[strongSwan] IKev1 + eap-tls possible?

Martin Willi martin at strongswan.org
Tue Sep 17 10:13:13 CEST 2013


Hi,

> Is it possible to make an IKEv1 client (e.g. iOS) work with eap-radius and
> eap-tls?

No. IKEv1 does not use EAP, so you definitely can't run any EAP method
between the client and the IPsec gateway.

> Only xauth-eap seems to make IKEv1 work with FreeRADIUS

xauth-eap just takes XAuth credentials and verifies them over EAP. But
this works only for passwords (or tokens); XAuth is not involved in
IKEv1 certificate authentication.

> I was thinking xauth-eap works fine except for the password part. Also I would 
> like the client certificate to be authenticated by RADIUS (so things are 
> centralized in one place for authentication).

IKEv1 certificate authentication is part of the core IKEv1 protocol and
not XAuth. There are currently no hooks in strongSwan to delegate
signature verification to a third party, because this hardly makes
sense.

If you really need something like that, you could replace the IKEv1
public key authenticator [1] by something that delegates verification to
a third party.

Instead of doing such a non-trivial extension, I'd recommend doing
signature verification on the IPsec gateway, and using eap-radius just for
accounting on your AAA server.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
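The setup Martin recommends at the end of his reply, written out as an added example (this is not configuration from the post or from the strongSwan project; the connection name, certificate filename, RADIUS address, pool and shared secret are constructed placeholders). The gateway verifies the client certificate itself with `rightauth=pubkey`, the XAuth password is checked over EAP against RADIUS through the xauth-eap plugin, and eap-radius is additionally configured to send accounting records to the AAA server:

```conf
# /etc/ipsec.conf (gateway side) -- added example, values are constructed
conn ios-ikev1
    keyexchange=ikev1
    left=%any
    leftcert=gatewayCert.pem          # assumed filename under /etc/ipsec.d/certs
    leftauth=pubkey                   # gateway authenticates with its certificate
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey                  # client certificate verified locally by charon
                                      # against the CAs in /etc/ipsec.d/cacerts
    rightauth2=xauth-eap              # XAuth password verified over EAP (RADIUS)
    rightsourceip=10.10.10.0/24       # constructed virtual IP pool for clients
    auto=add

# /etc/strongswan.conf (gateway side) -- added example, values are constructed
charon {
    plugins {
        xauth-eap {
            backend = radius          # hand the XAuth credential check to eap-radius
        }
        eap-radius {
            accounting = yes          # send Accounting-Start/Stop for each IKE_SA
            server = 192.0.2.10       # placeholder RADIUS server address
            secret = CHANGE-ME        # placeholder shared secret
        }
    }
}
```

With this split, the RADIUS server never sees the client certificate or its signature; it only answers the password check and records sessions. If the certificate check must be centralised as well, the only route the post offers is the pubkey_v1_authenticator replacement referenced in [1].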