[strongSwan] Accounting IPSec connections with RSA authentication

Illia Muzichuk i.muzichuk at gmail.com
Mon Jun 15 00:07:22 CEST 2015

Apple iOS has "VPN On Demand" function. With this function the VPN
connection is made whenever the device tries to connect to certain domains
or to the internet at all. iOS supports "VPN On Demand" only with
certificated-based authentication.

To provide "VPN On Demand" for iOS users of my office VPN server we are
using next IPSec solution:

   - Ubuntu 14.04 - the VPN server OS.
   - strongSwan 5.1.2 - IKE daemon.
   - For each peer I am generating an individual private key and issue a
   matching certificate. Client (iOS IKEv1) authenticates using RSA and Xauth.
   - iPhone and iPad can't use IPSec without Xauth (so-called Cisco IPSec).
   And "VPN On Demand" can't use VPN profile which requires password entering,
   but username/password usually are required by Xauth. To handle this problem
   we are using xauth-noauth - fake Xauth authenticator which allows any
   username and password. In this case we are using only client certificate to
   authenticate it.

This solution is working fine for us. But we got new requirement - setup
several VPN servers with one users database and make accounting of the VPN

This is a common practice for this task to use RADIUS and strongSwan has
plugin for it. But strongSwan with IKEv1/Xauth uses username/password for
authenticating user on the backend RADIUS server. username/password is not
using in my solution.

My questions:

   1. How to use Radius accounting if Xauth is not using username/password?
   2. Is it possible to delegate RSA authentication check to RADIUS server?

P.S. Most of my iOS clients use iOS 8 which supports IKEv2. There is
EAP-TLS in IKEv2. Can I use EAP-TLS to delegate RSA authentication check to
RADIUS server? Or I am digging in the wrong direction with EAP-TLS?

P.S. P.S. My second thing was about VICI interface of strongSwan. I
supposed to get notifications about each new IPSec connection, but looks
like VICI works different way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150615/dd1921e4/attachment.html>

More information about the Users mailing list