Hi,

the IKEv2 encryption effectively protects the weak EAP-MSCHAPv2 challenge/protocol so you could call this mode "secure". But please be aware that if the user authentication does not take place on the VPN gateway itself but on a separate AAA server, then EAP-MSCHAPv2 is only marginally protected by the RADIUS protocol run between VPN and AAA server. In that case better use MSCHAPv2 within EAP-TTLS (supported since Windows 8) or EAP-PEAP (supported since Windows 7) because then the authentication is protected end-to-end, all the way between VPN client and AAA server.

Regards

Andreas

On 24.06.2016 03:31, Artyom Aleksyuk wrote:
> Hello.
>
> Currently I'm using X.509 client certs with my own CA. To make things simpler, I'm going to move to a password-based authentication. As I understand, the only EAP method that works with both strongSwan Android and Windows 8 is EAP-MSCHAPv2. I've heard that this EAP method was broken (for example, https://technet.microsoft.com/en-us/library/security/2743314.aspx). However, this article mentions PPTP, not IKEv2. So, should I avoid EAP-MSCHAPv2 in IKEv2, or can it still be considered secure?
>
> The second question is: is it possible to use Let's Encrypt-generated certs together with strongSwan?
======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
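
Added example, not part of the original thread: RADIUS carries EAP-Message attributes unencrypted, so this sketch parses two constructed Access-Request packets to show which EAP fields are readable on the gateway-to-AAA leg for bare EAP-MSCHAPv2 versus EAP-TTLS. All function names, the user name "alice" and every byte value are assumptions made up for illustration.

```python
import struct

EAP_METHODS = {21: "EAP-TTLS", 25: "EAP-PEAP", 26: "EAP-MSCHAPv2"}

def radius_attrs(packet):
    """Yield (type, value) for each attribute in a RADIUS packet (RFC 2865)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    pos = 20  # 4-byte header plus 16-byte Authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def visible_on_radius_leg(packet):
    """Return the EAP fields readable between VPN gateway and AAA server."""
    # EAP-Message attributes (type 79) concatenate into one EAP packet (RFC 3579).
    eap = b"".join(v for t, v in radius_attrs(packet) if t == 79)
    if len(eap) < 5:
        return {"method": None}
    seen = {"method": EAP_METHODS.get(eap[4], "EAP type %d" % eap[4])}
    # MSCHAPv2 Response: OpCode 2, Value-Size 49 = peer challenge(16),
    # reserved(8), NT-Response(24), flags(1), followed by the user name.
    if eap[4] == 26 and len(eap) >= 59 and eap[5] == 2 and eap[9] == 49:
        seen["peer_challenge"] = eap[10:26].hex()
        seen["nt_response"] = eap[34:58].hex()
        seen["name"] = eap[59:].decode("utf-8", "replace")
    return seen

def build_access_request(eap):
    """Constructed Access-Request: zeroed authenticators, one EAP-Message."""
    attrs = bytes([1, 11]) + b"anonymous" + bytes([79, 2 + len(eap)]) + eap
    attrs += bytes([80, 18]) + bytes(16)  # Message-Authenticator placeholder
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

def eap_response(method, data):
    """Wrap method data in an EAP-Response header (code 2, identifier 1)."""
    return struct.pack("!BBHB", 2, 1, 5 + len(data), method) + data

# Constructed sample values, not captured traffic.
_value = bytes(range(16)) + bytes(8) + bytes(range(100, 124)) + b"\x00"
_ms = struct.pack("!BBHB", 2, 1, 5 + len(_value) + 5, 49) + _value + b"alice"
MSCHAP_REQ = build_access_request(eap_response(26, _ms))
TTLS_REQ = build_access_request(eap_response(21, b"\x00\x17\x03\x03\x00\x10" + bytes(16)))

if __name__ == "__main__":
    for req in (MSCHAP_REQ, TTLS_REQ):
        print(visible_on_radius_leg(req))
```

With the tunnelled method the parser can only name the outer EAP type; the inner MSCHAPv2 exchange sits inside TLS records that terminate on the AAA server.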
