[strongSwan] Multiple Authentication Rounds
Christian Salway
christian.salway at naimuri.com
Tue Jul 17 23:09:53 CEST 2018
Mmm ok, thanks. I can’t see that being configured for OSX either.
> On 17 Jul 2018, at 19:29, Emanuil Hristov <int986 at gmail.com> wrote:
>
> Hello there,
> I don't know about the macOS client, but surely the Windows native client will not work.
> Here is an example configuration: PSK + EAP-MSCHAPv2 with RADIUS.
> This works with the iOS native client.
> ---
> vpn-pskeap {
>     local_addrs = $$locaip
>
>     local {
>         auth = psk
>         id = $$leftid
>     }
>
>     remote {
>         auth = eap-radius
>     }
>
>     children {
>         updown = /usr/lib/ipsec/_updown iptables
>         esp_proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024
>         dpd_action = clear
>         close_action = clear
>         ike_lifetime = 45m
>         ipcomp = yes
>         vpn-pskeap {
>             local_ts = 0.0.0.0/0
>         }
>     }
>
>     version = 2
>     proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024
>     mobike = yes
>     fragmentation = yes
>     encap = yes
>     dpd_timeout = 60
>     dpd_delay = 25
>     unique = never
>     pools = radius
> }
>
> On 17 July 2018 at 19:05, Christian Salway <christian.salway at naimuri.com> wrote:
> Hello,
>
> To quote your page [1] "With IKEv2 it is possible to use multiple authentication rounds", could this be PSK and eap-mschapv2 and do you have a configuration that would match that method? My current configuration looks like the below.
>
> The clients are OSX and Windows native clients so I am curious if it will work.
>
> connections {
>     radius {
>         version = 2
>         send_cert = always
>         encap = yes
>         pools = pool1
>         unique = replace
>         proposals = aes256-sha256-prfsha256-ecp256-modp2048
>         local {
>             # the id must be contained in the certificate, either as subject or as subjectAltName.
>             id = ${FQDN}
>             certs = cert.pem
>         }
>         remote {
>             auth = eap-radius
>             eap_id = %any
>         }
>         children {
>             child_sa_1 {
>                 #esp_proposals =
>                 local_ts = ${LOCALCIDR}
>             }
>         }
>     }
> }
>
>
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IntroductiontostrongSwan#Authentication-Basics
>
> Kind regards,
>
> Christian Salway
> IT Consultant - Naimuri
>
> T: +44 7463 331432
> E: christian.salway at naimuri.com
> A: Naimuri Ltd, Capstan House, Manchester M50 2UW
>
>