Curiously, if eap-user1 is at the end of the list, it authenticates correctly, 
but not if first or second in the list.

From: bls s <bls3...@outlook.com>
Sent: Tuesday, November 28, 2017 4:43 PM
To: users@lists.strongswan.org
Subject: [strongSwan] swanctl.conf EAP credential information

I'm switching over from using ipsec.conf to charon-systemd. Everything is 
working for the first user, but I have run into a strange issue (or a dumb user 
error!) with the 'secrets' section when trying to implement multiple EAP 
passwords.

If my secrets section has only one EAP id/password in it, the client 
authenticates correctly. But if the secrets section has more than one EAP 
id/password in it, the MSCHAPv2 authentication fails.

Here’s the failing configuration. If I remove the 2nd and 3rd entries, user1 
works correctly. However, using the full secrets section below, user1 fails to 
authenticate.

connections {

    ikev2-eap-mschapv2 {
        version = 2
#       proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        mobike = yes

        local-1 {
            certs = strongswanCert.pem
            id = serverid1
            auth = psk
        }

        remote-1 {
            auth = eap-mschapv2
            id = clientid1
            eap_id = %any
        }

        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
#               esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
#               updown = /libexec/ipsec/_updown iptables
            }
        }
    }

    ikev2-pubkey {
        version = 2
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s

        local-1 {
            certs = vpnHostCert.pem
            id = server1
        }

        remote-1 {   # defaults are fine
        }

        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3, 8.8.8.8
    }
}

secrets {
    ike-psk {
        secret = somepsk
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret = secret1
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret = secret2
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret = secret3
    }
}

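A small lint for a swanctl.conf secrets section, added here as an illustration (it is neither strongSwan code nor the poster's): it parses the brace syntax used above and reports an unclosed section, an eap-* entry missing id or secret, and two entries that share an identity. The input is a constructed fragment with placeholder names and passwords.

```python
from collections import Counter

# Constructed swanctl.conf fragment modelled on the post (placeholder ids and
# passwords; the closing brace of 'secrets' is left off to exercise the structural check).
SAMPLE = """secrets {
    ike-psk {
        secret = somepsk
    }
    eap-user1 {
        id = user1@example.com
        secret = secret1
    }
    eap-user2 {
        id = user1@example.com
        secret = secret2
    }
"""

def parse_sections(text):
    """Parse swanctl.conf's brace syntax into nested dicts; returns (tree, errors)."""
    root, stack, errors = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        cur = stack[-1][1] if stack else root
        if line.endswith('{'):                       # open a (possibly nested) section
            name = line[:-1].strip()
            stack.append((name, cur.setdefault(name, {})))
        elif line == '}':                            # close the innermost section
            stack.pop() if stack else errors.append(f"line {lineno}: stray '}}'")
        elif '=' in line:                            # key = value
            key, value = (p.strip() for p in line.split('=', 1))
            cur[key] = value
        else:
            errors.append(f"line {lineno}: cannot parse '{line}'")
    errors += [f"section '{name}' is never closed" for name, _ in stack]
    return root, errors

def check_eap_secrets(tree):
    """eap-* entries need id + secret; charon picks one secret per identity, so duplicate ids cannot both match."""
    eap = {n: b for n, b in tree.get('secrets', {}).items() if n.startswith('eap-')}
    problems, ids = [], Counter()
    for name, body in eap.items():
        problems += [f"{name}: missing '{k}'" for k in ('id', 'secret') if k not in body]
        ids[body.get('id')] += 1                     # a missing id is counted under None and ignored below
    problems += [f"id '{i}' used by {n} eap-* sections" for i, n in ids.items() if i and n > 1]
    return problems
if __name__ == '__main__':
    tree, errors = parse_sections(SAMPLE)
    print('\n'.join(errors + check_eap_secrets(tree)) or 'secrets look consistent')
```

Run it against a real swanctl.conf by reading the file into parse_sections in place of SAMPLE; the eap-* section names themselves are free-form and are not checked here.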