Hello! I'm trying to get the IPSec connection of the iPhone to work with StrongSwan.
Currently it runs with the old racoon (ipsec-tools) and IKEv1. In the old configuration the password is checked against the AD via the LDAP module. We want to change to StrongSwan and use IKEv2. I've got the connection running following the instructions on the website and many experiments. In my configuration I'm using the 'eap-mschapv2' module and specified the password in the /etc/ipsec.secrets file.

I have three questions:

1) Is it possible to check the EAP password without using a RADIUS server? If so, which module must I use?

2) Can I use an IKEv2 iOS <-> StrongSwan connection verified by certificates only?

3) I experimented with the parameters and have the feeling that if I use the EAP password check, the certificate isn't checked any longer? I replaced the CA certificate on the server with a wrong (non-matching) CA but I can still connect to the server. Do I have an error in reasoning here? I expected the connection to fail, because the server could not match the incoming certificate from the iPhone to the server's CA!?
Some details:

Linux strongSwan U5.5.1/K4.1.39

ipsec.conf:

    config setup
        uniqueids=no
        charondebug = ike 2, net 2, pts 2, lib 2, tls 2, cfg 3, knl 2

    conn rw-base
        fragmentation=yes
        dpdtimeout=90s
        dpddelay=30s
        dpdaction=clear

    conn rw-config
        also=rw-base
        keyexchange=ikev2
        reauth=no
        rekey=no
        ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
        esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072
        leftsubnet=0.0.0.0/0,::/0
        leftid="ipsec.domain.net"
        leftcert=server.crt
        leftsendcert=always
        rightdns=10.1.3.10
        #rightca="C=DE, L=Somewhere, O=Firm, OU=IT, DC=local, DC=group, CN=Firm CA"
        rightsourceip=172.16.252.0/24

    conn ikev2-pubkey
        also=rw-config
        auto=add

    conn ikev2-eap-mschapv2
        also=rw-config
        auto=add
        rightauth=eap-mschapv2
        eap_identity=%identity

ipsec.secrets:

    : RSA server.key
    user : PSK "test"
    user %any% : EAP "test"

Regards
Sven Anders

--
Sven Anders <and...@anduras.de>
() UTF-8 Ribbon Campaign
/\ Support plain text e-mail
ANDURAS intranet security AG
Messestrasse 3 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. - Benjamin Franklin
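Added example (editor's, not from the mail above): the two connection definitions side by side with client authentication made explicit. With rightauth=eap-mschapv2 the client is authenticated by the EAP exchange alone and sends no certificate, so swapping the server-side CA cannot affect that conn; a certificate-only conn needs rightauth=pubkey plus a rightca constraint, otherwise any CA installed in /etc/ipsec.d/cacerts is accepted. The CA DN is the one from the mail; the remaining values are reused from the posted ipsec.conf.

```conf
config setup
    uniqueids=no

conn rw-base
    keyexchange=ikev2
    fragmentation=yes
    leftid="ipsec.domain.net"       # server identity, as in the mail
    leftcert=server.crt             # server authenticates itself by certificate
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    rightsourceip=172.16.252.0/24
    rightdns=10.1.3.10

# Certificate-only (question 2): the client must present a certificate,
# and rightca restricts it to certificates issued by this one CA.
conn ikev2-pubkey
    also=rw-base
    rightauth=pubkey
    rightca="C=DE, L=Somewhere, O=Firm, OU=IT, DC=local, DC=group, CN=Firm CA"
    auto=add

# EAP-MSCHAPv2 (questions 1 and 3): password checked against ipsec.secrets,
# no RADIUS. The client is authenticated only by EAP; no client certificate
# is requested or verified in this conn, so a CA change does not break it.
conn ikev2-eap-mschapv2
    also=rw-base
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
```

The matching ipsec.secrets entry for the EAP conn is a single line of the form `user : EAP "password"`; the PSK line in the mail is not used by either conn.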