[strongSwan] ikev1 + freeradius (accounting only)

WorkingMan signup_mail2002 at yahoo.com
Thu Sep 19 16:53:19 CEST 2013


Martin Willi <martin at ...> writes:

> 
> Hi,
> 
> > 1) certification only authentication without secondary authentication (ex:
> > xauth) for ikev1
> > 2) need radius accounting (ie: freeradius)
> > 
> > If xauth-eap is used accounting will happen but that means I am forced to use
> > xauth (remember authentication and accounting are decoupled in freeradius).
> 
> Why bother with xauth-eap if you don't need XAuth?
> 
> Accounting works independent of Authentication. You can use any
> non-RADIUS authentication method, but configure the eap-radius plugin to
> do Accounting only.
> 
> > I wonder why bother with EAP-TLS/radius for VPN if strongswan can already do
> > mutual authentication (based on charon.log) with certificate?
> 
> It makes sense in a few situations:
> 
>       * Windows 7 can use EAP-TLS in IKEv2 for Smartcard user
>         authentication (IKEv2 certificate authentication can use machine
>         certificates only). 
>       * You can delegate certificate validation/authentication to an AAA
>         backend using RADIUS. This backend could enforce additional
>         policies that the IPsec gateway might not have access to, and
>         then forward policy decisions to the strongSwan.
>       * Because we can!
> 
> Regards
> Martin
> 
> 


If I use the following it doesn't work:

Does not work:

keyexchange=ikev1
authby=xauthrsasig
leftauth=pubkey
rightauth=pubkey
rightauth2=eap-radius

charon.log:
no peer config found - are you sure eap-radius works with ikev1?

Works:

keyexchange=ikev1
authby=xauthrsasig
leftauth=pubkey
rightauth=pubkey
rightauth2=xauth-eap


In the event eap-radius works with ikev2 in the way you describe it, can you 
tell me how to configure it to have accounting only (like we discussed 
earlier)?

Thanks,
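
The accounting-only setup described in the quoted reply (certificate authentication on the gateway, eap-radius used for RADIUS accounting only) could be configured as sketched below. This is an added example, not part of the original thread and not the strongSwan project's own configuration; the server name, address, shared secret and conn name are constructed placeholders, and it assumes the eap-radius plugin is built and loaded.

```conf
# --- strongswan.conf -------------------------------------------------
charon {
    plugins {
        eap-radius {
            # Send RADIUS Accounting Start/Stop messages for established
            # IKE_SAs, independent of how the peer was authenticated.
            accounting = yes

            servers {
                # "acct1" is a hypothetical section name.
                acct1 {
                    # Constructed address (documentation range); use
                    # the FreeRADIUS host here.
                    address = 192.0.2.10
                    # Placeholder; must match the client secret that
                    # FreeRADIUS has configured for this gateway.
                    secret = CHANGE_ME_SHARED_SECRET
                    # Standard RADIUS accounting port.
                    acct_port = 1813
                }
            }
        }
    }
}

# --- ipsec.conf ------------------------------------------------------
# Certificate-only IKEv1: both sides authenticate with pubkey and no
# rightauth2 is set, so there is no XAuth round and RADIUS is never
# consulted for authentication.
conn ikev1-cert                 # hypothetical conn name
    keyexchange=ikev1
    leftauth=pubkey
    rightauth=pubkey
    auto=add
```

With no XAuth round there is no XAuth username, so check on the FreeRADIUS side which identity arrives in the accounting records before relying on them for per-user reporting.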




