<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Mmm ok, thanks. I can’t see that being configured for OSX either.<div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 17 Jul 2018, at 19:29, Emanuil Hristov &lt;<a href="mailto:int986@gmail.com" class="">int986@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="">Hello there,</div><div class="">I don't know about the macOS client, but surely the Windows native client will not work.</div><div class="">Here is an example configuration, PSK + eap-mschapv2 with RADIUS.</div><div class="">This works with the iOS native client.<br class=""></div><div class="">---</div><div class="">    vpn-pskeap {<br class="">        local_addrs  = $$locaip<br class=""><br class="">        local {<br class="">            auth = psk<br class="">            id = $$leftid<br class="">        }<br class="">        <br class="">        remote {<br class="">            auth = eap-radius<br class="">        }<br class="">        <br class="">        children {<br class="">            updown = /usr/lib/ipsec/_updown iptables<br class="">            esp_proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024<br class="">            dpd_action = clear<br class="">            close_action = clear<br class="">            ike_lifetime = 45m<br class="">            ipcomp = yes<br class="">            vpn-pskeap {<br class="">                local_ts = <a href="http://0.0.0.0/0" class="">0.0.0.0/0</a><br class="">            }<br class="">        }<br class="">        <br class="">        version = 2<br class="">        proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024<br class="">        mobike = yes<br 
class="">        fragmentation = yes<br class="">        encap = yes<br class="">        dpd_timeout = 60<br class="">        dpd_delay = 25<br class="">        unique = never<br class="">        pools = radius<br class="">    }<br class=""></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On 17 July 2018 at 19:05, Christian Salway <span dir="ltr" class="">&lt;<a href="mailto:christian.salway@naimuri.com" target="_blank" class="">christian.salway@naimuri.com</a>&gt;</span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class="">Hello,<div class=""><br class=""></div><div class="">To quote your page [1] "<span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)" class="">With IKEv2 it is possible to use multiple authentication rounds", could this be PSK and eap-mschapv2 and do you have a configuration that would match that method?  
My current configuration looks like the below.</span></div><div class=""><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)" class=""><br class=""></span></div><div class=""><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)" class="">The clients are OSX and Windows native clients so I am curious if it will work.</span></div><div class=""><span style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:10.8px;background-color:rgb(255,255,255)" class=""><br class=""></span></div><div class=""><pre style="background-color:rgb(255,255,255);font-family:Menlo;font-size:9pt" class=""><span style="background-color:#e7ffb3" class="">connections {<br class=""></span><span style="background-color:#e7ffb3" class="">  radius {<br class=""></span><span style="background-color:#e7ffb3" class="">     version = 2<br class=""></span><span style="background-color:#e7ffb3" class="">     send_cert = always<br class=""></span><span style="background-color:#e7ffb3" class="">     encap = yes<br class=""></span><span style="background-color:#e7ffb3" class="">     pools = pool1<br class=""></span><span style="background-color:#e7ffb3" class="">     unique = replace<br class=""></span><span style="background-color:#e7ffb3" class="">     proposals = aes256-sha256-prfsha256-<wbr class="">ecp256-modp2048<br class=""></span><span style="background-color:#e7ffb3" class="">     local {<br class=""></span><span style="background-color:#e7ffb3" class="">        # the id must be contained in the certificate, either as subject or as subjectAltName.<br class=""></span><span style="background-color:#e7ffb3" class="">        id = </span><span style="color:#000080;font-weight:bold" class="">$</span>{FQDN}<span style="background-color:#e7ffb3" class=""><br class=""></span><span style="background-color:#e7ffb3" class="">        certs = cert.pem<br class=""></span><span 
style="background-color:#e7ffb3" class="">     }<br class=""></span><span style="background-color:#e7ffb3" class="">     remote {<br class=""></span><span style="background-color:#e7ffb3" class="">        auth = eap-radius<br class=""></span><span style="background-color:#e7ffb3" class="">        eap_id = %any<br class=""></span><span style="background-color:#e7ffb3" class="">     }<br class=""></span><span style="background-color:#e7ffb3" class="">     children {<br class=""></span><span style="background-color:#e7ffb3" class="">        child_sa_1 {<br class=""></span><span style="background-color:#e7ffb3" class="">           #esp_proposals =<br class=""></span><span style="background-color:#e7ffb3" class="">           local_ts = </span><span style="color:#000080;font-weight:bold" class="">$</span>{LOCALCIDR}<span style="background-color:#e7ffb3" class=""><br class=""></span><span style="background-color:#e7ffb3" class="">        }<br class=""></span><span style="background-color:#e7ffb3" class="">     }<br class=""></span><span style="background-color:#e7ffb3" class="">  }<br class=""></span><span style="background-color:#e7ffb3" class="">}</span></pre><div class=""><br class=""></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/IntroductiontostrongSwan#Authentication-Basics" target="_blank" class="">https://wiki.strongswan.<wbr class="">org/projects/strongswan/wiki/<wbr class="">IntroductiontostrongSwan#<wbr class="">Authentication-Basics</a></div><div class=""><br class=""><div class="">
<div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space" class=""><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space" class=""><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space" class=""><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space" class=""><div dir="auto" style="word-wrap:break-word;line-break:after-white-space" class=""><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none" class="">Kind regards,<br class=""><br class=""><b style="" class="">Christian Salway</b><br class="">IT Consultant - <b class=""><font color="#f05a28" class="">Naimuri</font></b><br class=""><br class=""><font color="#919191" class="">T: +44 7463 331432<br class="">E: <a href="mailto:christian.salway@naimuri.com" target="_blank" class="">christian.salway@naimuri.com</a><br class="">A: Naimuri Ltd, Capstan House, Manchester M50 2UW</font></div></div></div></div></div></div>
</div>

<br class=""></div></div></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></body></html>