Hi Edward,

> - Can one set up Strongswan to forward password from user?

Only via EAP-GTC [1] are cleartext passwords from the client available.
Practically no clients other than strongSwan support this.
If you find an IKEv2 client that supports EAP-TTLS/PAP (strongSwan itself does not), it might work too if you configure FreeRADIUS appropriately.

> - What stops any user connecting to IKEv2 and attempting brute force
> connections against a user account.

Nothing really but strong passwords. Perhaps you could implement some kind of delay on the RADIUS/LDAP server, or limit the number of login attempts per username and minute to make such attacks more difficult.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/eap-gtc
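
The two mitigations suggested in the reply above (a delay on the authentication backend and a limit on login attempts per username and minute), sketched as an added example that is not part of the original message or of strongSwan/FreeRADIUS. `LoginThrottle` and its parameters are hypothetical names; how it is called from the RADIUS/LDAP server is assumed and not shown.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Hypothetical helper: per-username attempt limit plus a growing delay."""

    def __init__(self, max_attempts=5, window=60.0, base_delay=1.0,
                 max_delay=30.0, clock=time.monotonic):
        self.max_attempts = max_attempts  # attempts allowed per window
        self.window = window              # window length in seconds
        self.base_delay = base_delay      # delay after the first failure
        self.max_delay = max_delay        # cap on the growing delay
        self.clock = clock                # injectable so tests need not sleep
        self._attempts = defaultdict(deque)  # username -> recent attempt times
        self._failures = defaultdict(int)    # username -> consecutive failures

    def check(self, username):
        """Return (allowed, delay); allowed attempts count against the window."""
        key = username.lower()
        now = self.clock()
        recent = self._attempts[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()              # drop attempts older than the window
        if len(recent) >= self.max_attempts:
            return False, 0.0             # over the limit: reject without verifying
        recent.append(now)
        fails = self._failures[key]
        delay = min(self.base_delay * 2 ** (fails - 1), self.max_delay) if fails else 0.0
        return True, delay                # caller waits `delay` before answering

    def record(self, username, success):
        """Feed back the result of the real password check."""
        key = username.lower()
        if success:
            self._failures.pop(key, None)  # a good login resets the delay
        else:
            self._failures[key] += 1


if __name__ == "__main__":
    throttle = LoginThrottle(max_attempts=3)
    for attempt in range(5):              # constructed input: five wrong guesses
        allowed, delay = throttle.check("alice")
        print(attempt, allowed, delay)
        if allowed:
            throttle.record("alice", success=False)
```

A limit keyed only on the username lets anyone who knows that name lock its owner out for the window, so it complements strong passwords and does not replace them. The dictionaries grow with every distinct username submitted, so a deployment would also need to expire idle entries.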