Bug #140

Configuring IPSEC with preshared key is in some other machine

Added by Ranjith Koova 8 months ago. Updated about 1 month ago.

Status: Closed
Priority: Low
Assignee: -
Category: -
Target version: -
Affected version: 4.5.3
Start date: 13.09.2011
Due date: -
% Done: 0%
Resolution: No feedback

Description

I want to configure IPsec between two Linux machines with the following scenario: M1 will start the IKE procedure. Once M2 receives the first IKE message, it should send a message to a server to get the pre-shared key; once it has got the pre-shared key, it will continue with the rest of the IKE procedure.

How can I implement this scenario using strongSwan?

Regards
Ranjith

History

Updated by Tobias Brunner 8 months ago

  • Status changed from New to Feedback
  • Priority changed from Urgent to Low

Hi Ranjith,

is this specific to IKEv1 (pluto) or IKEv2 (charon)? If the latter, is there a reason you want to do this with pre-shared keys and not with EAP, where you could easily offload the authentication to any RADIUS server using EAP-RADIUS?

If this concerns IKEv1, then you could probably hack get_preshared_secret(), get_secret(), etc. in source:src/pluto/keys.c to fetch the secret from some other host.

For charon, and if you really want to do this with pre-shared keys, you could write your own plugin and provide a custom credential set (i.e. implement the credential_set_t interface, see source:src/libstrongswan/credentials/credential_set.h) which would fetch shared secrets from remote hosts.

Regards,
Tobias

Updated by Ranjith Koova 8 months ago

We are using IKEv2, and the requirement is that whenever M2 receives the first IKE message it should send a message to the AAA server to get the pre-shared key (we won't even get the actual key; we will get some dummy key, and using that we will calculate the pre-shared key).

Regards
Ranjith

Updated by Tobias Brunner 8 months ago

Ranjith Koova wrote:

We are using IKEv2, and the requirement is that whenever M2 receives the first IKE message it should send a message to the AAA server to get the pre-shared key (we won't even get the actual key; we will get some dummy key, and using that we will calculate the pre-shared key).

Hm, in IKEv2 the pre-shared key is usually looked up after receiving the peer's identity in the first IKE_AUTH message. As I wrote before, you could implement a custom credential set that would send those IDs to your AAA server to fetch a pre-shared key. If you really want to do that earlier (i.e. after the IKE_SA_INIT request, where you basically only have the IP addresses to find the right key), you could do that in a plugin too: implement the listener_t interface, fetch the PSK when an IKE_SA is first created, then provide it in a custom credential set later on. The problem here is that the lookup in the credential set is based on IDs, so you will have to map those IDs to the PSK received earlier, when only the IPs were available.

If you need assistance with the implementation, please contact Andreas to negotiate the terms.
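The two-phase handling Tobias describes in his two replies above (fetch the key by peer address when the IKE_SA is created after IKE_SA_INIT, bind it to the peer's identity once IKE_AUTH carries IDi, then serve ID-based lookups from a credential set) as an added example; it is not part of the original thread and is not strongSwan code. It uses plain C structures in place of listener_t and credential_set_t so it runs stand-alone without libstrongswan; the AAA table, SPIs, addresses and identities are constructed for the example, and the asker's derivation of the real PSK from the "dummy key" is left out because the thread does not specify it.

```c
/*
 * Added illustration (not strongSwan code; no libstrongswan headers) of the
 * two-phase PSK handling discussed in this thread. In a real charon plugin,
 * on_ike_sa_created()/on_ike_sa_destroyed() would be listener_t hooks,
 * on_peer_id_received() would run from the listener's message() hook once the
 * IKE_AUTH request has been parsed, and lookup_psk() would back
 * credential_set_t.create_shared_enumerator(), which only sees identities.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define MAX_KEY     64

typedef struct {
    int      in_use;
    uint64_t spi_i;            /* initiator SPI: ties the entry to one IKE_SA, not just an address */
    char     remote_ip[46];
    char     other_id[64];     /* empty until the peer's IDi is seen in IKE_AUTH */
    unsigned char key[MAX_KEY];
    size_t   key_len;
} psk_entry_t;

typedef struct { psk_entry_t e[MAX_ENTRIES]; } psk_cache_t;

/* Constructed stand-in for the AAA round trip; the table is made up for this
 * example and whatever it returns is used as the PSK directly. A real request
 * (RADIUS, HTTPS, ...) blocks the charon worker thread that ran the hook and is
 * triggered by an unauthenticated IKE_SA_INIT, so it needs rate limiting. */
static int fetch_key_from_aaa(const char *remote_ip, unsigned char *out, size_t *out_len)
{
    static const struct { const char *ip, *key; } table[] = {
        { "192.0.2.10", "aaa-key-for-m1" },
        { "192.0.2.11", "aaa-key-for-m3" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(table[i].ip, remote_ip) == 0) {
            *out_len = strlen(table[i].key);
            memcpy(out, table[i].key, *out_len);
            return 1;
        }
    }
    return 0;   /* AAA knows no key for this address */
}

static psk_entry_t *find_by_spi(psk_cache_t *c, uint64_t spi_i)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (c->e[i].in_use && c->e[i].spi_i == spi_i) return &c->e[i];
    return NULL;
}

/* Phase 1: IKE_SA created after the IKE_SA_INIT request; only address and SPIs are known. */
int on_ike_sa_created(psk_cache_t *c, uint64_t spi_i, const char *remote_ip)
{
    psk_entry_t *e = NULL;
    for (int i = 0; i < MAX_ENTRIES && !e; i++)
        if (!c->e[i].in_use) e = &c->e[i];
    if (!e || !fetch_key_from_aaa(remote_ip, e->key, &e->key_len)) return 0;
    e->spi_i = spi_i;
    snprintf(e->remote_ip, sizeof e->remote_ip, "%s", remote_ip);
    e->other_id[0] = '\0';
    e->in_use = 1;
    return 1;
}

/* Phase 2: IKE_AUTH request parsed, peer's IDi known; bind it to the key fetched earlier. */
int on_peer_id_received(psk_cache_t *c, uint64_t spi_i, const char *other_id)
{
    psk_entry_t *e = find_by_spi(c, spi_i);
    if (!e || e->other_id[0] != '\0') return 0;   /* nothing fetched, or already bound */
    snprintf(e->other_id, sizeof e->other_id, "%s", other_id);
    return 1;
}

/* Credential-set lookup: as in create_shared_enumerator(), only the identity is available. */
const unsigned char *lookup_psk(const psk_cache_t *c, const char *other_id, size_t *key_len)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        const psk_entry_t *e = &c->e[i];
        if (e->in_use && e->other_id[0] && strcmp(e->other_id, other_id) == 0) {
            *key_len = e->key_len;
            return e->key;
        }
    }
    return NULL;
}

/* IKE_SA gone (ike_updown with up == FALSE, or a failed setup): wipe the entry so a
 * later peer at the same address, or one claiming the same ID, cannot inherit it. */
void on_ike_sa_destroyed(psk_cache_t *c, uint64_t spi_i)
{
    psk_entry_t *e = find_by_spi(c, spi_i);
    if (e) memset(e, 0, sizeof *e);
}

/* Walks the M1 -> M2 scenario; returns a bitmask of the checks that held (0x3f = all six). */
int demo_scenario(void)
{
    psk_cache_t c; size_t n; const unsigned char *k; int ok = 0;
    memset(&c, 0, sizeof c);
    ok |= on_ike_sa_created(&c, 0x1111, "192.0.2.10") ? 0x01 : 0;         /* IKE_SA_INIT from M1 */
    ok |= lookup_psk(&c, "m1@example.org", &n) == NULL ? 0x02 : 0;        /* no ID yet: no match */
    ok |= on_peer_id_received(&c, 0x1111, "m1@example.org") ? 0x04 : 0;   /* IKE_AUTH carries IDi */
    k = lookup_psk(&c, "m1@example.org", &n);
    ok |= (k && n == 14 && memcmp(k, "aaa-key-for-m1", n) == 0) ? 0x08 : 0;
    on_ike_sa_destroyed(&c, 0x1111);
    ok |= lookup_psk(&c, "m1@example.org", &n) == NULL ? 0x10 : 0;        /* binding wiped */
    ok |= on_ike_sa_created(&c, 0x2222, "203.0.113.5") == 0 ? 0x20 : 0;   /* unknown to AAA */
    return ok;
}

int main(void)
{
    printf("scenario checks: 0x%02x (expect 0x3f)\n", demo_scenario());
    return demo_scenario() == 0x3f ? 0 : 1;
}
```

The entries are keyed by the IKE_SA's initiator SPI rather than by the remote address alone, because several peers behind one NAT share an address and an address-keyed cache would hand one peer's key to another. The wipe on teardown matters for the same reason: the key was fetched for whoever sent IKE_SA_INIT from that address, and nothing about that sender was authenticated, so the binding must not outlive the IKE_SA it was fetched for.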

Updated by Tobias Brunner about 1 month ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback
