Hi Graham,

> Is there any way to configure the client so that it will either not bother
> verifying the server, or if it does try to verify and fails, will not care?

No, there is currently no such option.

> For our application, the server MUST be able to verify the identity of the
> clients, but the verification of the server by the clients is not so
> important.

Not verifying the server credentials at all is not an option, as it allows an active attacker to act as your gateway and play the Man-In-The-Middle game.

> The server will verify the identity of the clients using EAP-SIM or
> EAP-AKA.

If you are running a mutual EAP method (SIM and AKA actually are), the client authenticates the server within EAP. There is a resurrected Internet draft [1] which omits public key authentication in such cases. However, we currently do not implement this extension.

Regards
Martin

[1] http://tools.ietf.org/html/draft-eronen-ipsec-ikev2-eap-auth-06