EAP password prompt in strongSwan

Tags: ipsec, networking, strongswan, vpn

I'm trying to set up a host-host configuration using strongSwan. I did manage to set it up using certificates and now I wish to set it up using certificates + EAP authentication.

I mixed this configuration with my previous certificate configuration and connected successfully. However, this configuration requires that the client save the password locally. I must say that I don't understand why I should use a password instead of a certificate if it's saved locally anyway. What I want is to use 2-factor authentication – clients without a valid certificate should not be able to authenticate even if they know the password, and clients with a valid certificate should be prompted for a password when trying to connect. If I understand correctly, my options are:

  1. Use NetworkManager which can prompt for a password
  2. Use md5-id-prompt

I don't want to be bound to NetworkManager if I don't have to.
The second option didn't work as the ipsec stroke command on my machine doesn't have a user-creds subcommand. This might be because I use strongSwan 4.x. Even if it did work, there are two major problems with this:

  1. The password has to be entered on the command line instead of being interactively prompted for by ipsec, which is a bad security practice.
  2. If I understand correctly, once the password is entered the ipsec daemon will remember it until it's restarted, instead of prompting for it on each connection.

Is there any way to accomplish my goal without using NetworkManager?

Best Answer

Is there any way to accomplish my goal without using NetworkManager?

Definitely not with strongSwan 4.x. In newer releases (since 5.1.0) you could use charon-cmd, which is a simple command line IKE client that will prompt you for EAP passwords.

The password has to be entered on the command line instead of being interactively prompted for by ipsec, which is a bad security practice.

The rw-eap-md5-id-prompt example is an automated test case, so naturally the password is provided directly on the command line when calling ipsec stroke user-creds. But if you don't do that you will be prompted for it interactively.

If I understand correctly, once the password was entered the ipsec daemon will remember it until it's restarted, instead of prompting for it in each connection.

Yes, that's correct. The username and password are cached until the daemon is restarted.
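The setup the question asks for, as an added example that is not part of the original thread: a strongSwan 5.1+ responder configuration that requires a client certificate in the first authentication round and an EAP password in the second, plus the charon-cmd invocation that prompts for that password interactively. Hostnames, identities, file names and the EAP secret are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. strongSwan >= 5.1.0.
# All names, paths and the password below are assumed placeholders.

CONFDIR="${IPSEC_CONFDIR:-/etc}"   # where ipsec.conf/ipsec.secrets live

# Responder side: rightauth=pubkey makes the client certificate mandatory;
# rightauth2=eap-md5 adds a second, password-based round (RFC 4739 multiple
# authentication). A peer without a valid certificate never reaches the EAP
# round, and a peer with a certificate but the wrong password is rejected.
write_responder_config() {
    cat > "$CONFDIR/ipsec.conf" <<'EOF'
config setup

conn rw-cert-eap
    left=%any
    leftcert=serverCert.pem
    leftid=@vpn.example.org
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    rightauth2=eap-md5
    auto=add
EOF
    # Server private key plus the per-user EAP secret (assumed values).
    cat > "$CONFDIR/ipsec.secrets" <<'EOF'
: RSA serverKey.pem
alice@example.org : EAP "CHANGE-ME-assumed-password"
EOF
    chmod 600 "$CONFDIR/ipsec.secrets"
}

# Initiator side: charon-cmd with the ikev2-pub-eap profile authenticates
# with the certificate first, then runs EAP and asks for the password on the
# terminal. Nothing is stored in ipsec.secrets and nothing survives the run,
# unlike the cached credentials of 'ipsec stroke user-creds'.
# The CA certificate is passed with a second --cert so the server can be verified.
client_command() {
    printf '%s\n' "charon-cmd --host vpn.example.org \
  --identity alice@example.org --remote-identity vpn.example.org \
  --cert /etc/ipsec.d/certs/aliceCert.pem \
  --key /etc/ipsec.d/private/aliceKey.pem \
  --cert /etc/ipsec.d/cacerts/caCert.pem \
  --profile ikev2-pub-eap"
}
```

Run `write_responder_config` on the gateway (as root, with CONFDIR pointing at /etc) and `ipsec reload`, then run the printed charon-cmd line on the client; it exits when the connection is torn down, so each connection prompts afresh.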