[strongSwan] Windows ikev2 conn, eap_identity ignored

Giuseppe De Marco giuseppe.demarco at unical.it
Mon Oct 23 12:56:11 CEST 2017


Hi,

I found that there is no attr_sql support in the standard Debian 9 packages.

ipsec statusall also prints all the available plugins, having already
installed all the available strongswan debian packages.
So, on Debian 9 we cannot have more than this:

loaded plugins:
charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac
ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp
stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam
tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity

This means, to me (though any suggestion would be appreciated), that the only
way to get a persistent pool lease system is to compile strongswan with
--enable-attr-sql

Thank you, I'll bring more useful information after all this, such as the
setup notes.
A huge setup migration is going to begin!


2017-10-16 22:08 GMT+02:00 Giuseppe De Marco <giuseppe.demarco at unical.it>:

> Hi all,
>
> I'm using Debian GNU/Linux 9.2 (stretch) with standard strongswan package
> from stretch apt repository (5.5.1-4+deb9u1).
>
> The tunnel is an ikev2 with eap-radius authentication.
>
> I'm facing the problem that Windows 10 clients don't send their right
> identity.
> Linux and Android clients work great instead, they always request the
> connections with the correct eap_identity as we expect.
>
> The problem is that if the Windows client fails its identity it will take
> a dynamic virtual ip and not the static one, configured for it.
>
> I also read about attr_sql and the possibility to fix the ip assignment in
> a second time, via sql.
> I'd like also to play with it but, I installed all of the
> strongswan/charon packages, they are all here:
>
> libstrongswan
> libstrongswan-extra-plugins
> libstrongswan-standard-plugins
> network-manager-strongswan
> strongswan
> strongswan-charon
> strongswan-ike
> strongswan-ikev1
> strongswan-ikev2
> strongswan-libcharon
> strongswan-nm
> strongswan-pki
> strongswan-scepclient
> strongswan-starter
> strongswan-swanctl
> charon-cmd
> charon-systemd
> libcharon-extra-plugins
> strongswan-charon
> strongswan-libcharon
>
> But I cannot see the attr_plugin loaded and running, with the command:
>
> ipsec listplugins
>
> attr_sql could be a good solution, the goal is to configure a Windows 10
> that correctly presents itself with its proper identity, instead of its WAN
> IP as 192.168.3.44:
>
> 04[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[192.168.3.44]
> 04[CFG] selected peer config 'ike2-eap-radius'
>
> The same account, using nm-strongswan or charon-cmd, works great with
> Linux, the identity (Frank) is there:
>
> 15[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[Frank]
> 15[CFG] selected peer config 'ike2-eap-Frank'
>
> I'm also sure that this problem should be well known in Windows 10 clients,
> it looks so standard!
> Any suggestions would be very appreciated.
>
>
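
Added example (not part of the original post and not strongSwan code): a small Python check that parses charon `[CFG]` lines of the form quoted in the thread and flags lookups where the peer's IKE identity is an IP address literal instead of a name. The sample lines are the thread's own with the mail wrapping undone; the function names are hypothetical.

```python
import ipaddress
import re

# Log lines quoted in the thread above, with the mail line wrap rejoined.
SAMPLE_LOG = """\
04[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[192.168.3.44]
04[CFG] selected peer config 'ike2-eap-radius'
15[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[Frank]
15[CFG] selected peer config 'ike2-eap-Frank'
"""

# host[identity]...host[identity], prefixed by the numeric tag charon prints.
LOOKUP = re.compile(
    r"^(?P<tag>\d+)\[CFG\] looking for peer configs matching "
    r"(?P<local>[^\[\s]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote>[^\[\s]+)\[(?P<remote_id>[^\]]*)\]"
)
SELECTED = re.compile(r"^(?P<tag>\d+)\[CFG\] selected peer config '(?P<conn>[^']+)'")


def is_ip_literal(identity):
    """True when the identity is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(identity)
        return True
    except ValueError:
        return False


def audit_identities(log_text):
    """One record per lookup, paired with the config selected under the same tag."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = LOOKUP.match(line)
        if m:
            rec = {"remote": m["remote"], "remote_id": m["remote_id"],
                   "id_is_ip": is_ip_literal(m["remote_id"]), "conn": None}
            pending[m["tag"]] = rec
            results.append(rec)
            continue
        m = SELECTED.match(line)
        if m and m["tag"] in pending:
            pending.pop(m["tag"])["conn"] = m["conn"]
    return results


if __name__ == "__main__":
    for rec in audit_identities(SAMPLE_LOG):
        note = "IP used as identity" if rec["id_is_ip"] else "named identity"
        print(f"{rec['remote']} id={rec['remote_id']!r} -> {rec['conn']} ({note})")
```
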