[strongSwan] Strongswan 5, IKEv1, Xauth and Radius?

Martin Willi martin at strongswan.org
Thu Jun 21 10:32:11 CEST 2012


Hi Kimmo

> Does this mean:
> http://www.strongswan.org/uml/testresults5rc/ikev1/xauth-rsa-eap-md5-radius/index.html
> that Radius is now supported when using ikev1-xauth?

Yes, but probably not as you would expect. We support different XAuth
backends, but currently don't have a direct XAuth RADIUS backend.

Instead we have a magic xauth-eap backend. This plugin takes plain XAuth
credentials and verifies them with any EAP method available. This client
EAP method runs on the gateway against another EAP server method. The
server method in this case can be our eap-radius, known from IKEv2:

[ client: Xauth ] <--IKEv1--> [ server: Xauth -> EAP-MD5 -> EAP-RADIUS ] <--RADIUS--> [ AAA ]

This is all a little more complicated than required, but has one
advantage: It allows you to use the same RADIUS server configuration as
with IKEv2, as we speak RADIUS-EAP with your preferred method to the
AAA. The only difference is that the EAP client method runs on the
responder (IKEv1), not on the client (as with IKEv2). Please be aware
that you'll need the EAP client method requested by AAA available on the
server.

We might provide a plain XAuth RADIUS backend some day for IKEv1-only
setups, but that's not done yet.

> There is radius configuration in moon's strongswan.conf, but I cannot
> see anything in moon's ipsec.conf.
> How is the radius configured to be used in specified connection?

The RADIUS configuration goes to strongswan.conf. In moon's ipsec.conf,
rightauth2=xauth will use the first XAuth backend found. If you have
multiple backends, you can use rightauth2=xauth-eap to enforce that EAP
verifier discussed above. In the example it is the only plugin
available.

Regards
Martin
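
The chain described in this message, written out as gateway configuration. This is an added example, not part of the message above and not copied from the strongSwan test suite; the connection name, certificate file name, RADIUS server address and shared secret are constructed placeholders.

```conf
# ---- strongswan.conf on the gateway (constructed example) ----
# The xauth-eap, eap-md5 and eap-radius plugins must be built and loaded.
# eap-md5 stands for whichever EAP method the AAA requests; the matching
# client method has to be available on the gateway, because the gateway
# (not the IKEv1 client) answers the EAP exchange.
charon {
    plugins {
        eap-radius {
            # Placeholder AAA address (documentation range) and secret.
            server = 192.0.2.10
            secret = REPLACE_WITH_RADIUS_SHARED_SECRET
        }
        xauth-eap {
            # EAP server backend that xauth-eap verifies the plain XAuth
            # credentials against; "radius" selects eap-radius.
            backend = radius
        }
    }
}

# ---- ipsec.conf on the gateway (constructed example) ----
# No RADIUS settings appear here: the connection only selects the XAuth
# backend, and the backend finds its AAA settings in strongswan.conf.
# "rw-xauth" is a hypothetical connection name.
conn rw-xauth
    keyexchange=ikev1
    leftauth=pubkey
    # Placeholder certificate file name.
    leftcert=gatewayCert.pem
    right=%any
    # First round: the client authenticates with its certificate.
    rightauth=pubkey
    # Second round: XAuth, pinned to the EAP verifier. Plain "xauth"
    # would pick the first XAuth backend found, which differs from this
    # only when more than one backend is loaded.
    rightauth2=xauth-eap
    auto=add
```

Pinning `rightauth2=xauth-eap` keeps a later-added XAuth backend from silently taking over credential verification for this connection.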




