<div dir="ltr"><div>Hello there,</div><div>I don't know about the macOS client, but surely the Windows native client will not work.</div><div>Here is an example configuration: PSK + EAP-MSCHAPv2 with RADIUS.</div><div>This works with the iOS native client.<br></div><div>---</div><div><pre>vpn-pskeap {
    local_addrs = $$locaip

    local {
        auth = psk
        id = $$leftid
    }

    remote {
        auth = eap-radius
    }

    children {
        # child options are only read inside the named child section
        vpn-pskeap {
            local_ts = 0.0.0.0/0
            updown = /usr/lib/ipsec/_updown iptables
            esp_proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024
            dpd_action = clear
            close_action = clear
            ipcomp = yes
        }
    }

    # ike_lifetime = 45m  (not a swanctl.conf key; the IKE_SA lifetime is set with rekey_time / reauth_time)
    version = 2
    proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024
    mobike = yes
    fragmentation = yes
    encap = yes
    dpd_timeout = 60
    dpd_delay = 25
    unique = never
    pools = radius
}</pre></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 17 July 2018 at 19:05, Christian Salway <span dir="ltr">&lt;<a href="mailto:christian.salway@naimuri.com" target="_blank">christian.salway@naimuri.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Hello,<div><br></div><div>To quote your page [1] "<span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)">With IKEv2 it is possible to use multiple authentication rounds", could this be PSK and eap-mschapv2 and do you have a configuration that would match that method? 
My current configuration looks like the below.</span></div><div><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)"><br></span></div><div><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)">The clients are OSX and Windows native clients so I am curious if it will work.</span></div><div><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)"><br></span></div><div><pre style="background-color:rgb(255,255,255);font-family:Menlo;font-size:9pt">connections {
    radius {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        proposals = aes256-sha256-prfsha256-ecp256-modp2048
        local {
            # the id must be contained in the certificate, either as subject or as subjectAltName.
            id = ${FQDN}
            certs = cert.pem
        }
        remote {
            auth = eap-radius
            eap_id = %any
        }
        children {
            child_sa_1 {
                #esp_proposals =
                local_ts = ${LOCALCIDR}
            }
        }
    }
}</pre><div><br></div></div><div><br></div><div><br></div><div>[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/IntroductiontostrongSwan#Authentication-Basics" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/IntroductiontostrongSwan#Authentication-Basics</a></div><div><br><div>
<div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="word-wrap:break-word;line-break:after-white-space"><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Kind regards,<br><br><b style="color:rgb(0,0,0)">Christian Salway</b><br>IT Consultant - <b><font color="#f05a28">Naimuri</font></b><br><br><font color="#919191">T: +44 7463 331432<br>E: <a href="mailto:christian.salway@naimuri.com" target="_blank">christian.salway@naimuri.com</a><br>A: Naimuri Ltd, Capstan House, Manchester M50 2UW</font></div></div></div></div></div></div>
</div>
<br></div></div></blockquote></div><br></div>
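<div>A pre-deployment check for swanctl.conf-style connection definitions like the ones exchanged in this thread, as an added example that is not part of the original messages or of strongSwan: it flags child options written outside a named child section and proposal strings containing legacy algorithms. The names <code>lint</code>, <code>CHILD_KEYS</code>, <code>LEGACY</code> and <code>SAMPLE</code> are introduced here, the legacy list is an assumption to be adjusted to local policy, and the sample input is constructed.</div>

```python
import re

# Options that swanctl.conf documents per child, i.e. under children.<name>.
CHILD_KEYS = {"updown", "esp_proposals", "ah_proposals", "dpd_action",
              "close_action", "start_action", "ipcomp", "local_ts", "remote_ts"}
PROPOSAL_KEYS = {"proposals", "esp_proposals", "ah_proposals"}
# Assumption: tokens treated as legacy here; adjust to local policy.
LEGACY = {"md5", "sha1", "3des", "modp768", "modp1024", "modp1536"}

# Constructed sample (not a config from the thread).
SAMPLE = """\
vpn {
    version = 2
    proposals = aes256-sha256-ecp256-modp1024
    children {
        dpd_action = clear
        net {
            local_ts = 0.0.0.0/0
            esp_proposals = aes128-sha1-sha256
        }
    }
}
"""

def lint(text):
    """Return (line_no, message) findings for swanctl.conf-style text."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # enter a section
        elif line == "}":
            if stack:
                stack.pop()                      # leave a section
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            # A key is inside a named child when its section's parent is "children".
            in_child = len(stack) >= 2 and stack[-2] == "children"
            if key in CHILD_KEYS and not in_child:
                findings.append((no, f"{key}: child option outside a named child"))
            weak = sorted(LEGACY & set(re.split(r"[-,\s]+", value)))
            if key in PROPOSAL_KEYS and weak:
                findings.append((no, f"{key}: legacy algorithms {', '.join(weak)}"))
    return findings

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```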