[strongSwan] strongswan with radius
Steve K.
headcrash89 at googlemail.com
Wed Aug 15 11:35:25 CEST 2012
Hi,
I have been trying for 2 weeks to get strongswan 5.0.0 working. The connection
with Windows 7 works fine. Currently the Internet connection is not working,
but I think that's a NAT-forwarding problem ;).
I use a RADIUS backend for authentication and it's working fine for Windows
7. But I can't get it working for other clients like iPhone, Android, Mac
OS X or any other Windows version than Windows 7.
Specifically with the iPhone, it is "looking for XAuthInitPSK config" but then it
shows "no peer config found" in the syslog entries.
I found the iPhone tutorial on the strongswan wiki but this is not working
for me because we have some hundreds of clients which need to work with a
VPN connection and it's not very convenient to place a cert & keyfile on
every device.
So now my question:
1. Is there a way to get Android, iPhone, Mac OS X and older Windows
versions than Windows 7 working with RADIUS without a cert & keyfile on
every device?
Here's my current configuration:
## 1.2.3.4 --> Public IP
## 10.0.1.100 --> private IP on eth1

conn %default
    #ikelifetime=60m
    #keylife=20m
    #rekeymargin=3m
    #keyingtries=1
    #keyexchange=ike
    mobike = yes

conn Windows7
    keyexchange=ike
    left=1.2.3.4 ## Place for eth0 Public IP
    leftcert=/etc/ipsec.d/certs/cert.pem
    leftsubnet=0.0.0.0/24
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%identity
    rightsourceip=10.0.1.101/30
    rightfirewall=yes
    auto=add

conn iPhone
    keyexchange=ike
    left=1.2.3.4 ## Place for eth0 Public IP
    leftcert=/etc/ipsec.d/certs/cert.pem
    leftauth=pubkey
    right=%any
    rightsourceip=10.0.1.201/24
    auto=add
    rightauth=eap-xauth
    eap_identity=%identity

I compiled strongswan 5 with these ./configure options:

./configure --prefix=/usr --sysconfdir=/etc --enable-xauth-eap \
    --enable-eap-tls --enable-eap-radius --enable-eap-mschapv2 \
    --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-tls \
    --enable-eap-ttls --enable-md4 --enable-dhcp \
    --enable-farp --enable-kernel-klips --enable-kernel-pfkey

I hope you have some new ideas for me to get strongswan working.
Kind Regards
Steve