[strongSwan] Google Scure LDAP and User-Password

Tobias Brunner tobias at strongswan.org
Fri Feb 28 15:18:23 CET 2020

Hi Edward,

> - Can one set up Strongswan to forward password from user?
Only via EAP-GTC [1] are cleartext passwords from the client available.
 Practically no clients other than strongSwan support this.

If you find an IKEv2 client that supports EAP-TTLS/PAP (strongSwan
itself does not), it might work too if you configure FreeRADIUS

> - What stops any user connecting to IKEv2 and attempting brute force connections against a user account.

Nothing really but strong passwords.  Perhaps you could implement some
kind of delay on the RADIUS/LDAP server, or limit the number of login
attempts per username and minute to make such attacks more difficult.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/eap-gtc

More information about the Users mailing list