Hi David,

the IKEv2 RFC 5996 explicitly states in the second paragraph on page 112 of section 5 Security Considerations

http://tools.ietf.org/html/rfc5996#section-5

   An implementation using EAP MUST also use a public-key-based
   authentication of the server to the client before the EAP
   authentication begins, even if the EAP method offers mutual
   authentication. This avoids having additional IKEv2 protocol
   variations and protects the EAP data from active attackers.

Since strongSwan strictly adheres to Internet Standards your mode of operation using PSK with EAP is not admissible.

Best regards

Andreas

On 30.06.2014 17:13, Mcginniss, David S [NTK] wrote:
The real problem is we have no need of the certificate for IPSEC with PSK and MSCHAPv2 but can't disable it in the strong swan client.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Noel Kuntze
Sent: Friday, June 27, 2014 2:07 PM
To: [email protected]
Subject: Re: [strongSwan] Android VPN

Hello David,

I advise looking at [1].
For importing certificates on Android devices, you need to import them into the Android key store. You do this by packaging the CA, private key of the user certificate as well as the user certificate into a p12-file and importing it on the Android device by opening it with a file manager. After you imported it, you can set it in the strongSwan VPN app, or whatever app you're using (or the integrated client).

[1] http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 27.06.2014 20:49, schrieb Mcginniss, David S [NTK]:

I am looking for support for android vpn for the following client config with an IKEv2 client supporting MSK. I would try with a cert as long as I can install a cert and I can’t figure out how to install a cert without rooting the device which I don’t want to do.

IKEv2 using PSK and MSCHAPv2 example

SEgw.xxx.yyy.net FQDN
SEGWID [email protected]
SEGW PSK a1b2c3
EAP- MSCHAPv2
AAA User [email protected]
AAA Password d3e4f5g6

David S. McGinniss
Sr Telecom Design Engineer
Service Platform Development
[email protected]
(m) 630-926-3184

This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
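The p12 packaging step described in Noel's message above (CA certificate, user private key and user certificate in one file), as an added example that is not part of the original thread. It assumes the `openssl` command-line tool, which the thread does not name; the throwaway CA, subject names, file names and export password are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a PKCS#12 bundle holding CA cert + user key + user cert.
# Every name, subject and password below is a constructed placeholder.

# make_p12 DIR [PASS]: create a throwaway CA and user credential in DIR,
# then package them as DIR/user.p12 protected by the export password PASS.
make_p12() {
    dir=$1
    pass=${2:-changeit}   # placeholder; passing it on the command line exposes it to local users
    mkdir -p "$dir" || return 1

    # Throwaway self-signed CA (stands in for the CA that signs the real credentials).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example VPN CA" \
        -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" 2>/dev/null || return 1

    # User key (written unencrypted by -nodes: delete it after import) and CSR.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=user@example.org" \
        -keyout "$dir/userKey.pem" -out "$dir/user.csr" 2>/dev/null || return 1

    # The CA signs the user certificate.
    openssl x509 -req -in "$dir/user.csr" -days 30 \
        -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" -CAcreateserial \
        -out "$dir/userCert.pem" 2>/dev/null || return 1

    # The bundle itself: user key + user cert, with the CA cert added via -certfile.
    openssl pkcs12 -export -name "vpn-user" \
        -inkey "$dir/userKey.pem" -in "$dir/userCert.pem" \
        -certfile "$dir/caCert.pem" \
        -passout "pass:$pass" -out "$dir/user.p12" || return 1
}

# count_p12_certs FILE PASS: print how many certificates the bundle contains.
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# p12_has_key FILE PASS: succeed only if the bundle opens and carries a private key.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}
```

Checking the bundle with `count_p12_certs` and `p12_has_key` before copying it to the device confirms that both certificates and the key are inside and that the export password opens it.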
