Quoting Wikipedia:
It offers minimal security; the MD5 hash function is vulnerable to dictionary attacks, and does not support key generation, which makes it unsuitable for use with dynamic WEP, or WPA/WPA2 enterprise
However, Wikipedia discusses EAP-MD5 in the context of wireless authentication. If I understand correctly this is not a security risk in strongSwan since the authentication between the client and the server is encrypted. I'm I correct?
Best Answer
Yes, in the context of strongSwan, or more generally IKEv2, the EAP messages are transmitted encrypted in the IKE_AUTH exchanges. Man-in-the-middle attacks are averted by first authenticating the server with certificates using standard IKEv2 authentication. The security considerations in the IKEv2 RFC actually say:
That's the case unless an EAP method with mutual authentication (e.g. EAP-TLS, but not EAP-MD5) is used and the client supports EAP-only authentication.
If the EAP authentication is not terminated on the VPN server but e.g. a separate RADIUS server, one has to consider that the communication between these two is generally not encrypted. To not leak any information there it is also possible to use EAP-MD5 within other EAP methods (e.g. EAP-TTLS or EAP-PEAP), which provide a TLS tunnel within which the EAP-MD5 messages are transported to the authentication server. This also allows the client to authenticate that server, which is not possible with EAP-MD5 alone, as it does not provide mutual authentication. Combining such tunneling EAP methods with simple user authentication is also quite common for the WiFi use case (e.g. EAP-PEAP/EAP-MSCHAPv2).