[strongSwan] swanctl.conf EAP credential information

bls s bls3427 at outlook.com
Wed Nov 29 01:43:41 CET 2017


I’m switching over from ipsec.conf to charon-systemd. Everything works for the first user, but I have run into a strange issue (or a dumb user error!) with the ‘secrets’ section when trying to configure multiple EAP passwords.

If my secrets section contains only one EAP id/password, the client authenticates correctly. But if it contains more than one EAP id/password, the MSCHAPv2 authentication fails.

Here’s the failing configuration. If I remove the 2nd and 3rd entries, user1 works correctly. However, using the full secrets section below, user1 fails to authenticate.

connections {

    # Responder profile for road-warrior clients authenticating with EAP-MSCHAPv2.
    ikev2-eap-mschapv2 {
            version = 2
#            proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
            # NOTE(review): aes256-sha1-modp1024 is offered first; SHA-1 integrity and the
            # 1024-bit MODP group are weak by current standards. The stronger set commented
            # out above is preferable if the clients support it.
            proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
            # 0s disables IKE_SA rekeying, so one IKE key set stays in use for the SA's lifetime.
            rekey_time = 0s
            pools = primary-pool-ipv4
            fragmentation = yes
            dpd_delay = 30s
            mobike = yes

         local-1 {
             certs = strongswanCert.pem
             id = serverid1
             # NOTE(review): with auth = psk the certificate listed above is not what
             # authenticates the server in this round; EAP deployments usually authenticate
             # the server with a certificate (auth = pubkey) -- confirm psk is intended here.
             auth = psk
         }

         remote-1 {
             auth = eap-mschapv2
             id = clientid1
             # %any accepts whatever EAP identity the client presents; the password is then
             # presumably looked up by that identity among the eap-* secrets -- verify.
             eap_id = %any
        }

        children {
            ikev2-eap-mschapv2 {
                # 0.0.0.0/0: full-tunnel, all IPv4 client traffic is offered through the SA.
                local_ts = 0.0.0.0/0
                # 0s disables CHILD_SA rekeying as well.
                rekey_time = 0s
                dpd_action = clear
#                esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                # NOTE(review): same weak first proposal (sha1, modp1024) as the IKE side.
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
#               updown = /libexec/ipsec/_updown iptables
                }
            }
    }
    # Responder profile for clients authenticating with certificates.
    ikev2-pubkey {
             version = 2
             # NOTE(review): sha1/modp1024 offered first here too; see the note above.
             proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
             rekey_time = 0s
             pools = primary-pool-ipv4
             fragmentation = yes
             dpd_delay = 30s

             local-1 {
                 certs = vpnHostCert.pem
                 id = server1
             }

             # NOTE(review): with the defaults (pubkey auth, id %any) any client certificate
             # chaining to a trusted CA is accepted; add an id or cacerts constraint if the
             # accepted population should be narrower.
             remote-1 {   # defaults are fine
             }

             children {
                 ikev2-pubkey {
                     local_ts = 0.0.0.0/0
                     rekey_time = 0s
                     dpd_action = clear
                     esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
                 }
            }
    }
}
pools {
    # Virtual IP pool handed to clients of both connections above.
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        # DNS servers pushed to clients: an internal resolver plus a public one.
        dns = 192.168.92.3, 8.8.8.8
    }
}

secrets {
    # All secrets below are stored in clear text; keep this file (or an included
    # secrets file) readable by root only.
    # No id is given, so this PSK presumably applies to any peer -- confirm; an id
    # would tie it to a specific identity.
    ike-psk {
        secret=somepsk
    }
    # NOTE(review): the list archive rewrote '@' as ' at ' and the mail client appended
    # <mailto:...> to the section names and id values below, so they are not valid as
    # shown. The eap-<suffix> suffix is arbitrary and only needs to be unique, so a plain
    # suffix (e.g. eap-user1) keeps '.' and '@' out of the section name -- worth trying
    # when only the single-entry variant works.
    eap-user1 at mydomain.com<mailto:eap-user1 at mydomain.com> {
        id = user1 at mydomain.com
        secret=secret1
    }
    eap-user2 at mydomain.com<mailto:eap-user2 at mydomain.com> {
        id = user2 at mydomain.com
        secret=secret2
    }
    eap-user3 at mydomain.com<mailto:eap-user3 at mydomain.com> {
        id = user3 at mydomain.com
        secret=secret3
    }
    # NOTE(review): the closing '}' of the secrets section is missing from the posted excerpt.



