[strongSwan] How to have different IKEv2 auth schemes on one server?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 3 14:51:44 CEST 2018


Hello Lev,

Yes, configure the eap-dynamic plugin and use that as the authentication method for the remote peer in the first (topmost) conn. It negotiates the EAP method.
Check the configurations available on the UsableExamples[1] page.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

Am 03.10.18 um 14:03 schrieb Lev Serebryakov:
>  I have several connection setups for IKEv2 in ipsec.conf:
>
> ===============================
> conn %default
>         [...SKIPPED...]
>         # right - remote (client) side
>         right=%any
>         rightsendcert=never
>         rightsourceip=192.168.27.0/24,2001:19f0:5001:229c:dead::/96
>         rightdns=8.8.8.8,8.8.4.4
>
> conn ikev2-pubkey
>         keyexchange=ikev2
>         auto=add
>
> conn ikev2-eap-tls
>        also="ikev2-pubkey"
>        rightauth=eap-tls
>        eap_identity=%identity
>
> conn ikev2-mschap
>         also="ikev2-pubkey"
>         rightauth=eap-mschapv2
>         eap_identity=%identity
>
> conn ikev1-xauth
>         keyexchange=ikev1
>         rightauth=xauth
>         auto=add
> ===============================
>
>   Such a config is shown in many tutorials. Different auth schemes are
> needed for different clients.
>
>  But with this config I have a problem with Windows 10 clients: I want to
> use EAP-MSCHAPv2 for Windows clients (username/password auth, without
> client certs), but strongSwan offers the FIRST (EAP-TLS) scheme to the Windows
> client and authentication fails, as Windows reports that it could not find a
> compatible auth scheme.
>
>  Is it possible to limit different schemes to different client types?
>

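As an added illustration of Noel's suggestion (this is not configuration from the thread or from the strongSwan project, and the server identity, certificate file name, user name and password are placeholders), the three IKEv2 conns from the quoted ipsec.conf collapse into one conn whose rightauth is eap-dynamic. The plugin then proposes the server's preferred method first; a client such as Windows that cannot do EAP-TLS answers with an EAP NAK listing the methods it supports, and the plugin switches to one of those instead of failing the exchange. The address pool and DNS servers are taken from the quoted config; the eap-dynamic options shown in strongswan.conf are the plugin's preferred and prefer_user settings, and the eap-dynamic, eap-tls and eap-mschapv2 plugins must all be built and loaded for this to work.

```conf
# --- /etc/ipsec.conf (added example, not the poster's config) ---
conn %default
        keyexchange=ikev2
        # left - local (server) side
        left=%any
        leftid=@vpn.example.org          # placeholder server identity
        leftcert=serverCert.pem          # placeholder certificate file
        leftsendcert=always
        leftsubnet=0.0.0.0/0,::/0
        # right - remote (client) side
        right=%any
        rightsendcert=never
        rightsourceip=192.168.27.0/24,2001:19f0:5001:229c:dead::/96
        rightdns=8.8.8.8,8.8.4.4

# Single conn for every IKEv2 EAP client. eap-dynamic negotiates the
# concrete EAP method with each peer, so no per-method conns are needed
# and the first-listed conn no longer pins Windows clients to EAP-TLS.
conn ikev2-eap
        rightauth=eap-dynamic
        eap_identity=%identity
        auto=add

# IKEv1 XAuth clients keep a separate conn; it is selected by the
# IKE version, so it does not compete with the IKEv2 conn above.
conn ikev1-xauth
        keyexchange=ikev1
        rightauth=xauth
        auto=add

# --- /etc/strongswan.conf (added example) ---
charon {
    plugins {
        eap-dynamic {
            # Methods the server proposes, in order: certificate
            # clients get EAP-TLS first, everyone else falls through.
            preferred = tls, mschapv2
            # When the client NAKs with its own list of methods,
            # honour the client's order rather than the server's.
            prefer_user = yes
        }
    }
}

# --- /etc/ipsec.secrets (added example) ---
# EAP-MSCHAPv2 users authenticate with a password stored here;
# the user name and password are placeholders.
alice : EAP "replace-with-a-strong-password"
```

Restart or reload the daemon after the change (ipsec restart, or ipsec rereadsecrets for the secrets file alone) and confirm with ipsec statusall that only ikev2-eap and ikev1-xauth are loaded. If a client still fails, charon's log shows the EAP type it was offered and the NAK it sent back, which tells you whether the plugin fell through to MSCHAPv2 as intended.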