[strongSwan] Windows ikev2 conn, eap_identity ignored

Giuseppe De Marco giuseppe.demarco at unical.it
Mon Oct 23 12:56:11 CEST 2017


I found that there is no attr_sql support in the standard Debian 9 packages.

ipsec statusall also prints all the available plugins, having already
installed all the available strongswan Debian packages.
So, on Debian 9 we cannot have more than this:

loaded plugins:
charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac
ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp
stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam
tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity

This means, to me (but every suggestion would be appreciated), that the only
way to get a persistent pool lease system is to compile strongswan with

Thank you, I'll bring more useful information after all this, such as the
setup notes.
A huge setup migration is going to begin!

2017-10-16 22:08 GMT+02:00 Giuseppe De Marco <giuseppe.demarco at unical.it>:

> Hi all,
> I'm using Debian GNU/Linux 9.2 (stretch) with standard strongswan package
> from stretch apt repository (5.5.1-4+deb9u1).
> The tunnel is an ikev2 with eap-radius authentication.
> I'm facing the problem that Windows 10 clients don't send their right
> identity.
> Linux and Android clients work great instead, they always request the
> connections with the correct eap_identity as we expect to be.
> The problem is that if the Windows client fails its identity it will take
> a dynamic virtual IP and not the static one, configured for it.
> I also read about attr_sql and the possibility to fix the IP assignment in
> a second time, via SQL.
> I'd like also to play with it but, I installed all of the
> strongswan/charon packages, they are all here:
> libstrongswan
> libstrongswan-extra-plugins
> libstrongswan-standard-plugins
> network-manager-strongswan
> strongswan
> strongswan-charon
> strongswan-ike
> strongswan-ikev1
> strongswan-ikev2
> strongswan-libcharon
> strongswan-nm
> strongswan-pki
> strongswan-scepclient
> strongswan-starter
> strongswan-swanctl
> charon-cmd
> charon-systemd
> libcharon-extra-plugins
> strongswan-charon
> strongswan-libcharon
> But I cannot see the attr_plugin loaded and running, with the command:
> ipsec listplugins
> attr_sql could be a good solution, the goal is to configure a Windows 10
> that correctly presents itself with its proper identity, instead of its WAN
> IP as
> 04[CFG] looking for peer configs matching[%any]...11.74.200.151[]
> 04[CFG] selected peer config 'ike2-eap-radius'
> The same account, using nm-strongswan or charon-cmd, works great with
> Linux, the identity (Frank) is there:
> 15[CFG] looking for peer configs matching[%any]...11.74.200.151[Frank]
> 15[CFG] selected peer config 'ike2-eap-Frank'
> I'm also sure that this problem should be well known in Windows 10 clients,
> it looks so standard!
> Any suggestions would be very appreciated