OpenIKED missing EAP-MSCHAPv2 for client setup

Master One
To whom it may concern,

Please excuse me sending such a questionable bug or feature request
this way, I'm not subscribed to any OpenBSD mailing list and I'm not an
OpenBSD user yet but currently evaluating the move from GNU/Linux to
OpenBSD.

I have looked into the possibility to use the tools from the OpenBSD
base system to connect to a commercial VPN provider, which offers
access by IKEv2 IPsec with EAP-MSCHAPv2.

The problem now is that this does not seem to be possible with the
OpenIKED implementation in the OpenBSD base system, because EAP
MSCHAPv2 is supported on the "responder" (server) side only.

Was there any specific reason why this has not been implemented (yet)
or has this possibly been overlooked?

It would be a shame if everything needed is already present in the base
system and can not be used for that purpose, requiring strongSwan or
OpenVPN to be installed additionally.

Best wishes,

--
Michael

Re: OpenIKED missing EAP-MSCHAPv2 for client setup

Stuart Henderson
On 2020/02/06 18:03, Master One wrote:

> To whom it may concern,
>
> Please excuse me sending such a questionable bug or feature request
> this way, I'm not subscribed to any OpenBSD mailing list and I'm not an
> OpenBSD user yet but currently evaluating the move from GNU/Linux to
> OpenBSD.
>
> I have looked into the possibility to use the tools from the OpenBSD
> base system to connect to a commercial VPN provider, which offers
> access by IKEv2 IPsec with EAP-MSCHAPv2.
>
> The problem now is that this does not seem to be possible with the
> OpenIKED implementation in the OpenBSD base system, because EAP
> MSCHAPv2 is supported on the "responder" (server) side only.
>
> Was there any specific reason why this has not been implemented (yet)
> or has this possibly been overlooked?
>
> It would be a shame if everything needed is already present in the base
> system and can not be used for that purpose, requiring strongSwan or
> OpenVPN to be installed additionally.
>
> Best wishes,
>
> --
> Michael
>

No specific reason AFAIK, it's just one of a few things which haven't
been implemented on the client side (also support for configuration
payloads - for automatically configuring address/nameserver/etc -
only the responder side is implemented).