[strongSwan] LDAP authentication with ikev2

Noel Kuntze noel at familie-kuntze.de
Fri Dec 19 22:51:16 CET 2014



Hello Cindy,

Yes.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 19.12.2014 at 22:39, Cindy Moore wrote:
> Current strongswan.conf
> --------------
> root@vpn:/etc# more /etc/strongswan.conf
> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
>
> charon {
>   load_modular = yes
>   plugins {
>     include strongswan.d/charon/*.conf
>   }
> }
>
> include strongswan.d/*.conf
> --------
>
> I'd add in something like
>
>     eap-gtc {
>       pam_service = ipsec
>     }
>
> within plugins above?
>
>
> On Fri, Dec 19, 2014 at 1:21 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
> Hello Cindy,
>
> Yes, that plugin is the appropriate one.
> You'd set rightauth2=eap-gtc and simply configure the eap-gtc plugin
> in strongswan.conf directly, if you can't find the configuration file for it.
>
> You need a separate conn section for IKEv1 and IKEv2, if you use protocol specific
> features (XAUTH, EAP, ...).
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 19.12.2014 at 22:19, Cindy Moore wrote:
> >>> Is there a way to use ldap authentication with ikev2?  Obviously
> >>> xauth-pam will only work with ikev1, but in looking over the Android
> >>> Strongswan app, I notice that's ikev2 only.
> >>>
> >>> It looks to me, from looking at this page:
> >>> https://wiki.strongswan.org/projects/strongswan/wiki/EapGtc
> >>>
> >>> that this is the plugin to do that?
> >>>
> >>> I already have compiled strongswan with --enable-xauth-pam, I'd need
> >>> to recompile adding in --enable-eap-gtc
> >>>
> >>> I'm a little unclear as to what the conn would look like.  Right now,
> >>> this works fine on ikev1 and xauth-pam
> >>>
> >>> conn roadwarrior-ldap
> >>>         keyexchange=ikev1
> >>>         leftid=vpn.sysnet.ucsd.edu
> >>>         rightauth=pubkey
> >>>         rightauth2=xauth-pam
> >>>         auto=add
> >>>
> >>> Would it be sufficient to remove the forced ikev1 setting in there? Or
> >>> do I need to add in a new conn
> >>>
> >>> conn roadwarrior-ldap2
> >>>         keyexchange=ikev2
> >>>         leftid=vpn.sysnet.ucsd.edu
> >>>         rightauth=pubkey
> >>>         rightauth2=eap-gtc
> >>>         auto=add
> >>>
> >>> I don't see a strongswan.d/charon/eap-gtc.conf file -- does it need one?
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users
