[strongSwan] Strongswan with freeradius on Debian server

Andreas Steffen andreas.steffen at strongswan.org
Thu Apr 25 10:07:32 CEST 2013


Hello Sabrina,

you mix strongSwan with Openswan notation and IKEv1 Xauth with
IKEv2 EAP. Why not have a look at our ikev2/rw-eap-peap-radius
example scenario where you get all the configuration details:

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-peap-radius/

You might add

  eap_identity=%any

on moon and omit the wildcard filter

  rightid=*.strongswan.org

Best regards

Andreas

On 04/25/2013 08:48 AM, Sabrina Louison-francois wrote:
> Hello,
> 
> 
> I installed a strongswan server (5.0.3) on Debian and want it to work 
> with radius authentication (eap-peap) for my users. My server 
> authenticates with a certificate.
> 
> Here is server's ipsec.conf:
> # basic configuration
> 
> config setup
>          # strictcrlpolicy=yes
>          # uniqueids = no
> 
> # Add connections here.
> 
> conn road
>          left=192.168.10.8       # Gateway's information
>          leftid=%fromcert
>          leftsubnet=10.1.0.0/24
>          leftrsasigkey=%cert
>          leftcert=/etc/ipsec.d/certs/myserver.pem
>          eap_identity=%any
>          right=%any
>          rightauth=eap-radius
>          rightsendcert=never
>          auto=add
> 
> I tested it with a client on Debian. In ipsec.secrets, I tried to put 
> password for my login like this  '  login : EAP "passwd"  '. But it does 
> not work. No password is sent to the radius server and the 
> authentication failed.
> 
> Here is user's ipsec.conf:
> # basic configuration
> 
> config setup
>          # strictcrlpolicy=yes
>          # uniqueids = no
> 
> # Add connections here.
> 
> conn home
>          left=%any       # Localhost's information
>          leftauth=eap-radius
>          leftauth2=xauth-eap
>          #leftrsasigkey=%cert
>          eap_identity="login"
>          right=192.168.10.8
>          rightsubnet=10.1.0.0/24
>          rightid=%fromcert
>          rightrsasigkey=%cert
>          auto=add
> 
> Could anyone tell me where the password must be set ? Or is there a way 
> to force my server asking for user's credentials each time ?
> 
> Thanks for your help.
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
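A sketch of the pure IKEv2 EAP-via-RADIUS layout the reply points to, added here as an example; it is not taken from the post or from the strongSwan scenario files. The addresses, certificate path and `login`/`passwd` values are reused from the question, the conn name `rw-eap` is illustrative, and values in angle brackets are placeholders.

```conf
# ---- gateway: /etc/ipsec.conf ----
conn rw-eap
        keyexchange=ikev2
        left=192.168.10.8
        leftsubnet=10.1.0.0/24
        leftcert=/etc/ipsec.d/certs/myserver.pem
        leftauth=pubkey            # gateway proves itself with its certificate
        right=%any
        rightauth=eap-radius       # gateway relays the client's EAP exchange to RADIUS
        eap_identity=%any          # ask the client for its EAP identity
        rightsendcert=never
        auto=add

# ---- gateway: /etc/strongswan.conf (eap-radius plugin) ----
charon {
  plugins {
    eap-radius {
      server = <radius-server-address>
      secret = <radius-shared-secret>
    }
  }
}

# ---- client: /etc/ipsec.conf ----
# The client speaks plain EAP; eap-radius is only used on the gateway,
# and no xauth (IKEv1) method appears on either side.
conn home
        keyexchange=ikev2
        left=%any
        leftauth=eap               # client needs the EAP method plugins the RADIUS server offers
        eap_identity="login"
        right=192.168.10.8
        rightsubnet=10.1.0.0/24
        rightauth=pubkey           # verify the gateway's certificate
        rightid=<gateway-certificate-identity>
        auto=add

# ---- client: /etc/ipsec.secrets ----
# The EAP password lives on the client and is looked up by the EAP identity.
login : EAP "passwd"
```

The client also needs the CA certificate that issued the gateway certificate in `/etc/ipsec.d/cacerts/` so that `rightauth=pubkey` can succeed before any credentials are exchanged.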
