[strongSwan] ikev1 + freeradius (accounting only)
signup_mail2002 at yahoo.com
Thu Sep 19 17:57:57 CEST 2013
Martin Willi <martin at ...> writes:
> > are you sure eap-radius works with ikev1?
> No, you can't use eap-radius for IKEv1 authentication, that makes no
> sense. But you can use it for Accounting.
> For IKEv1, you may either use
> for certificate authentication without any XAuth at all, or additionally
> to use the dummy XAuth method. This might be useful if the client
> expects XAuth. But if you can disable XAuth on the client, you should
> just omit rightauth2.
Thanks for confirming my suspicion. I will summarize what happened for other
users. For iOS and Android native VPN client uses ikev1 (for Android
strongswan provides a ikev2 client; who know when the OS will natively make
the switch one day and hopefully not drop ikev1). For iOS you can't login
without user/password but that's an overhead for the user.
So if need:
1) mutual certificate authentication without password
3) accounting with RADIUS
Then you need to do the following:
rightauth2=xauth-eap #need to modify xauth_eap.c: verify_eap() to always
accounting = yes
address=<ip of server>
#other settings here
Setup your freeradius using DB accordingly (see online guide, create user,
database, import schema.sql, nas.sql, and part of admin.sql; uncomment "sql"
in alot of places; freeradius guide is outdated with deprecated file names
that don't exist), I would suggest to use mysql and daloradius for verifying
that accounting info is indeed stored; if need to be when everything is
working move to postgresql; although I am not sure for VPN accounting it
makes much difference)
I did notice a weird thing. With Android (4.3) each session when terminated
from the UI always result in the "Session-Timeout" in the DB but iOS you get
"User-Request". I am not sure if this is a strongswan issue or Android
issue. I am not using this information right now but if I did it would cause
For ikev2 (now only win7/8 supports in it's built-in VPN client) client I
can't manage to make it work yet. It will be another discussion if I can
figure it out.
More information about the Users