[strongSwan] Is there a possibility of MITM in this configuration?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Oct 19 17:41:42 CEST 2017


Hi,

> The
> Hybrid mode allows checking a server using an installed custom CA. But I
> don't want to install a custom CA into Android as that shows a
> permanent security notification/warning. Secondly I don't understand WHY
> Android DOESN'T use the system CAs for IPSec.
Because VPNs are not supposed to be publicly accessible and there is no reason to
trust other companies with access to one's own private infrastructure.

> Without that I just cannot
> use a public CA like Let's Encrypt or any other certificate on the server,
> the CA for which is already in system trust store of Android.
You can. Just get the CA certificate and import it in your user store.

> Now if I install the "server.pem" (leftcert=server.pem on strongSwan
> server) into Android and select that under "IPSec server certificate",
> it connects only if the VPN server presents server.pem. Is there a
> possibility that a faker can also present server.pem (w/o having its
> private key) and MITM the connection?
No.

Kind regards

Noel



On 19.10.2017 17:24, RA wrote:
> Hi.
>
> I really needed an efficient & secure way to use the native Android
> client to connect to my strongSwan VPN server.  After ruling out all
> L2TP and PSK options, I was left with:
>
> IPSec XAuth RSA
> IPSec Hybrid RSA
>
> Out of these I am more interested in the latter as it does not require a
> user certificate (installing which has been troublesome in my exp.). The
> Hybrid mode allows checking a server using an installed custom CA. But I
> don't want to install a custom CA into Android as that shows a
> permanent security notification/warning. Secondly I don't understand WHY
> Android DOESN'T use the system CAs for IPSec. Without that I just cannot
> use a public CA like Let's Encrypt or any other certificate on the server,
> the CA for which is already in system trust store of Android. The hybrid
> modes give me these two configurables:
>
> IPSec CA certificate: A drop-down which has "(don't verify server)" as
> default along with a list of custom CAs installed (none in my case)
> IPSec server certificate: A drop-down which has "(received from server)"
> as default along with a list of custom certs installed.
>
> Leaving both of these to their default selection makes the VPN connect
> to server w/o any verification. Any certificate presented by the IPSec
> server is accepted by Android. Best scenario for MITM I guess.
>
> Now if I install the "server.pem" (leftcert=server.pem on strongSwan
> server) into Android and select that under "IPSec server certificate",
> it connects only if the VPN server presents server.pem. Is there a
> possibility that a faker can also present server.pem (w/o having its
> private key) and MITM the connection?
>
> Thanks in advance for any insights and help.
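
Added example (not part of the original thread, and not strongSwan or Android code) illustrating the "No." above: the certificate is public, but the server is authenticated by a signature made with its private key over data from the current exchange, which a client that pins server.pem checks against that certificate's public key. The file names, the CN and the random "exchange" data standing in for the signed IKE hash are assumptions.

```shell
#!/bin/sh
# Constructed demo: file names, the CN and the "exchange" data are made up.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Server: private key plus self-signed certificate (the thread's server.pem).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example.test" \
    -keyout "$work/server.key" -out "$work/server.pem" 2>/dev/null

# Impostor: has a copy of the public server.pem, but only its own private key.
openssl genrsa -out "$work/impostor.key" 2048 2>/dev/null

# Client: the pinned certificate supplies the only public key it will accept.
openssl x509 -in "$work/server.pem" -pubkey -noout > "$work/pinned.pub"

# verify_pinned SIG DATA: succeeds only if SIG over DATA matches the pinned key.
verify_pinned() {
    openssl dgst -sha256 -verify "$work/pinned.pub" -signature "$1" "$2" >/dev/null 2>&1
}

# authenticate KEY: the peer signs fresh per-session data with KEY and the
# client checks it against the pinned key. Prints "accepted" or "rejected".
authenticate() {
    openssl rand -hex 32 > "$work/exchange"   # stand-in for the signed IKE hash
    openssl dgst -sha256 -sign "$1" -out "$work/sig" "$work/exchange"
    if verify_pinned "$work/sig" "$work/exchange"; then echo accepted; else echo rejected; fi
}

# replay_captured: a signature recorded from the real server is presented
# again, but the new session's data differs, so it no longer verifies.
replay_captured() {
    authenticate "$work/server.key" >/dev/null
    cp "$work/sig" "$work/captured.sig"
    openssl rand -hex 32 > "$work/exchange"
    if verify_pinned "$work/captured.sig" "$work/exchange"; then echo accepted; else echo rejected; fi
}

echo "real server:      $(authenticate "$work/server.key")"
echo "impostor key:     $(authenticate "$work/impostor.key")"
echo "replayed old sig: $(replay_captured)"
```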
