<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">I’m switching over from using ipsec.conf to charon-systemd. Everything is working for the first user, but I have run into a strange issue (or a dumb user error!) with the ‘secrets’ section when trying to implement multiple EAP passwords.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If my secrets section has only one EAP id/password in it, the client authenticates correctly. But if the secrets section has more than one EAP id/password in it, the MSCHAPv2 authentication fails.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here’s the failing configuration. If I remove the 2<sup>nd</sup> and 3<sup>rd</sup> entries, user1 works correctly. However, using the full secrets section below, user1 fails to authenticate.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>
connections {

    ikev2-eap-mschapv2 {
        version = 2
        # proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        mobike = yes

        local-1 {
            certs = strongswanCert.pem
            id = serverid1
            auth = psk
        }

        remote-1 {
            auth = eap-mschapv2
            id = clientid1
            eap_id = %any
        }

        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                # esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
                # updown = /libexec/ipsec/_updown iptables
            }
        }
    }

    ikev2-pubkey {
        version = 2
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s

        local-1 {
            certs = vpnHostCert.pem
            id = server1
        }

        remote-1 { # defaults are fine
        }

        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3, 8.8.8.8
    }
}

secrets {
    ike-psk {
        secret = somepsk
    }
    eap-user1@mydomain.com {
        id = user1@mydomain.com
        secret = secret1
    }
    eap-user2@mydomain.com {
        id = user2@mydomain.com
        secret = secret2
    }
    eap-user3@mydomain.com {
        id = user3@mydomain.com
        secret = secret3
    }
}
</pre>
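<p class="MsoNormal">An added example that is not part of the original post and is not strongSwan code. swanctl.conf documents per-user EAP secrets as <code>secrets.eap&lt;suffix&gt;</code> sections and refers to their keys in the dotted settings notation (<code>secrets.eap&lt;suffix&gt;.id</code>, <code>secrets.eap&lt;suffix&gt;.secret</code>), where the dot is the level separator. The block below is my own small reader for the section syntax plus a dotted-path lookup in that style, run over two constructed fragments: one that names each section after the full <code>user@mydomain.com</code> address, as in the post above, so every section name contains a dot, and one that gives each user a short, unique, dot-free section name and carries the e-mail identity in <code>id</code>, which is the form the swanctl.conf examples use. The parser is an approximation (no quoting, includes or section references), and the section names, ids and secrets are all made up for the demonstration.</p>

```python
"""Added example: not from the original post and not strongSwan code.

A small reader for the swanctl.conf/strongswan.conf section syntax plus a
dotted-path lookup in the style of secrets.<section>.secret. It approximates
the real parser (no quoting, includes or section references); the fragments,
ids and secrets below are constructed for the demonstration.
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed: each section is named after the full address, so every
# section name contains a '.' (the one in mydomain.com).
SECRETS_WITH_DOTS = """
secrets {
    eap-user1@mydomain.com {
        id = user1@mydomain.com
        secret = secret1
    }
    eap-user2@mydomain.com {
        id = user2@mydomain.com
        secret = secret2
    }
}
"""

# Constructed: a short, unique, dot-free section name per user; the EAP
# identity the client presents is carried in 'id'.
SECRETS_PER_USER = """
secrets {
    eap-user1 {
        id = user1@mydomain.com
        secret = secret1
    }
    eap-user2 {
        id = user2@mydomain.com
        secret = secret2
    }
}
"""


def parse_conf(text: str) -> Dict[str, Any]:
    """Parse 'name { ... }' sections and 'key = value' lines into nested dicts.
    '#' starts a comment; same-named sections at one level are merged."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"cannot parse: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section at end of input")
    return root


def lookup(conf: Dict[str, Any], path: str) -> Optional[str]:
    """Resolve a dotted settings path ('secrets.eap-user1.secret'). Every '.'
    is a level separator, so a '.' inside a section name splits the name in
    two and the lookup misses."""
    node: Any = conf
    for component in path.split("."):
        if not isinstance(node, dict) or component not in node:
            return None
        node = node[component]
    return node if isinstance(node, str) else None


def eap_secrets(conf: Dict[str, Any]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """(id, secret) for every secrets.eap* section, fetched by dotted path.
    (None, None) means the section is there but its keys are unreachable."""
    return {
        name: (lookup(conf, f"secrets.{name}.id"), lookup(conf, f"secrets.{name}.secret"))
        for name in conf.get("secrets", {})
        if name.startswith("eap")
    }


def unaddressable_sections(conf: Dict[str, Any]) -> List[str]:
    """Pre-flight check: names under 'secrets' that contain the path separator."""
    return [name for name in conf.get("secrets", {}) if "." in name]


if __name__ == "__main__":
    for label, text in (("with dots", SECRETS_WITH_DOTS), ("per user", SECRETS_PER_USER)):
        conf = parse_conf(text)
        print(label, eap_secrets(conf), unaddressable_sections(conf))
```

<p class="MsoNormal">Run as a script, the first fragment yields (None, None) for both users while the second resolves both ids and secrets. <code>unaddressable_sections()</code> is the check to run over a swanctl.conf before <code>swanctl --load-creds</code>; the daemon's own output from that command, which names each secret it loads, is the authority on what was actually accepted.</p>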
</div>
</body>
</html>