On Wed, Mar 01, 2023 at 04:53:00PM +0000, Stuart Henderson wrote:
> [from misc]
> > > I don't see that in the iked.conf manual. There is some reference to not
> > > using psk in /etc/examples/iked.conf but it's not clear whether that's
> > > because of the need to share a single psk with all endpoints connecting
> > > via the same iked.conf configuration line (certainly a problem when
> > > you have multiple users from unknown IPs but perhaps not if used for
> > > separately-configured lan-to-lan tunnels with strong randomly generated
> > > psks) or whether it's something else.
> >
> > We should probably remove that comment.
> >
> > I think there is actually no reason to avoid PSK in IKEv2 if both endpoints
> > are trusted. Of course it doesn't scale well and all security considerations
> > for shared WiFi passwords apply here as well, but there isn't an obvious
> > weakness like the plain text passphrase being sent over the network.
> > Expecting people to generate X509 certificates for simple peer-to-peer
> > setups seems a lot worse.
>
> How about this? Show a strong psk in the example, plus the existing
> "win7" config is a bit strange, using 'config address' to set a fixed
> single address while tunnelling a subnet, so I've replaced it with a
> config that is probably more common in real life where the tunnel is
> used for all traffic (which is a bit more tricky to configure if
> you're new to this).
Definitely better than what we had before. Thanks!

> > > Index: iked.conf > =================================================================== > RCS file: /cvs/src/etc/examples/iked.conf,v > retrieving revision 1.1 > diff -u -p -r1.1 iked.conf > --- iked.conf 11 Jul 2014 21:20:10 -0000 1.1 > +++ iked.conf 1 Mar 2023 16:50:12 -0000 > @@ -6,13 +6,14 @@ > #user "user1" "password123" > #user "user2" "password456" > > -# Configuration for clients connecting with EAP authentication. > +# Configuration for clients connecting with EAP authentication > +# and sending all traffic over the IKEv2 tunnel. > # Remember to set up a PKI, see ikectl(8) for more information. > -#ikev2 "win7" passive esp \ > -# from 10.1.0.0/24 to 10.2.0.0/24 \ > +#ikev2 "eapclient" passive esp \ > +# from any to dynamic \ > # local any peer any \ > # eap "mschap-v2" \ > -# config address 10.2.0.1 \ > +# config address 10.2.0.0/24 \ > # config name-server 10.1.0.2 \ > # tag "$name-$id" > > @@ -22,4 +23,4 @@ > # from 10.5.0.0/24 to 10.1.0.0/24 \ > # from 10.5.0.0/24 to 172.16.1.0/24 \ > # local 192.168.1.1 peer 192.168.2.1 \ > -# psk "you-should-not-use-psk-authentication!" > +# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA" >
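Review bot: in the first hunk, the rewritten comment on the "eapclient" block says all traffic now goes over the tunnel but does not explain how `from any to dynamic` and `config address 10.2.0.0/24` fit together, which the covering message itself calls tricky for newcomers; a one-line comment such as `# clients are assigned an address from 10.2.0.0/24; 'dynamic' matches that address` (wording per iked.conf(5)) would make the example self-explanatory.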
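Review bot: in the second hunk, a literal `psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"` shipped in /etc/examples is likely to be pasted verbatim into real configurations, which defeats the purpose of showing a strong key; add a comment above it, e.g. `# generate a unique random key for each tunnel; do not reuse this one`, so readers know the value itself is not the point.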
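The thread's position is that a strong, randomly generated PSK is fine for separately configured lan-to-lan tunnels, and the patch replaces the old placeholder with such a key. As an added example (not part of this thread or of OpenBSD's iked), here is a small POSIX sh helper that generates a PSK with the same length and alphabet as the new example and sanity-checks a candidate, rejecting the old example's placeholder string. It assumes /dev/urandom, tr, grep and head are available.

```shell
#!/bin/sh
# Added example, not part of the thread: generate a random PSK for an
# iked.conf lan-to-lan tunnel and sanity-check a candidate before use.
# Assumes /dev/urandom plus tr, grep and head from a POSIX-style userland.

# gen_psk [LEN]: print LEN (default 50) random characters from A-Za-z0-9,
# the same alphabet and length as the key in the proposed example.
gen_psk() {
    len=${1:-50}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    printf '\n'
}

# check_psk PSK: return 0 if PSK looks like a strong random secret,
# otherwise print the reason and return 1. The checks are heuristics:
# a minimum length, no obvious placeholder or dictionary text, and at
# least three character classes (so all-lowercase or all-digit strings fail).
check_psk() {
    psk=$1
    len=${#psk}
    if [ "$len" -lt 32 ]; then
        echo "reject: only $len chars, want at least 32"
        return 1
    fi
    case $psk in
        *you-should-not-use*|*password*|*secret*|*changeme*)
            echo "reject: contains placeholder or dictionary text"
            return 1 ;;
    esac
    classes=0
    for pattern in '[a-z]' '[A-Z]' '[0-9]' '[^A-Za-z0-9]'; do
        if printf '%s' "$psk" | grep -q "$pattern"; then
            classes=$((classes + 1))
        fi
    done
    if [ "$classes" -lt 3 ]; then
        echo "reject: only $classes character classes, want at least 3"
        return 1
    fi
    echo "ok: $len chars, $classes character classes"
    return 0
}
```

Run `gen_psk` once per tunnel and paste the output into that tunnel's `psk` line; `check_psk` is useful as a pre-commit check on an iked.conf you are about to deploy.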