[strongSwan] LDAP authentication with ikev2

Noel Kuntze noel at familie-kuntze.de
Fri Dec 19 22:21:51 CET 2014


Hello Cindy,

Yes, that plugin is the appropriate one.
You'd set rightauth2=eap-gtc and simply configure the eap-gtc plugin
in strongswan.conf directly, if you can't find the configuration file for it.

You need a separate conn section for IKEv1 and IKEv2, if you use protocol-specific
features (XAUTH, EAP, ...).

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 19.12.2014 um 22:19 schrieb Cindy Moore:
> Is there a way to use ldap authentication with ikev2?  Obviously
> xauth-pam will only work with ikev1, but in looking over the Android
> Strongswan app, I notice that's ikev2 only.
>
> It looks to me, from looking at this page:
> https://wiki.strongswan.org/projects/strongswan/wiki/EapGtc
>
> that this is the plugin to do that?
>
> I already have compiled strongswan with --enable-xauth-pam, I'd need
> to recompile adding in --enable-eap-gtc
>
> I'm a little unclear as to what the conn would look like.  Right now,
> this works fine on ikev1 and xauth-pam
>
> conn roadwarrior-ldap
>         keyexchange=ikev1
>         leftid=vpn.sysnet.ucsd.edu
>         rightauth=pubkey
>         rightauth2=xauth-pam
>         auto=add
>
> Would it be sufficient to remove the forced ikev1 setting in there? Or
> do I need to add in a new conn
>
> conn roadwarrior-ldap2
>         keyexchange=ikev2
>         leftid=vpn.sysnet.ucsd.edu
>         rightauth=pubkey
>         rightauth2=eap-gtc
>         auto=add
>
> I don't see a strongswan.d/charon/eap-gtc.conf file -- does it need one?

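The setup described in this message, written out as an added example (not part of the original post, and not taken from the strongSwan project): the eap-gtc plugin configured directly in strongswan.conf, plus one conn per IKE version. It assumes the host's PAM stack already resolves users against LDAP, that the files live at their default /etc locations, and the conn name roadwarrior-base is made up for the example.

```conf
# --- /etc/strongswan.conf (assumed default location) ---
charon {
    plugins {
        eap-gtc {
            # EAP-GTC hands the user's plaintext password to the gateway
            # (inside the encrypted IKE_AUTH exchange); this selects the
            # XAuth backend that verifies it. "pam" reuses xauth-pam.
            backend = pam
        }
        xauth-pam {
            # PAM service the password is checked against. "login" is the
            # plugin default; LDAP lookup is assumed to be configured in
            # that PAM service, not in strongSwan.
            pam_service = login
        }
    }
}

# --- /etc/ipsec.conf (assumed default location) ---
# Settings common to both protocol versions. No auto= here, so this
# section is only a template (hypothetical name) and is never loaded
# as a connection on its own.
conn roadwarrior-base
        leftid=vpn.sysnet.ucsd.edu
        rightauth=pubkey

# IKEv1 clients: certificate first, then XAUTH checked via PAM.
conn roadwarrior-ldap
        also=roadwarrior-base
        keyexchange=ikev1
        rightauth2=xauth-pam
        auto=add

# IKEv2 clients (e.g. the Android app): certificate first, then a
# second authentication round using EAP-GTC, checked via PAM.
conn roadwarrior-ldap2
        also=roadwarrior-base
        keyexchange=ikev2
        rightauth2=eap-gtc
        auto=add
```

Both plugins have to be built in (--enable-xauth-pam and --enable-eap-gtc), since the eap-gtc backend relies on xauth-pam for the actual PAM call.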


