[strongSwan] StrongSwan Mac OS X app questions

Martin Willi martin at strongswan.org
Mon Mar 16 09:23:36 CET 2015


Ken,

> Are there any issues with DNS & StrongSwan Mac OS X app?  

The osx-attr plugin prepends the negotiated DNS servers to the currently
configured ones. You may check with scutil if that works as expected.

Not sure if keeping the current DNS servers installed is the best
approach, maybe we should remove the previous servers. But we currently
just add them to have them as a fallback.

> 2. EAP-GTC authentication.  I would like to use EAP-GTC authentication
>    with the Mac app and would be willing to modify the app to add this
>    feature.

Currently the eap-gtc plugin is not included in the build we provide.
But I can do so for a next release. You may also check the build
instructions [1] if you want to try that yourself (a note of warning:
you need a code signing certificate to get things working).

> 3.  Machine authentication.  Why doesn’t the Mac app require a client
>     certificate for machine authentication, as is required for the native
>     Mac client?

The native OS X client uses IKEv1, and usually XAuth. XAuth does both,
Certificate and Password client authentication, but it also can use
Hybrid Mode which skips certificate authentication.

The strongSwan App uses IKEv2, currently with EAP. In that protocol
certificate client authentication is not included unless you do EAP-TTLS
and a password based EAP method. Of course one could use Multiple
Authentication as per RFC 4739, but as of now there is no option to
configure that on the client.

> 4. Password configuration.  It would be nice to be able to configure
>    the user’s password, instead of having to enter it on every tunnel
>    invocation.

I agree, but such a functionality is still missing. Patches welcome; but
we should rely on the Keychain to have some level of security for that
password.

> Does the client cache the password for the entire session lifetime?
> Does the Mac app present the original password during
> re-authentication?

No, I don't think that makes sense. If you want to re-evaluate user
credentials and check if the same user still sits on that client, you'd
need to re-prompt for the password.

If you don't want to do that, instead of caching the password you may
just disable re-authentication on the server, and use rekeying instead.
You may do so in ipsec.conf by setting reauth=no. There is no security
benefit in going through re-authentication if you cache the password
anyway.

While re-prompting for the password in some scenarios might make sense,
I don't think that this currently works. So there is probably no way
around setting reauth=no on your server.

Regards
Martin

[1]https://github.com/strongswan/strongswan/blob/master/src/frontends/osx/README.md
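The advice above, disabling re-authentication on the server and relying on IKE_SA rekeying instead, as an added ipsec.conf fragment that is not part of Martin's message or of the strongSwan project files. The connection name, certificate file, subnets, address pool, DNS server and lifetimes are assumed placeholders; reauth, rekey, ikelifetime, lifetime and margintime are standard strongSwan ipsec.conf keywords.

```ini
# Server-side ipsec.conf (assumed example): IKEv2 with EAP clients such as the OS X app.
conn eap-clients
    keyexchange=ikev2
    # The server proves its identity with a certificate; the client authenticates with EAP.
    leftauth=pubkey
    leftcert=serverCert.pem          # placeholder certificate file
    leftsubnet=0.0.0.0/0
    rightauth=eap-mschapv2           # any password-based EAP method the client supports
    eap_identity=%identity
    rightsourceip=10.0.1.0/24        # placeholder virtual IP pool
    rightdns=10.0.0.53               # placeholder DNS server pushed to the client
    # Rekey the IKE_SA periodically instead of re-authenticating the user.
    # With the default reauth=yes the IKE_SA is torn down and rebuilt at every
    # ikelifetime expiry, which makes an EAP client re-prompt for the password;
    # with reauth=no only fresh keys are derived and the authentication stays in place.
    reauth=no
    rekey=yes
    ikelifetime=3h                   # IKE_SA rekey interval
    lifetime=1h                      # CHILD_SA rekey interval
    margintime=9m                    # start rekeying this long before expiry
    auto=add
```

reauth=no only affects IKEv2 connections such as the app's; for IKEv1 peers like the native OS X client, rekeying of the IKE_SA always implies re-authentication, so the setting has no effect there.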


