
If you use IPsec/l2tp, you can of course use strongswan to build a PSK based IKEv1 transport mode VPN and use l2tp inside that.
User-based authentication is set up in xl2tpd, which handles l2tp, and therefore mschapv2 is handled in xl2tpd.
Use strongSwan 5.3.0 for the IPsec part, because of the connmark plugin[1].
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Connmark
Kind regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
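The charon log quoted further down in this thread shows the failure discussed here: the server authenticates itself with a pre-shared key, starts EAP, and the Windows client never continues. The triage script below is an added example, not part of the original e-mail or of strongSwan; the function name `triage`, the `WEAK` list and the finding strings are this example's own assumptions, and the sample lines are copied from that log.

```python
import re

# Sample input: six lines copied from the charon log quoted in this thread.
SAMPLE_LOG = """\
Apr 23 14:45:16 14[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 23 14:45:16 15[CFG] <ios8|1> selected peer config 'ios8'
Apr 23 14:45:16 15[IKE] <ios8|1> initiating EAP_IDENTITY method (id 0x00)
Apr 23 14:45:16 15[IKE] <ios8|1> authentication of 'vpn.hola.org' (myself) with pre-shared key
Apr 23 14:45:16 15[ENC] <ios8|1> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Apr 23 14:45:46 16[JOB] <ios8|1> deleting half open IKE_SA after timeout
"""

# Line shape: "Mon DD HH:MM:SS thread[SUBSYS] <conn|sa_id> message" (conn is optional).
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \d+\[\w+\] <(?:([^|>]+)\|)?(\d+)> (.*)$")
WEAK = ("3DES", "MODP_1024", "MD5")  # assumption: this example's own weak-algorithm list

def triage(log_text):
    """Return {sa_id: state}; each state carries a 'findings' list."""
    sas = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("> ").rstrip())  # tolerate mail quote markers
        if not m:
            continue
        conn, sa_id, msg = m.groups()
        sa = sas.setdefault(sa_id, {"conn": None, "proposal": None,
                                    "local_auth": None, "eap": False,
                                    "half_open_timeout": False})
        if conn:
            sa["conn"] = conn
        if msg.startswith("selected proposal: "):
            sa["proposal"] = msg.split(": ", 1)[1]
        elif "(myself) with " in msg:
            sa["local_auth"] = msg.rsplit("with ", 1)[1]
        elif msg.startswith("initiating EAP_IDENTITY"):
            sa["eap"] = True
        elif msg.startswith("deleting half open IKE_SA"):
            sa["half_open_timeout"] = True
    for sa in sas.values():
        f = sa["findings"] = []
        if sa["eap"] and sa["local_auth"] == "pre-shared key":
            f.append("server used PSK while requesting EAP; thread says it needs an X.509 certificate")
        if sa["half_open_timeout"]:
            f.append("no further IKE_AUTH from initiator; SA expired half-open")
        weak = [w for w in WEAK if sa["proposal"] and w in sa["proposal"]]
        if weak:
            f.append("weak algorithms negotiated: " + ", ".join(weak))
    return sas
```

Calling `triage(SAMPLE_LOG)["1"]["findings"]` returns three findings for the `ios8` attempt; the function also accepts lines still carrying the `>` quote markers of a mail archive.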
On 24.04.2015 at 02:06, gilad wrote:
> Hi,
>
> Thanks for your feedback. Actually, security is not our main concern here but rather a simple VPN setup.
>
> We were able to set up connections using PSK on iOS devices (both for L2TP and IKEv2), but unable to do so for Windows users.
>
> Our goal is to have Strongswan configured for most common platforms based on username/password authentication (with/o PSK) without requiring our users to install anything on their machines (not even a certificate). We are aware of the fact that certificate based authentication is much more secure, but this is not relevant in our case.
>
> Thanks,
> Gilad
>
>
> On 2015-04-23 19:01, Noel Kuntze wrote:
> Hello Gilad,
>
> If you have several users, using PSKs is suicidal, as any person with the PSK
> can now act as a server and get your client's data. I hope you are aware of that.
>
> For mschapv2, the server needs a valid x509 certificate of a trusted CA.
> You cannot get around certificates, if you want to make it in any way secure.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 23.04.2015 at 21:24, gilad wrote:
> >>> Hi,
> >>>
> >>> Thanks for the reference. It does support PSK for L2TP connections (which does not work as well). I would like to set up Strongswan with eap-mschapv2 authentication (which is supported on Windows) - but I am trying to avoid having the users install a certificate. Most of the users are not technical and we don't want to force them to install anything. In addition, we cannot sign a certificate for the host name since our VPN servers are using dynamic DNS based on load balancing.
> >>>
> >>> -Gilad
> >>>
> >>> On 2015-04-23 15:13, Noel Kuntze wrote:
> >>> Hello Gilad,
> >>>
> >>> That's because Windows does not support PSK authentication[1].
> >>>
> >>> [1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
> >>>
> >>> Kind regards,
> >>> Noel Kuntze
> >>>
> >>> GPG Key ID: 0x63EC6658
> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>
> >>> On 23.04.2015 at 21:04, gilad wrote:
> >>> >>> I'm trying to set up Strongswan for both iOS devices and Windows machines. I would like to use PSK and/or passwords and not have the user install any certificate on his side.
> >>> >>>
> >>> >>> I've set up 2 types of connections: one using IKEv2 and one using IKEv1+XAuth. Both work well with iOS devices and PSK setup.
> >>> >>>
> >>> >>> The problem starts when I try to connect from a Windows machine. I was not able yet to set up Strongswan to accept connections from Windows without using a certificate. When using IKEv2 - Windows does not even offer an option to enter PSK.
> >>> >>>
> >>> >>> -Gilad
> >>> >>>
> >>> >>>
> >>> >>>
> >>> >>> Apr 23 14:43:46 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.13.0-43-generic, x86_64)
> >>> >>> Apr 23 14:43:46 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> >>> >>> Apr 23 14:43:46 00[CFG] loaded ca certificate "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
> >>> >>> Apr 23 14:43:46 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> >>> >>> Apr 23 14:43:46 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> >>> >>> Apr 23 14:43:46 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> >>> >>> Apr 23 14:43:46 00[CFG] loading crls from '/etc/ipsec.d/crls'
> >>> >>> Apr 23 14:43:46 00[CFG] loading secrets from '/etc/ipsec.secrets'
> >>> >>> Apr 23 14:43:47 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/strongswanKey.pem'
> >>> >>> Apr 23 14:43:47 00[CFG] loaded IKE secret for %any
> >>> >>> Apr 23 14:43:47 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls xauth-generic
> >>> >>> Apr 23 14:43:47 00[JOB] spawning 16 worker threads
> >>> >>> Apr 23 14:43:47 10[CFG] received stroke: add connection 'ios8'
> >>> >>> Apr 23 14:43:47 10[CFG] conn ios8
> >>> >>> Apr 23 14:43:47 10[CFG] left=%any
> >>> >>> Apr 23 14:43:47 10[CFG] leftsubnet=0.0.0.0/0
> >>> >>> Apr 23 14:43:47 10[CFG] leftauth=psk
> >>> >>> Apr 23 14:43:47 10[CFG] leftid=vpn.hola.org
> >>> >>> Apr 23 14:43:47 10[CFG] right=%any
> >>> >>> Apr 23 14:43:47 10[CFG] rightsourceip=10.0.0.0/15
> >>> >>> Apr 23 14:43:47 10[CFG] rightdns=8.8.8.8,8.8.4.4
> >>> >>> Apr 23 14:43:47 10[CFG] rightauth=eap-mschapv2
> >>> >>> Apr 23 14:43:47 10[CFG] eap_identity=%any
> >>> >>> Apr 23 14:43:47 10[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
> >>> >>> Apr 23 14:43:47 10[CFG] esp=aes128-sha1,3des-sha1
> >>> >>> Apr 23 14:43:47 10[CFG] dpddelay=30
> >>> >>> Apr 23 14:43:47 10[CFG] dpdtimeout=150
> >>> >>> Apr 23 14:43:47 10[CFG] dpdaction=1
> >>> >>> Apr 23 14:43:47 10[CFG] mediation=no
> >>> >>> Apr 23 14:43:47 10[CFG] keyexchange=ikev2
> >>> >>> Apr 23 14:43:47 10[CFG] left nor right host is our side, assuming left=local
> >>> >>> Apr 23 14:43:47 10[CFG] adding virtual IP address pool 10.0.0.0/15
> >>> >>> Apr 23 14:43:47 10[CFG] added configuration 'ios8'
> >>> >>> Apr 23 14:43:47 12[CFG] received stroke: add connection 'ios7'
> >>> >>> Apr 23 14:43:47 12[CFG] conn ios7
> >>> >>> Apr 23 14:43:47 12[CFG] left=%any
> >>> >>> Apr 23 14:43:47 12[CFG] leftsubnet=0.0.0.0/0
> >>> >>> Apr 23 14:43:47 12[CFG] leftauth=psk
> >>> >>> Apr 23 14:43:47 12[CFG] right=%any
> >>> >>> Apr 23 14:43:47 12[CFG] rightsourceip=10.0.0.0/15
> >>> >>> Apr 23 14:43:47 12[CFG] rightdns=8.8.8.8,8.8.4.4
> >>> >>> Apr 23 14:43:47 12[CFG] rightauth=psk
> >>> >>> Apr 23 14:43:47 12[CFG] rightauth2=xauth-generic
> >>> >>> Apr 23 14:43:47 12[CFG] eap_identity=%any
> >>> >>> Apr 23 14:43:47 12[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
> >>> >>> Apr 23 14:43:47 12[CFG] esp=aes128-sha1,3des-sha1
> >>> >>> Apr 23 14:43:47 12[CFG] dpddelay=30
> >>> >>> Apr 23 14:43:47 12[CFG] dpdtimeout=150
> >>> >>> Apr 23 14:43:47 12[CFG] dpdaction=1
> >>> >>> Apr 23 14:43:47 12[CFG] mediation=no
> >>> >>> Apr 23 14:43:47 12[CFG] keyexchange=ikev1
> >>> >>> Apr 23 14:43:47 12[CFG] left nor right host is our side, assuming left=local
> >>> >>> Apr 23 14:43:47 12[CFG] reusing virtual IP address pool 10.0.0.0/15
> >>> >>> Apr 23 14:43:47 12[CFG] added configuration 'ios7'
> >>> >>> Apr 23 14:45:16 14[NET] <1> received packet: from 52.8.76.87[500] to 104.236.254.145[500] (880 bytes)
> >>> >>> Apr 23 14:45:16 14[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> >>> >>> Apr 23 14:45:16 14[CFG] <1> looking for an ike config for 104.236.254.145...52.8.76.87
> >>> >>> Apr 23 14:45:16 14[CFG] <1> candidate: %any...%any, prio 28
> >>> >>> Apr 23 14:45:16 14[CFG] <1> found matching ike config: %any...%any with prio 28
> >>> >>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> >>> >>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> >>> >>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> >>> >>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> >>> >>> Apr 23 14:45:16 14[IKE] <1> 52.8.76.87 is initiating an IKE_SA
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable DIFFIE_HELLMAN_GROUP found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable DIFFIE_HELLMAN_GROUP found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> >>> >>> Apr 23 14:45:16 14[CFG] <1> proposal matches
> >>> >>> Apr 23 14:45:16 14[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
> >>> >>> Apr 23 14:45:16 14[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> >>> >>> Apr 23 14:45:16 14[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>> >>> Apr 23 14:45:16 14[IKE] <1> remote host is behind NAT
> >>> >>> Apr 23 14:45:16 14[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> >>> >>> Apr 23 14:45:16 14[NET] <1> sending packet: from 104.236.254.145[500] to 52.8.76.87[500] (308 bytes)
> >>> >>> Apr 23 14:45:16 15[NET] <1> received packet: from 52.8.76.87[4500] to 104.236.254.145[4500] (676 bytes)
> >>> >>> Apr 23 14:45:16 15[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> >>> >>> Apr 23 14:45:16 15[IKE] <1> received 12 cert requests for an unknown ca
> >>> >>> Apr 23 14:45:16 15[CFG] <1> looking for peer configs matching 104.236.254.145[%any]...52.8.76.87[172.31.18.184]
> >>> >>> Apr 23 14:45:16 15[CFG] <1> candidate "ios8", match: 1/1/28 (me/other/ike)
> >>> >>> Apr 23 14:45:16 15[CFG] <ios8|1> selected peer config 'ios8'
> >>> >>> Apr 23 14:45:16 15[IKE] <ios8|1> initiating EAP_IDENTITY method (id 0x00)
> >>> >>> Apr 23 14:45:16 15[IKE] <ios8|1> peer supports MOBIKE
> >>> >>> Apr 23 14:45:16 15[IKE] <ios8|1> authentication of 'vpn.hola.org' (myself) with pre-shared key
> >>> >>> Apr 23 14:45:16 15[ENC] <ios8|1> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
> >>> >>> Apr 23 14:45:16 15[NET] <ios8|1> sending packet: from 104.236.254.145[4500] to 52.8.76.87[4500] (116 bytes)
> >>> >>> Apr 23 14:45:46 16[JOB] <ios8|1> deleting half open IKE_SA after timeout
> >>> >>> _______________________________________________
> >>> >>> Users mailing list
> >>> >>> Users at lists.strongswan.org
> >>> >>> https://lists.strongswan.org/mailman/listinfo/users
> >>>