I've set up an IKEv2 VPN connection as an alternative to an HTTP proxy (since HTTP proxies' credentials fly in plaintext and iOS still can't correctly remember proxy credentials) and I'd like to know how hard it would be to capture the PSK for an MITM.
The person using the client device isn't much tech-savvy and I'd rather not give them extra headaches by requiring certificates for this particular connection (security is taken care of by HTTPS anyway, I'm only worried about some idiot cracking the PSK and them committing illegal activities through the VPN).
Here are the relevant parts of my Strongswan configuration :
connections {
phone {
version = 2
local {
auth = psk
id = server
}
remote {
auth = psk
id = client
}
children {
child {
# is there a better option ?
esp_proposals = aes256-sha256-modp4096
}
}
}
}
secrets {
ike {
id = server
id = client
# the real PSK would have a similar length
psk = c687a6b44304942b5a19257e50da5b45941f3756
}
}