[strongSwan] Windows ikev2 conn, eap_identity ignored
Giuseppe De Marco
giuseppe.demarco at unical.it
Mon Oct 23 12:56:11 CEST 2017
I found that there is no attr_sql support in the standard Debian 9 packages.
ipsec statusall also prints all the available plugins, having already
installed all the available strongswan Debian packages.
So, on Debian 9 we cannot have more than this:
charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac
ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp
stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam
tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
This means, to me (though any suggestion would be appreciated), that the only
way to get a persistent pool lease system is to compile strongswan with
Thank you, I'll bring more useful information after all this, such as the
A huge setup migration is going to begin!
2017-10-16 22:08 GMT+02:00 Giuseppe De Marco <giuseppe.demarco at unical.it>:
> Hi all,
> I'm using Debian GNU/Linux 9.2 (stretch) with standard strongswan package
> from stretch apt repository (5.5.1-4+deb9u1).
> The tunnel is an IKEv2 one with eap-radius authentication.
> I'm facing the problem that Windows 10 clients don't send their right
> Linux and Android clients work great instead, they always request the
> connections with the correct eap_identity, as we expect.
> The problem is that if the Windows client fails its identity it will take
> a dynamic virtual IP and not the static one configured for it.
> I also read about attr_sql and the possibility to fix the IP assignment at
> a later stage, via SQL.
> I'd also like to play with it, but I installed all of the
> strongswan/charon packages, they are all here:
> But I cannot see the attr_plugin loaded and running, with the command:
> ipsec listplugins
> attr_sql could be a good solution, the goal is to configure a Windows 10
> that correctly presents itself with its proper identity, instead of its WAN
> IP as 192.168.3.44:
> 04[CFG] looking for peer configs matching 220.127.116.11[%any]...11.74.200.
> 04[CFG] selected peer config 'ike2-eap-radius'
> The same account, using nm-strongswan or charon-cmd, works great with
> Linux, the identity (Frank) is there:
> 15[CFG] looking for peer configs matching 18.104.22.168[%any]...11.74.200.
> 15[CFG] selected peer config 'ike2-eap-Frank'
> I'm also sure that this problem should be well known in Windows 10 clients,
> it looks so standard!
> Any suggestions would be very appreciated.