[strongSwan] Combining authentication types

Noel Kuntze noel at familie-kuntze.de
Fri Jun 26 14:51:58 CEST 2015


Hello Fred,

Use eap-dynamic[1][2] then.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Eap-dynamic
[2] https://www.strongswan.org/uml/testresults/ikev2/rw-eap-dynamic/index.html

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 26.06.2015 at 14:33, Fred wrote:
> On 26/06/2015 13:08, Noel Kuntze wrote:
>> Hello Fred,
>>
>> Just create several conn sections.
>
> Thanks for your reply Noel.
>
> I tried this, but then the wrong connection was being selected by the responder (and therefore failing). Commenting out individual connections made the other one work in isolation. It would appear I need to do something to assist strongSwan in selecting the correct connection profile, but I'm not sure what. I have tried playing with eap_identity and rightid but am unsure what precisely I need to do to differentiate between incoming connections that could be using either auth method.
>
> So I have, e.g., the below two connection profiles. With a win7 Agile client, strongSwan tries to use IPSec-IKEv2-EAP-TLS when I'm using only mschapv2. So why's it not picking up the IPSec-IKEv2-EAP-MSCHAPv2 connection? If I use client certs the win7 agile connection works (using IPSec-IKEv2-EAP-TLS), but I was hoping to allow client certs OR mschapv2 auth types if possible. I was also hoping the Mac OS X applet you provide will work with the IPSec-IKEv2-EAP-MSCHAPv2 connection profile, and this does appear to work. So it's just mschapv2 that fails due to it picking up the wrong connection profile.
>
>
> conn IPSec-IKEv2-EAP-TLS
>         keyexchange=ikev2
>         ike=aes256-sha1-modp1024!
>         esp=aes256-sha1!
>         leftauth=pubkey
>         rightauth=eap-tls
>         rightsendcert=never
>         leftcert=myvpnHostCert.pem
>         eap_identity=xxx
>         #rightid="C=CH, O=strongSwan, CN=xx"
>         auto=add
>
> conn IPSec-IKEv2-EAP-MSCHAPv2
>         keyexchange=ikev2
>         rightauth=eap-mschapv2
>         leftcert=myvpnHostCert.pem
>         rightsendcert=never
>         eap_identity=xx
>         rightid=xx
>         auto=add
>
> Fred

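The eap-dynamic suggestion above, sketched as a responder configuration. This is an added example, not part of the original thread and not strongSwan's own test configuration. It merges the two quoted profiles into one conn so that the EAP method is negotiated inside EAP instead of by conn selection. The conn name, `eap_identity=%identity` and the order in `preferred` are assumptions.

```conf
# /etc/ipsec.conf (responder): one conn replaces the two profiles in the thread.
# Two conns that differ only in rightauth look the same to the responder when
# it selects a conn, because the client has not yet revealed its EAP method.
conn IPSec-IKEv2-EAP
        # hypothetical conn name
        keyexchange=ikev2
        leftauth=pubkey
        leftcert=myvpnHostCert.pem
        # let the eap-dynamic plugin negotiate the actual EAP method
        rightauth=eap-dynamic
        rightsendcert=never
        # assumption: request the client's EAP identity instead of a fixed one
        eap_identity=%identity
        auto=add

# /etc/strongswan.conf: settings for the eap-dynamic plugin
charon {
    plugins {
        eap-dynamic {
            # methods the responder offers, in this order (assumed order)
            preferred = mschapv2, tls
            # prefer the methods a client lists in its EAP-Nak over the
            # local order, so a certificate client can switch to EAP-TLS
            prefer_user = yes
        }
    }
}
```

The eap-dynamic, eap-mschapv2 and eap-tls plugins all have to be loaded on the responder, and the MSCHAPv2 users still need their EAP secrets defined.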


