[strongSwan] Some IKEv2 questions
Fred
curious_freddy at gmsl.co.uk
Wed Mar 4 10:40:47 CET 2015
Hi all,

I've managed to get IKEv2 working with EAP-TLS but I've a couple of
questions.

Can I support different types of authentication method simultaneously
for IKEv2? i.e. can I support both PEAP-MSCHAPv2 and EAP-TLS at the same
time?

Having two IKE conn sections which differ in only authentication means I
need to use eap-dynamic?

What other types of client-certificate-based auth are possible over IKEv2
(mainly to improve my understanding!)?

Finally, my tunnel doesn't seem to remain established (is this normal
behaviour and what further information could I provide here?):
Currently I need to bring the tunnel up on the device manually when it's
down. Sending traffic isn't enough.

Here is my config (only one conn section works at any one time, hence
commented out):

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

#conn IPSec-IKEv2-EAP
#    also="IPSec-IKEv2"
#    rightauth=eap-mschapv2
#    rightsendcert=never
#    eap_identity=%any

conn IPSec-IKEv2-EAP-TLS
    also="IPSec-IKEv2"
    eap_identity=%identity
    rightauth=eap-tls
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    rekey=no
    auto=add