1

I'm using a Windows 8 client to connect to my new strongSwan VPN, and I don't see the option to do preshared keys with IKEv2? Did they leave this feature out?

Evan Carroll

2 Answers

5

Neither the IKEv2 VPN client in Windows 7 nor the one in Windows 8 supports pre-shared keys for authentication.

The clients support either machine certificates or the Extensible Authentication Protocol (EAP) with methods that use either username/password (EAP-MSCHAPv2), or user certificates (EAP-TLS).

Windows 7 also supports Protected EAP (PEAP), which wraps another EAP method (like EAP-MSCHAPv2) in a TLS tunnel. In addition to that, Windows 8 provides a number of other EAP methods (EAP-TTLS, EAP-AKA, EAP-AKA', EAP-SIM). Both systems also support third-party EAP modules e.g. provided by Cisco (EAP-FAST, EAP-LEAP, EAP-PEAP).

Most of these authentication methods have one thing in common: they require that the server is authenticated with a trusted certificate. That is, you'll have to install the server or CA certificate on the clients. The strongSwan wiki provides a tutorial on setting up a simple PKI (make sure you follow the requirements regarding Windows clients).

ecdsa
  • That's exactly what I was looking for! The client itself doesn't support it for IKEv2? But it supports it for L2TP/IPsec? That doesn't make much sense to me. – Evan Carroll Jul 26 '13 at 02:26
  • @EvanCarroll You have to understand that the IKEv1 (L2TP) and IKEv2 clients in Windows are practically two different products that have not much in common. The IKEv2 client was basically developed from scratch for Windows 7. Also, pre-shared keys are not very commonly used for IKEv2 road-warrior scenarios (at least at a corporate level), where they were, or still are, for IKEv1 (XAuth with PSK is still very common in Cisco environments). – ecdsa Jul 26 '13 at 06:55
  • I didn't understand (prior to you telling me) at all. I was thinking PSK would be /good enough/, or at the very least a stable point in troubleshooting as I got certs up. I'm not very comfortable yet with my understanding of SSL. It has always /just worked/. – Evan Carroll Jul 26 '13 at 07:14
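
An added example (not part of the answers above or of the strongSwan documentation) of what the first answer describes, in legacy `ipsec.conf`/`ipsec.secrets` syntax: a PSK connection that the Windows IKEv2 client cannot use, beside a certificate-plus-EAP-MSCHAPv2 connection that it can. The hostname, file names, address pool, user name and secrets are placeholders.

```conf
# /etc/ipsec.conf (legacy stroke syntax); all names and addresses are placeholders

# Valid for strongSwan peers, but the Windows 7/8 IKEv2 client has no PSK
# option, so it can never authenticate against this connection.
conn ikev2-psk
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.org
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightsourceip=10.10.10.0/24
    auto=add

# Usable from Windows: the server proves its identity with a certificate the
# client trusts, and the user authenticates with EAP-MSCHAPv2 (username/password).
conn ikev2-eap-mschapv2
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.org
    leftauth=pubkey
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsourceip=10.10.10.0/24
    auto=add

# /etc/ipsec.secrets
# : PSK "placeholder-psk"            (only needed by ikev2-psk)
: RSA serverKey.pem
exampleuser : EAP "placeholder-password"
```

The certificate in `serverCert.pem`, or the CA that issued it, is the one that has to be installed on the Windows clients.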
1

Judging by this listing, it's a regression issue with strongSwan and Windows 8. It does mention a potential workaround, but it has security risks. I would personally file a bug and see what the developers say.

Nathan C
  • 1
    The mentioned problem has nothing to do with pre-shared key authentication, but with Windows 8 using the wrong identity, which was actually fixed by Microsoft in the meantime (the fix is included in [KB 2785094](http://support.microsoft.com/kb/2785094) but that is currently not documented). – ecdsa Jul 25 '13 at 22:12
  • @ecdsa It broke IKEv2, which was what the issue was. Thank you for pointing out the hotfix, though. – Nathan C Jul 25 '13 at 22:43