[strongSwan] Multiple Authentication Rounds

Emanuil Hristov int986 at gmail.com
Tue Jul 17 20:29:58 CEST 2018


Hello there,
I don't know about the macOS client, but surely the Windows native client will not
work.
Here is an example configuration, PSK + EAP-MSCHAPv2 with RADIUS.
This works with the iOS native client.
---
    vpn-pskeap {
        local_addrs  = $$locaip

        local {
            auth = psk
            id = $$leftid
        }

        remote {
            auth = eap-radius
        }

        children {
            updown = /usr/lib/ipsec/_updown iptables
            esp_proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024
            dpd_action = clear
            close_action = clear
            ike_lifetime = 45m
            ipcomp = yes
            vpn-pskeap {
                local_ts = 0.0.0.0/0
            }
        }

        version = 2
        proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024
        mobike = yes
        fragmentation = yes
        encap = yes
        dpd_timeout = 60
        dpd_delay = 25
        unique = never
        pools = radius
    }

On 17 July 2018 at 19:05, Christian Salway <christian.salway at naimuri.com> wrote:

> Hello,
>
> To quote your page [1] "With IKEv2 it is possible to use multiple
> authentication rounds", could this be PSK and eap-mschapv2 and do you have
> a configuration that would match that method?  My current configuration
> looks like the below.
>
> The clients are OSX and Windows native clients so I am curious if it will
> work.
>
> connections {
>   radius {
>      version = 2
>      send_cert = always
>      encap = yes
>      pools = pool1
>      unique = replace
>      proposals = aes256-sha256-prfsha256-ecp256-modp2048
>      local {
>         # the id must be contained in the certificate, either as subject or as subjectAltName.
>         id = ${FQDN}
>         certs = cert.pem
>      }
>      remote {
>         auth = eap-radius
>         eap_id = %any
>      }
>      children {
>         child_sa_1 {
>            #esp_proposals =
>            local_ts = ${LOCALCIDR}
>         }
>      }
>   }
> }
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IntroductiontostrongSwan#Authentication-Basics
>
> Kind regards,
>
> *Christian Salway*
> IT Consultant - *Naimuri*
>
> T: +44 7463 331432
> E: christian.salway at naimuri.com
> A: Naimuri Ltd, Capstan House, Manchester M50 2UW
>
>
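
The thread asks how several authentication rounds are expressed in swanctl.conf. The following is an added example, not code from either poster or from the strongSwan project: it reads a connection and lists the rounds each side has to pass, using the `local<suffix>`/`remote<suffix>` sections and their `round` key. The sample connection `two-rounds` and the one-statement-per-line parser are assumptions made for the illustration.

```python
# Added example (not code from the thread). Assumes one statement per line:
# "name {", "key = value" or "}", with no quoted values.
# Constructed sample: the client must pass a PSK round, then an EAP round.
SAMPLE = """\
connections {
    two-rounds {
        version = 2
        local {
            auth = pubkey
        }
        remote-eap {
            round = 1
            auth = eap-radius
        }
        remote-psk {
            round = 0
            auth = psk
        }
    }
}
"""

def parse(text):
    """Turn the section/key layout into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    return stack[0]

def auth_rounds(conf, conn, side):
    """Auth methods of all '<side><suffix>' sections, in round order (auth defaults to pubkey)."""
    sections = [body for name, body in conf["connections"][conn].items()
                if isinstance(body, dict) and name.startswith(side)]
    # Rounds sort by the numeric 'round' key; ties keep their file order.
    sections.sort(key=lambda body: int(body.get("round", 0)))
    return [body.get("auth", "pubkey") for body in sections]

if __name__ == "__main__":
    conf = parse(SAMPLE)
    for side in ("local", "remote"):
        print(side, auth_rounds(conf, "two-rounds", side))
```

A connection with a single `local` and a single `remote` section yields one round per side.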