[strongSwan] iPhone, iOS with TLS+EAP

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Dec 19 21:04:10 CET 2017


Hi,

> 1) Is it possible to check the EAP password without using a radius server?
>    If so, which module must I use?

The corresponding module for the corresponding EAP method. eap-mschapv2 for, well, EAP MSCHAPv2.

> 2) Can I use an IKEv2 iOS <-> StrongSwan connection verified by certificates only?

Yes, see the article about AppleClients.

> 3) I experimented with the parameters and have the feeling if I use the
>    EAP password check the certificate isn't checked any longer?

That's wrong.

>    I replaced the CA certificate on the server with a wrong (non-matching) CA
>    but I still can connect to the server.
>    Do I have an error in reasoning here?
strongSwan doesn't flush certificates when you reload the configuration or load new ones. The best way to ensure it doesn't have a cert is to
restart the daemon. So in your case, it still had the right CA certificate. 


The CA constraint obviously doesn't do anything if it's commented out. AFAIR it's implicitly dropped if no such CA certificate is known.

Kind regards

Noel



On 18.12.2017 09:56, Sven Anders wrote:
> Hello!
>
> I'm trying to get the IPSec connection of the iPhone to work with StrongSwan.
>
> Currently it runs with the old racoon (ipsec-tools) and IKEv1. In the old
> configuration the password is checked against the AD via the LDAP module.
> We want to change to StrongSwan and use IKEv2.
>
> I've got the connection running following the instructions on the web-site
> and many experiments. In my configuration I'm using the 'eap-mschapv2' module
> and specified the password in the /etc/ipsec.secrets file.
>
> I have three questions:
>
> 1) Is it possible to check the EAP password without using a radius server?
>    If so, which module must I use?
>
> 2) Can I use an IKEv2 iOS <-> StrongSwan connection verified by certificates only?
>
> 3) I experimented with the parameters and have the feeling if I use the
>    EAP password check the certificate isn't checked any longer?
>
>    I replaced the CA certificate on the server with a wrong (non-matching) CA
>    but I still can connect to the server.
>    Do I have an error in reasoning here?
>
>    I expected the connection to fail, because the server could not match the
>    incoming certificate from the iPhone to the server's CA!?
>
>
> Some details:
>
> Linux strongSwan U5.5.1/K4.1.39
>
> ipsec.conf:
>
> config setup
>     uniqueids=no
>     charondebug = ike 2, net 2, pts 2, lib 2, tls 2, cfg 3, knl 2
>
> conn rw-base
>     fragmentation=yes
>     dpdtimeout=90s
>     dpddelay=30s
>     dpdaction=clear
>
> conn rw-config
>     also=rw-base
>     keyexchange=ikev2
>     reauth=no
>     rekey=no
>     ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
>     esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072
>
>     leftsubnet=0.0.0.0/0,::/0
>     leftid="ipsec.domain.net"
>     leftcert=server.crt
>     leftsendcert=always
>
>     rightdns=10.1.3.10
>     #rightca="C=DE, L=Somewhere, O=Firm, OU=IT, DC=local, DC=group, CN=Firm CA"
>     rightsourceip=172.16.252.0/24
>
> conn ikev2-pubkey
>     also=rw-config
>     auto=add
>
> conn ikev2-eap-mschapv2
>     also=rw-config
>     auto=add
>     rightauth=eap-mschapv2
>     eap_identity=%identity
>
> ipsec.secrets:
>
> : RSA server.key
> user : PSK "test"
> user %any% : EAP "test"
>
>
>
> Regards
>  Sven Anders
>

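The effect Noel describes (the daemon still holding the previously loaded CA after the file on disk was swapped) can be reproduced outside strongSwan with plain openssl. The following is an added example, not code from the thread or from the strongSwan project: it builds a throwaway "Firm CA" and an unrelated "Other CA", signs a client certificate with the first one (standing in for the iPhone's certificate), and then verifies that certificate against three different trust stores. All DNs, file names and keys are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: simulate the CA trust store a VPN gateway holds in memory and
# check a peer certificate against it, to show why swapping the CA file on disk
# without restarting the daemon does not change the verification result.
# Everything below (DNs, names, keys) is made up for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name> <CN>: self-signed CA certificate and key (constructed DN).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -subj "/C=DE/O=Firm/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_client <ca_name> <out_name> <CN>: leaf certificate signed by that CA
# (stands in for the certificate the iPhone presents in the pubkey conn).
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/C=DE/O=Firm/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -sha256 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_against <cert_name> <ca_file...>: exit 0 if the certificate chains to
# any CA in the concatenated store, non-zero otherwise. The store plays the
# role of the CA certificates the daemon currently has loaded in memory.
verify_against() {
    cert=$1; shift
    cat "$@" > "$WORK/store.pem"
    openssl verify -CAfile "$WORK/store.pem" "$WORK/$cert.crt" >/dev/null 2>&1
}

make_ca old_ca "Firm CA"
make_ca wrong_ca "Other CA"
make_client old_ca iphone "iphone-user"

# 1) Only the right CA is loaded: the client certificate is accepted.
verify_against iphone "$WORK/old_ca.crt" \
    && echo "old CA only:           accepted"

# 2) Only the wrong CA is loaded (what a restart after the swap gives you):
#    the client certificate is rejected.
verify_against iphone "$WORK/wrong_ca.crt" \
    || echo "wrong CA only:         rejected"

# 3) Wrong CA loaded but the old one still present (what a reload leaves you
#    with): the client certificate is still accepted.
verify_against iphone "$WORK/wrong_ca.crt" "$WORK/old_ca.crt" \
    && echo "wrong CA + cached old: accepted"
```

Case 3 is the situation from the question: the new CA file was read, but the previously loaded one was never dropped, so the chain still validates. To get the case 2 behaviour on a strongSwan gateway, restart the daemon after replacing the CA (`ipsec restart`) and confirm with `ipsec listcacerts` that only the intended CA is listed before testing the connection again.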