[strongSwan] xauth - ikev1 - ikev2 - radius - eDir

bjoern wahl bjoern.wahl at hospital-borken.de
Tue Oct 1 10:58:27 CEST 2013


First I would like to thank the whole strongswan.org team for the nice
work they did the last years.

We are using ipsec for several years now and really like it.

But now we also hit the point where we need to get our RW`s to connected
to the local lan.

We uses p2p ipsec for some time now and now think about how to connect
our users to our lan easy an fast.

To do this we like to user our existing eDirectory and it would be the
most easy ( not secure ) way to let them access 
the lan via username/password.

So I got to the point where we need a FreeRadius to be connected to the
eDir. That is already working and has not been a big

But now i am not sure what way to take. I very much like the ikev2 but
as described here :


We need a IKEv1 Xauth to use it.

I understand that part, but we use SLES11sp3 for our gateway and the
side says "The plugin was introduced in 5.0.0 and is for charon only."
which leads we directly to this mail.

As Sles11Sp3 comes with strongswan-4.4.0-6.17.5 and i would not really
like to leave the patchmanagement SuSE does here now my question:

What would be the right way to let users authenticate at out VPN Gateway
using the credentials Freeradius get out of our eDir ? Xauth ? ikev1/2 ?

Yes, I RTFM and found these examples:


but they both don`t seem to fit 100% for me.

Any suggestions ? What would be the best/ most secure way, keep in mind
that the users should only auth via username/password stored in edir, as
everything else gets to complex.

Thanks for your time.


Klinikverbund Westmünsterland gGmbH
 Jur. Sitz der Gesellschaft: Am Boltenhof 7, 46325 Borken
 Registergericht Coesfeld, HRB Nr. 8983
 Ust.-Id.Nr.: DE 222740345
 Hauptgeschäftsführer: Hermann Nientiedt
 Geschäftsführer: Christoph Bröcker, Ludger Hellmann
 Diese E-Mail enthält vertrauliche oder rechtlich geschützte
Informationen. Wenn Sie nicht der beabsichtige Empfänger sind,
informieren Sie bitte sofort den Absender und löschen Sie diese E-Mail.
 Das unbefugte Kopieren dieser E-Mail oder die unbefugte Weitergabe der
enthaltenen Informationen ist nicht gestattet.
 Dem Klinikverbund Westmünsterland sind fünf Krankenhäuser mit 1.332
Planbetten und mehrere Einrichtungen der Altenhilfe angeschlossen. Mehr
als 50 Fachbereiche orientieren sich an neusten medizinischen Standards
und erfüllen die hohen Anforderungen einer qualifizierten und
zertifizierten Versorgung. Rund 50.000 Patienten werden jährlich in den
Krankenhäusern stationär behandelt. Mit über 3.800 Mitarbeitern gehört
der Verbund zu den größten Arbeitgebern der Region.

More information about the Users mailing list