[strongSwan] Integrating radius with strongswan.

Azfar Hashmi azfar.hashmi at cloudways.com
Tue Feb 19 13:59:28 CET 2013


Hi Martin,

I am on 5.0.2. How can I convert my ipsec.conf for multiple auth, i.e.
xauth+rsasig with RADIUS? I don't see any option in rightauth to define
rsasig as the first auth. How can I check which options strongSwan 5 was
compiled with by default? Do I need to recompile it with
--enable-eap-radius, --enable-xauth-eap etc.? I want to use
xauthrsasig due to iOS VPN On Demand. I also noticed that left|rightauth
and left|rightauth2 are only available in IKEv2 ("Prior to 5.0.0
<http://wiki.strongswan.org/projects/strongswan/wiki/500> this parameter
is only supported for IKEv2") but I am using IKEv1.

http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

Below is my current config:

config setup
        # virtual_private, nat_traversal, plutostart and crlcheckinterval are
        # pluto keywords: pluto was removed in 5.0.0 and charon, the only
        # daemon left, does NAT traversal unconditionally. charonstart=yes is
        # the default anyway.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        nat_traversal=yes
        charonstart=yes
        plutostart=yes
        crlcheckinterval=600
        uniqueids=no                    # allow several tunnels with the same identity

conn ios
        keyexchange=ikev1
        # legacy keyword: RSA-signature auth on both sides, then an XAuth round.
        # In 5.x it is shorthand for leftauth=pubkey, rightauth=pubkey,
        # rightauth2=xauth (passwords from ipsec.secrets, not from RADIUS)
        authby=xauthrsasig
        xauth=server                    # this gateway verifies the XAuth credentials
        left=%defaultroute
        leftsubnet=0.0.0.0/0            # full tunnel: all client traffic comes here
        leftfirewall=yes                # updown script adds iptables rules per tunnel
        leftcert=serverCert.pem         # gateway certificate from /etc/ipsec.d/certs
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.0/24       # virtual IP pool handed out to clients
        auto=add                        # load the conn and wait for clients to initiate

include /var/lib/strongswan/ipsec.conf.inc


On 2/18/2013 8:00 PM, Azfar Hashmi wrote:
> Hi Martin,
>
> Thanks for clearing things up. I will first move to v5.x, then come
> back.
>
> On 2/18/2013 7:44 PM, Martin Willi wrote:
>> Hi Azfar,
>>
>>> I am using Strongswan 4.5.2 (Debian Squeeze) with xauthrsasig auth type.
>>> Now I want to replace ipsec.secrets and put a radius server.
>> In 4.5.2, IKEv1 is handled in the "pluto" daemon. Pluto does not have
>> support for RADIUS authentication.
>>
>> With strongSwan 5.x, we reimplemented IKEv1 in the newer "charon" daemon
>> which also supports IKEv2. With its eap-radius backend and the xauth-eap
>> bridge, you can authenticate XAuth clients against RADIUS. It requires a
>> RADIUS server that speaks EAP, though. See [1] for details.
>>
>>> 1) Can I still use xauth+rsa as an auth mechanism with the eap-radius plugin?
>> With the xauth-eap helper plugin, yes.
>>
>>> 2) Do I need to recompile strongswan for eap-radius plugin or Debian 6
>>> comes with it.
>> You need at least 5.0.0, better 5.0.2, which doesn't come with Debian
>> yet. Also, you need the eap-radius and the xauth-eap plugins, along with
>> a suitable EAP method.
>>
>>> 3) I want to use single server for both radius and strongswan, what is
>>> the role of strongswan.conf in *"alice"*?
>> Alice is the RADIUS server in this example, so you won't need it. You
>> can install your RADIUS server on moon, and configure eap-radius to use
>> the local RADIUS server.
>>
>> Regards
>> Martin
>>
>> [1]http://wiki.strongswan.org/projects/strongswan/wiki/XAuthEAP
>>


-- 
Azfar Hashmi
Cloudways
Your Managed Cloud
e: azfar.hashmi at cloudways.com
w: www.cloudways.com <http://www.cloudways.com>
PGP keyid: 0xF42034B0F915D729
http://keyserver.pgp.com
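The 5.x conversion Martin describes (the xauth-eap plugin turns the XAuth username/password round into an EAP exchange, and the eap-radius plugin relays that exchange to RADIUS), written out as an added example. It is not part of the original thread and not a configuration the strongSwan project ships. It assumes the RADIUS server runs on the same host as charon (127.0.0.1, port 1812), that `RadiusSharedSecret`, `ios-vpn-gw` and `serverCert.pem` are placeholders, and that EAP-MD5 is the method the RADIUS server offers, so the eap-md5 plugin is loaded locally as the peer side of that exchange (any other password-capable method, e.g. EAP-GTC, works the same way). The pubkey/xauth-eap split replaces authby=xauthrsasig, which 5.x still accepts but which maps to rightauth2=xauth, i.e. ipsec.secrets lookups rather than RADIUS.

```conf
# /etc/ipsec.conf  (strongSwan 5.0.2: charon handles IKEv1, pluto is gone)
config setup
        uniqueids=no                    # several devices may share one identity
        # virtual_private, nat_traversal, plutostart, crlcheckinterval are
        # pluto-era keywords with no effect on charon, so they are dropped.

conn ios
        keyexchange=ikev1
        # Replacement for authby=xauthrsasig. leftauth/rightauth work for
        # IKEv1 since 5.0.0; the wiki note about "IKEv2 only" is for 4.x.
        leftauth=pubkey                 # gateway authenticates with its RSA cert
        rightauth=pubkey                # client must present a certificate (rsasig)
        rightauth2=xauth-eap            # second round: XAuth verified via an EAP backend
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem         # placeholder, gateway cert in /etc/ipsec.d/certs
        right=%any
        # rightsubnet is left out: with rightsourceip the assigned virtual IP
        # becomes the remote traffic selector.
        rightsourceip=10.0.0.0/24
        auto=add

include /var/lib/strongswan/ipsec.conf.inc

# /etc/strongswan.conf
charon {
    plugins {
        xauth-eap {
            # EAP server used to verify the XAuth credentials.
            # "radius" selects the eap-radius plugin (this is also the default).
            backend = radius
        }
        eap-radius {
            # RADIUS on the same host ("moon" in the wiki scenario, no "alice")
            server = 127.0.0.1
            port = 1812                     # standard RADIUS authentication port
            secret = RadiusSharedSecret     # placeholder; must match the RADIUS client entry
            nas_identifier = ios-vpn-gw     # assumed name, shows up in RADIUS logs
        }
        # eap-md5 is assumed here as the local peer-side method that answers
        # the RADIUS server's EAP challenge with the XAuth password; it needs
        # no settings of its own, only to be built and loaded.
    }
}
```

Only the XAuth user/password pairs move to RADIUS; the gateway's RSA private key (`: RSA serverKey.pem`) stays in ipsec.secrets, and client certificates are still verified against the CA in /etc/ipsec.d/cacerts. Whether the installed build has the required plugins is visible in the "loaded plugins:" line of `ipsec statusall` (look for eap-radius, xauth-eap and eap-md5); if any is missing, the source must be configured with `--enable-eap-radius --enable-xauth-eap --enable-eap-md5`.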