On Fri, 15 May 2020, Jeremy Hayward wrote:
I want to set up a connection on my libreswan that will allow anyone to connect with just the username and password. I understand the security implications of this, but I want to be able to access a system from anywhere in the world, from any device. The main client will be Android phone, but again, I don't want to have to install specific software on that phone - just use the built in android vpn facility. I used to do this with PPTP for many years and it worked well, but I think that would now be too dangerous but the Android phones now support relatively IPSec which I think will be good enough.
That is still unwise. The problem with user/password is that you have to use authby=secret, giving out this preshared key to everyone, meaning that everyone who has the client information (legitimately or maliciously obtained) would be able to forge messages from the gateway or other clients. It is also only supported in the old IKEv1 method, not the new IKEv2 method.
I've built a conf, but as a bit of a noob, I'm not sure if I've made a rookie error, or it just won't work in the way I'm intending. Here is my .conf:

    conn Warrior
        dpdaction=clear
        dpddelay=30
        dpdtimeout=120
        fragmentation=yes
        ike=3des-md5;modp1024
Doing 3des-md5 wasn't even good in 1999. It is surely not good now. Worse, modp1024 is DH2, which we don't even compile in support for anymore, because university-style computing budgets can break it, so surely nation states can too.
        ikev2=insist
Android only just got IKEv2 support (or will get it in the next version?) and so basically no Android client in the wild supports native IKEv2. Also see the above. For IKEv2 you would want to at least use one certificate on the server (even if clients would use authby=secret to identify themselves). But these kinds of IKEv2 configurations can only be done using EAP, which libreswan currently does not support. You really seem to want this type of config: https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK

I still recommend you change your requirements for a more secure deployment.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
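As an added illustration, not part of Paul's reply and not copied from the libreswan wiki page he links, here is the general shape of an IKEv1 XAUTH-with-PSK server configuration of the kind the thread points toward, with the proposal line from Jeremy's original conf kept beside a stronger replacement. The connection name, address pool, resolver, secret values and the exact cipher and DH group choice are assumptions for the example; the per-client settings some phones need (for example aggressive mode) are not covered here and should be checked against the wiki page for your libreswan version.

```ini
# /etc/ipsec.conf (added example; assumed names and addresses throughout)
conn warrior-xauth-psk
    # IKEv1 only: XAUTH+PSK has no IKEv2 equivalent in libreswan without EAP
    ikev2=no
    # group PSK, the weakness Paul describes: every client holds the same key
    authby=secret
    # the server offers XAUTH; the client must complete username/password
    leftxauthserver=yes
    rightxauthclient=yes
    # xauthby=file reads /etc/ipsec.d/passwd (user:crypt-hash:connname)
    xauthby=file
    left=%defaultroute
    leftsubnet=0.0.0.0/0              # full tunnel: route all client traffic
    right=%any
    rightaddresspool=10.99.0.10-10.99.0.200   # assumed client pool
    modecfgpull=yes
    modecfgdns=10.99.0.1              # assumed resolver pushed to clients
    # original proposal from the thread, kept for comparison only; do not use:
    #ike=3des-md5;modp1024
    # replacement: still IKEv1, but AES-256, SHA-2 and a 2048-bit DH group
    ike=aes256-sha2;modp2048
    esp=aes256-sha2_256
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    fragmentation=yes
    pfs=no
    rekey=no
    auto=add

# /etc/ipsec.d/warrior.secrets (assumed file name and placeholder value)
# The shared group secret; anyone holding it can impersonate the gateway.
%any %any : PSK "replace-with-a-long-random-group-secret"

# /etc/ipsec.d/passwd (placeholder hash, e.g. produced by `openssl passwd -6`)
# One crypt(3) entry per user, bound to the connection name above.
jeremy:$6$placeholder-hash:warrior-xauth-psk
```

The three sections are separate files on the server, shown together only for reading. The XAUTH password adds a per-user check on top of the group PSK, but it does not remove the problem Paul raises: the PSK itself is the only thing authenticating the gateway, so whoever has it, legitimately or not, can forge messages from the gateway or other clients.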
