[strongSwan] rightgroups is not working with IKEv1

Martin Willi martin at strongswan.org
Thu Jul 26 13:05:33 CEST 2012

Hi Jordan,

> I am having difficulty getting strongSwan to select the right IKEv1
> configuration based on group attributes returned from the RADIUS server.

Providing group membership through XAuth backends, and also enforcing it
in XAuth, is actually not supported yet in 5.0.

>    rightgroups="group1"
>    rightauth=pubkey
>    rightauth2=xauth-eap

Setting rightgroups is not correct, because it applies to the first
authentication round. That "pubkey" round does not provide the group
information you require, hence the connection fails.

To enforce group membership in (non-Hybrid mode) XAuth, you'd have to
set rightgroups2="group1". Such a parameter does not exist, but I've
pushed a patch [1] that adds this option to ipsec.conf.

I've pushed a few [2] other [3] patches [4] that apply the group
information from XAuth backends and check compliance against the
configuration. Currently missing is the connection fallback, though. So
if your first connection does not comply, the setup fails without
switching to a potentially matching connection. I'll try to get this
implemented ASAP, but this requires some work.
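
How the two per-round constraints are evaluated, as an added Python model (not strongSwan code): each authentication round contributes its own group set, rightgroups is checked against the first round and rightgroups2 against the second, and select_conn supplies the connection fallback the reply says is still missing. The names Round, Conn, conn_complies and select_conn, and the sample exchange, are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set, List

@dataclass
class Round:
    """One IKEv1 authentication round and the group attributes it yielded."""
    method: str                          # e.g. "pubkey" or "xauth-eap"
    groups: FrozenSet[str] = frozenset() # empty for a pubkey round

@dataclass
class Conn:
    """The group-related parts of an ipsec.conf conn section (assumed model)."""
    name: str
    rightauth: str
    rightauth2: Optional[str] = None
    rightgroups: Set[str] = field(default_factory=set)   # applies to round 1
    rightgroups2: Set[str] = field(default_factory=set)  # applies to round 2

def round_complies(required: Set[str], provided: FrozenSet[str]) -> bool:
    # ipsec.conf semantics: with a group list set, the peer must be a member
    # of at least one listed group; with no list, any peer passes.
    return not required or bool(required & provided)

def conn_complies(conn: Conn, rounds: List[Round]) -> bool:
    """Check each round's method and group constraint against the conn."""
    if not rounds or rounds[0].method != conn.rightauth:
        return False
    if not round_complies(conn.rightgroups, rounds[0].groups):
        return False  # rightgroups checked against a pubkey round: no groups
    if conn.rightauth2 is None:
        return len(rounds) == 1
    if len(rounds) < 2 or rounds[1].method != conn.rightauth2:
        return False
    return round_complies(conn.rightgroups2, rounds[1].groups)

def select_conn(conns: List[Conn], rounds: List[Round]) -> Optional[str]:
    """The fallback the reply says is missing: first compliant conn wins."""
    for conn in conns:
        if conn_complies(conn, rounds):
            return conn.name
    return None

# Constructed exchange: the pubkey round carries no group information, the
# XAuth round carries the group attribute the RADIUS server returned.
EXCHANGE = [Round("pubkey"), Round("xauth-eap", frozenset({"group1"}))]

WRONG = Conn("wrong", "pubkey", "xauth-eap", rightgroups={"group1"})   # fails
RIGHT = Conn("right", "pubkey", "xauth-eap", rightgroups2={"group1"})  # passes
OTHER = Conn("other", "pubkey", "xauth-eap", rightgroups2={"group2"})
```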
