[Swan] IKEv2 PAM auth failure - how it's done properly?

[Paul Wouters]

On Jan 21, 2022, at 08:52, Manfred <mx2927 at gmail.com> wrote:
> 
> On 1/20/2022 10:08 AM, Mirsad Goran Todorovac wrote:
>> 
>> Hello,
>> I have installed the IKEv2 VPN connection at my colleague's laptop and he disappointingly noticed that there is no password authentication in addition to certificate.
>> This is also akward because we would have to change all certificates if i.e. one laptop configured for the Faculty VPN was lost or stolen. :-(
> 
> I don't think this is right. The certificate system (in general, not libreswan's specifically) is explicitly designed so that you don't have to do that.
> Ref CRL (Certificate Revocation List).

Exactly. You only need to revoke the laptop certificate. The CA certificate is on the laptop too but not the CA certificate’s private key, only the public key.

An additional password adds little security assuming there is already a login password, an automatic screen lock after a few minutes and whole disk encryption with a password.


The libreswan pam option for IKEv2 is only meant for the server to check authorization of the client ID (usually a cert), not authentication. This is so you can temporary lock out a user without (irrevocably) revoking their certificate. This is often used when a customer hasn’t paid their bill for instance, or could be used if a laptop is missing but most likely will be found again.


The next version of libreswan will add EAPTLS authentication, so windows won’t require administrative rights to add the IKEv2 connection. Once that it is, perhaps another EAP method - mschapv2 - will be added that does add a user / password method that can be used without certificates.

Paul