[strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

Yuri D p_port at mail.ru
Tue Jul 19 17:16:02 CEST 2016


Hi!

So, as you have a BB device, you can find a good how-to on crackberry.com for
a PSK-based IPv4 VPN with strongSwan. That how-to is about the Amazon service, not
a Raspberry device, but you can transfer it with ease. I tested it and it
definitely works.
Another thing you should keep in mind: BB OS 10.3.0 and higher uses IPv6
for its services, so simple IPv4 shuts down everything from BBM voice to BB
Link and Blend.
So, you have 2 ways:
1) You can stay on OS 10.2 and you'll be ready to use everything with IPv4
or
2) You must expand the VPN to IPv6 for OS 10.3

Regards,
Yuri

----- Original Message -----
From: "Tobias Brunner" <tobias at strongswan.org>
To: "Christian Klugesherz" <christian.klugesherz at gmail.com>
Cc: <Users at lists.strongswan.org>
Sent: July 19, 2016 16:21
Subject: Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi


> Hi Christian,
>
> > Nevertheless, by removing: `eap_identity` I got the same result.
>
> You might need it, but that depends on the client.
>
> > On basis, I wanted to use StrongSwan as simple as possible without
> > certificates CA.
>
> That probably won't work as authenticating clients with EAP requires
> authenticating the server with a certificate to be standard-compliant
> (RFC 7296, section 2.16).  strongSwan can be configured to combine EAP
> with PSK authentication.  But that's not recommended, as anybody knowing
> it could impersonate the server, and most other implementations probably
> don't support this combination.  Using EAP-only authentication is also
> possible, if supported by the peer, but that calls for a strong mutual
> EAP method like EAP-TLS (EAP-MSCHAPv2 is not one).
>
> > Does that mean that in any case, you have to set-up a CA in order to
> > use strongSwan ?
> > Even with a VPN IKEv2 with preshared Key ?
>
> No.  If the client supports it you could, of course, use plain PSK
> authentication (i.e. without EAP).  Even though it's not recommended for
> larger roadwarrior deployments (again, anybody knowing the PSK could
> impersonate the server).
>
> Setting up a simple PKI (one CA certificate, one server certificate) is
> quite easy (see previous link).  You could also use a free certificate
> from Let's Encrypt or StartSSL, which your client might already trust,
> which would relieve you from having to install your own CA certificate
> on the clients.
>
> Regards,
> Tobias

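The authentication combinations discussed in the quoted reply can be checked mechanically. The following is an added example, not part of the original thread and not strongSwan code: a small audit of ipsec.conf-style text that flags an EAP client paired with a PSK-authenticated server, plain PSK, and EAP-only with a method other than EAP-TLS. It assumes `left` is the server and models EAP-only as `leftauth` also being an EAP method; the sample config and the certificate file name are constructed.

```python
import re
# Constructed sample in ipsec.conf syntax; assumption: "left" is the server side.
SAMPLE = """\
conn psk-only
    leftauth=psk
    rightauth=psk
conn eap-psk-server
    leftauth=psk
    rightauth=eap-mschapv2
conn eap-only-weak
    leftauth=eap-mschapv2
    rightauth=eap-mschapv2
conn eap-cert-server
    leftauth=pubkey
    leftcert=serverCert.pem   # hypothetical file name
    rightauth=eap-mschapv2
"""
MUTUAL_EAP = ("eap-tls",)  # the thread names EAP-TLS as a strong mutual method

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        head = re.match(r"conn\s+(\S+)$", line)
        if head:
            cur = conns.setdefault(head.group(1), {})
        elif cur is not None and line[:1] in (" ", "\t") and "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip().lower()
    return conns

def audit(text):
    """Classify each conn by how server (left) and client (right) authenticate."""
    out = {}
    for name, o in parse_conns(text).items():
        srv, cli = o.get("leftauth", ""), o.get("rightauth", "")
        if cli.startswith("eap") and srv == "psk":
            out[name] = "EAP client + PSK server: PSK holders can impersonate the server"
        elif cli.startswith("eap") and srv.startswith("eap"):
            strong = srv.startswith(MUTUAL_EAP) and cli.startswith(MUTUAL_EAP)
            out[name] = "EAP-only: ok" if strong else "EAP-only without a strong mutual method"
        elif cli == "psk" and srv == "psk":
            out[name] = "plain PSK: PSK holders can impersonate the server"
        elif srv == "pubkey":
            out[name] = "server authenticated by certificate"
        else:
            out[name] = "unclassified"
    return out
```

Calling `audit(SAMPLE)` returns one verdict per `conn` section; only `eap-cert-server` matches the certificate-authenticated server arrangement the reply describes as standard-compliant.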