Hi Tobias,

Many thanks for your help. I'm sorry to consume your time. (I'm not an IPsec expert, even though I've now spent weeks reading docs.) I must confess that it is really, really difficult to integrate all this information: configuration files, CA, different SAs, device, ... So many possibilities that I'm a bit lost :-( And I'm close to giving up..
Does that mean that, with the configuration set up on my BB10, I have to change it now in order to integrate the CA (see below)?

CA created with
-------------------------
$ sudo ipsec pki --gen --type rsa --size 4096 --outform pem > CAKey.pem
$ sudo cp CAKey.pem /etc/ipsec.d/private
$ sudo ipsec pki --self --ca --lifetime 3650 --in CAKey.pem --type rsa --dn "C=DE, O=Home Network, CN=Root CA" --outform pem > CACert.pem
$ sudo cp CACert.pem /etc/ipsec.d/cacerts/
$ sudo ipsec pki --gen --type rsa --size 2048 --outform pem > VPNHostKey.pem
$ sudo cp VPNHostKey.pem /etc/ipsec.d/private/
$ sudo ipsec pki --pub --in VPNHostKey.pem --type rsa | ipsec pki --issue --lifetime 3650 --cacert CACert.pem --cakey CAKey.pem --dn "C=DE, O=Home VPN, CN=ckl.freeboxos.fr" --san ckl.freeboxos.fr --flag serverAuth --flag ikeIntermediate --outform pem > VPNHostCert.pem

Configuration on my BB10:
Profile Name : home
Server Address : 78.229.20.105
Gateway Type : Generic IKEv2 VPN Server
Authentication Type : EAP-MSCHAPv2
Authentication ID Type : email
ID Authentication : alice (not used, can be anything)
MSCHAPv2 EAP Identity : alice (not used, can be anything)
MSCHAPv2 Username : alice (--> username in ipsec.secrets)
MSCHAPv2 Password : alicep (--> alice's password in ipsec.secrets)
Gateway Auth Type : PSK
Gateway Auth ID Type : IPv4
Gateway Preshared Key : 123456# (--> PSK password in ipsec.secrets)

Regards
Christian

2016-07-19 15:21 GMT+02:00 Tobias Brunner <[email protected]>:
> Hi Christian,
>
>> Nevertheless, by removing `eap_identity` I got the same result.
>
> You might need it, but that depends on the client.
>
>> Basically, I wanted to use strongSwan as simply as possible, without
>> a certificate CA.
>
> That probably won't work, as authenticating clients with EAP requires
> authenticating the server with a certificate to be standard-compliant
> (RFC 7296, section 2.16). strongSwan can be configured to combine EAP
> with PSK authentication. But that's not recommended, as anybody knowing
> it could impersonate the server, and most other implementations probably
> don't support this combination. Using EAP-only authentication is also
> possible, if supported by the peer, but that calls for a strong mutual
> EAP method like EAP-TLS (EAP-MSCHAPv2 is not one).
>
>> Does that mean that in any case you have to set up a CA in order to
>> use strongSwan?
>> Even with an IKEv2 VPN with a preshared key?
>
> No. If the client supports it you could, of course, use plain PSK
> authentication (i.e. without EAP). Even though it's not recommended for
> larger roadwarrior deployments (again, anybody knowing the PSK could
> impersonate the server).
>
> Setting up a simple PKI (one CA certificate, one server certificate) is
> quite easy (see previous link). You could also use a free certificate
> from Let's Encrypt or StartSSL, which your client might already trust,
> which would relieve you from having to install your own CA certificate
> on the clients.
>
> Regards,
> Tobias

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
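As an added example for this thread (written for this page, not strongSwan's code and not code from either poster), the following Python linter reads the `conn` sections of an ipsec.conf and flags the gateway-authentication combinations Tobias describes: EAP client authentication on top of PSK gateway authentication, EAP-only authentication with a method that is not a strong mutual one, and plain PSK. The option names (`leftauth`, `rightauth`, `leftcert`, `eap_identity`, `keyexchange`) are real ipsec.conf keywords; the sample configuration, the conn names and their values are constructed, with the first conn mirroring the BB10 profile in the mail.

```python
"""Lint strongSwan ipsec.conf 'conn' sections for the gateway-authentication
combinations discussed in the thread: EAP client authentication needs a
certificate on the gateway side to be RFC 7296 compliant, PSK + EAP lets
anyone who knows the PSK impersonate the gateway, and EAP-only needs a strong
mutual method such as EAP-TLS.  Example written for this page; it is not part
of strongSwan.  The keywords are real ipsec.conf options; the sample conns and
their values are constructed."""

# EAP methods the thread names as strong enough for EAP-only authentication.
STRONG_MUTUAL_EAP = {"eap-tls"}

# Constructed ipsec.conf sample: the first conn mirrors the BB10 profile in the
# mail (EAP-MSCHAPv2 client, PSK gateway), the second is the certificate-based
# setup the reply recommends, then an EAP-only conn and a plain-PSK conn.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=no

conn %default
    keyexchange=ikev2

conn bb10-psk-eap
    left=%any
    leftauth=psk
    leftid=78.229.20.105
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add

conn roadwarrior-cert
    leftcert=VPNHostCert.pem
    leftid=@ckl.freeboxos.fr
    leftauth=pubkey
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add

conn eap-only-mschap
    leftauth=eap-mschapv2
    rightauth=eap-mschapv2
    auto=add

conn plain-psk
    leftauth=psk
    rightauth=psk
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {option: value}} with 'conn %default' folded in.

    Only 'conn' sections are collected; 'config setup' and 'ca' sections are
    skipped.  Anything after a '#' on a line is treated as a comment.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header at column 0
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] == "conn":
                current = parts[1].strip()
                sections[current] = {}
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}


def assess_conn(name, opts):
    """Classify one conn as ('ok' | 'warn' | 'bad', reason) from the gateway's
    (left) and the client's (right) authentication methods."""
    left = opts.get("leftauth", "pubkey")   # strongSwan's default is authby=pubkey
    right = opts.get("rightauth", "pubkey")
    client_eap = right.startswith("eap")

    if client_eap and left == "psk":
        return ("bad", f"{name}: EAP client auth combined with PSK gateway auth; "
                "anyone who knows the PSK can impersonate the gateway and the "
                "combination is not RFC 7296 compliant")
    if client_eap and left.startswith("eap"):
        if left in STRONG_MUTUAL_EAP:
            return ("ok", f"{name}: EAP-only authentication with mutual {left}")
        return ("bad", f"{name}: EAP-only authentication with {left}, which is "
                "not a strong mutual EAP method; use EAP-TLS or a gateway certificate")
    if left == "psk":
        return ("warn", f"{name}: plain PSK gateway auth; fine for a small setup, "
                "but anyone who knows the PSK can impersonate the gateway")
    if left == "pubkey" and "leftcert" not in opts:
        return ("warn", f"{name}: gateway uses pubkey auth but no leftcert is set")
    return ("ok", f"{name}: gateway authenticates with certificate {opts['leftcert']}")


def lint_ipsec_conf(text):
    """Run assess_conn over every conn in an ipsec.conf text."""
    return {name: assess_conn(name, opts)
            for name, opts in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for level, reason in lint_ipsec_conf(SAMPLE_IPSEC_CONF).values():
        print(f"[{level.upper():4}] {reason}")
```

Run directly, it prints one line per conn. The `bb10-psk-eap` conn is flagged because its gateway side is PSK while the client side is EAP-MSCHAPv2; the `roadwarrior-cert` conn shows the shape the reply recommends, with `leftauth=pubkey` and the server certificate issued by the `ipsec pki` commands above as `leftcert`.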
