[strongSwan] iPhone, iOS with TLS+EAP
Sven Anders
anders at anduras.de
Mon Dec 18 09:56:54 CET 2017
Hello!
I'm trying to get the IPSec connection of the iPhone to work with StrongSwan.
Currently it runs with the old racoon (ipsec-tools) and IKEv1. In the old
configuration the password is checked against the AD via the LDAP module.
We want to change to StrongSwan and use IKEv2.
I've got the connection running following the instructions on the website
and many experiments. In my configuration I'm using the 'eap-mschapv2' module
and specified the password in the /etc/ipsec.secret file.
I have three questions:
1) Is it possible to check the EAP password without using a radius server?
If so, which module must I use?
2) Can I use an IKEv2 iOS <-> StrongSwan connection verified by certificates only?
3) I experimented with the parameters and have the feeling that if I use the
EAP password check, the certificate isn't checked any longer?
I replaced the CA certificate on the server with a wrong (non-matching) CA,
but I can still connect to the server.
Do I have an error in reasoning here?
I expected the connection to fail, because the server could not match the
incoming certificate from the iPhone to the server's CA!?
Some details:
Linux strongSwan U5.5.1/K4.1.39
ipsec.conf:
config setup
    uniqueids=no
    charondebug = ike 2, net 2, pts 2, lib 2, tls 2, cfg 3, knl 2

conn rw-base
    fragmentation=yes
    dpdtimeout=90s
    dpddelay=30s
    dpdaction=clear

conn rw-config
    also=rw-base
    keyexchange=ikev2
    reauth=no
    rekey=no
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072
    leftsubnet=0.0.0.0/0,::/0
    leftid="ipsec.domain.net"
    leftcert=server.crt
    leftsendcert=always
    rightdns=10.1.3.10
    #rightca="C=DE, L=Somewhere, O=Firm, OU=IT, DC=local, DC=group, CN=Firm CA"
    rightsourceip=172.16.252.0/24

conn ikev2-pubkey
    also=rw-config
    auto=add

conn ikev2-eap-mschapv2
    also=rw-config
    auto=add
    rightauth=eap-mschapv2
    eap_identity=%identity
ipsec.secrets:
: RSA server.key
user : PSK "test"
user %any% : EAP "test"
Regards
Sven Anders
--
Sven Anders <anders at anduras.de> () UTF-8 Ribbon Campaign
/\ Support plain text e-mail
ANDURAS intranet security AG
Messestrasse 3 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
- Benjamin Franklin
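As an added example (not part of Sven's message or of the strongSwan project), a small Python audit that resolves the also= chains in an ipsec.conf like the one quoted above and reports, for every conn that is actually loaded, whether the remote peer must present a certificate and whether its issuer is pinned with rightca. The sample config is a constructed abbreviation of the posted one; the rule that a section's own keys override included ones is an assumption (no keys clash in the sample), and the default of rightauth=pubkey when unset is strongSwan's documented behaviour.

```python
import re
SAMPLE_CONF = """\
# constructed sample, abbreviated from the ipsec.conf quoted in the post above
conn rw-base
    fragmentation=yes
conn rw-config
    also=rw-base
    leftcert=server.crt
    #rightca="C=DE, O=Firm, CN=Firm CA"
conn ikev2-pubkey
    also=rw-config
    auto=add
conn ikev2-eap-mschapv2
    also=rw-config
    auto=add
    rightauth=eap-mschapv2
"""
def parse_conf(text):
    """Return {section: {key: value}}. Comment lines are skipped, so a commented-out rightca= stays unset."""
    sections, current = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^(conn|ca|config)\s+(\S+)$", line)
        if m:
            current = sections.setdefault(m.group(2), {})
        elif "=" in line and not line.startswith("#"):  # drops the '#rightca=' line
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections
def effective(sections, name, seen=()):
    """Flatten also= includes, cycle-safe. Assumed precedence: a section's own keys beat included ones."""
    own, merged = sections[name], {}
    inc = own.get("also")
    if inc in sections and inc not in seen:
        merged.update(effective(sections, inc, seen + (name,)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged
def audit(text):
    """For each loaded conn (one with auto=) return a finding on peer authentication; pinned conns get none."""
    sections, findings = parse_conf(text), {}
    for name, opts in sections.items():
        if "auto" not in opts:
            continue  # templates such as rw-base are never loaded on their own
        eff = effective(sections, name)
        rightauth = eff.get("rightauth", "pubkey")  # strongSwan default when unset
        if rightauth.startswith("eap-"):
            findings[name] = "EAP only: no peer certificate is requested or verified"
        elif rightauth == "pubkey" and "rightca" not in eff:
            findings[name] = "peer certificate required, but rightca unset: any trusted CA is accepted"
    return findings
```

Run against the sample it reports both loaded conns: the EAP conn never asks the iPhone for a certificate at all, and the pubkey conn accepts any certificate chaining to a CA in the trust store because rightca is commented out.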