[strongSwan] S2S PSK and IKEv2 EAP-MSCHAPv2 from same public IP

Dusan Ilic dusan at comhem.se
Wed Jan 25 07:27:45 CET 2017


I have a site to site PSK setup up and running, but when a Windows 
client from the same remote IP tries to connect to the same gateway the 
logfile says encryption mismatch. If I shut down the tunnel and comment 
the S2S connection in ipsec.conf the client can connect just fine.
It looks to me that the issue is that strongSwan chooses the S2S PSK 
connection profile with the remote access client instead of the 
EAP-MSCHAPv2 profile. How can I configure it so that the right VPN type is 
handled by the right connection profile in ipsec.conf? Is strongSwan 
only identifying and matching connecting nodes with remote IP address?

I know I could just let the connecting Windows clients use the existing 
S2S tunnel instead, but the clients are residing in a separate subnet 
behind the same gateway connecting with S2S, and the gateway is somehow 
locked down and the TS-selectors can't be reconfigured to contain these 
clients' subnet too.
