[strongSwan] Antw: Re: xauth - ikev1 - ikev2 - radius - eDir

Tue Oct 1 17:14:40 CEST 2013

Hello Martin,

thanks for your reply.

Well, as i really would like to user the advantages of IKEv2, i would
prefer
that.

Win7 is one of the major ClientOS used in our environment, so we have to
support that at first. ( which would fit to IKEv2).

I know that 4.4 is quite old, but if i still want to do my updates with
SuSE
there is no other way but to use that.

So I would use eap-radius, and learned that I need
libstrongswan-eap-radius.so 
to use that one.

Unfortunately this is not included in StrongSwan coming with SLES11SP3,
so that 
is a thing I am actually working on. ( Maybe SDK can help me with that)

"0[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
00[LIB] plugin 'eap-radius': failed to load
'/usr/lib64/ipsec/plugins/libstrongswan-eap-radius.so' -
/usr/lib64/ipsec/plugins/libstrongswan-eap-radius.so: cannot open shared
object file: No such file or directory"

Other way would be to use 5.x from the sources, which seems to get more
and
more useful to me (keeping in mind that this would brake our SuSE
updates).

So I am working on the difficulties and if nobody here has any other
ideas i`ll
continue with "including libstrongswan-eap-radius.so in StrongSwan 4.4.0
on
a SLES11SP3".

Thanks.

Björn

>>> Martin Willi <martin at strongswan.org> 01.10.13 13.40 Uhr >>>
Hi Björn,

> So I got to the point where we need a FreeRadius to be connected to
the
> eDir.

> But now i am not sure what way to take. I very much like the ikev2 but
> as described here [...] We need a IKEv1 Xauth to use it.

Do you want to connect IKEv1 or IKEv2 clients to your LAN? The whole
xauth-eap thing is just required for IKEv1 clients; IKEv2 can directly
use the eap-radius plugin for EAP-MSCHAPv2 authentication.

> As Sles11Sp3 comes with strongswan-4.4.0-6.17.5 and i would not really
> like to leave the patchmanagement SuSE

4.4.0 is quite old. It supports eap-radius, but the syntax was more
limited and a little different. The wiki page [1] does not apply to this
old release: specify the RADIUS options directly in the eap-radius
section; 4.4.0 did not have support for multiple servers.

> What would be the right way to let users authenticate at out VPN
Gateway
> using the credentials Freeradius get out of our eDir ? Xauth ? ikev1/2
?

If you have clients speaking IKEv2 (Windows 7), you should definitely go
with IKEv2. [2] has some information about basic configuration. Replace
eap-mschapv2 with eap-radius to delegate authentication. The eap-radius
plugin allows you to verify username/password over RADIUS, for example
against a FreeRADIUS AAA.

Regards
Martin

[1]http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius/7
[2]http://wiki.strongswan.org/projects/strongswan/wiki/Windows7#B-Authentication-using-EAP-MSCHAP-v2

----------------------------------------------------------------------------------------------------
Klinikverbund Westmünsterland gGmbH
 Jur. Sitz der Gesellschaft: Am Boltenhof 7, 46325 Borken
 Registergericht Coesfeld, HRB Nr. 8983
 Ust.-Id.Nr.: DE 222740345
 Hauptgeschäftsführer: Hermann Nientiedt
 Geschäftsführer: Christoph Bröcker, Ludger Hellmann

 Diese E-Mail enthält vertrauliche oder rechtlich geschützte
Informationen. Wenn Sie nicht der beabsichtige Empfänger sind,
informieren Sie bitte sofort den Absender und löschen Sie diese E-Mail.

 Das unbefugte Kopieren dieser E-Mail oder die unbefugte Weitergabe der
enthaltenen Informationen ist nicht gestattet.

 Dem Klinikverbund Westmünsterland sind fünf Krankenhäuser mit 1.332
Planbetten und mehrere Einrichtungen der Altenhilfe angeschlossen. Mehr
als 50 Fachbereiche orientieren sich an neusten medizinischen Standards
und erfüllen die hohen Anforderungen einer qualifizierten und
zertifizierten Versorgung. Rund 50.000 Patienten werden jährlich in den
Krankenhäusern stationär behandelt. Mit über 3.800 Mitarbeitern gehört
der Verbund zu den größten Arbeitgebern der Regio
n.