[strongSwan] Error with EAP-PEAP connection

Ygor Amadeo Sartori Regados ygor.regados at yahoo.com.br
Thu May 15 03:48:46 CEST 2014

I changed my setup to your suggestion and it worked at last, but I needed to copy the server certificate DN as rightid or the server refused connection due to not finding a matching setup.
Is it possible to do that automatically with a server-provided certificate?

If it helps, there is also a IKEv1 Mutual PSK/XAuth setup for compatibility with Windows clients (Shrew Soft VPN) in the server.

Best regards,

Em Wed, 14 May 2014 09:49:23 +0200
Martin Willi <martin at strongswan.org> escreveu:

> Ygor,
> > constraint requires EAP_PEAP, but EAP_NAK was used
> > selected peer config 'rw-ikev2-eap' inacceptable: constraint
> > checking failed
> > rightauth=eap-peap
> When using mutual EAP-only authentication in IKEv2, setting a EAP type
> constraint on the responder won't work. The (mutual) EAP method is
> given by the client side authentication method. On the initiator, you
> can set
>   leftauth=eap-peap
>   rightauth=eap
> What is your intention when using PEAP/MSCHAPv2 in IKEv2? Unless you
> need compatibility to an existing system, this is way more complicated
> than needed. Traditional IKEv2 certificate authentication together
> with an optional (inner) EAP method is usually much simpler.
> Regards
> Martin

More information about the Users mailing list