[strongSwan] Strongswan Android client could not log in (VPN otherwise working for Win7)

Lawrence Chiu Lawrence_Chiu_TX3 at yahoo.com
Tue Sep 24 03:37:59 CEST 2013

Hi Tobias.  With these changes, it finally works with the Android 
Strongswan app with "IKEv2 Certificate + EAP", but the VPN doesn't
work with Windows 7 anymore.  Do you know if Windows 7's VPN client 
actually supports multi-factor IKEv2 authentication?  In this case, 
Certificate + EAP, which I believe is not a standard but proposed by RFC 
4739.  I spent a while looking for evidence that Windows 7's VPN client 
supports RFC 4739 and didn't find anything.

Thank you.


On 9/23/2013 4:37 AM, Tobias Brunner wrote:
> Hi Lawrence,
>> barney etc # grep eap /etc/ipsec.conf
>>       rightauth=eap-mschapv2
>>       eap_identity=%any
> When you select "IKEv2 Certificate + EAP" on the client what you
> actually want on the server is:
> 	leftauth=pubkey
> 	rightauth=pubkey
> 	rightauth2=eap-mschapv2
> 	eap_identity=%any
> That is, there are two authentication rounds: the first authenticates
> the client (and server) with certificates, the second authenticates the
> client with EAP.  The example config on the wiki corresponds to the
> "IKEv2 EAP" setting in the app, which still authenticates the server
> with certificates but the client only with EAP.
> Regards,
> Tobias
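
The difference between the two server configurations described above, as an added example that is not part of the original thread or of strongSwan: a small Python check that reads ipsec.conf-style conn sections and reports which of the two app settings named in the thread each one expects from the client. The sample config and conn names are constructed, and the parser deliberately ignores `also=` and `conn %default` inheritance.

```python
# Constructed sample: the two server-side variants discussed in the thread.
SAMPLE_CONF = """\
conn eap-only
    leftauth=pubkey
    rightauth=eap-mschapv2
    eap_identity=%any

conn cert-plus-eap
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=eap-mschapv2
    eap_identity=%any
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section headers start in column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def client_rounds(conn):
    """Ordered authentication rounds the server requires from the client."""
    return [conn[k] for k in ("rightauth", "rightauth2") if k in conn]

def app_setting(conn):
    """Map the required client rounds to the app setting named in the thread."""
    kinds = ["eap" if r.startswith("eap") else r for r in client_rounds(conn)]
    if kinds == ["eap"]:
        return "IKEv2 EAP"
    if kinds == ["pubkey", "eap"]:
        return "IKEv2 Certificate + EAP"
    return "no setting named in the thread"

def audit(text):
    """Return {conn_name: matching app setting} for a whole config."""
    return {name: app_setting(c) for name, c in parse_conns(text).items()}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```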
