[strongSwan] eap auth with 5.8 - how?

Tobias Brunner tobias at strongswan.org
Mon May 11 13:43:07 CEST 2020


> Having only:
>     remote {
>       certs = "remote.fqdn.crt"
>       auth  =  "pubkey"
>     }
> does not help.

Again, not the same thing as configuring %any as remote identity (there
is a fallback to the certificate's subject identity if a certificate but
no identity is configured - and that identity is sent to the peer, which
might not like it, so you should perhaps later check what identity it
actually returns and configure that).

> Trying: 'mode=tunnel' also fails.

That will only have an effect after the authentication.

> Also, I'm not sure how to translate this (in case it's critical)
> leftfirewall=yes

Whether it's critical depends on your firewall config.  See [1] for
notes on migrating from ipsec.conf to swanctl.conf.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/fromipsecconf
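
The difference between the quoted remote section and an explicit %any identity, as a swanctl.conf sketch. This is an added example, not part of the original message and not configuration from the strongSwan project; the connection names and the final placeholder identity are hypothetical.

```conf
connections {

  # As quoted above: a certificate but no identity. The certificate's
  # subject becomes the expected remote identity and is also sent to the
  # peer, which might reject it.
  cert-subject-fallback {          # hypothetical connection name
    remote {
      certs = "remote.fqdn.crt"
      auth = pubkey
    }
  }

  # Explicit %any: whatever identity the peer returns is accepted.
  any-identity {                   # hypothetical connection name
    remote {
      id = %any
      certs = "remote.fqdn.crt"
      auth = pubkey
    }
  }

  # Once the connection is up, read the identity the peer actually
  # returned (for example from `swanctl --list-sas`) and configure it.
  pinned-identity {                # hypothetical connection name
    remote {
      id = <identity-returned-by-peer>   # placeholder, not a real value
      certs = "remote.fqdn.crt"
      auth = pubkey
    }
  }
}
```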

