[strongSwan] Different authentication methods

Fred curious_freddy at gmsl.co.uk
Wed Apr 13 13:39:56 CEST 2016


On 11/04/2016 11:32, Andreas Steffen wrote:
> authentication based on Windows Machine Certificates does not use
> IKEv2 EAP but directly employs IKEv2 public key authentication
> between VPN client and VPN gateway which very efficiently
> establishes an IPsec tunnel with a mere 4 IKEv2 messages.
(snip)

Hi Andreas,

Thanks for your informative response.

The exchange itself is obviously more efficient (4 vs 18 messages) but
are there any negatives? EAP-TLS is often cited (on the web) as being a,
if not THE, superior authentication method, without any reasoning as to why.

Presumably IKEv2 public key authentication is just as good from a
security point of view?

> The differentiation between Machine and User Certificates does apply
> to Windows clients only. On a strongSwan client you can use
> efficient IKEv2 public key authentication for any number of users.

Does this mean a Windows machine cannot have multiple installed Machine
certificates with different users using different ones?

