[strongSwan] matching by eap_id with eap_radius

Volodymyr Litovka doka.ua at gmx.com
Fri Sep 18 01:20:32 CEST 2020


Hi colleagues,

Is there a way to use different configs for different EAP IDs when using
eap_radius?

In order to assign different if_id_in/out, I'm trying to do the following:

connections {
    ikev2-eap {
       remote {
          auth = eap_radius
          id = %any
          eap_id = %any
       }
       children {
          child {
             if_id_in = 1
             if_id_out = 1
          }
       }
    }

    ikev2-eap-xfrm2 {
       remote {
          auth = eap_radius
          id = %any
          eap_id = doka.ua@gmx.com
       }
       children {
          child {
             if_id_in = 2
             if_id_out = 2
             updown = /etc/swanctl/bin/updown
          }
       }
    }
}

but strongSwan matches by 'remote_id' (which is 'ID_IPV4_ADDR' and makes
no sense for roadwarriors) and does not choose the more specific one:

charon-systemd[7903]: looking for peer configs matching server_ip[%any]...remote_ip[192.0.2.225]
strongswan: 15[CFG] <3> peer config "ikev2-eap", ike match: 1052 (server_ip...%any IKEv2)
strongswan: 15[CFG] <3>   local id match: 1 (ID_ANY: )
strongswan: 15[CFG] <3>   remote id match: 1 (ID_IPV4_ADDR: c0:00:02:e1)
strongswan: 15[CFG] <3>   candidate "ikev2-eap", match: 1/1/1052 (me/other/ike)
strongswan: 15[CFG] <3> peer config "ikev2-eap-xfrm2", ike match: 1052 (server_ip...%any IKEv2)
strongswan: 15[CFG] <3>   local id match: 1 (ID_ANY: )
strongswan: 15[CFG] <3>   remote id match: 0 (ID_IPV4_ADDR: c0:00:02:e1)
strongswan: 15[CFG] <ikev2-eap|3> selected peer config 'ikev2-eap'
charon-systemd[7903]: selected peer config 'ikev2-eap'
charon-systemd[7903]: initiating EAP_IDENTITY method (id 0x00)
charon-systemd[7903]: generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
charon-systemd[7903]: parsed IKE_AUTH request 2 [ EAP/RES/ID ]
charon-systemd[7903]: received EAP identity 'doka.ua@gmx.com'

completely ignoring the eap_id statement in the 'remote' section.

So, the question: is there a way to match connections by different EAP IDs
when using eap_radius?

Thank you.

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
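Added here as a worked example, not part of the post above and not strongSwan's own code: a small Python parser over the charon CFG lines the post pasted. It pulls out, per IKE_SA, which peer configs were scored, which of them survived as candidates, which one was selected, and the EAP identity that arrived afterwards, so that a practitioner can see at a glance that the candidate set was already narrowed on the IKE identity (here an ID_IPV4_ADDR) before the EAP identity was known. The sample log is constructed from the lines in the post (with the list archive's " at " obfuscation of the address undone). Assumptions: the regexes match the line formats exactly as pasted, and because the 'received EAP identity' line carries no <n> IKE_SA tag it is attributed to the most recently seen IKE_SA.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the charon-systemd/CFG lines from the post above.
SAMPLE_LOG = """\
charon-systemd[7903]: looking for peer configs matching server_ip[%any]...remote_ip[192.0.2.225]
strongswan: 15[CFG] <3> peer config "ikev2-eap", ike match: 1052 (server_ip...%any IKEv2)
strongswan: 15[CFG] <3>   local id match: 1 (ID_ANY: )
strongswan: 15[CFG] <3>   remote id match: 1 (ID_IPV4_ADDR: c0:00:02:e1)
strongswan: 15[CFG] <3>   candidate "ikev2-eap", match: 1/1/1052 (me/other/ike)
strongswan: 15[CFG] <3> peer config "ikev2-eap-xfrm2", ike match: 1052 (server_ip...%any IKEv2)
strongswan: 15[CFG] <3>   local id match: 1 (ID_ANY: )
strongswan: 15[CFG] <3>   remote id match: 0 (ID_IPV4_ADDR: c0:00:02:e1)
strongswan: 15[CFG] <ikev2-eap|3> selected peer config 'ikev2-eap'
charon-systemd[7903]: selected peer config 'ikev2-eap'
charon-systemd[7903]: initiating EAP_IDENTITY method (id 0x00)
charon-systemd[7903]: generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
charon-systemd[7903]: parsed IKE_AUTH request 2 [ EAP/RES/ID ]
charon-systemd[7903]: received EAP identity 'doka.ua@gmx.com'
"""

# Patterns for the CFG lines as pasted. '<n>' is the IKE_SA unique id; the
# 'selected' line carries '<name|n>' instead.
PEER_RE = re.compile(r'<(?P<sa>\d+)>\s+peer config "(?P<name>[^"]+)", ike match: (?P<ike>\d+)')
ID_RE = re.compile(r'<(?P<sa>\d+)>\s+(?P<which>local|remote) id match: (?P<score>\d+)'
                   r' \((?P<idtype>[A-Z0-9_]+): ?(?P<value>[^)]*)\)')
CANDIDATE_RE = re.compile(r'<(?P<sa>\d+)>\s+candidate "(?P<name>[^"]+)", match: '
                          r'(?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+)')
SELECTED_RE = re.compile(r"<(?:[^|>]+\|)?(?P<sa>\d+)>\s+selected peer config '(?P<name>[^']+)'")
EAP_ID_RE = re.compile(r"received EAP identity '(?P<eap>[^']+)'")


@dataclass
class PeerCfgMatch:
    name: str
    ike: int
    local_id: int = 0
    remote_id: int = 0
    remote_id_type: str = ""
    is_candidate: bool = False  # set only when charon printed a 'candidate' line for it


@dataclass
class IkeSaSelection:
    sa: str
    configs: List[PeerCfgMatch] = field(default_factory=list)
    selected: Optional[str] = None
    eap_identity: Optional[str] = None


def parse_selection(log_text: str) -> Dict[str, IkeSaSelection]:
    """Group peer-config scoring, selection and EAP identity by IKE_SA id."""
    sas: Dict[str, IkeSaSelection] = {}
    current: Optional[PeerCfgMatch] = None   # config whose id-match lines follow
    last_sa: Optional[str] = None            # for lines without an <n> tag
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            sel = sas.setdefault(m["sa"], IkeSaSelection(m["sa"]))
            current = PeerCfgMatch(m["name"], int(m["ike"]))
            sel.configs.append(current)
            last_sa = m["sa"]
            continue
        m = ID_RE.search(line)
        if m and current is not None:
            if m["which"] == "local":
                current.local_id = int(m["score"])
            else:
                current.remote_id = int(m["score"])
                current.remote_id_type = m["idtype"]
            continue
        m = CANDIDATE_RE.search(line)
        if m and m["sa"] in sas:
            for cfg in sas[m["sa"]].configs:
                if cfg.name == m["name"]:
                    cfg.is_candidate = True
            continue
        m = SELECTED_RE.search(line)
        if m:
            sas.setdefault(m["sa"], IkeSaSelection(m["sa"])).selected = m["name"]
            last_sa = m["sa"]
            continue
        m = EAP_ID_RE.search(line)
        if m and last_sa is not None:
            # Assumption: no <n> tag on this line, so attribute it to the last IKE_SA seen.
            sas[last_sa].eap_identity = m["eap"]
    return sas


def drop_reason(cfg: PeerCfgMatch) -> str:
    """Explain, from the scores charon printed, why a config never became a candidate."""
    if cfg.remote_id == 0:
        return f"remote id mismatch ({cfg.remote_id_type})"
    if cfg.local_id == 0:
        return "local id mismatch"
    return "not listed as candidate"


def summarize(log_text: str) -> Dict[str, dict]:
    """Per IKE_SA: selected config, EAP identity, surviving candidates and dropped configs."""
    out: Dict[str, dict] = {}
    for sa, sel in parse_selection(log_text).items():
        out[sa] = {
            "selected": sel.selected,
            "eap_identity": sel.eap_identity,
            "candidates": [c.name for c in sel.configs if c.is_candidate],
            "dropped": {c.name: drop_reason(c) for c in sel.configs if not c.is_candidate},
        }
    return out


if __name__ == "__main__":
    for sa, info in summarize(SAMPLE_LOG).items():
        print(f"IKE_SA {sa}: selected {info['selected']!r}, EAP identity {info['eap_identity']!r}")
        for name, why in info["dropped"].items():
            print(f"  dropped before the EAP identity was known: {name} ({why})")
```

Running it over a live charon log (journalctl -u strongswan, or the syslog charon feeds) with the same parser shows, for every roadwarrior IKE_SA, whether the config it landed on was the only one left after the IKE-identity round, which is the situation the post describes.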
