[strongSwan] IKE-EAP

IL Ka kazakevichilya at gmail.com
Tue Dec 11 15:26:18 CET 2018


EAP is an authentication protocol framework.
It encapsulates the authentication method, giving both sides the ability to
choose a method they both support.

Originally there were only the PAP and CHAP protocols to authenticate peers,
then EAP was invented as an extensible framework.

See more on EAP:
https://tools.ietf.org/html/rfc3748


See more on some EAP protocols:
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
Currently defined methods are eap-aka,
eap-gtc, eap-md5, eap-mschapv2, eap-peap, eap-sim, eap-tls, eap-ttls,
eap-dynamic, and eap-radius.

In the DO example they use mschapv2.

Here it is: https://tools.ietf.org/html/rfc2759
but you may need to read https://www.ietf.org/rfc/rfc1994.txt first

On the server, open /etc/ipsec.secrets and set
someuser : EAP "somepass"

On Android, use "someuser" as login and "somepass" as pass.

The server and Android will agree on an EAP protocol (mschapv2 in this case),
then mschapv2 will take place (as covered in RFC 1994 and RFC 2759) and
Android will auth itself to the server.

EAP is used for authentication only. It is not used to encrypt data after
it.




On Tue, Dec 11, 2018 at 5:08 PM eyas barhouk <eyas37 at hotmail.com> wrote:

> Hello dears,
>
> I'm trying to build IPsec tunneling mode to use it with the strongSwan
> Android client, as in the following tutorial:
>
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
>
> But I didn't understand how IKEv2-EAP works. To be clear, I know that
> EAP is an asymmetric cryptographic way, but I didn't get what the private &
> public keys in it are, and based on what the server is encrypting and
> authenticating the messages, and is the username equal to the public key
> and the password equal to the private key?
>
>
> Thanks in advance
> Best regards
>
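
Added example, not part of the original message and not strongSwan code: a sketch of the RFC 1994 CHAP challenge-response that the reply recommends reading first, showing that the username and password are a shared secret known to both sides rather than a public/private key pair. It implements plain CHAP with MD5, not MSCHAPv2 (RFC 2759 uses a different hash construction on the same challenge-response pattern); the class and function names are hypothetical and the credentials are the constructed ones from the ipsec.secrets line above.

```python
import hashlib
import hmac
import os

# Constructed sample credentials, mirroring: someuser : EAP "somepass"
SECRETS = {"someuser": b"somepass"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: one-way hash (MD5) over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side (hypothetical name): issues a challenge, checks the reply."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        # A fresh random challenge per attempt is what defeats replay.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None or identifier != self.identifier or not self.challenge:
            return False
        # The server recomputes the hash from the SAME secret the peer used.
        expected = chap_response(identifier, secret, self.challenge)
        self.challenge = b""  # a challenge is good for one attempt only
        return hmac.compare_digest(expected, response)


def peer_answer(password: bytes, identifier: int, challenge: bytes) -> bytes:
    """Client side: only the hash crosses the wire, never the password."""
    return chap_response(identifier, password, challenge)


if __name__ == "__main__":
    server = Authenticator(SECRETS)
    ident, chal = server.new_challenge()
    reply = peer_answer(b"somepass", ident, chal)
    print("accepted:", server.verify("someuser", ident, reply))
```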