[strongSwan] IKEv1 xauth-pam to IKEv2 eap-gtc?

John Mah john at surfeasy.com
Mon Nov 9 22:17:33 CET 2015

On 2015-11-09 1:48 AM, Martin Willi wrote:
> EAP is probably the way to go if you want password authentication with
> IKEv2. For PAM verification the server needs the clear text password,
> which can be achieved with EAP-GTC. Unfortunately, not many third party
> clients support it.

Thanks for the response, Martin.

Does anyone know if any of the iOS implementations (racoon or the newer 
iOS 9 agent) supports EAP-GTC? (Or should it matter?)

I tried a quick re-working of our configs but with rightauth=pubkey & 
rightauth2=eap-gtc sections but it fails without calling any PAM modules 
when authenticating an iOS 9.1 client:

1447103395 Nov  9 21:09:55 27[CFG] <iphone-ios8-ike-v2|7> selected peer 
config 'iphone-ios8-ike-v2'
1447103395 Nov  9 21:09:55 27[IKE] <iphone-ios8-ike-v2|7> peer requested 
EAP, config inacceptable
1447103395 Nov  9 21:09:55 27[CFG] <iphone-ios8-ike-v2|7> no alternative 
config found

- John

More information about the Users mailing list