[strongSwan] Some IKEv2 questions

Martin Willi martin at strongswan.org
Wed Mar 4 10:54:40 CET 2015


Hi,

> Can I support different types of authentication method simultaneously 
> for IKEv2? i.e. can I support both PEAP-MSCHAPv2 and EAP-TLS at the same 
> time ?

As initiator/client, you can configure leftauth=eap without a method to
authenticate with whatever the responder offers.
On the responder, you may define multiple connections, but need a
selector (for example the client or server IKE identity) to choose the
configuration with the appropriate EAP method.

> Having two IKE conn sections which differ in only authentication means I 
> need to use eap-dynamic?

With eap-dynamic you can propose a "preferred" method as responder, but
fall back to a different method if the client sends EAP-NAK.

> What other types of client certificate based auth is possible over IKEv2 
> (mainly to improve my understanding!)?

IKEv2 supports certificate authentication without EAP, which is much
simpler and faster. Actually, certificate based EAP authentication is
preferable for very special use cases only, for example if you delegate
authentication to an AAA backend, or have clients that require that
(Windows with Smartcard/User certificates).

> Finally, my tunnel doesn't seem to remain established (is this normal 
> behaviour and what further information could I provide here?):

No, the log file probably has more information about why the tunnel gets
closed.

> Currently I need to bring the tunnel up on the device manually when it's 
> down. Sending traffic isn't enough.

This is intended by auto=start. Use auto=route to install a trap policy
that triggers the tunnel, refer to the ipsec.conf manpage for details.

Regards
Martin
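As an added illustration (not part of the original thread or strongSwan's own documentation), here is one way to lay out the configuration Martin describes: a responder with two connections selected by the client's IKE identity, eap-dynamic as a fallback, and a client using leftauth=eap with auto=route. Hostnames, identities, certificate file names and the address pool are assumed placeholders.

```conf
# ipsec.conf on the responder (gateway). Each conn carries a different
# EAP method; rightid selects the conn by the client's IKE identity.
conn %default
    keyexchange=ikev2
    leftid=@vpn.example.com        # assumed gateway identity
    leftcert=gatewayCert.pem       # assumed certificate file name
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    rightsourceip=10.10.0.0/24     # assumed virtual IP pool
    rightsendcert=never
    eap_identity=%identity         # use the EAP identity for the AAA lookup
    auto=add

conn eap-tls-clients
    rightid=*@tls.example.com      # clients presenting this identity get EAP-TLS
    rightauth=eap-tls

conn peap-clients
    rightid=*@peap.example.com     # clients presenting this identity get PEAP
    rightauth=eap-peap

conn dynamic-clients
    rightid=%any                   # catch-all: propose a preferred method,
    rightauth=eap-dynamic          # fall back on EAP-NAK from the client

# strongswan.conf on the responder: order in which eap-dynamic proposes
# methods before honouring the client's EAP-NAK.
#   charon {
#       plugins {
#           eap-dynamic {
#               preferred = tls, peap
#           }
#       }
#   }

# ipsec.conf on the initiator (client). leftauth=eap without a method
# accepts whatever EAP method the responder proposes; auto=route installs
# a trap policy so matching traffic brings the tunnel up automatically.
conn roadwarrior
    keyexchange=ikev2
    leftid=alice@tls.example.com   # assumed client identity
    leftauth=eap
    leftsourceip=%config
    right=vpn.example.com
    rightid=@vpn.example.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    auto=route
```

Run `ipsec statusall` after loading both sides; the responder should list the conn whose rightid matched, and the client should show the trap policy as "ROUTED" before any traffic has triggered it.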



More information about the Users mailing list