[strongSwan] strongswan without client certificate
Martin Willi
martin at strongswan.org
Thu Dec 4 10:40:22 CET 2014
Hi,
> Any idea what's the best authentication method for username/password only
> on client-side? EAP-MD5?
> The client should be able to connect via windows ikev2 native clients,
> the strongswan android-app,
If you want to use the native Windows IKEv2 Agile VPN client, there is
no way around EAP-MSCHAPv2 for username/password authentication. You
could wrap that in PEAP/TTLS, but that most likely makes no sense for
your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]
for configuration details.
> and the native clients from osx/ios.
OS X does not natively support IKEv2. You'd have to stick to IKEv1 with
XAuth, so you need a separate configuration profile. Please note that
there are rekeying issues with that client, which usually break the
tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]
for configuration details.
iOS supports IKEv2 since version 8, older versions support IKEv1 only.
Refer to [3] for details about deploying configuration profiles.
Regards
Martin
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
[2] https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
[3] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
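
An added example, not part of the original message or the strongSwan wiki: a gateway-side sketch of the IKEv2 setup described above, where the server authenticates with a certificate and clients authenticate with username/password over EAP-MSCHAPv2. The hostname, file names, address pool, user name and password are placeholders chosen for illustration.

```conf
# /etc/ipsec.conf (gateway side); all names and addresses are placeholders
conn ikev2-eap-mschapv2
    keyexchange=ikev2
    left=%any
    leftauth=pubkey                # gateway proves its identity with a certificate
    leftcert=serverCert.pem        # placeholder file name
    leftid=@vpn.example.org        # must match a subjectAltName in the server certificate
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2         # clients authenticate with username/password only
    eap_identity=%any              # ask the client for its EAP identity
    rightsendcert=never            # no client certificate is requested
    rightsourceip=10.10.3.0/24     # placeholder virtual IP pool
    auto=add

# /etc/ipsec.secrets (gateway side)
# Private key belonging to serverCert.pem (placeholder file name)
: RSA serverKey.pem
# One line per user; EAP-MSCHAPv2 needs the password available to the gateway
alice : EAP "replace-with-a-long-random-password"
```

Because the passwords sit in ipsec.secrets in clear text, keep that file readable by root only.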