[strongSwan] Strongswan Android client could not log in (VPN otherwise working for Win7)
Lawrence Chiu
Lawrence_Chiu_TX3 at yahoo.com
Tue Sep 24 03:37:59 CEST 2013
Hi Tobias. With these changes, it finally works with the Android
Strongswan app with "IKEv2 Certificate + EAP", but the VPN doesn't
work with Windows 7 anymore. Do you know if Windows 7's VPN client
actually supports multi-factor IKEv2 authentication? In this case,
Certificate + EAP, which I believe is not a standard but proposed by RFC
4739. I spent a while looking for evidence that Windows 7's VPN client
supports RFC 4739 and didn't find anything.
Thank you.
Regards,
Lawrence
On 9/23/2013 4:37 AM, Tobias Brunner wrote:
> Hi Lawrence,
>
>> barney etc # grep eap /etc/ipsec.conf
>> rightauth=eap-mschapv2
>> eap_identity=%any
> When you select "IKEv2 Certificate + EAP" on the client what you
> actually want on the server is:
>
> leftauth=pubkey
> rightauth=pubkey
> rightauth2=eap-mschapv2
> eap_identity=%any
>
> That is, there are two authentication rounds, the first authenticates
> the client (and server) with certificates, the second authenticates the
> client with EAP. The example config on the wiki corresponds to the
> "IKEv2 EAP" setting in the app, which still authenticates the server
> with certificates but the client only with EAP.
>
> Regards,
> Tobias
>
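
Added example, not part of the original thread or strongSwan's own code: a small Python check that reads ipsec.conf `conn` sections, lists the authentication rounds each one demands from the client, and names the Android app setting from Tobias's reply that matches. The sample config and conn names are constructed; `also=` includes and implicit option defaults are not handled.

```python
import re
# Constructed sample ipsec.conf (not from the thread); conn names are hypothetical.
SAMPLE = """\
conn %default
    leftauth=pubkey
    eap_identity=%any

conn eap-only
    rightauth=eap-mschapv2

conn cert-plus-eap
    rightauth=pubkey
    rightauth2=eap-mschapv2
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with conn %default merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif raw[0].isspace() and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # "config setup" and "ca" sections are ignored
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def client_rounds(opts):
    """Ordered list of explicitly configured rounds the client must complete."""
    return [opts[k] for k in ("rightauth", "rightauth2") if k in opts]

def app_setting(opts):
    """Map a conn to the strongSwan Android app setting named in the thread."""
    rounds = client_rounds(opts)
    if len(rounds) == 1 and rounds[0].startswith("eap"):
        return "IKEv2 EAP"
    if len(rounds) == 2 and rounds[0] == "pubkey" and rounds[1].startswith("eap"):
        return "IKEv2 Certificate + EAP"
    return "other"

if __name__ == "__main__":
    for name, opts in parse_conns(SAMPLE).items():
        print(f"{name}: client rounds {client_rounds(opts)} -> {app_setting(opts)}")
```
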