[strongSwan] IKEv1 xauth-pam to IKEv2 eap-gtc?

Martin Willi martin at strongswan.org
Mon Nov 9 07:48:09 CET 2015

Hi John,

> The IKEv1 connections use pubkey & xauth-pam authentication:

> Is there a migration path for IKEv2 connections that makes sense? I see 
> there is an eap-gtc module that supports pam but it's not clear in the 
> documentation how to configure this to use a specific pam_service.

EAP is probably the way to go if you want password authentication with
IKEv2. For PAM verification the server needs the clear text password,
which can be achieved with EAP-GTC. Unfortunately, not many third party
clients support it.

Since 5.0.1 the eap-gtc plugin uses IKEv1 XAuth backends for password
verification, see [1]. It defaults to xauth-pam, so you can continue
using your IKEv1 configuration in IKEv2.



More information about the Users mailing list