On April 9, 2026 3:31:16 PM GMT+02:00, Alex Mihajlov <[email protected]>
wrote:
>On 09/04/2026, Tobias Heider wrote:
>> On Thu, Apr 09, 2026 at 12:20:05AM +0300, Alex Mihajlov wrote:
>> > On 08/04/2026, Tobias Heider wrote:
>> > >
>> You can simply put multiple ikev2 blocks into your server iked.conf.
>> It could look something like:
>>
>> user 'user' 'password'
>> ikev2 'responder_eap' passive esp \
>> from any to dynamic \
>> local X.X.X.X peer any \
>> srcid server1-eap \
>> eap "mschap-v2" \
>> config address 10.0.5.0/24 \
>> config name-server 192.0.2.1
>>
>> ikev2 'responder_psk' passive esp \
>> from any to dynamic \
>> local X.X.X.X peer any \
>> srcid server1-psk \
>> psk preshared123! \
>> config address 10.0.5.0/24 \
>> config name-server 192.0.2.1
>
>Thanks for your attention!
>I tried using a similar configuration:
>
>ikev2 'responder_eap' passive ipcomp esp \
> from 0.0.0.0/0 to dynamic \
> peer any \
> srcid myhostname.org \
> eap "mschap-v2" \
> config address 172.24.24.0/24 \
> config name-server 172.24.24.1 \
> tag "$name-$id" tap enc0
>
>ikev2 'responder_rsa' passive esp \
> from 0.0.0.0/0 to dynamic \
> peer any \
> srcid myhostname.org \
> config address 172.24.24.0/24 \
> config name-server 172.24.24.1 \
> tag "ROADW"
>
>And when I added responder_rsa, all users,
>including those who were supposed to log in via mschap-v2,
>were caught by the responder_rsa policy and couldn't log in.
>
>They come from the internet, and I can't specify anything
>in the "from" parameter other than 0.0.0.0/0.
>What should I do to ensure that only users
>using rsa are included in responder_rsa?
>Should I specify a different srcid?
>
Yes, different IDs is what I would try.
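As an added illustration (not part of the thread above, and not a configuration from either poster), the following iked.conf fragments show the approach the reply suggests: each responder policy carries its own `srcid`, and the road warriors name that ID in `dstid` on their side so their IKE_AUTH request selects the intended policy rather than whichever `peer any` policy is tried first. The hostnames, the address pool and the certificate name are placeholders.

```conf
# --- responder (server) side: one srcid per policy ---
user 'user' 'password'

# EAP/MSCHAPv2 road warriors must ask for the ID "vpn-eap.example.org"
ikev2 'responder_eap' passive esp \
        from 0.0.0.0/0 to dynamic \
        peer any \
        srcid vpn-eap.example.org \
        eap "mschap-v2" \
        config address 172.24.24.0/24 \
        config name-server 172.24.24.1 \
        tag "$name-$id"

# Certificate (RSA) road warriors must ask for the ID "vpn-rsa.example.org"
ikev2 'responder_rsa' passive esp \
        from 0.0.0.0/0 to dynamic \
        peer any \
        srcid vpn-rsa.example.org \
        config address 172.24.24.0/24 \
        config name-server 172.24.24.1 \
        tag "ROADW"

# --- initiator (road warrior) side, EAP client ---
# dstid is the responder identity this client expects and requests.
ikev2 'client_eap' active esp \
        from dynamic to 0.0.0.0/0 \
        peer vpn.example.org \
        srcid alice@example.org \
        dstid vpn-eap.example.org \
        eap "mschap-v2" \
        request address any

# --- initiator (road warrior) side, certificate client ---
ikev2 'client_rsa' active esp \
        from dynamic to 0.0.0.0/0 \
        peer vpn.example.org \
        srcid bob.example.org \
        dstid vpn-rsa.example.org \
        request address any
```

The point to check after such a change is that the responder no longer has two passive policies that are indistinguishable from the initiator's view: with identical `srcid`, `peer any` and `from 0.0.0.0/0`, the two policies overlap and only one of them can win, which is the symptom described in the thread.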