[strongSwan] Integrating radius with strongswan.

Azfar Hashmi azfar.hashmi at cloudways.com
Tue Feb 19 14:12:33 CET 2013 

Okay I converted both authby=xauthrsasig and xauth=server with
rightauth=pubkey and rightauth2=xauth as per v5 documents and its
working fine.

On 2/19/2013 5:59 PM, Azfar Hashmi wrote:
> Hi Martin,
>
> I am on 5.0.2 how how can I convert my ipsec.conf for multiple auth
> i-e xauth+rsasig with radius. I don't see any option in rightauth to
> define rsasig as first auth. How can check that with which option
> strongswan 5 default complied with. Do I need to recompile it with
> --enable-eap-radius, --enable-xauth-eap ect etc? I want to use
> xauthrassig due to iOS Vpn on Demand. I also noticed that
> left|rightauth and left|rightauth2 are only available in IKEv2 (Prior
> to 5.0.0 <http://wiki.strongswan.org/projects/strongswan/wiki/500>
> this parameter is only supported for IKEv2) but I am using IKEv1.
>
> http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
>
> Below is my current config
>
> config setup
>        
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>         nat_traversal=yes
>         charonstart=yes
>         plutostart=yes
>         crlcheckinterval=600
>         uniqueids=no
>
> conn ios
>         keyexchange=ikev1
>         authby=xauthrsasig
>         xauth=server
>         left=%defaultroute
>         leftsubnet=0.0.0.0/0
>         leftfirewall=yes
>         leftcert=serverCert.pem
>         right=%any
>         rightsubnet=10.0.0.0/24
>         rightsourceip=10.0.0.0/24
>         auto=add
>
> include /var/lib/strongswan/ipsec.conf.inc
>
>
> On 2/18/2013 8:00 PM, Azfar Hashmi wrote:
>> Hi Martin,
>>
>> Thanks for the clearing up things. I will first move to v5.x then
>> come back.
>>
>> On 2/18/2013 7:44 PM, Martin Willi wrote:
>>> Hi Azfar,
>>>
>>>> I am using Strongswan 4.5.2 (Debian Squeeze) with xauthrsasig auth type.
>>>> Now I want to replace ipsec.secrets and put a radius server.
>>> In 4.5.2, IKEv1 is handled in the "pluto" daemon. Pluto does not have
>>> support for RADIUS authentication.
>>>
>>> With strongSwan 5.x, we reimplemented IKEv1 in the newer "charon" daemon
>>> which also supports IKEv2. With its eap-radius backend and the xauth-eap
>>> bridge, you can authenticate XAuth clients against RADIUS. It requires a
>>> RADIUS server that speaks EAP, though. See [1] for details.
>>>
>>>> 1) Can I still use xauth+rsa as a auth mechanism with eap-radius plugin.
>>> With the xauth-eap helper plugin, yes.
>>>
>>>> 2) Do I need to recompile strongswan for eap-radius plugin or Debian 6
>>>> comes with it.
>>> You need at least 5.0.0, better 5.0.2, which doesn't come with Debian
>>> yet. Also, you need the eap-radius and the xauth-eap plugins, along with
>>> a suitable EAP method.
>>>
>>>> 3) I want to use single server for both radius and strongswan, what is
>>>> the role of strongswan.conf in *"alice"*?
>>> Alice is the RADIUS server in this example, so you won't need it. You
>>> can install your RADIUS server on moon, and configure eap-radius to use
>>> the local RADIUS server.
>>>
>>> Regards
>>> Martin
>>>
>>> [1]http://wiki.strongswan.org/projects/strongswan/wiki/XAuthEAP
>>>
>>
>>
>> -- 
>>
>> AzfarHashmi
>>
>> Cloudways
>>
>> Your Managed Cloud
>>
>>  
>>
>> e: azfar.hashmi at cloudways.com
>>
>> w: www.cloudways.com <http://www.cloudways.com>
>>
>>  
>>
>> PGP keyid: 0xF42034B0F915D729
>>
>> http://keyserver.pgp.com
>>
>>  
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
> -- 
>
> AzfarHashmi
>
> Cloudways
>
> Your Managed Cloud
>
>  
>
> e: azfar.hashmi at cloudways.com
>
> w: www.cloudways.com <http://www.cloudways.com>
>
>  
>
> PGP keyid: 0xF42034B0F915D729
>
> http://keyserver.pgp.com
>
>  
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 

AzfarHashmi

Cloudways

Your Managed Cloud

 

e: azfar.hashmi at cloudways.com

w: www.cloudways.com <http://www.cloudways.com>

 

PGP keyid: 0xF42034B0F915D729

http://keyserver.pgp.com

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130219/0d99de22/attachment.html>

More information about the Users mailing list