[strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

Christian Klugesherz christian.klugesherz at gmail.com
Tue Jul 19 17:05:09 CEST 2016

Hi Tobias,

Many thanks for your help.
I'm sorry to consume your time.
(I'm not an IPSec expert, even though I've now spent weeks reading docs.)
I must confess that it is really, really difficult to integrate all
this information, between configuration files, CAs, different SAs,
devices, ...
So many possibilities that I'm a bit lost :-(
And I'm close to giving up..

Does that mean that, with the configuration set up on my BB10, I have to
change it now in order to integrate the CA (see below)?

CA created with
$ sudo ipsec pki --gen --type rsa --size 4096 --outform pem > CAKey.pem
$ sudo cp CAKey.pem /etc/ipsec.d/private
$ sudo ipsec pki --self --ca --lifetime 3650 --in CAKey.pem --type rsa \
    --dn "C=DE, O=Home Network, CN=Root CA" --outform pem > CACert.pem
$ sudo cp CACert.pem /etc/ipsec.d/cacerts/
$ sudo ipsec pki --gen --type rsa --size 2048 --outform pem > VPNHostKey.pem
$ sudo cp VPNHostKey.pem /etc/ipsec.d/private/
$ sudo ipsec pki --pub --in VPNHostKey.pem --type rsa | ipsec pki \
    --issue --lifetime 3650 --cacert CACert.pem --cakey CAKey.pem \
    --dn "C=DE, O=Home VPN, CN=ckl.freeboxos.fr" --san ckl.freeboxos.fr \
    --flag serverAuth --flag ikeIntermediate --outform pem > VPNHostCert.pem

Configuration on my BB10.
Profile Name             : home
Server Address           :
Gateway Type             : Generic IKEv2 VPN Server
Authentication Type      : EAP-MSCHAPv2
Authentication ID Type   : email
ID Authentication        : alice            (not used, can be anything)
MSCHAPv2 EAP Identity    : alice            (not used, can be anything)
MSCHAPv2 Username        : alice            (-->username in ipsec.secrets)
MSCHAPv2 Password        : alicep           (-->alice password in ipsec.secrets)
Gateway Auth Type        : PSK
Gateway Auth ID Type     : IPv4
Gateway Preshared Key    : 123456#    (-->PSK password in ipsec.secrets)



2016-07-19 15:21 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Christian,
>> Nevertheless, by removing: `eap_identity` I got the same result.
> You might need it, but that depends on the client.
>> On basis, I wanted to use StrongSwan as simple as possible without
>> certificates CA.
> That probably won't work as authenticating clients with EAP requires
> authenticating the server with a certificate to be standard-compliant
> (RFC 7296, section 2.16).  strongSwan can be configured to combine EAP
> with PSK authentication.  But that's not recommended, as anybody knowing
> it could impersonate the server, and most other implementations probably
> don't support this combination.  Using EAP-only authentication is also
> possible, if supported by the peer, but that calls for a strong mutual
> EAP method like EAP-TLS (EAP-MSCHAPv2 is not one).
>> Does that mean that in any case, you have to set-up a CA in order to
>> use strongSwan ?
>> Even with a VPN IKEv2 with preshared Key ?
> No.  If the client supports it you could, of course, use plain PSK
> authentication (i.e. without EAP).  Even though it's not recommended for
> larger roadwarrior deployments (again, anybody knowing the PSK could
> impersonate the server).
> Setting up a simple PKI (one CA certificate, one server certificate) is
> quite easy (see previous link).  You could also use a free certificate
> from Let's Encrypt or StartSSL, which your client might already trust,
> which would relieve you from having to install your own CA certificate
> on the clients.
> Regards,
> Tobias

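To tie the thread together, here is an added example (not from Christian's or Tobias's mails, and not strongSwan's own documentation) of the gateway-side ipsec.conf and ipsec.secrets for the two options Tobias describes: EAP-MSCHAPv2 for the BB10 user with the server authenticated by the VPNHostCert.pem issued above, and plain PSK without EAP. The virtual IP pool 10.10.10.0/24 and the secret values are assumed placeholders; VPNHostCert.pem is assumed to have been copied to /etc/ipsec.d/certs/, which the commands above do not yet do.

```ini
# /etc/ipsec.conf  (added example; file names match the pki commands above)
config setup
    uniqueids=never

conn %default
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0         # traffic the client may route through the tunnel
    right=%any
    rightsourceip=10.10.10.0/24  # assumed virtual IP pool for the roadwarriors
    auto=add

# Option 1: server proves its identity with the certificate issued by the CA,
# the BB10 authenticates the user with EAP-MSCHAPv2 (RFC 7296, section 2.16).
conn home-eap
    leftcert=VPNHostCert.pem     # expected in /etc/ipsec.d/certs/
    leftid=ckl.freeboxos.fr      # must match the certificate CN / SAN
    leftsendcert=always
    leftauth=pubkey
    rightauth=eap-mschapv2
    eap_identity=%identity       # use the EAP identity the client sends (alice)

# Option 2: plain PSK without EAP, only if the client supports it.
# leftid is left at its default (the gateway IP), which matches
# "Gateway Auth ID Type: IPv4" on the BB10.  Anybody holding the PSK
# can impersonate the server, so keep this to a small, trusted set of peers.
conn home-psk
    leftauth=psk
    rightauth=psk

# /etc/ipsec.secrets  (added example)
: RSA VPNHostKey.pem             # private key in /etc/ipsec.d/private/
alice : EAP "alicep"             # MSCHAPv2 username/password from the BB10 profile
%any : PSK "123456#"             # only for conn home-psk; use a long random secret
```

Bring the connections up with `ipsec reload` and `ipsec rereadsecrets`; `ipsec statusall` then lists both conns, and the client's authentication choice selects which one is used.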