I use Linux IPSec VPN-server based on strongSwan 5.2.1 with eap-mschapv2 authentication using passwords in ipsec.secrets file.

Now I need to add one more VPN-server for the same users and I want to have a single user/password database on the remote host.

Is it possible to implement external authentication in strongSwan using some kind of script?

I know that it is possible to implement some kind of RADIUS server for this case, but I think there should be a better way to do this.

I also tried to use the ext-auth plugin for this case, but this plugin can access only user IDs, not user passwords.

I'll be grateful for any advice.

Anton
  • My advice is to not use pre-shared keys. Ever. They are not secure against certain advanced persistent threats. – Michael Hampton Feb 27 '15 at 14:48
  • We don't use PSK. We use server certificate verification to avoid MiTM attacks and eap-mschapv2 (user/password) authentication. If you think it is not safe enough, could you explain why? Thanks. – Anton Feb 27 '15 at 17:34
  • OK, your post was not clear about that. – Michael Hampton Feb 27 '15 at 17:56
  • I think you can configure a FreeRADIUS server on your network, then integrate the StrongSwan servers with FreeRADIUS! Something like [this](https://serverfault.com/questions/716552/can-one-use-a-mysql-backend-for-user-authentication-in-a-strongswan-vpn-server) – Ehsan Hedayatpour Jul 06 '17 at 10:11

0 Answers