[strongSwan] Windows ikev2 conn, eap_identity ignored

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Oct 16 22:55:29 CEST 2017


What you want can't be done. Charon can not switch conns based on the eap identity. Configure your RADIUS server to issue the static lease.
Implementing that feature is non trivial.

Kind regards


On 16.10.2017 22:08, Giuseppe De Marco wrote:
> Hi all,
> I'm using Debian GNU/Linux 9.2 (stretch) with standard strongswan package from stretch apt repository (5.5.1-4+deb9u1).
> The tunnel is a ikev2 with eap-radius authentication.
> I'm facing the problem that Windows 10 clients doesn't send their right identity.
> Linux and Android clients works great instead, they always request the connections with the correct eap_identity as we expect to be.
> The problem is that if the Windows client fails its identity it will take a dinamic virtual ip and not the static one, configured for it.
> I also read about attr_sql and the possibility to fix the ip assignment in a second time, via sql.
> I'd like also to play with it but, I installed all of the strongswan/charon packages, they are all here:
> libstrongswan                                      
> libstrongswan-extra-plugins
> libstrongswan-standard-plugins
> network-manager-strongswan
> strongswan
> strongswan-charon
> strongswan-ike
> strongswan-ikev1
> strongswan-ikev2
> strongswan-libcharon
> strongswan-nm
> strongswan-pki
> strongswan-scepclient
> strongswan-starter
> strongswan-swanctl
> charon-cmd                                         
> charon-systemd
> libcharon-extra-plugins
> strongswan-charon
> strongswan-libcharon
> But I cannot see the attr_plugin loaded and running, with the command:
> ipsec listplugins
> attr_sql could be a good solution, the goal is to configure a Windows 10 that correctly presents itself with its proper identity, instead of its WAN IP as <>:
> 04[CFG] looking for peer configs matching[%any]...[]
> 04[CFG] selected peer config 'ike2-eap-radius'    
> The same account, using nm-strongswan or charon-cmd, works great with Linux,  the identity (Frank) is there:
> 15[CFG] looking for peer configs matching[%any]...[Frank]
> 15[CFG] selected peer config 'ike2-eap-Frank'
> I'm also sure that this problem should be well know in Windows 10 clients, it looks so standard!
> Any suggestions would be very appreciated

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171016/11d48c71/attachment.sig>

More information about the Users mailing list