[from misc]
> > I don't see that in the iked.conf manual. There is some reference to not
> > using psk in /etc/examples/iked.conf but it's not clear whether that's
> > because of the need to share a single psk with all endpoints connecting
> > via the same iked.conf configuration line (certainly a problem when
> > you have multiple users from unknown IPs but perhaps not if used for
> > separately-configured lan-to-lan tunnels with strong randomly generated
> > psks) or whether it's something else.
>
> We should probably remove that comment.
>
> I think there is actually no reason to avoid PSK in IKEv2 if both endpoints
> are trusted. Of course it doesn't scale well and all security considerations
> for shared WiFi passwords apply here as well, but there isn't an obvious
> weakness like the plain text passphrase being sent over the network.
> Expecting people to generate X509 certificates for simple peer-to-peer setups
> seems a lot worse.
How about this? Show a strong psk in the example, plus the existing "win7" config is a bit strange, using 'config address' to set a fixed single address while tunnelling a subnet, so I've replaced it with a config that is probably more common in real life where the tunnel is used for all traffic (which is a bit more tricky to configure if you're new to this). Index: iked.conf =================================================================== RCS file: /cvs/src/etc/examples/iked.conf,v retrieving revision 1.1 diff -u -p -r1.1 iked.conf --- iked.conf 11 Jul 2014 21:20:10 -0000 1.1 +++ iked.conf 1 Mar 2023 16:50:12 -0000 @@ -6,13 +6,14 @@ #user "user1" "password123" #user "user2" "password456" -# Configuration for clients connecting with EAP authentication. +# Configuration for clients connecting with EAP authentication +# and sending all traffic over the IKEv2 tunnel. # Remember to set up a PKI, see ikectl(8) for more information. -#ikev2 "win7" passive esp \ -# from 10.1.0.0/24 to 10.2.0.0/24 \ +#ikev2 "eapclient" passive esp \ +# from any to dynamic \ # local any peer any \ # eap "mschap-v2" \ -# config address 10.2.0.1 \ +# config address 10.2.0.0/24 \ # config name-server 10.1.0.2 \ # tag "$name-$id" @@ -22,4 +23,4 @@ # from 10.5.0.0/24 to 10.1.0.0/24 \ # from 10.5.0.0/24 to 172.16.1.0/24 \ # local 192.168.1.1 peer 192.168.2.1 \ -# psk "you-should-not-use-psk-authentication!" +# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"
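Review bot: the first hunk turns the "eapclient" example into a full-tunnel setup with an address pool (`from any to dynamic` plus `config address 10.2.0.0/24`), but the comment only says traffic is "sent over the tunnel" and gives no hint that the responder must route or NAT the 10.2.0.0/24 pool for that traffic to get anywhere; since the point of the change is to show the "more common in real life" config that is "tricky to configure if you're new to this", a one-line comment next to `# config address 10.2.0.0/24 \` noting that the gateway also needs a route/pf NAT rule for the pool would save the reader the obvious first mistake. The header `@@ -6,13 +6,14 @@` matches the one added comment line, and `tag "$name-$id"` is correctly left as is.

Review bot: the second hunk replaces the scare-string psk with a literal random value, but nothing tells the reader that the value must not be copied and how to make their own; a comment above `# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"` such as `# generate a random psk, e.g. with "openssl rand -base64 36"` would keep the warning the old string carried without suggesting PSK itself is unsafe, which is exactly the misunderstanding the quoted discussion wants to remove from the example file.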