[strongSwan] How to have different IKEv2 auth schemes on one server?
Lev Serebryakov
lev at serebryakov.spb.ru
Wed Oct 3 14:03:31 CEST 2018
I have several connection setups for IKEv2 in ipsec.conf:
===============================
conn %default
    [...SKIPPED...]
    # right - remote (client) side
    right=%any
    rightsendcert=never
    rightsourceip=192.168.27.0/24,2001:19f0:5001:229c:dead::/96
    rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
    keyexchange=ikev2
    auto=add

conn ikev2-eap-tls
    also="ikev2-pubkey"
    rightauth=eap-tls
    eap_identity=%identity

conn ikev2-mschap
    also="ikev2-pubkey"
    rightauth=eap-mschapv2
    eap_identity=%identity

conn ikev1-xauth
    keyexchange=ikev1
    rightauth=xauth
    auto=add
===============================
Such a config is shown in many tutorials. Different auth schemes are
needed for different clients.
But with this config I have a problem with Windows 10 clients: I want to
use EAP-MSCHAPv2 for Windows clients (username/password auth, without
client certs), but StrongSwan offers the FIRST (EAP-TLS) scheme to the Windows
client and authentication fails, as Windows reports that it could not find
a compatible auth scheme.
Is it possible to limit different schemes to different client types?
--
// Black Lion AKA Lev Serebryakov