Re: [strongSwan] IKEv1 xauth-pam to IKEv2 eap-gtc?
On 2015-11-09 1:48 AM, Martin Willi wrote:
> EAP is probably the way to go if you want password authentication with
> IKEv2. For PAM verification the server needs the clear text password,
> which can be achieved with EAP-GTC. Unfortunately, not many third party
> clients support it.

Thanks for the response, Martin.

Does anyone know if any of the iOS implementations (racoon or the newer iOS 9 agent) supports EAP-GTC? (Or should it matter?)

I tried a quick re-working of our configs but with rightauth=pubkey & rightauth2=eap-gtc sections but it fails without calling any PAM modules when authenticating an iOS 9.1 client:

1447103395 Nov 9 21:09:55 27[CFG] selected peer config 'iphone-ios8-ike-v2'
1447103395 Nov 9 21:09:55 27[IKE] peer requested EAP, config inacceptable
1447103395 Nov 9 21:09:55 27[CFG] no alternative config found

thanks,
- John

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] IKEv1 xauth-pam to IKEv2 eap-gtc?
Hi John,

> The IKEv1 connections use pubkey & xauth-pam authentication:

> Is there a migration path for IKEv2 connections that makes sense? I see
> there is an eap-gtc module that supports pam but it's not clear in the
> documentation how to configure this to use a specific pam_service.

EAP is probably the way to go if you want password authentication with IKEv2. For PAM verification the server needs the clear text password, which can be achieved with EAP-GTC. Unfortunately, not many third party clients support it.

Since 5.0.1 the eap-gtc plugin uses IKEv1 XAuth backends for password verification, see [1]. It defaults to xauth-pam, so you can continue using your IKEv1 configuration in IKEv2.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapGtc

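Added example, not part of the thread or of the strongSwan project's own configuration: the server-side settings for the setup described above, where the eap-gtc plugin passes the clear text password to the xauth-pam backend. The PAM service name strongswan-vpn and the conn name are hypothetical, and the example assumes a client that supports EAP-GTC.

```conf
# /etc/strongswan.conf (excerpt)
charon {
    plugins {
        eap-gtc {
            # XAuth backend used to verify the password.
            # "pam" selects xauth-pam and is the default.
            backend = pam
        }
        xauth-pam {
            # PAM service to authenticate against, i.e. the file
            # /etc/pam.d/<name>. Default is "login".
            # "strongswan-vpn" is a hypothetical service name.
            pam_service = strongswan-vpn
        }
    }
}

# /etc/ipsec.conf (excerpt)
# Hypothetical conn: the server authenticates with its certificate,
# the client with a password carried in EAP-GTC.
conn ikev2-eap-gtc
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=eap-gtc
    # Ask the client for an EAP identity; it becomes the PAM user name.
    eap_identity=%identity
```

Because xauth-pam has a single pam_service setting, an IKEv1 conn using rightauth2=xauth-pam and an IKEv2 conn using eap-gtc are checked against the same PAM service.
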
[strongSwan] IKEv1 xauth-pam to IKEv2 eap-gtc?
We're in the process of migrating clients from IKEv1-based connections to IKEv2-based connections.

The IKEv1 connections use pubkey & xauth-pam authentication:

conn iphone-ios8
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth-pam
    [...]

Is there a migration path for IKEv2 connections that makes sense? I see there is an eap-gtc module that supports pam but it's not clear in the documentation how to configure this to use a specific pam_service.

Any hints would be appreciated.

- John