Hi,
Thanks for your feedback. Actually, security is not our main concern here but
rather a simple VPN setup.
We were able to set up connections using PSK on iOS devices (both for L2TP and
IKEv2), but unable to do so for Windows users.
Our goal is to have Strongswan configured for most common platforms based on
username/password authentication (with/o PSK) without requiring our users to
install anything on their machines (not even a certificate). We are aware of
the fact that certificate based authentication is much more secure, but this
is not relevant in our case.
Thanks,
Gilad
On 2015-04-23 19:01, Noel Kuntze wrote:
Hello Gilad,
If you have several users, using PSKs is suicidal, as any person with the PSK
can now act as a server and get your client's data. I hope you are aware of
that.
For mschapv2, the server needs a valid x509 certificate of a trusted CA.
You cannot get around certificates, if you want to make it in any way
secure.
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 23.04.2015 at 21:24, gilad wrote:
Hi,
Thanks for the reference. It does support PSK for L2TP connections (which
does not work as well). I would like to set up Strongswan with eap-mschapv2
authentication (which is supported on Windows) - but I am trying to avoid
having the users install a certificate. Most of the users are not
technical and we don't want to force them to install anything. In addition,
we cannot sign a certificate for the host name since our VPN servers are
using dynamic DNS based on load balancing.
-Gilad
On 2015-04-23 15:13, Noel Kuntze wrote:
Hello Gilad,
That's because Windows does not support PSK authentication[1].
[1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 23.04.2015 at 21:04, gilad wrote:
>>> I'm trying to set up Strongswan for both iOS devices and Windows machines. I
>>> would like to use PSK and/or passwords and not have the user install any
>>> certificate on his side.
>>>
>>> I've set up 2 types of connections: one using IKEv2 and one using
>>> IKEv1+XAuth. Both work well with iOS devices and PSK setup.
>>>
>>> The problem starts when I try to connect from a Windows machine. I was not
>>> able yet to set up Strongswan to accept connections from Windows without using
>>> a certificate. When using IKEv2 - Windows does not even offer an option to
>>> enter PSK.
>>>
>>> -Gilad
>>>
>>>
>>>
>>> Apr 23 14:43:46 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux
3.13.0-43-generic, x86_64)
>>> Apr 23 14:43:46 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>> Apr 23 14:43:46 00[CFG] loaded ca certificate "C=AU, ST=Some-State, O=Internet
Widgits Pty Ltd" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
>>> Apr 23 14:43:46 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>> Apr 23 14:43:46 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
>>> Apr 23 14:43:46 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
>>> Apr 23 14:43:46 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>> Apr 23 14:43:46 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>> Apr 23 14:43:47 00[CFG] loaded RSA private key from
'/etc/ipsec.d/private/strongswanKey.pem'
>>> Apr 23 14:43:47 00[CFG] loaded IKE secret for %any
>>> Apr 23 14:43:47 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4
md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
socket-default connmark farp stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls
eap-ttls xauth-generic
>>> Apr 23 14:43:47 00[JOB] spawning 16 worker threads
>>> Apr 23 14:43:47 10[CFG] received stroke: add connection 'ios8'
>>> Apr 23 14:43:47 10[CFG] conn ios8
>>> Apr 23 14:43:47 10[CFG] left=%any
>>> Apr 23 14:43:47 10[CFG] leftsubnet=0.0.0.0/0
>>> Apr 23 14:43:47 10[CFG] leftauth=psk
>>> Apr 23 14:43:47 10[CFG] leftid=vpn.hola.org
>>> Apr 23 14:43:47 10[CFG] right=%any
>>> Apr 23 14:43:47 10[CFG] rightsourceip=10.0.0.0/15
>>> Apr 23 14:43:47 10[CFG] rightdns=8.8.8.8,8.8.4.4
>>> Apr 23 14:43:47 10[CFG] rightauth=eap-mschapv2
>>> Apr 23 14:43:47 10[CFG] eap_identity=%any
>>> Apr 23 14:43:47 10[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
>>> Apr 23 14:43:47 10[CFG] esp=aes128-sha1,3des-sha1
>>> Apr 23 14:43:47 10[CFG] dpddelay=30
>>> Apr 23 14:43:47 10[CFG] dpdtimeout=150
>>> Apr 23 14:43:47 10[CFG] dpdaction=1
>>> Apr 23 14:43:47 10[CFG] mediation=no
>>> Apr 23 14:43:47 10[CFG] keyexchange=ikev2
>>> Apr 23 14:43:47 10[CFG] left nor right host is our side, assuming left=local
>>> Apr 23 14:43:47 10[CFG] adding virtual IP address pool 10.0.0.0/15
>>> Apr 23 14:43:47 10[CFG] added configuration 'ios8'
>>> Apr 23 14:43:47 12[CFG] received stroke: add connection 'ios7'
>>> Apr 23 14:43:47 12[CFG] conn ios7
>>> Apr 23 14:43:47 12[CFG] left=%any
>>> Apr 23 14:43:47 12[CFG] leftsubnet=0.0.0.0/0
>>> Apr 23 14:43:47 12[CFG] leftauth=psk
>>> Apr 23 14:43:47 12[CFG] right=%any
>>> Apr 23 14:43:47 12[CFG] rightsourceip=10.0.0.0/15
>>> Apr 23 14:43:47 12[CFG] rightdns=8.8.8.8,8.8.4.4
>>> Apr 23 14:43:47 12[CFG] rightauth=psk
>>> Apr 23 14:43:47 12[CFG] rightauth2=xauth-generic
>>> Apr 23 14:43:47 12[CFG] eap_identity=%any
>>> Apr 23 14:43:47 12[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
>>> Apr 23 14:43:47 12[CFG] esp=aes128-sha1,3des-sha1
>>> Apr 23 14:43:47 12[CFG] dpddelay=30
>>> Apr 23 14:43:47 12[CFG] dpdtimeout=150
>>> Apr 23 14:43:47 12[CFG] dpdaction=1
>>> Apr 23 14:43:47 12[CFG] mediation=no
>>> Apr 23 14:43:47 12[CFG] keyexchange=ikev1
>>> Apr 23 14:43:47 12[CFG] left nor right host is our side, assuming left=local
>>> Apr 23 14:43:47 12[CFG] reusing virtual IP address pool 10.0.0.0/15
>>> Apr 23 14:43:47 12[CFG] added configuration 'ios7'
>>> Apr 23 14:45:16 14[NET] <1> received packet: from 52.8.76.87[500] to
104.236.254.145[500] (880 bytes)
>>> Apr 23 14:45:16 14[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>>> Apr 23 14:45:16 14[CFG] <1> looking for an ike config for
104.236.254.145...52.8.76.87
>>> Apr 23 14:45:16 14[CFG] <1> candidate: %any...%any, prio 28
>>> Apr 23 14:45:16 14[CFG] <1> found matching ike config: %any...%any with
prio 28
>>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID:
1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
>>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID:
fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
>>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID:
26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
>>> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>>> Apr 23 14:45:16 14[IKE] <1> 52.8.76.87 is initiating an IKE_SA
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable DIFFIE_HELLMAN_GROUP found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable DIFFIE_HELLMAN_GROUP found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
>>> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
>>> Apr 23 14:45:16 14[CFG] <1> proposal matches
>>> Apr 23 14:45:16 14[CFG] <1> received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
>>> Apr 23 14:45:16 14[CFG] <1> configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>>> Apr 23 14:45:16 14[CFG] <1> selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>> Apr 23 14:45:16 14[IKE] <1> remote host is behind NAT
>>> Apr 23 14:45:16 14[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>>> Apr 23 14:45:16 14[NET] <1> sending packet: from 104.236.254.145[500] to
52.8.76.87[500] (308 bytes)
>>> Apr 23 14:45:16 15[NET] <1> received packet: from 52.8.76.87[4500] to
104.236.254.145[4500] (676 bytes)
>>> Apr 23 14:45:16 15[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ
N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>>> Apr 23 14:45:16 15[IKE] <1> received 12 cert requests for an unknown ca
>>> Apr 23 14:45:16 15[CFG] <1> looking for peer configs matching
104.236.254.145[%any]...52.8.76.87[172.31.18.184]
>>> Apr 23 14:45:16 15[CFG] <1> candidate "ios8", match: 1/1/28 (me/other/ike)
>>> Apr 23 14:45:16 15[CFG] <ios8|1> selected peer config 'ios8'
>>> Apr 23 14:45:16 15[IKE] <ios8|1> initiating EAP_IDENTITY method (id 0x00)
>>> Apr 23 14:45:16 15[IKE] <ios8|1> peer supports MOBIKE
>>> Apr 23 14:45:16 15[IKE] <ios8|1> authentication of 'vpn.hola.org' (myself)
with pre-shared key
>>> Apr 23 14:45:16 15[ENC] <ios8|1> generating IKE_AUTH response 1 [ IDr AUTH
EAP/REQ/ID ]
>>> Apr 23 14:45:16 15[NET] <ios8|1> sending packet: from 104.236.254.145[4500]
to 52.8.76.87[4500] (116 bytes)
>>> Apr 23 14:45:46 16[JOB] <ios8|1> deleting half open IKE_SA after timeout
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://lists.strongswan.org/mailman/listinfo/users
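Added example, not part of the original thread and not strongSwan code: a small charon log check that surfaces the two things visible in the log quoted above, namely the weak IKE proposal that was selected and the stall after the client sent CERTREQ while the server authenticated itself with a pre-shared key (the situation the reply about server certificates describes). The names `SAMPLE_LOG`, `WEAK` and `diagnose` are this example's own, and the set of transforms treated as weak is an assumed policy.

```python
import re

# Sample lines excerpted and unwrapped from the charon log quoted in this thread.
SAMPLE_LOG = """\
Apr 23 14:45:16 14[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 23 14:45:16 15[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Apr 23 14:45:16 15[CFG] <ios8|1> selected peer config 'ios8'
Apr 23 14:45:16 15[IKE] <ios8|1> authentication of 'vpn.hola.org' (myself) with pre-shared key
Apr 23 14:45:16 15[ENC] <ios8|1> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Apr 23 14:45:46 16[JOB] <ios8|1> deleting half open IKE_SA after timeout
"""

# Assumption (this example's policy, not strongSwan's): transforms treated as weak.
WEAK = {"3DES_CBC", "MODP_1024", "HMAC_MD5_96", "PRF_HMAC_MD5"}

# Matches "14[CFG] <1> msg" and "15[IKE] <ios8|1> msg"; captures the IKE_SA number.
LINE = re.compile(r"\d+\[[A-Z]{3}\] <(?:[^|>]+\|)?(?P<sa>\d+)> (?P<msg>.*)")


def diagnose(log_text):
    """Return {ike_sa_id: [findings]} for each IKE_SA seen in a charon log."""
    state, findings = {}, {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        sa, msg = m["sa"], m["msg"]
        st = state.setdefault(sa, {"certreq": False, "psk": False})
        out = findings.setdefault(sa, [])
        if msg.startswith("selected proposal: IKE:"):
            transforms = msg.split("IKE:", 1)[1].split("/")
            weak = sorted(WEAK.intersection(transforms))
            if weak:
                out.append("weak transforms negotiated: " + ", ".join(weak))
        elif msg.startswith("parsed IKE_AUTH request") and "CERTREQ" in msg.split():
            st["certreq"] = True   # client asked the server for a certificate
        elif "(myself) with pre-shared key" in msg:
            st["psk"] = True       # server authenticated itself with a PSK instead
        elif msg.startswith("deleting half open IKE_SA") and st["certreq"] and st["psk"]:
            out.append("client sent CERTREQ, server answered with PSK, "
                       "client went silent: server certificate expected")
    return findings


if __name__ == "__main__":
    for sa, items in diagnose(SAMPLE_LOG).items():
        for item in items:
            print(f"IKE_SA {sa}: {item}")
```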