
List:       strongswan-users
Subject:    [strongSwan] Accounting IPSec connections with RSA authentication
From:       Illia Muzichuk <i.muzichuk () gmail ! com>
Date:       2015-06-14 22:07:22
Message-ID: CAJN7StgXsYYCC5rtRmr1WP0bErONFGXfE80dKN0p=EMUZAOsAw () mail ! gmail ! com


Apple iOS has a "VPN On Demand" function. With this function the VPN
connection is made whenever the device tries to connect to certain domains
or to the internet at all. iOS supports "VPN On Demand" only with
certificate-based authentication.

To provide "VPN On Demand" for iOS users of my office VPN server we are
using the following IPSec solution:

   - Ubuntu 14.04 - the VPN server OS.
   - strongSwan 5.1.2 - IKE daemon.
   - For each peer I am generating an individual private key and issuing a
   matching certificate. The client (iOS IKEv1) authenticates using RSA and Xauth.
   - iPhone and iPad can't use IPSec without Xauth (so-called Cisco IPSec).
   And "VPN On Demand" can't use a VPN profile which requires entering a password,
   but a username/password is usually required by Xauth. To handle this problem
   we are using xauth-noauth - a fake Xauth authenticator which allows any
   username and password. In this case we are using only the client certificate to
   authenticate it.

This solution is working fine for us. But we got a new requirement - set up
several VPN servers with one user database and do accounting of the VPN
usage.

It is common practice for this task to use RADIUS, and strongSwan has a
plugin for it. But strongSwan with IKEv1/Xauth uses the username/password for
authenticating the user on the backend RADIUS server. Username/password is not
used in my solution.

My questions:

   1. How to use RADIUS accounting if Xauth is not using a username/password?
   2. Is it possible to delegate the RSA authentication check to the RADIUS server?

P.S. Most of my iOS clients use iOS 8, which supports IKEv2. There is
EAP-TLS in IKEv2. Can I use EAP-TLS to delegate the RSA authentication check to
the RADIUS server? Or am I digging in the wrong direction with EAP-TLS?

P.S. P.S. My second thought was about the VICI interface of strongSwan. I
supposed I would get notifications about each new IPSec connection, but it looks
like VICI works in a different way.
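As an added illustration (not from the original post and not the poster's actual configuration), the setup described above can be expressed in strongSwan's ipsec.conf and strongswan.conf: an IKEv1 responder whose first client authentication round is the per-device RSA certificate and whose second round is the xauth-noauth plugin, plus the eap-radius plugin's accounting switch. The hostnames, certificate and CA names, the virtual IP pool and the RADIUS secret are placeholders. The eap-radius `accounting` setting and `rightauth2=xauth-noauth` are documented strongSwan 5.x options; that the accounting records are also produced for peers that were not authenticated through RADIUS is an assumption to be checked on the deployed version.

```conf
# ipsec.conf (added example, not from the original post)
# IKEv1 responder for iOS "Cisco IPSec" clients: RSA certificate first,
# then the xauth-noauth plugin, which accepts any username/password.
config setup

conn ios-ikev1-rsa
    keyexchange=ikev1
    aggressive=no
    # Server side: authenticate with the server certificate.
    left=%any
    leftcert=vpnServerCert.pem        # placeholder file in /etc/ipsec.d/certs
    leftid=@vpn.example.com           # placeholder identity
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    # Client side: round 1 is the per-device certificate (the real check),
    # round 2 is XAuth with no credential verification at all.
    right=%any
    rightauth=pubkey
    rightauth2=xauth-noauth
    rightca="C=XX, O=Example, CN=Example VPN CA"   # placeholder CA DN
    rightsourceip=10.10.10.0/24       # placeholder virtual IP pool
    auto=add

# strongswan.conf fragment (added example, not from the original post)
charon {
    plugins {
        eap-radius {
            # Send RADIUS Accounting-Start/Stop records for IKE_SAs.
            # Assumption: records are emitted for certificate-authenticated
            # peers too, with the IKE identity as User-Name; verify on the
            # installed strongSwan version.
            accounting = yes
            servers {
                primary {
                    address = radius.example.com   # placeholder
                    secret = CHANGEME              # placeholder shared secret
                }
            }
        }
    }
}
```

With this split, `rightca` restricts which issuing CA is accepted, so the trust decision rests entirely on the certificate round; xauth-noauth adds nothing to it, which is exactly why accounting has to be keyed on the certificate identity rather than on the Xauth username.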




_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
