3

I have the following problem: I need to authenticate to a VPN from iOS without a password, using a certificate only. The reason is that I need "VPN on demand", which is active with certificate authentication only.

I found this tutorial, but it uses certificate+password authentication, and I need certificate only. I've been trying to remove XAuth authentication from the config, but I failed.

Alex Petrov

2 Answers

4

The iPhone VPN client does not allow a configuration without XAuth (at least not in the graphical configuration interface). Luckily, it doesn't mind if the VPN gateway simply concludes the expected XAuth exchange without actually requesting any user credentials. I recently created a patch for strongSwan 5.0.2 that adds a plugin that lets you configure this kind of XAuth "authentication". With the patch applied you can configure

leftauth=rsa
rightauth=rsa
rightauth2=xauth-noauth

in ipsec.conf to essentially use only RSA authentication.

Update: The xauth-noauth plugin has been released with strongSwan 5.0.3.

ecdsa
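An added example, not part of the answer above and not strongSwan code: a small Python audit that reads an ipsec.conf and lists every conn whose second client round is `xauth-noauth`, separating certificate-only conns from ones whose first round is not a public-key method. The conn names and the sample config are constructed, and the parser only handles `conn` sections and `conn %default` (not `also=` or `include`).

```python
import re

PUBKEY = {"pubkey", "rsa", "ecdsa"}  # public-key values accepted for rightauth

# Constructed sample config; conn names are hypothetical.
SAMPLE = """\
conn %default
    keyexchange=ikev1
    leftauth=rsa

conn ios-cert-only
    rightauth=rsa
    rightauth2=xauth-noauth

conn ios-psk
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-noauth

conn ios-password
    rightauth=rsa
    rightauth2=xauth
"""

def parse_conns(text):
    """Return {conn name: settings}, with conn %default applied to every conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[:1].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        elif line:
            current = None                     # other section types are ignored
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def audit(text):
    report = {}
    for name, opts in parse_conns(text).items():
        if opts.get("rightauth2") == "xauth-noauth":
            # xauth-noauth asks for no credentials, so round one is the only check
            ok = opts.get("rightauth") in PUBKEY
            report[name] = "cert-only" if ok else "review"
    return report

print(audit(SAMPLE))
```

A conn reported as `review` has no per-user credential at all, and for `cert-only` conns access is removed by revoking the client certificate.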
1

This question has some insight into what you are asking. I think by default the VPN configurations that iPhones support require some type of user authentication, or a token in the case of L2TP and PPTP (RSA SecurID). For an IPsec connection, which is described in the strongSwan documentation you included in your link, you can enter the correct password and username when the VPN configuration is set up on the device, so that you will only have to enable or disable the VPN, and the user shouldn't see any prompts for a password when they turn on the VPN unless there is a problem with the VPN configuration. This Apple support page has some general information and links to some other pages that describe setup for VPN on iOS. I added another thread too that implies it might be a configuration that you need to set on the server so that users can save their passwords on the device and won't be prompted. This is an email thread I came across in the archives for the strongSwan list regarding issues with password prompting on iOS 5 on an iPhone 4, which could also be useful. Hope this helps some.

dudebrobro
  • Thanks. But what's exactly your answer? – Alex Petrov Feb 06 '13 at 14:37
  • I'm suggesting mainly that you configure the iOS client with the certificate and password credentials (from what I can see, I don't see many options that disable some other form of authentication in addition to having the certificate). Setting the password and username for XAuth, for example if the iOS device is an iPhone, should be sufficient to prevent having the user authenticate each time they enable the VPN. The links are mainly there as references – dudebrobro Feb 06 '13 at 15:16