[strongSwan] options for xauth authentication and ipsec.secrets

Andreas Steffen andreas.steffen at strongswan.org
Mon Feb 21 19:52:27 CET 2011

On 02/21/2011 05:41 PM, Paul Dekkers wrote:
> Hi,
> I'd like to verify xauth username/password authentication with a
> database (RADIUS or LDAP or so). So far it seems I can only add these
> credentials in /etc/ipsec.secrets - is that true? (Sounds a little
> inflexible to me ;-))
The XAUTH credential verification is implemented by the xauth plugin 
which by default looks up the username/password from ipsec.secrets.
You are free to modify the plugin so that it connects to a RADIUS
or LDAP server. We don't offer this option because our main
development effort is on the new IKEv2 protocol where the eap-md5,
eap-mschapv2 and eap-radius plugins can be readily used to achieve
the same objective.

> One more question related to ipsec.secrets; it's true I cannot have a
> different shared secret per user, right? It's clearly preferred to use
> certificates for this, but not all clients are capable of it (for
> instance the iPhone can only use a shared secret with L2TP, but is able
> to use a certificate in IPSEC mode (but that uses XAUTH and does again
> not allow me to relay authentication via RADIUS to use tokens or so...)).
Due to the properties of the IKEv2 Main Mode protocol it is not
possible to assign individual passwords to users if they initiate their
connection with dynamic IP addresses.

> Regards,
> Paul



Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
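As an added configuration example (constructed for this page; it is not from the original thread and not the strongSwan project's own documentation), the two setups the reply contrasts side by side: an IKEv1 XAUTH connection whose credentials the xauth plugin reads from ipsec.secrets, and an IKEv2 connection where the eap-radius plugin hands the EAP exchange to a RADIUS server so the password never has to live on the gateway. The connection names, certificate and key file names, identities, addresses and secrets are placeholders. The single `: PSK` line is the practical consequence of the Main Mode limitation mentioned above: in IKEv1 Main Mode the responder has to pick the PSK by the initiator's source address before the peer's identity is revealed, so roaming clients with dynamic addresses all end up sharing one PSK, and only the XAUTH step is per-user.

```ini
# --- /etc/ipsec.conf (constructed example) ---

# IKEv1 + XAUTH for clients that cannot do certificates (e.g. the iPhone
# IPsec client). Every roaming client shares the one PSK below; only the
# XAUTH username/password is individual, and the xauth plugin looks it
# up in ipsec.secrets.
conn ios-xauth
    keyexchange=ikev1
    authby=xauthpsk
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.3.0.0/24
    auto=add

# IKEv2 for clients that support it: the gateway authenticates with its
# certificate, the client with EAP, and the EAP conversation is relayed
# to RADIUS by the eap-radius plugin (charon must be built with
# --enable-eap-radius). The RADIUS server chooses the EAP method, so
# tokens/OTP work without any per-user entry in ipsec.secrets.
conn rw-eap-radius
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-radius
    rightsendcert=never
    rightsourceip=10.3.1.0/24
    eap_identity=%any
    auto=add

# --- /etc/ipsec.secrets (constructed example; keep it root-only, mode 0600) ---

# gateway private key for the IKEv2 pubkey authentication
: RSA gatewayKey.pem

# one PSK for all IKEv1 Main Mode clients (no per-user PSK with dynamic IPs)
: PSK "one-shared-secret-for-all-ikev1-clients"

# per-user XAUTH credentials read by the xauth plugin (cleartext!)
paul  : XAUTH "paul-xauth-password"
carol : XAUTH "carol-xauth-password"

# --- /etc/strongswan.conf (constructed example) ---

charon {
    plugins {
        eap-radius {
            server = 10.0.0.10
            secret = radius-shared-secret
        }
    }
}
```

The XAUTH passwords in ipsec.secrets are stored in cleartext, so the file's permissions matter as much as the passwords themselves; on the IKEv2 side the gateway holds only the RADIUS shared secret, and rotating or revoking a user is done in the RADIUS/LDAP backend rather than by editing the gateway.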