[strongSwan] W7 eap-mschapv2 with defined ip

Andreas Steffen andreas.steffen at strongswan.org
Wed Aug 22 10:22:59 CEST 2012

Hi Dirk,

did you have a look at the ipsec pool tool, which allows you to
pre-assign static IP addresses to users by storing them in
a small SQLite database:


Interesting for you is a feature which allows ipsec pool
to read a file-based list and store the entries in the

ipsec pool --add <name> --addresses <file> [--timeout <timeout>]

Add a list of pool addresses to the database.

name: Name of the pool, as used in ipsec.conf rightsourceip=%name

file: File where newline-separated pool addresses for are read from

Optionally each address can be pre-assigned to a roadwarrior identity,
e.g. at strongswan.org.
If a '-' (hyphen) is given instead of a file name, the addresses are
read from STDIN.
Reading addresses stops at the end of file or an empty line.
Pools created with this command can not be resized.

timeout: Lease time in hours, 0 for static leases

Best regards


On 22.08.2012 10:09, Dirk Hartmann wrote:
> Hi,
> I played with a config to connect Win7 clients with EAP-MSCHAPv2 auth:
> <http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig>
> works so far, but has the drawback that you can't assign static IPs
> to a special user. I tried to simply use two connections with:
> conn win7eap
>         right=%any
>         rightauth=eap-mschapv2
>         rightsourceip=
>         rightsendcert=never
>         eap_identity=dhaeap
> conn win7auth
>         right=%any
>         rightauth=eap-mschapv2
>         rightsourceip=
>         rightsendcert=never
>         eap_identity=dhaw7
> But strongSwan always picks the first connection on every client
> connecting via eap-mschapv2. So eap_identity doesn't work the way I
> expected it to.
> Aug 22 09:37:36 purgatory01 charon: 09[CFG]   candidate "win7eap", 
> match: 1/1/5/2 (me/other/ike/version)
> Aug 22 09:37:36 purgatory01 charon: 09[CFG]   candidate "win7auth", 
> match: 1/1/5/2 (me/other/ike/version)
> Aug 22 09:37:36 purgatory01 charon: 09[CFG] selected peer config 
> 'win7eap'
> Is there another way to assign static IPs to Win7 clients connecting
> with eap-mschapv2 or is this only possible using client certificates?
> The thing is I would like to assign different networks to different 
> users depending on their department.
> Thanks and Regards
> Dirk
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
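
Added example (not part of the original mail, and not strongSwan code): a pre-flight check for the address list passed to ipsec pool --add <name> --addresses <file>. It rejects malformed or repeated addresses and repeated identities before they are stored as static leases. It assumes one "<IPv4 address>[=<identity>]" entry per line and does not handle IPv6; check_pool_list, sample_list and the 10.10.x.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an address list before loading it as static leases with
#   ipsec pool --add <name> --addresses <file> --timeout 0
# Assumption: one "<IPv4 address>[=<identity>]" entry per line.
# check_pool_list and sample_list are hypothetical helper names.

check_pool_list() {
    # Reads the file named in $1, or STDIN when $1 is missing or "-".
    awk '
    /^$/ { exit }   # the tool stops reading at an empty line, so do the same
    {
        p = index($0, "=")          # split on the first "=" only
        addr = p ? substr($0, 1, p - 1) : $0
        id   = p ? substr($0, p + 1) : ""
        n = split(addr, o, ".")
        ok = (n == 4)
        for (i = 1; ok && i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (!ok) { printf "line %d: bad IPv4 address \"%s\"\n", NR, addr; bad = 1; next }
        if (addr in seen_addr) { printf "line %d: address %s listed twice\n", NR, addr; bad = 1 }
        seen_addr[addr] = 1
        if (id != "") {
            if (id in seen_id) { printf "line %d: identity %s listed twice\n", NR, id; bad = 1 }
            seen_id[id] = 1
        }
    }
    END { exit bad }
    ' "${1:--}"
}

# Constructed sample: one address per department subnet, identities from the thread.
sample_list() {
    cat <<'EOF'
10.10.1.10=dhaeap
10.10.2.10=dhaw7
10.10.2.11
EOF
}

if sample_list | check_pool_list; then
    echo "list is clean; load it with: ipsec pool --add <name> --addresses <file> --timeout 0"
fi
```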
