[strongSwan] EAP-MSCHAPV2/PEAP client connection from Network Manager

Tobias Brunner tobias at strongswan.org
Thu Apr 18 10:23:24 CEST 2019

Hi Chris,

> So I guess the question is, what's the security risk here? I always knew
> that with PEAP, there is PKI as an outer method. What am I missing
> without that outer method encryption. Guess I need to read some more....

One aspect is whether the EAP-MSCHAPv2 authentication is terminated on
the VPN gateway directly (e.g. via eap-mschapv2 plugin) or on a separate
RADIUS server.  In the latter scenario EAP-PEAP/TTLS authenticates the
AAA server to the client and the connection between VPN gateway and
RADIUS server is also encrypted.

>     # strongswan.conf - strongSwan configuration file
>     #
>     # Refer to the strongswan.conf(5) manpage for details
>     #
>     # Configuration changes should be made in the included files
>     charon {
>             charon-nm.plugins.eap-peap.load = no

That's not actually the correct syntax.  See [1].


[1] https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
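An added example, not part of the thread above, showing the quoted one-line form beside the nested-section form that strongswan.conf uses (sections are opened with braces rather than written as dotted keys, and the section for the NetworkManager backend is charon-nm at the top level, not inside charon). Section and key names are taken from the quoted setting; the surrounding nesting is the standard strongswan.conf layout documented at [1]:

```conf
# Added example: disabling the eap-peap plugin for the NetworkManager
# backend (charon-nm) in strongswan.conf.

# As quoted in the thread: a dotted key placed inside the charon section.
# strongswan.conf does not accept this form, and charon-nm is not a
# subsection of charon, so the setting has no effect.
#
#   charon {
#           charon-nm.plugins.eap-peap.load = no
#   }

# Nested-section form: charon-nm is its own top-level section, and each
# dot in the intended path becomes one level of braces.
charon-nm {
    plugins {
        eap-peap {
            load = no
        }
    }
}
```

After editing, restarting the NetworkManager strongSwan backend picks up the change; whether a plugin actually loaded is visible in the backend's startup log line that lists the loaded plugins.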

