[strongSwan] How to configure swan server not to use leftauth -- Is this doable?

Martin Willi martin at strongswan.org
Thu Jul 11 08:53:06 CEST 2013


Hi,

> situation is that client authenticates itself using EAP, and server
> does not use authentication. 

You can't use "no authentication"; some form of server authentication is
required to make the protocol secure. Otherwise one could impersonate
your server, and for example could easily collect the password a client
sends within EAP.

However, there is an IKEv2 extension to use mutual EAP authentication
for both the client and the server, RFC 5998. This only works for EAP
methods that have the required properties, such as EAP-TLS and EAP-AKA,
but is well supported in strongSwan.

To configure a responder connection to use this extension, define
leftauth to the specific EAP method you use. An example with EAP-TLS is
available at [1].

Regards
Martin

[1] http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tls-only/index.html
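As an added illustration of the configuration Martin describes (this is not the original post's text, nor the strongSwan test scenario's own files), here is a responder-side ipsec.conf showing the conventional road-warrior setup next to the mutual-EAP variant in which leftauth names the EAP method. The addresses, identities, subnet and certificate file names are placeholders chosen for this example.

```ini
# Added example, not part of the original post or the strongSwan test suite.
# Responder (VPN server) side ipsec.conf. Addresses, identities, subnet and
# certificate file names are placeholders.

config setup

# Conventional road-warrior setup: the server proves its identity in IKE_AUTH
# with an X.509 certificate signature (leftauth=pubkey); only the client is
# authenticated through EAP. This is the usual answer when you do not want
# mutual EAP; what is not possible is dropping server authentication entirely.
conn rw-eap-cert-server
     left=192.0.2.1
     leftcert=serverCert.pem
     leftid=@vpn.example.com
     leftauth=pubkey
     leftsubnet=10.1.0.0/16
     right=%any
     rightauth=eap-tls
     rightid=*@example.com
     rightsendcert=never
     auto=add

# Mutual EAP (RFC 5998): leftauth names the same EAP method as rightauth, so
# the server no longer authenticates with an IKEv2 certificate signature;
# both peers are authenticated by the single EAP-TLS run and the key it
# derives. The server still needs leftcert, because EAP-TLS presents that
# certificate inside the TLS handshake. Only EAP methods that authenticate
# both sides and derive keys (e.g. EAP-TLS, EAP-AKA) are usable here.
conn rw-eap-mutual
     left=192.0.2.1
     leftcert=serverCert.pem
     leftid=@vpn.example.com
     leftauth=eap-tls
     leftsubnet=10.1.0.0/16
     right=%any
     rightauth=eap-tls
     rightid=*@example.com
     rightsendcert=never
     auto=add
```

The client side mirrors the mutual connection: its own certificate in leftcert, leftauth=eap-tls, and rightauth=eap-tls for the server. If the client keeps rightauth=pubkey it will still expect a certificate signature from the server, so check both ends before testing. The charon eap-tls plugin must be available on the responder (and on the initiator, since it is the TLS client) for either connection to work.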
