[strongSwan] strongswan without client certificate

Thomas jk at c.vu
Thu Dec 4 12:21:38 CET 2014


OK, so I have to change my EAP-MSCHAPv2 configuration.
I've tested a lot, but can't find any ipsec configuration where the
client doesn't need the certificate installed locally.

Do you have any ideas based on my posted ipsec.conf ?

Best regards

On 04.12.2014 10:40, Martin Willi wrote:
> Hi,
>> Any idea what's the best authentication method for username/password only
>> on client-side? EAP-MD5?
>> The client should be able to connect via windows ikev2 native clients,
>> the strongswan android-app,
> If you want to use the native Windows IKEv2 Agile VPN client, there is
> no way around EAP-MSCHAPv2 for username/password authentication. You
> could wrap that in PEAP/TTLS, but that most likely makes no sense for
> your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]
> for configuration details.
>> and the native clients from osx/ios.
> OS X does not natively support IKEv2. You'd have to stick to IKEv1 with
> XAuth, so you need a separate configuration profile. Please note that
> there are rekeying issues with that client, which usually breaks the
> tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]
> for configuration details.
> iOS supports IKEv2 since version 8, older versions support IKEv1 only.
> Refer to [3] for details about deploying configuration profiles.
> Regards
> Martin
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> [3] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile

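An added example, not part of the original thread and not taken from the poster's ipsec.conf: a minimal gateway-side configuration for the setup discussed above, where the gateway authenticates with a certificate and the client with EAP-MSCHAPv2 username/password only. The connection name, hostname, file names, address pool and account are constructed placeholders.

```conf
# /etc/ipsec.conf on the gateway (constructed example)
conn ikev2-eap-mschapv2
    keyexchange=ikev2
    left=%any
    # Placeholder identity; it must match the gateway certificate.
    leftid=@vpn.example.org
    # The gateway proves its identity with its own certificate.
    leftauth=pubkey
    # Placeholder file name, looked up in /etc/ipsec.d/certs.
    leftcert=gatewayCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    # The client authenticates with username/password, no client certificate.
    rightauth=eap-mschapv2
    eap_identity=%any
    # Placeholder virtual IP pool handed out to clients.
    rightsourceip=10.10.10.0/24
    auto=add

# /etc/ipsec.secrets on the gateway (constructed example)
# Private key belonging to gatewayCert.pem, looked up in /etc/ipsec.d/private.
: RSA gatewayKey.pem
# Placeholder account; replace the password before use.
alice : EAP "replace-with-a-strong-password"
```

With this layout the client holds no certificate of its own; it only needs to trust the CA certificate that issued the gateway certificate so that it can verify the gateway.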