[strongSwan] Multiple Authentication Rounds

Tobias Brunner tobias at strongswan.org
Wed Jul 18 15:56:24 CEST 2018

Hi Christian,

> To quote your page [1] "With IKEv2 it is possible to use multiple
> authentication rounds"

This refers to using multiple authentication rounds per RFC 4739 [1].
There aren't that many implementations that support it (i.e. neither
Windows nor macOS does).

> could this be PSK and eap-mschapv2

Theoretically yes, but combining PSK with EAP isn't strictly compliant
with RFC 7296, according to which [2] the server has to be authenticated
with a pubkey based authentication.  The problem is that using a shared
PSK to authenticate the server allows active attackers that know it - if
the PSK is weak they could even find it by connecting to the server and
then attacking the AUTH payload offline - to impersonate the server and
get potentially weak EAP password hashes from clients.

By the way, using PSK authentication for the server and EAP
authentication for the client (like Emanuil does) is not using multiple
authentication rounds (it just uses a PSK instead of a certificate to
authenticate the server).  With multiple authentication rounds the first
round would authenticate both client and server with a PSK and then the
EAP authentication would follow (but that doesn't really improve the
overall security, in particular if the same PSK is used for client and
server or the client PSKs are weak).  Multiple authentication rounds are
more intended e.g. to first authenticate the client device with a
machine certificate (and the server with its certificate) and then do a
user authentication based on EAP in the second round.

> The clients are OSX and Windows native clients so I am curious if it
> will work.

No, as mentioned they don't support multiple IKEv2 authentication rounds.


[1] https://tools.ietf.org/html/rfc4739
[2] https://tools.ietf.org/html/rfc7296#section-2.16
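
The two-round setup described in the message above (machine certificate first, then EAP user authentication), sketched as a responder-side swanctl.conf fragment. This is an added example, not part of the original message or strongSwan's own sample configuration; the connection name, identity, certificate file name and traffic selector are constructed placeholders.

```conf
# Added example: responder requiring two IKEv2 authentication rounds (RFC 4739).
# All names and values below are constructed placeholders.
connections {
    rw-two-rounds {
        version = 2

        # Server authenticates with a certificate, the public-key based
        # server authentication the message refers to from RFC 7296
        # section 2.16, rather than a shared PSK.
        local {
            auth = pubkey
            certs = serverCert.pem      # placeholder file name
            id = vpn.example.org        # placeholder identity
        }

        # Round 1: the client device proves possession of a machine certificate.
        remote-machine {
            round = 1
            auth = pubkey
        }

        # Round 2: the user authenticates with EAP inside the same IKE_AUTH exchange.
        remote-user {
            round = 2
            auth = eap-mschapv2
            eap_id = %any               # ask the client for its EAP identity
        }

        children {
            net {
                local_ts = 10.0.0.0/24  # placeholder subnet
            }
        }
    }
}
```

The client needs matching local rounds configured in the same order, which per the message rules out the native Windows and macOS clients.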
