[strongSwan] Combining authentication types
Fred
curious_freddy at gmsl.co.uk
Fri Jun 26 14:33:10 CEST 2015
On 26/06/2015 13:08, Noel Kuntze wrote:
> Hello Fred,
>
> Just create several conn sections.
Thanks for your reply Noel.
I tried this, but then the wrong connection was being selected by the
responder (and therefore failing). Commenting out individual connections
made the other one work in isolation. It would appear I need to do
something to assist strongSwan in selecting the correct connection
profile, but I'm not sure what. I have tried playing with eap_identity
and rightid but am unsure what precisely I need to do to
differentiate between an incoming connection that could be using either
auth method.
So I have, for example, the two connection profiles below. With a Win7
Agile client, strongSwan tries to use IPSec-IKEv2-EAP-TLS when I'm using only
mschapv2. So why is it not picking up the IPSec-IKEv2-EAP-MSCHAPv2
connection? If I use client certs the Win7 Agile connection works (using
IPSec-IKEv2-EAP-TLS), but I was hoping to allow client certs OR mschapv2
auth types if possible. I was also hoping the Mac OS X applet you
provide would work with the IPSec-IKEv2-EAP-MSCHAPv2 connection profile,
and this does appear to work. So it's just mschapv2 that fails, due to it
picking up the wrong connection profile.
conn IPSec-IKEv2-EAP-TLS
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    leftauth=pubkey
    rightauth=eap-tls
    rightsendcert=never
    leftcert=myvpnHostCert.pem
    eap_identity=xxx
    #rightid="C=CH, O=strongSwan, CN=xx"
    auto=add

conn IPSec-IKEv2-EAP-MSCHAPv2
    keyexchange=ikev2
    rightauth=eap-mschapv2
    leftcert=myvpnHostCert.pem
    rightsendcert=never
    eap_identity=xx
    rightid=xx
    auto=add
Fred
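One way to serve both EAP methods from a single responder conn, as an added example that is neither Fred's configuration nor an answer given in this thread: strongSwan's eap-dynamic plugin lets the responder switch to the method the client names in its EAP NAK instead of hard-coding one method per conn, so the responder no longer has to guess the right profile before it knows what the client wants. The certificate file name is taken from the thread; the conn name, rightid and the plugin option values are assumptions to be checked against the strongswan.conf reference for your version.

```ini
# --- ipsec.conf --- (added example, not the poster's configuration)
conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    leftcert=myvpnHostCert.pem      # server certificate named in the thread
    leftauth=pubkey                 # server always authenticates with its cert
    rightsendcert=never
    auto=add

# One conn for both client types: the peer may answer the server's EAP
# request with EAP-TLS (client certificate) or EAP-MSCHAPv2 (username/password).
conn IPSec-IKEv2-EAP-dynamic
    rightauth=eap-dynamic
    eap_identity=%identity          # reuse the IKE identity as EAP identity
    rightid=%any                    # placeholder: narrow this if your client IDs allow

# --- strongswan.conf --- (the eap-dynamic plugin must be built and loaded)
charon {
    plugins {
        eap-dynamic {
            # Methods the responder offers, in this order; a client that wants
            # a different one replies with an EAP NAK naming it.
            preferred = tls, mschapv2
            # Let the method requested in the client's NAK win over "preferred".
            prefer_user = yes
        }
    }
}
```

MSCHAPv2 users still need an `EAP` secret in ipsec.secrets, and EAP-TLS clients still need a certificate chaining to a CA the server trusts, since eap-dynamic only selects the method and does not relax either check.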