[strongSwan] Combined auth methods for IKEv2?

Tobias Brunner tobias at strongswan.org
Wed Jul 14 09:39:20 CEST 2021


Hi Brent,

> 	remote {
> 		auth = pubkey
> 		id = O=FooBar (https://foobar.tld/), OU=nodes, CN=*
> 		cacerts = /etc/pki/ca-trust/source/anchors/FooBar_CA.pem,/etc/pki/ca-trust/source/anchors/FooBar_Intermediate.pem
> 		round = 0
> 	}
> 	remote {
> 		auth = eap-radius
> 		eap_id = %any
> 		round = 1
> 	}

This won't work.  The two "remote" sections get merged together, while 
the latter overrides existing key/value pairs, so you end up with:

> 	remote {
> 		auth = eap-radius
> 		id = O=FooBar (https://foobar.tld/), OU=nodes, CN=*
> 		cacerts = /etc/pki/ca-trust/source/anchors/FooBar_CA.pem,/etc/pki/ca-trust/source/anchors/FooBar_Intermediate.pem
> 		eap_id = %any
> 		round = 1
> 	}

Make sure to name these sections differently (the actual name doesn't 
matter as long as they start with "remote", so "remote-1/2" works as well 
as "remote-pubkey/eap").

Regards,
Tobias
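
A small lint that reproduces the merge behaviour described in the reply, as an added example (not strongSwan code and not part of the original message): it parses a simplified subset of the section syntax and warns when a same-named section is repeated or a key is silently overridden. The name `merge_sections` and both sample inputs are constructed for illustration.

```python
import re

# Constructed input: the two same-named sections from the question (cacerts omitted).
DUPLICATE = """
remote {
    auth = pubkey
    id = O=FooBar (https://foobar.tld/), OU=nodes, CN=*
    round = 0
}
remote {
    auth = eap-radius
    eap_id = %any
    round = 1
}
"""
# Constructed input: the same two rounds with distinct section names, as advised.
RENAMED = DUPLICATE.replace("remote {", "remote-pubkey {", 1).replace("remote {", "remote-eap {", 1)

def merge_sections(text):
    """Parse 'name {', 'key = value' and '}' lines (simplified subset).

    Same-named sibling sections are merged and later keys override earlier
    ones, as the reply describes. Returns (tree, warnings)."""
    root, warnings = {}, []
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        if not line:
            continue
        opened = re.fullmatch(r"([^\s={}]+)\s*\{", line)
        if opened:
            name = opened.group(1)
            child = stack[-1].get(name)
            if isinstance(child, dict):
                warnings.append(f"line {lineno}: section '{name}' repeated, merged into the earlier one")
            else:
                child = stack[-1][name] = {}
            stack.append(child)
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            old = stack[-1].get(key)
            if old is not None and old != value:
                warnings.append(f"line {lineno}: '{key}' = '{old}' overridden by '{value}'")
            stack[-1][key] = value
    return root, warnings
```

Running it on `DUPLICATE` yields a single `remote` section with `auth = eap-radius` and `round = 1`, so the pubkey round is gone; `RENAMED` keeps both rounds and produces no warnings.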

