[strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

Tobias Brunner tobias at strongswan.org
Tue Jul 19 15:21:08 CEST 2016

Hi Christian,

> Nevertheless, by removing: `eap_identity` I got the same result.

You might need it, but that depends on the client.

> On basis, I wanted to use StrongSwan as simple as possible without
> certificates CA.

That probably won't work as authenticating clients with EAP requires
authenticating the server with a certificate to be standard-compliant
(RFC 7296, section 2.16).  strongSwan can be configured to combine EAP
with PSK authentication.  But that's not recommended, as anybody knowing
it could impersonate the server, and most other implementations probably
don't support this combination.  Using EAP-only authentication is also
possible, if supported by the peer, but that calls for a strong mutual
EAP method like EAP-TLS (EAP-MSCHAPv2 is not one).

> Does that mean that in any case, you have to set up a CA in order to
> use strongSwan?
> Even with a VPN IKEv2 with preshared Key?

No.  If the client supports it you could, of course, use plain PSK
authentication (i.e. without EAP).  Even though it's not recommended for
larger roadwarrior deployments (again, anybody knowing the PSK could
impersonate the server).

Setting up a simple PKI (one CA certificate, one server certificate) is
quite easy (see previous link).  You could also use a free certificate
from Let's Encrypt or StartSSL, which your client might already trust,
which would relieve you from having to install your own CA certificate
on the clients.
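To make the two alternatives discussed above concrete, here is an added example configuration for the gateway side (not taken from the thread or from the strongSwan project). It assumes the Raspberry Pi is the IKEv2 responder, a hypothetical identity `@vpn.example.org`, a virtual-IP pool `10.10.10.0/24`, and an EAP user `alice`; the certificate and key file names are placeholders for whatever a simple PKI or a public CA issued. The first conn is plain PSK without EAP (anyone holding the PSK can impersonate the gateway); the second is the RFC 7296 section 2.16 layout, where the server authenticates with a certificate and the client with EAP-MSCHAPv2.

```conf
# /etc/ipsec.conf on the Raspberry Pi (constructed example, not from the original mail)
config setup

conn %default
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0          # route all client traffic through the tunnel
    right=%any
    rightsourceip=10.10.10.0/24   # assumed virtual-IP pool for roadwarriors

# Option 1: plain PSK on both sides, no EAP and no CA needed.
# Weak point: every peer that knows the PSK can also impersonate the gateway.
conn rw-psk
    leftid=@vpn.example.org       # assumed gateway identity
    leftauth=psk
    rightauth=psk
    auto=add

# Option 2: server proves itself with a certificate, client uses EAP-MSCHAPv2.
# The client must trust the CA that issued serverCert.pem (own CA or a public one).
conn rw-eap
    leftcert=serverCert.pem       # placeholder; lives in /etc/ipsec.d/certs
    leftid=@vpn.example.org       # must match a subjectAltName in the certificate
    leftauth=pubkey
    rightauth=eap-mschapv2
    rightsendcert=never           # client is not expected to present a certificate
    eap_identity=%identity        # use the EAP identity as the client's IKE identity
    auto=add

# /etc/ipsec.secrets (constructed example)
# Shared secret for conn rw-psk; replace with a long random value
: PSK "replace-with-a-long-random-secret"
# Private key for serverCert.pem, placed in /etc/ipsec.d/private
: RSA serverKey.pem
# EAP credentials for conn rw-eap
alice : EAP "replace-with-alice-password"
```

With both conns loaded, strongSwan picks the one whose authentication methods match what the peer proposes in IKE_AUTH, so a PSK client and an EAP client can coexist on the same gateway; the difference that matters for the question in the thread is that only `rw-eap` requires a certificate (and therefore a CA the client trusts), while `rw-psk` requires none at the cost of a shared secret that identifies the server to everyone who has it.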


