[strongSwan] strongswan without client certifikate

Martin Willi martin at strongswan.org
Thu Dec 4 10:40:22 CET 2014


> Any idea whats the best authentication method for username/password only
> on client-side? EAP-MD5?

> The client should be able to connect via windows ikev2 native clients,
> the strongswan android-app,

If you want to use the native Windows IKEv2 Agile VPN client, there is
no way around EAP-MSCHAPv2 for username/password authentication. You
could wrap that in PEAP/TTLS, but that most likely makes no sense for
your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]
for configuration details.

> and the native clients from osx/ios.

OS X does not natively support IKEv2. You'd have to stick to IKEv1 with
XAuth, so you need a separate configuration profile. Please note that
there are rekeying issues with that client, which usually breaks the
tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]
for configuration details.

iOS supports IKEv2 since version 8, older versions support IKEv1 only.
Refer to [3] for details about deploying configuration profiles.



More information about the Users mailing list