Hi Adrian

> The bug report referenced relates that the decision to not support
> PSK (or IKEv1) in the StrongSwan NM plugin is a "political decision".
> In 2010.
>
> It's still a dumb one.

You are mixing up different things. My "political" decision was to not bring up any time to implement PSK authentication for IKEv2, as PSK authentication with passwords is a bad idea. It is discouraged by the standard, and EAP with server certificates is a perfect replacement. Almost no one uses IKEv2 PSK with user passwords in practice.

Since version 1.3.1, the plugin supports PSK for IKEv2 nonetheless with some restrictions, even if we think it is just a bad idea to use that.

Not supporting IKEv1 is another story; the plugin was implemented when IKEv1 was not part of the new strongSwan architecture. And until now just nobody implemented IKEv1 in the NM plugin...

> Even today in 2017 my IT dept has set up their VPN with IKEv1 and an
> 18-char PSK.

We are aware that XAuth/PSK is still a common setup, and unfortunately it is best (stupid) practice. If you share that whatever-strong PSK among users, any user can impersonate the server, and easily intercept your user password used in XAuth. If you use distinct PSKs for each user, you most likely need Aggressive Mode.

Besides the not often supported XAuth Hybrid Mode, IKEv1 is just not well suited for remote access. None of the authentication schemes is practical and secure. IKEv2 is in many ways superior, and that is why your IT dept should consider supporting it.

> By all means make it impossible for your SERVER to have a stupid
> config, but clients rarely have a choice over the setup they're
> connecting to.

This is why we support the Aggressive Mode/PSK as a client in our daemon. But just nobody stepped up to extend the NM GUI to configure it.

Kind regards

Martin
https://bugs.launchpad.net/bugs/1578193

Title:
  cannot load legacy-only plugin