[strongSwan] IKev1 + eap-tls possible?

WrokingMan signup_mail2002 at yahoo.com
Tue Sep 17 13:59:55 CEST 2013


Thanks for the reply. 

> Instead of doing such a non-trivial extension, I'd recommend to do
> signature verification on the IPsec gateway, and use eap-radius just for
> accounting on your AAA server.

What's the configuration in ipsec.conf for the above logic? I tried many 
combinations and only xauth-eap works with iOS. Your method is of course 
preferred if it works.

So I need to support ikev1/ikev2. I tried xauth-eap with "DEFAULT Auth := 
Accept" all on the FreeRadius side, but it was failing, I think because I had EAP 
enabled (and somehow it tried to use EAP-MD5, since they try all available 
configurations). So is it possible to have your proposed logic work with ikev1 and 
ikev2?

I did some tests another way. What I was wondering is whether to have a modified plugin of 
xauth-eap that behaves similarly to xauth-noauth (I would call it xauth-eap-noauth). 
I made verify_eap always return true. RADIUS can still see VPN client 
information (start/stop). Would this method still honour all accounting logic 
(I was afraid that if RADIUS rejects the connection but strongSwan accepts the 
client, accounting and other RADIUS capabilities would be broken: can you 
comment on this)?

Thanks