[strongSwan] strongswan and a windows7 client without cert

Andreas Steffen andreas.steffen at strongswan.org
Sat Jun 18 15:27:13 CEST 2011


Hello Nickola,

Windows 7 expects you to use EAP Identity:

  eap_identity=%any

see our example scenario:

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-id-radius/

IKEv2 requires that the VPN server authenticate itself
using a server certificate. Hints on how to create a server certificate
that will be accepted by a Windows 7 client can be found here:

  http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq

Regards

Andreas

On 06/18/2011 03:00 PM, Nickola Kolev wrote:
> Hello,
> 
> I would very much like to set up a strongSwan VPN gateway which
> authenticates Windows 7 clients with only a username and password via a
> RADIUS server (FreeRADIUS), and with no certs whatsoever. Is that
> possible?
> 
> Currently I get to a point where the FreeRADIUS server receives an
> Access-Request via strongSwan, but the username there is the IP
> address which the client has, e.g. the raw bytes '\xC0\xA8\xC9\x0C'
> for 192.168.201.12. As a result, no successful authentication is done.
> 
> Here's part of the strongswan's config:
> 
> conn roadwarrior-nat-ikev2
>         keyexchange=ikev2
>         left=%defaultroute
>         right=%any
>         rightsourceip=192.168.100.0/24
>         rightauth=eap-radius
>         rightsendcert=never
>         auto=start
> 
> So, the last thing I see in the logs from strongSwan is this:
> 
> Jun 18 13:46:28 vpnserver charon: 01[CFG] sending RADIUS Access-Request to server 'primary'
> Jun 18 13:46:28 vpnserver charon: 01[CFG] received RADIUS Access-Challenge from server 'primary'
> Jun 18 13:46:28 vpnserver charon: 01[IKE] initiating EAP_RADIUS method (id 0x01)
> Jun 18 13:46:28 vpnserver charon: 01[IKE] peer supports MOBIKE
> Jun 18 13:46:28 vpnserver charon: 01[IKE] no private key found for 'XX.XX.XX.68'
> Jun 18 13:46:28 vpnserver charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Jun 18 13:46:28 vpnserver charon: 01[NET] sending packet: from XX.XX.XX.68[4500] to YY.YY.YY.216[4500]
> 
> From this I'm guessing that in fact I need a certificate
> nevertheless. Is it possible to have the strongSwan daemon relay the
> username to the freeradius daemon intact?
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
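As an added example (not part of the original mail and not the strongSwan project's own documentation), the three configuration pieces that put Andreas' two hints together: a certificate-authenticated gateway, EAP-RADIUS for the clients, and eap_identity=%any so the username the Windows user typed, rather than the IKE identity, reaches FreeRADIUS as User-Name. The hostname vpn.example.org, the file names serverCert.pem/serverKey.pem, the RADIUS address 10.0.0.1 and the shared secret are placeholders I chose; the server name 'primary' mirrors the one in the log excerpt above.

```conf
# /etc/ipsec.conf  (added example; hostnames, file names and addresses are placeholders)
conn roadwarrior-nat-ikev2
        keyexchange=ikev2
        # The gateway authenticates with a certificate, as IKEv2 with EAP requires.
        # Without leftcert/leftid charon falls back to its IP address as identity,
        # logs "no private key found for '<ip>'" and answers N(AUTH_FAILED),
        # which is exactly the failure shown in the quoted log.
        left=%defaultroute
        leftcert=serverCert.pem          # placed in /etc/ipsec.d/certs, issued by your CA
        leftid=vpn.example.org           # must appear as subjectAltName in that certificate
        leftauth=pubkey
        leftsendcert=always
        right=%any
        rightsourceip=192.168.100.0/24
        # Clients authenticate with username/password, relayed to RADIUS;
        # no client certificates are involved.
        rightauth=eap-radius
        rightsendcert=never
        # Windows 7 sends no identity the gateway could use as RADIUS User-Name
        # (hence the IP address in the Access-Request). Requesting one with an
        # EAP-Identity exchange makes charon forward the typed username instead.
        eap_identity=%any
        # A responder for %any peers is loaded, not initiated.
        auto=add

# /etc/ipsec.secrets  (only the gateway's private key; client passwords live in FreeRADIUS)
: RSA serverKey.pem

# /etc/strongswan.conf  (eap-radius plugin; 'primary' matches the server name in the log)
charon {
        plugins {
                eap-radius {
                        nas_identifier = vpn.example.org
                        servers {
                                primary {
                                        address = 10.0.0.1
                                        secret = ChangeMeRadiusSecret   # placeholder, same value as in FreeRADIUS clients.conf
                                }
                        }
                }
        }
}
```

For the certificate itself, the strongSwan pki tool can issue one that carries what a Windows 7 client checks: the serverAuth extendedKeyUsage and the hostname the client is told to connect to in the subjectAltName, e.g. `pki --pub --in serverKey.pem | pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CH, O=Example, CN=vpn.example.org" --san vpn.example.org --flag serverAuth --outform pem > serverCert.pem` (CA file names are placeholders). The issuing CA certificate has to be installed in the computer's Trusted Root Certification Authorities store on the Windows 7 machine, and the connection must be made to the name in the SAN, not to the bare IP address, or the client will refuse the gateway before EAP ever starts. After `ipsec reload`, the charon log should show an EAP-Identity exchange and the Access-Request to 'primary' should carry the user's name as User-Name.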