[strongSwan] Is there a possiblity of MITM in this configuration?

RA ss17 at fea.st
Thu Oct 19 18:13:02 CEST 2017 

Hi Noel,

Thanks for your input. Though:

> Because VPNs are not supposed to be publicly accessible and there is no reason to trust other companies with access to one's own private infrastructure.

I do consider Blackberry as a more secure device than Android. For IPSec
it uses the setting: "Gateway CA Certificate: All CA Certificates" as
default which essentially uses the system's trust store also. Android
doesn't have any such option. May be Google wants to enforce the point
you made about trusting other companies in the scope of VPN. But if we
start doubting public CAs, then the entire security around https:// also
falls apart. So that is being a bit paranoid I feel.

> You can. Just get the CA certificate and import it in your user store.

Which puts a ugly permanent notification/warning onto device: "A third
party is capable of monitoring your network activity, including emails,
apps and secure websites." Something that can give heart attack to
novice un-suspecting users. So I wanna avoid importing a CA (public or
mine).

> No.

Do you consider that as a secure setup then? Is sharing the server.pem
file that is used for the VPN server a harmless thing if its private key
is kept secure? Unlike importing client certs (which probably needs key
also) for  XAuth RSA mode, Android imports the server certs easily. You
simply have to tell the user to visit:
https://my-site.com/server.(pem|crt|cer) and it prompts.

Best Regards.

----- Original message -----
From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
To: RA <ss17 at fea.st>, users at lists.strongswan.org
Subject: Re: [strongSwan] Is there a possiblity of MITM in this
configuration?
Date: Thu, 19 Oct 2017 17:41:42 +0200

Hi,

> The
> Hybrid mode allows to check a server using a installed custom CA. But I
> don't want to install to a custom CA into android as that shows a
> permanent security notification/warning. Secondly I don't understand WHY
> Android DOESN'T use the system CAs for IPSec.
Because VPNs are not supposed to be publicly accessible and there is no
reason to
trust other companies with access to one's own private infrastructure.

> Without that I just cannot
> use a public CA like Letsencrypt or any other certificate on the server,
> the CA for which is already in system trust store of Android.
You can. Just get the CA certificate and import it in your user store.

> Now if I install the "server.pem" (leftcert=server.pem on Strongswan
> server) into Android and select that under "IPSec server certificate",
> it connects only if the VPN server presents server.pem. Is there a
> possibility that a faker can also present server.pem (w/o having its
> private key) and MITM the connection?
No.

Kind regards

Noel

More information about the Users mailing list