On 3/1/23 11:53, Stuart Henderson wrote:
> [from misc]
>>> I don't see that in the iked.conf manual. There is some reference to not
>>> using psk in /etc/examples/iked.conf but it's not clear whether that's
>>> because of the need to share a single psk with all endpoints connecting
>>> via the same iked.conf configuration line (certainly a problem when
>>> you have multiple users from unknown IPs but perhaps not if used for
>>> separately-configured lan-to-lan tunnels with strong randomly generated
>>> psks) or whether it's something else.
>> We should probably remove that comment.
>>
>> I think there is actually no reason to avoid PSK in IKEv2 if both endpoints
>> are trusted. Of course it doesn't scale well and all security considerations
>> for shared WiFi passwords apply here as well, but there isn't an obvious
>> weakness like the plain text passphrase being sent over the network.
>> Expecting people to generate X509 certificates for simple peer-to-peer setups
>> seems a lot worse.
> How about this? Show a strong psk in the example, plus the existing
> "win7" config is a bit strange, using 'config address' to set a fixed
> single address while tunnelling a subnet, so I've replaced it with a
> config that is probably more common in real life where the tunnel is
> used for all traffic (which is a bit more tricky to configure if
> you're new to this).
Looks really good, just a bikeshedding question inlined.
>
> Index: iked.conf
> ===================================================================
> RCS file: /cvs/src/etc/examples/iked.conf,v
> retrieving revision 1.1
> diff -u -p -r1.1 iked.conf
> --- iked.conf 11 Jul 2014 21:20:10 -0000 1.1
> +++ iked.conf 1 Mar 2023 16:50:12 -0000
> @@ -6,13 +6,14 @@
> #user "user1" "password123"
> #user "user2" "password456"
>
> -# Configuration for clients connecting with EAP authentication.
> +# Configuration for clients connecting with EAP authentication
> +# and sending all traffic over the IKEv2 tunnel.
> # Remember to set up a PKI, see ikectl(8) for more information.
Is a PKI still needed in this example config? The comment seems to imply
that I need one even with PSK auth.
Like PKI is an alternative, so maybe something like - Setting up a PKI
is an alternative to using a PSK, see ikectl(8) for more information.
> -#ikev2 "win7" passive esp \
> -# from 10.1.0.0/24 to 10.2.0.0/24 \
> +#ikev2 "eapclient" passive esp \
> +# from any to dynamic \
> # local any peer any \
> # eap "mschap-v2" \
> -# config address 10.2.0.1 \
> +# config address 10.2.0.0/24 \
> # config name-server 10.1.0.2 \
> # tag "$name-$id"
>
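Review bot: The retained `# Remember to set up a PKI, see ikectl(8)` line now sits directly under the rewritten "EAP authentication ... all traffic" heading, and the inline question shows it reads as if the PKI were required for the PSK example further down; since this comment belongs to the EAP block (the `eap "mschap-v2"` line in this hunk), make that explicit, e.g. `# For EAP the responder needs a certificate: set up a PKI, see ikectl(8).` Separately, the two `+` lines that carry the new behaviour, `from any to dynamic` and `config address 10.2.0.0/24`, get no comment even though the change description says this setup is tricky for newcomers; a one-line comment on each saying what it does in this example would help.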
> @@ -22,4 +23,4 @@
> # from 10.5.0.0/24 to 10.1.0.0/24 \
> # from 10.5.0.0/24 to 172.16.1.0/24 \
> # local 192.168.1.1 peer 192.168.2.1 \
> -# psk "you-should-not-use-psk-authentication!"
> +# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"
>
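Review bot: The `+` line replaces the deliberately unusable PSK with a fixed literal that looks like a real secret, so readers who copy the example as-is will share the same key as everyone else who did; add a comment right above it telling them to substitute a freshly generated value of similar length, e.g. `# Generate your own: openssl rand -base64 36`, so the strong example does not become a well-known default.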