[strongSwan] swanctl.conf EAP credential information
bls s
bls3427 at outlook.com
Wed Nov 29 01:43:41 CET 2017
I’m switching over from using IPsec.conf to charon-systemd. Everything is working for the first user, but I have run into a strange issue (or a dumb user error!) with the ‘secrets’ section when trying to implement multiple eap passwords.
If my secrets section has only one eap id/password in it, the client authenticates correctly. But, if the secrets section has more than one eap id/password in it, the MSCHAPv2 authentication fails.
Here’s the failing configuration. If I remove the 2nd and 3rd entries, user1 works correctly. However, using the full secrets section below, user1 fails to authenticate.
connections {
ikev2-eap-mschapv2 {
version = 2
# proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
rekey_time = 0s
pools = primary-pool-ipv4
fragmentation = yes
dpd_delay = 30s
mobike = yes
local-1 {
certs = strongswanCert.pem
id = serverid1
auth = psk
}
remote-1 {
auth = eap-mschapv2
id = clientid1
eap_id = %any
}
children {
ikev2-eap-mschapv2 {
local_ts = 0.0.0.0/0
rekey_time = 0s
dpd_action = clear
# esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
# updown = /libexec/ipsec/_updown iptables
}
}
}
ikev2-pubkey {
version = 2
proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
rekey_time = 0s
pools = primary-pool-ipv4
fragmentation = yes
dpd_delay = 30s
local-1 {
certs = vpnHostCert.pem
id = server1
}
remote-1 { # defaults are fine
}
children {
ikev2-pubkey {
local_ts = 0.0.0.0/0
rekey_time = 0s
dpd_action = clear
esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
}
}
}
}
pools {
primary-pool-ipv4 {
addrs = 10.92.10.0/24
dns = 192.168.92.3, 8.8.8.8
}
}
secrets {
ike-psk {
secret=somepsk
}
eap-user1 at mydomain.com<mailto:eap-user1 at mydomain.com> {
id = user1 at mydomain.com
secret=secret1
}
eap-user2 at mydomain.com<mailto:eap-user2 at mydomain.com> {
id = user2 at mydomain.com
secret=secret2
}
eap-user3 at mydomain.com<mailto:eap-user3 at mydomain.com> {
id = user3 at mydomain.com
secret=secret3
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171129/59b9c387/attachment.html>
More information about the Users
mailing list