<div dir="ltr"><div>Hello there,</div><div>I don't know about the macOS client, but surely the Windows native client will not work.</div><div>Here is an example configuration for PSK + EAP-MSCHAPv2 with RADIUS.</div><div>This works with the iOS native client.<br></div><div>---</div><div><pre>    vpn-pskeap {<br>        local_addrs  = $$locaip<br><br>        local {<br>            auth = psk<br>            id = $$leftid<br>        }<br>        <br>        remote {<br>            auth = eap-radius<br>        }<br>        <br>        children {<br>            updown = /usr/lib/ipsec/_updown iptables<br>            esp_proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024<br>            dpd_action = clear<br>            close_action = clear<br>            ike_lifetime = 45m<br>            ipcomp = yes<br>            vpn-pskeap {<br>                local_ts = 0.0.0.0/0<br>            }<br>        }<br>        <br>        version = 2<br>        proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024<br>        mobike = yes<br>        fragmentation = yes<br>        encap = yes<br>        dpd_timeout = 60<br>        dpd_delay = 25<br>        unique = never<br>        pools = radius<br>    }<br></pre></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 17 July 2018 at 19:05, Christian Salway <span dir="ltr">&lt;<a href="mailto:christian.salway@naimuri.com" target="_blank">christian.salway@naimuri.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Hello,<div><br></div><div>To quote your page [1] "<span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)">With IKEv2 it is possible to use multiple authentication rounds", could this be PSK and 
eap-mschapv2 and do you have a configuration that would match that method?  My current configuration looks like the below.</span></div><div><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)"><br></span></div><div><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)">The clients are OSX and Windows native clients so I am curious if it will work.</span></div><div><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)"><br></span></div><div><pre style="background-color:rgb(255,255,255);font-family:Menlo;font-size:9pt"><span style="background-color:#e7ffb3">connections {<br></span><span style="background-color:#e7ffb3">  radius {<br></span><span style="background-color:#e7ffb3">     version = 2<br></span><span style="background-color:#e7ffb3">     send_cert = always<br></span><span style="background-color:#e7ffb3">     encap = yes<br></span><span style="background-color:#e7ffb3">     pools = pool1<br></span><span style="background-color:#e7ffb3">     unique = replace<br></span><span style="background-color:#e7ffb3">     proposals = aes256-sha256-prfsha256-<wbr>ecp256-modp2048<br></span><span style="background-color:#e7ffb3">     local {<br></span><span style="background-color:#e7ffb3">        # the id must be contained in the certificate, either as subject or as subjectAltName.<br></span><span style="background-color:#e7ffb3">        id = </span><span style="color:#000080;font-weight:bold">$</span>{FQDN}<span style="background-color:#e7ffb3"><br></span><span style="background-color:#e7ffb3">        certs = cert.pem<br></span><span style="background-color:#e7ffb3">     }<br></span><span style="background-color:#e7ffb3">     remote {<br></span><span style="background-color:#e7ffb3">        auth = eap-radius<br></span><span style="background-color:#e7ffb3">        eap_id = 
%any<br></span><span style="background-color:#e7ffb3">     }<br></span><span style="background-color:#e7ffb3">     children {<br></span><span style="background-color:#e7ffb3">        child_sa_1 {<br></span><span style="background-color:#e7ffb3">           #esp_proposals =<br></span><span style="background-color:#e7ffb3">           local_ts = </span><span style="color:#000080;font-weight:bold">$</span>{LOCALCIDR}<span style="background-color:#e7ffb3"><br></span><span style="background-color:#e7ffb3">        }<br></span><span style="background-color:#e7ffb3">     }<br></span><span style="background-color:#e7ffb3">  }<br></span><span style="background-color:#e7ffb3">}</span></pre><div><br></div></div><div><br></div><div><br></div><div>[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/IntroductiontostrongSwan#Authentication-Basics" target="_blank">https://wiki.strongswan.<wbr>org/projects/strongswan/wiki/<wbr>IntroductiontostrongSwan#<wbr>Authentication-Basics</a></div><div><br><div>
<div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="word-wrap:break-word;line-break:after-white-space"><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Kind regards,<br><br><b style="color:rgb(0,0,0)">Christian Salway</b><br>IT Consultant - <b><font color="#f05a28">Naimuri</font></b><br><br><font color="#919191">T: +44 7463 331432<br>E: <a href="mailto:christian.salway@naimuri.com" target="_blank">christian.salway@naimuri.com</a><br>A: Naimuri Ltd, Capstan House, Manchester M50 2UW</font></div></div></div></div></div></div>
</div>

<br></div></div></blockquote></div><br></div>
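<div>Added example, not part of either message and not strongSwan project code: a small audit of the proposals and esp_proposals lines from the two configurations in this thread, which lists the legacy algorithms in each proposal and the proposal string that remains without them. The policy set (sha1 and modp1024 among others, both downgraded by RFC 8247) and all function names are this example's own assumptions.</div>

```python
import re

# Constructed sample: the proposal lines from the two configurations in this thread.
SAMPLE_CONF = """
esp_proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024
proposals = aes256-sha256-prfsha256-ecp256-modp2048
"""

# Assumed policy for this example, not a strongSwan default.
LEGACY = {"des", "3des", "md5", "prfmd5", "sha1", "prfsha1", "modp768", "modp1024"}

# Transform types by keyword shape, checked in order; encryption is the fallback.
KINDS = [
    ("prf", re.compile(r"prf\w+$")),
    ("dh", re.compile(r"(modp|ecp)\d+$")),
    ("integrity", re.compile(r"(sha\d+|md5)$")),
    ("encryption", re.compile(r"\w+$")),
]
PROPOSAL_LINE = re.compile(r"^[ \t]*((?:esp_|ah_)?proposals)[ \t]*=[ \t]*(\S.*)$", re.M)


def classify(token):
    """Return the transform type a proposal keyword belongs to."""
    for kind, pattern in KINDS:
        if pattern.match(token):
            return kind
    return "unknown"


def audit(conf_text):
    """Audit every uncommented proposals/esp_proposals/ah_proposals line."""
    findings = []
    for key, value in PROPOSAL_LINE.findall(conf_text):
        for proposal in value.split(","):
            tokens = [t for t in proposal.strip().split("-") if t]
            legacy = {t: classify(t) for t in tokens if t in LEGACY}
            kept = [t for t in tokens if t not in LEGACY]
            # A transform type that only had legacy entries would vanish from
            # the trimmed proposal; report it so nobody deploys a broken line.
            emptied = sorted(set(legacy.values()) - {classify(t) for t in kept})
            findings.append({"key": key, "legacy": legacy,
                             "trimmed": "-".join(kept), "emptied": emptied})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

<div>A non-empty "emptied" list means the proposal offered only legacy algorithms for that transform type, so a replacement has to be chosen before the trimmed string is used.</div>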