Thanks, Noel! Just the feedback I needed. We'll figure out a way to make it easy to use certs instead.

--
Chase Douglas
CTO @ Techstars '17
(234) 567-9652

On Sun, Jan 29, 2017 at 11:51 AM, Noel Kuntze <[email protected]> wrote:
> On 29.01.2017 18:53, Chase Douglas wrote:
>> Strongswan fits the bill, but the PSK
>> secrets are stored in plaintext.
>>
>> Here's what I would like to do, and I want to find out from people who
>> are much more knowledgeable than I whether this is feasible and
>> reasonable:
>>
>> 1. End user interacts with our product and provides a
>> username/password for VPN access
>> 2. Instead of adding username/password to ipsec.secrets as plaintext
>> EAP, add password as bcrypt hashed value
>> 3. Store new ipsec.secrets as a privately accessible file (say in AWS
>> S3 so the VPN server can just grab the latest file when the server
>> starts up)
>> 3. StrongSwan verifies new connections using bcrypt hash
>>
>> Is this possible to implement? I don't really know how all the IPSec
>> protocols work, so I'm hoping someone here can provide some guidance.
>
> With PSK and challenge based EAP authentication methods, it's impossible,
> due to technical constraints of PSK authentication and the particular EAP
> method. It is only possible to implement this with EAP-GTC. However, this
> method is not supported by any builtin client.
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
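
The constraint described in the quoted reply, as an added example that is not part of the original thread and not strongSwan code: a challenge-based method (EAP-MD5, the CHAP construction from RFC 1994, is used here as the illustration) needs the secret itself on the server to recompute the response, while a method that delivers the password to the server, as EAP-GTC does, can be checked against a stored one-way hash. Assumptions: PBKDF2 from the Python standard library stands in for bcrypt, and all function names and the sample password are constructed for this sketch.

```python
import hashlib
import hmac
import os

def slow_hash(password: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption): salted, one-way, deliberately slow.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # EAP-MD5 / CHAP (RFC 1994): MD5(identifier || secret || challenge).
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_challenge(stored_secret: bytes, ident: int,
                     challenge: bytes, response: bytes) -> bool:
    # The server must recompute the response, so whatever it stores is used
    # directly as the secret. A one-way hash of the password cannot be used
    # to recover the value the client fed into chap_response().
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def verify_gtc(salt: bytes, stored_hash: bytes, received_password: bytes) -> bool:
    # GTC-style exchange: the password itself reaches the server (inside the
    # protected IKE exchange), so the server hashes it and compares.
    return hmac.compare_digest(slow_hash(received_password, salt), stored_hash)

def demo() -> dict:
    password = b"correct horse battery"      # constructed sample password
    salt = os.urandom(16)
    stored_hash = slow_hash(password, salt)   # what a hashed secrets file would hold

    ident, challenge = 7, os.urandom(16)      # server-chosen challenge
    client_resp = chap_response(ident, password, challenge)  # client side

    return {
        # Server holds the plaintext secret: challenge-response succeeds.
        "challenge_with_plaintext": verify_challenge(password, ident, challenge, client_resp),
        # Server holds only the hash: the expected response cannot be rebuilt.
        "challenge_with_hash": verify_challenge(stored_hash, ident, challenge, client_resp),
        # Server holds only the hash, client sends the password: works.
        "gtc_with_hash": verify_gtc(salt, stored_hash, password),
        "gtc_wrong_password": verify_gtc(salt, stored_hash, b"wrong guess"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```
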
