[strongSwan] MultiOS to strongSwan host to network VPN?

Turbo Fredriksson turbo at bayour.com
Tue Nov 22 11:17:43 CET 2016

I’ve been trying for a couple of days now to make my strongSwan setup
to connect to my LDAP/KerberosV servers.

From what I can tell there’s [at least] two ways to do this:

	1. PAM - this works fine in the os/sshd etc so that was my first try
		-> My OSX/Windows7 [native] clients can’t seem to be able to authenticate
		    though :(

	2. RADIUS - really didn’t want to do that, but I could if it works
		-> Apparently that won’t work either because Windows can only do MSCHAPv2,
		    which don’t send cleartext passwords, which Radius needs :(.

Is there any other way I’ve missed?

Previously, when I installed my NAT/GW/VPN server, I used OpenS/WAN but that’s
dead and buried now apparently. So several months ago when I upgraded to the
next Linux dist version, I choose strongSwan. That’s now working just fine with

With OpenS/WAN I used L2TP (which uses PPPd) that authenticated to my Samba
server, which in turned authenticated against the LDAP/KerberosV servers..

I can’t remember now, it was years since I set it up and I didn’t look in detail when
I killed it, but RADIUS was in there somehow as well (I think between PPPd and

But before I start setting up L2TP, PPPd, Samba and Radius just to authenticate my
VPN users, is there _ANYTHING_ I’ve missed?

I took a quick look at OpenVPN (which I’ve administrated, but not setup, at a previous
employer) and apparently that can do LDAP auths. But I don’t feel much confidence in
OpenVPN (it also require me to install a separate client - which I’d prefer not to do if
at all possible), so I rather not go that route either. Unless I have no choice :(.

More information about the Users mailing list