Hi! So, as you have a BB device, you can find a good how-to on crackberry.com for a PSK-based IPv4 VPN with strongSwan. That how-to is about the Amazon service, not a Raspberry device, but you can transfer it with ease. I tested it and it definitely works. Another thing you should keep in mind: BB OS 10.3.0 and higher uses IPv6 for its services, so simple IPv4 shuts down everything from BBM voice to BB Link and Blend. So, you have 2 ways: 1) you can stay on OS 10.2 and you'll be ready to use everything with IPv4, or 2) you must expand the VPN to IPv6 for OS 10.3.

Regards,
Yuri

----- Original Message -----
From: "Tobias Brunner" <[email protected]>
To: "Christian Klugesherz" <[email protected]>
Cc: <[email protected]>
Sent: July 19, 2016, 16:21
Subject: Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

> Hi Christian,
>
> > Nevertheless, by removing: `eap_identity` I got the same result.
>
> You might need it, but that depends on the client.
>
> > On basis, I wanted to use StrongSwan as simple as possible without
> > certificates CA.
>
> That probably won't work as authenticating clients with EAP requires
> authenticating the server with a certificate to be standard-compliant
> (RFC 7296, section 2.16). strongSwan can be configured to combine EAP
> with PSK authentication. But that's not recommended, as anybody knowing
> it could impersonate the server, and most other implementations probably
> don't support this combination. Using EAP-only authentication is also
> possible, if supported by the peer, but that calls for a strong mutual
> EAP method like EAP-TLS (EAP-MSCHAPv2 is not one).
>
> > Does that mean that in any case, you have to set-up a CA in order to
> > use strongSwan ?
> > Even with a VPN IKEv2 with preshared Key ?
>
> No. If the client supports it you could, of course, use plain PSK
> authentication (i.e. without EAP). Even though it's not recommended for
> larger roadwarrior deployments (again, anybody knowing the PSK could
> impersonate the server).
>
> Setting up a simple PKI (one CA certificate, one server certificate) is
> quite easy (see previous link). You could also use a free certificate
> from Let's Encrypt or StartSSL, which your client might already trust,
> which would relieve you from having to install your own CA certificate
> on the clients.
>
> Regards,
> Tobias
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
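
The two server-side options discussed in the quoted reply, plain IKEv2 PSK without EAP and a certificate-authenticated server with EAP clients, sketched side by side as an added example that is not part of the original thread or any poster's configuration. It uses the legacy `ipsec.conf` / `ipsec.secrets` format that `eap_identity` belongs to; the connection names, `vpn.example.org`, the address pool, file names, user name and secrets are constructed placeholders.

```conf
# ---- /etc/ipsec.conf (use ONE of the two conn sections) ----

# Option A: plain IKEv2 PSK, no EAP, no CA.
# Every holder of the PSK can also pose as the server, so keep this
# to a single user or a very small, trusted group of devices.
conn rw-psk
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.org        # placeholder server identity
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightsourceip=10.10.10.0/24    # placeholder virtual IP pool
    auto=add

# Option B: server proves itself with a certificate, clients use EAP.
# This is the combination RFC 7296, section 2.16 expects for EAP.
conn rw-eap
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.org        # must match the certificate's subjectAltName
    leftauth=pubkey
    leftcert=serverCert.pem        # placeholder file name
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity         # ask the client for its EAP identity
    rightsourceip=10.10.10.0/24    # placeholder virtual IP pool
    auto=add

# ---- /etc/ipsec.secrets ----

# Option A: one shared secret for all peers (placeholder value).
: PSK "replace-with-a-long-random-secret"

# Option B: server private key plus one EAP credential per user.
: RSA serverKey.pem
bb10-user : EAP "replace-with-a-per-user-password"
```

With option B a leaked user password exposes only that account, while with option A a leaked PSK lets its holder impersonate the server to every other client.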
