[strongSwan] ikev1 + freeradius (accounting only)
WorkingMan
signup_mail2002 at yahoo.com
Thu Sep 19 17:57:57 CEST 2013
Martin Willi <martin at ...> writes:
>
>
> > are you sure eap-radius works with ikev1?
>
> No, you can't use eap-radius for IKEv1 authentication, that makes no
> sense. But you can use it for Accounting.
>
> For IKEv1, you may either use
>
> keyexchange=ikev1
> leftauth=pubkey
> rightauth=pubkey
>
> for certificate authentication without any XAuth at all, or additionally
> add
>
> rightauth2=xauth-noauth
>
> to use the dummy XAuth method. This might be useful if the client
> expects XAuth. But if you can disable XAuth on the client, you should
> just omit rightauth2.
>
> Regards
> Martin
>
>
Thanks for confirming my suspicion. I will summarize what happened for other
users. The iOS and Android native VPN clients use ikev1 (for Android
strongswan provides an ikev2 client; who knows when the OS will natively make
the switch one day, and hopefully not drop ikev1). For iOS you can't log in
without user/password, but that's an overhead for the user.
So if you need:
1) mutual certificate authentication without password
2) ikev1
3) accounting with RADIUS
then you need to do the following:
1) ipsec.conf
    keyexchange=ikev1
    authby=xauthrsasig
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=xauth-eap  # need to modify xauth_eap.c: verify_eap() to always return TRUE
2) strongswan.conf
    eap-radius {
        accounting = yes
        servers {
            server-a {
                address = <ip of server>
                secret = <shared pass>
                # other settings here
            }
        }
    }
Set up your freeradius using a DB accordingly (see the online guide: create user,
database, import schema.sql, nas.sql, and part of admin.sql; uncomment "sql"
in a lot of places; the freeradius guide is outdated, with deprecated file names
that don't exist). I would suggest using mysql and daloradius for verifying
that accounting info is indeed stored; if need be, move to postgresql when
everything is working (although I am not sure it makes much difference for
VPN accounting).
I did notice a weird thing. With Android (4.3), each session terminated
from the UI always results in "Session-Timeout" in the DB, but with iOS you get
"User-Request". I am not sure if this is a strongswan issue or an Android
issue. I am not using this information right now, but if I did it would cause
a problem.
For ikev2 (right now only Win7/8 supports it in its built-in VPN client) I
can't manage to make it work yet. It will be another discussion if I can
figure it out.
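An added example, not from the post above or from the strongSwan or FreeRADIUS projects: a small auditor for the accounting records described here, which pairs RADIUS Start/Stop records by session id, tallies Acct-Terminate-Cause values (so the Session-Timeout vs. User-Request difference is visible per client) and flags Stops without a Start or sessions never stopped. It assumes the FreeRADIUS "detail" file layout (timestamp line, tab-indented attributes, blank line between records); the sample records and their values are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in FreeRADIUS "detail" file layout (timestamp line,
# tab-indented attributes, blank line between records); values are made up.
SAMPLE_DETAIL = """\
Thu Sep 19 17:10:01 2013
\tAcct-Status-Type = Start
\tAcct-Session-Id = "sess-a"
\tUser-Name = "ios-client"

Thu Sep 19 17:40:01 2013
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "sess-a"
\tUser-Name = "ios-client"
\tAcct-Session-Time = 1800
\tAcct-Terminate-Cause = User-Request

Thu Sep 19 17:45:05 2013
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "sess-b"
\tUser-Name = "android-client"
\tAcct-Session-Time = 2100
\tAcct-Terminate-Cause = Session-Timeout
"""
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_detail(text):
    """Return one {attribute: value} dict per record in a detail file."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # blank line closes a record
            if cur:
                records.append(cur)
                cur = {}
        elif (m := ATTR_RE.match(line)):
            cur[m.group(1)] = m.group(2)
        else:                         # unindented line is the timestamp
            cur["_timestamp"] = line.strip()
    return records

def audit_sessions(records):
    """Pair Start/Stop by session id; count causes, flag orphans and open sessions."""
    starts = {r["Acct-Session-Id"] for r in records if r.get("Acct-Status-Type") == "Start"}
    stops = {r["Acct-Session-Id"]: r for r in records if r.get("Acct-Status-Type") == "Stop"}
    return {
        "causes": Counter(s.get("Acct-Terminate-Cause", "?") for s in stops.values()),
        "orphan_stops": sorted(set(stops) - starts),   # Stop with no matching Start
        "open_sessions": sorted(starts - set(stops)),  # Start that never stopped
    }
```

Point it at the real detail file (or at rows exported from radacct) to check that every tunnel teardown produced a Stop and to see which terminate causes each client platform actually reports.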