[strongSwan] IKev1 + eap-tls possible?
signup_mail2002 at yahoo.com
Tue Sep 17 13:59:55 CEST 2013
Thanks for the reply.
> Instead of doing such a non-trivial extension, I'd recommend to do
> signature verification on the IPsec gateway, and use eap-radius just for
> accounting on your AAA server.
What's the configuration in ipsec.conf for the above logic? I tried many
combination and only xauth-eap works with ios. Your method is of course
preferred if it works.
So I need to support ikev1/ikev2. I tried xauth-eap with "DEFAULT Auth :=
Accept" all in FreeRadius side but it was failing I think because I had EAP
enabled (and somehow it tried to use EAP-MD5 since they try all available
configuration). So is possible to have your proposed logic work with ikev1 and
I did some test another way, I was wondering, is to have a modified plugin of
xauth-eap that behaves similar to xauth-noauth (would call it xauth-eap-
noauth). I made verify_eap always return true. RADIUS can still see VPN client
information (start/stop). Would this method still honour all accounting logic
(I was afraid if RADIUS rejects the connection but strongswan accepts the
client that accounting and other RADIUS capability would be broken: can you
comment on this)?
More information about the Users