[strongSwan] Use Radius for gateway configuration
Volodymyr Litovka
doka.ua at gmx.com
Fri Jul 17 11:56:33 CEST 2020
Hi,
I use route-based VPNs for a lot of different clients and, unfortunately, have met Cisco ASA. I can't say I'm delighted: unlike others, it supports neither EAP-MSCHAPv2 nor VIP negotiation for route-based VPNs, which makes it impossible to use RADIUS as the authentication/authorization backend and introduces the necessity to describe remote_ts and the secret per connection, like this:
ikev2-psk {
    [ ... ]
    remote {
        auth = psk
        id = ciscoasa
    }
    children {
        psk-child {
            local_ts = 0.0.0.0/0
            remote_ts = 172.29.24.100/32
        }
    }
}
secrets {
    ike-1 {
        id = ciscoasa
        secret = q1w2e3
    }
}
I'm just wondering whether it is, nevertheless, possible to use RADIUS for configuring at least the strongSwan side in such cases. What I mean: use id/psk to authenticate the connection in RADIUS and get the VIP from RADIUS to provision the 'remote_ts' parameter and configure xfrm policies (ignoring "expected a virtual IP request, sending FAILED_CP_REQUIRED" and leaving the IP configuration on the remote side to be configured statically).
This approach does not break the protocols themselves (because it applies to the gateway side only), but reduces configuration, keeping the PSK config common for all connections, like this:
ikev2-psk {
    [ ... ]
    pools = radius
    vip_rq = (yes|no)
    remote {
        auth = psk-radius(?)
        id = %any
    }
    children {
        psk-child {
            local_ts = 0.0.0.0/0
            remote_ts = dynamic
        }
    }
}
Any thoughts on whether this can be implemented either internally or using external scripts/hooks upon connection establishment?
Thank you.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
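The "external script" variant of what the post asks for, as an added example that is neither strongSwan's code nor the poster's: given the per-peer data a RADIUS backend would return (User-Name as the IKE identity, Framed-IP-Address and an optional Framed-IP-Netmask, plus the PSK held for that peer), render per-peer swanctl.conf connection and secret blocks with remote_ts derived from the framed address, instead of hand-writing each one. The RADIUS replies here are constructed sample data; the real lookup (a RADIUS client, or an export from the backend) is assumed to happen before this step, and the resulting file is assumed to be dropped into /etc/swanctl/conf.d/ and loaded with `swanctl --load-conns --load-creds`. Identities and connection names are restricted to a safe character set so that a backend-supplied User-Name containing braces or newlines cannot break out of the block it is written into, and secrets are emitted hex-encoded with swanctl's `0x` prefix to avoid any quoting issues.

```python
"""Render per-peer swanctl.conf blocks from RADIUS-style authorization data.

Added example for the strongSwan users list thread; not strongSwan code.
"""
import ipaddress
import re
from typing import Dict, Iterable, Optional

# Constructed sample of what the backend would return per peer (hypothetical
# data: one /32 peer like the ASA in the post, one peer with a netmask).
SAMPLE_REPLIES = [
    {"User-Name": "ciscoasa", "psk": "examplepsk1",
     "Framed-IP-Address": "172.29.24.100"},
    {"User-Name": "branch-2", "psk": "examplepsk2",
     "Framed-IP-Address": "172.29.24.0", "Framed-IP-Netmask": "255.255.255.0"},
]

# Characters we allow in an identity or section name written into the config.
_TOKEN = re.compile(r"^[A-Za-z0-9._@-]+$")


def _token(value: str, what: str) -> str:
    """Reject values that could break out of swanctl.conf block syntax."""
    if not _TOKEN.match(value):
        raise ValueError(f"{what} contains disallowed characters: {value!r}")
    return value


def remote_ts_from_reply(reply: Dict[str, str]) -> str:
    """Derive the remote traffic selector from Framed-IP-Address (+ netmask).

    Without Framed-IP-Netmask the selector is a /32, which is what the post
    wants to provision in place of the static remote_ts line.
    """
    addr = reply["Framed-IP-Address"]
    mask = reply.get("Framed-IP-Netmask", "255.255.255.255")
    # ip_network validates both fields and raises ValueError on garbage.
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def render_conn(reply: Dict[str, str], conn_name: Optional[str] = None) -> str:
    """Render one connections { ... } block for a single PSK peer."""
    peer = _token(reply["User-Name"], "User-Name")
    name = _token(conn_name or f"psk-{peer}", "connection name")
    ts = remote_ts_from_reply(reply)
    lines = [
        "connections {",
        f"    {name} {{",
        "        version = 2",
        "        local {",
        "            auth = psk",
        "        }",
        "        remote {",
        "            auth = psk",
        f"            id = {peer}",
        "        }",
        "        children {",
        f"            {name}-child {{",
        "                local_ts = 0.0.0.0/0",
        f"                remote_ts = {ts}",
        "            }",
        "        }",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def render_secrets(replies: Iterable[Dict[str, str]]) -> str:
    """Render a secrets { ... } block, one ike-<n> entry per peer.

    The PSK is written hex-encoded with the 0x prefix that swanctl.conf
    accepts, so arbitrary backend-stored secrets never need quoting.
    """
    lines = ["secrets {"]
    for n, reply in enumerate(replies, start=1):
        peer = _token(reply["User-Name"], "User-Name")
        hexpsk = reply["psk"].encode("utf-8").hex()
        lines += [f"    ike-{n} {{", f"        id = {peer}",
                  f"        secret = 0x{hexpsk}", "    }"]
    lines.append("}")
    return "\n".join(lines) + "\n"


def render_all(replies: Iterable[Dict[str, str]]) -> str:
    """Full conf.d fragment: one connection per peer plus the shared secrets."""
    replies = list(replies)
    return "".join(render_conn(r) for r in replies) + render_secrets(replies)


if __name__ == "__main__":
    # Assumed destination; adjust to your swanctl include directory.
    print(render_all(SAMPLE_REPLIES))
```

Because strongSwan itself still has no VIP to hand out on this path, the peer's own address remains statically configured on the remote side, as the post proposes; this script only removes the per-peer editing on the gateway. Re-run it (and `swanctl --load-conns --load-creds`) whenever the backend's peer list changes.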