[strongSwan] options for xauth authentication and ipsec.secrets

Paul Dekkers ipsec at pade.nl
Mon Feb 21 20:11:37 CET 2011


On 21-02-11 19:52, Andreas Steffen wrote:
> On 02/21/2011 05:41 PM, Paul Dekkers wrote:
>> Hi,
>>
>> I'd like to verify xauth username/password authentication with a
>> database (RADIUS or LDAP or so). So far it seems I can only add these
>> credentials in /etc/ipsec.secrets - is that true? (Sounds a little
>> inflexible to me ;-))
>>
> The XAUTH credential verification is implemented by the xauth plugin
> which by default looks up the username/password from ipsec.secrets.
> You are free to modify the plugin so that it connects to a RADIUS
> or LDAP server. We don't offer this option because our main
> development effort is on the new IKEv2 protocol where the eap-md5,
> eap-mschapv2 and eap-radius plugins can be readily used to achieve
> the same objective.

Hmm, I'm a strong EAP believer, I did notice EAP support, but I'm afraid
the clients I'm after (iPhone, Mac OS X) support neither IKEv2 nor
EAP :-(

(I noticed openswan does xauth with PAM, maybe that works for me along
with pam_radius, I'd have to take a look.)

>> One more question related to ipsec.secrets; it's true I cannot have a
>> different shared secret per user, right? It's clearly preferred to use
>> certificates for this, but not all clients are capable of it (for
>> instance the iPhone can only use a shared secret with L2TP, but is able
>> to use a certificate in IPSEC mode (but that uses XAUTH and does again
>> not allow me to relay authentication via RADIUS to use tokens or so...)).
>>
> Due to the properties of the IKEv2 Main Mode protocol it is not
> possible to assign individual passwords to users if they initiate their
> connection with dynamic IP addresses.

Ok, that's what I assumed. Not so bad, but then it means on the iPhone
I'm indeed thinking towards (Cisco) IPSEC instead of L2TP (because a
shared secret in a large environment wouldn't work well). Unfortunately
L2TP worked with RADIUS, and IPSEC/XAUTH doesn't ;-)

Anyway, thanks for your replies,

Regards,
Paul
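As an added illustration (not from this thread or the strongSwan project), this is what the two answers above imply for /etc/ipsec.secrets on an IKEv1 XAUTH gateway: per-user XAUTH entries that the xauth plugin looks up, and one PSK line that every road warrior with a dynamic address has to share, because Main Mode must pick the secret before the peer has identified itself. Usernames, passwords and the key file name are made up.

```text
# /etc/ipsec.secrets (example layout; keep it root-owned, mode 600)

# Gateway identity for clients that can do certificates (the iPhone in IPSEC mode)
: RSA gatewayKey.pem

# Road warriors on dynamic IPs: Main Mode selects the PSK before the peer's
# identity is known, so all of them end up with the same secret, and every
# holder of it can also impersonate the gateway towards the others.
%any : PSK "one-secret-shared-by-every-road-warrior"

# XAUTH credentials checked by the xauth plugin (no RADIUS/LDAP lookup here)
alice : XAUTH "alice-password"
bob   : XAUTH "bob-password"
```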