[strongSwan] xauth - ikev1 - ikev2 - radius - eDir

Martin Willi martin at strongswan.org
Tue Oct 1 13:40:23 CEST 2013

Hi Björn,

> So I got to the point where we need a FreeRadius to be connected to the
> eDir.

> But now i am not sure what way to take. I very much like the ikev2 but
> as described here [...] We need a IKEv1 Xauth to use it.

Do you want to connect IKEv1 or IKEv2 clients to your LAN? The whole
xauth-eap thing is just required for IKEv1 clients; IKEv2 can directly
use the eap-radius plugin for EAP-MSCHAPv2 authentication.

> As Sles11Sp3 comes with strongswan-4.4.0-6.17.5 and i would not really
> like to leave the patchmanagement SuSE

4.4.0 is quite old. It supports eap-radius, but the syntax was more
limited and a little different. The wiki page [1] does not apply to this
old release: specify the RADIUS options directly in the eap-radius
section; 4.4.0 did not have support for multiple servers.

> What would be the right way to let users authenticate at out VPN Gateway
> using the credentials Freeradius get out of our eDir ? Xauth ? ikev1/2 ?

If you have clients speaking IKEv2 (Windows 7), you should definitely go
with IKEv2. [2] has some information about basic configuration. Replace
eap-mschapv2 with eap-radius to delegate authentication. The eap-radius
plugin allows you to verify username/password over RADIUS, for example
against a FreeRADIUS AAA.



More information about the Users mailing list