[strongSwan] options for xauth authentication and ipsec.secrets

Andreas Steffen andreas.steffen at strongswan.org
Mon Feb 21 19:52:27 CET 2011


On 02/21/2011 05:41 PM, Paul Dekkers wrote:
> Hi,
>
> I'd like to verify xauth username/password authentication with a
> database (RADIUS or LDAP or so). So far it seems I can only add these
> credentials in /etc/ipsec.secrets - is that true? (Sounds a little
> inflexible to me ;-))
>
The XAUTH credential verification is implemented by the xauth plugin 
which by default looks up the username/password from ipsec.secrets.
You are free to modify the plugin so that it connects to a RADIUS
or LDAP server. We don't offer this option because our main
development effort is on the new IKEv2 protocol where the eap-md5,
eap-mschapv2 and eap-radius plugins can be readily used to achieve
the same objective.

> One more question related to ipsec.secrets; it's true I cannot have a
> different shared secret per user, right? It's clearly preferred to use
> certificates for this, but not all clients are capable of it (for
> instance the iPhone can only use a shared secret with L2TP, but is able
> to use a certificate in IPSEC mode (but that uses XAUTH and does again
> not allow me to relay authentication via RADIUS to use tokens or so...)).
>
Due to the properties of the IKEv2 Main Mode protocol it is not
possible to assign individual passwords to users if they initiate their
connection with dynamic IP addresses.

> Regards,
> Paul

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
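An added configuration example, not part of the original message and not taken from the strongSwan documentation, that puts the two options named above side by side: an IKEv1 road-warrior connection where the xauth plugin verifies per-user credentials from ipsec.secrets, an IKEv2 connection where the eap-radius plugin relays the EAP exchange to a RADIUS server, and a single group PSK for road warriors on dynamic addresses. The hostname vpn.example.org, the subnet 10.1.0.0/16, the certificate and key file names, the user names and the RADIUS server address 10.1.0.5 are placeholders chosen for this example.

```conf
# /etc/ipsec.conf (example added here; names and addresses are placeholders)

config setup
    plutostart=yes
    charonstart=yes

# IKEv1 road warriors: the gateway authenticates with its certificate,
# the client with a certificate plus an XAUTH user/password that the
# xauth plugin looks up in ipsec.secrets.
conn rw-xauth
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    leftsubnet=10.1.0.0/16
    right=%any
    rightsendcert=never
    auto=add

# IKEv2 road warriors: rightauth=eap-radius hands the EAP exchange to
# the RADIUS server configured in strongswan.conf, so no per-user
# entries are needed in ipsec.secrets at all.
conn rw-eap-radius
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    leftauth=pubkey
    leftsubnet=10.1.0.0/16
    right=%any
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    auto=add

# /etc/ipsec.secrets (example; keep this file mode 0600, owned by root)

# the gateway's RSA private key
: RSA gatewayKey.pem

# XAUTH credentials, one line per user, looked up by the xauth plugin
carol : XAUTH "a-long-password-for-carol"
dave  : XAUTH "another-long-password-for-dave"

# One PSK for all road warriors: in Main Mode the PSK must be chosen
# before the peer's identity is known, and a peer on a dynamic address
# can only be matched by %any, so a per-user PSK cannot be selected.
%any : PSK "a-group-wide-pre-shared-key"

# /etc/strongswan.conf (example; RADIUS address and secret are placeholders)

charon {
    plugins {
        eap-radius {
            server = 10.1.0.5
            secret = radius-shared-secret
            port = 1812
        }
    }
}
```

Both ipsec.secrets and strongswan.conf then hold clear-text secrets (the XAUTH passwords and the RADIUS shared secret), so both should be readable by root only. With the eap-radius connection the per-user password check, lockout policy and token handling live entirely on the RADIUS side, which is what the question was asking for; the XAUTH connection still has every password on the gateway itself.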