On 29.01.2017 18:53, Chase Douglas wrote:
> Strongswan fits the bill, but the PSK secrets are stored in plaintext.
>
> Here's what I would like to do, and I want to find out from people who
> are much more knowledgeable than I whether this is feasible and
> reasonable:
>
> 1. End user interacts with our product and provides a
> username/password for VPN access
> 2. Instead of adding username/password to ipsec.secrets as plaintext
> EAP, add password as bcrypt hashed value
> 3. Store new ipsec.secrets as a privately accessible file (say in AWS
> S3 so the VPN server can just grab the latest file when the server
> starts up)
> 4. StrongSwan verifies new connections using bcrypt hash
>
> Is this possible to implement? I don't really know how all the IPSec
> protocols work, so I'm hoping someone here can provide some guidance.
With PSK and challenge-based EAP authentication methods, it's impossible, due to technical constraints of PSK authentication and the particular EAP method. It is only possible to implement this with EAP-GTC. However, this method is not supported by any builtin client.

--
Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
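To illustrate the distinction Noel draws, the following added example (not code from the thread or from strongSwan) models the two verification styles side by side. In the EAP-GTC style the client sends the password itself inside the protected tunnel, so the server can check it against a stored one-way hash. In a PSK or challenge/response style (EAP-MSCHAPv2 and similar) the client only proves knowledge of the secret by keying a MAC over a server challenge, so the server must hold the same key material the client used; a bcrypt hash of the password cannot play that role. Assumptions: bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it; the HMAC-SHA256 challenge/response is a simplified stand-in for the real EAP method's computation; the username and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credential (not from the thread).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


# --- Storage model: the server keeps only a salted, slow, one-way hash.
# bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256 stands in
# for it here (assumption; the argument is the same for bcrypt).
def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_against_hash(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# --- EAP-GTC style: the client transmits the password inside the protected
# tunnel, so the server can verify it against the stored hash and never needs
# the plaintext at rest.
def gtc_server_check(submitted_password, salt, digest):
    return verify_against_hash(submitted_password, salt, digest)


# --- Challenge/response style (PSK, EAP-MSCHAPv2 and similar, simplified as
# HMAC-SHA256): the client never sends the password, only a MAC of the
# server's challenge keyed with the secret.
def challenge_response(secret, challenge):
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def cr_server_check(stored_secret, challenge, response):
    # The server has to recompute the expected response, which requires the
    # same key material the client used. A one-way hash of the password is
    # not that key material, so storing only the hash breaks verification.
    expected = challenge_response(stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Run both verification styles against a hash-only secret store."""
    salt, digest = hash_password(PASSWORD)
    challenge = os.urandom(32)
    # The client keys its response with the password it knows.
    client_response = challenge_response(PASSWORD.encode(), challenge)
    return {
        "gtc_ok": gtc_server_check(PASSWORD, salt, digest),
        "gtc_wrong_password": gtc_server_check("wrong", salt, digest),
        # Works only if the server still holds the plaintext (or equivalent).
        "cr_with_plaintext_ok": cr_server_check(PASSWORD.encode(), challenge, client_response),
        # Substituting the stored hash for the secret cannot succeed.
        "cr_with_hash_only": cr_server_check(digest, challenge, client_response),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last two results are the point of the reply: a hash-only `ipsec.secrets` is compatible with a method that delivers the password to the server (EAP-GTC), and not with PSK or challenge-based EAP methods, where the server must hold the password or a password-equivalent key.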
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
