Hi Steve,

> Especially with the iPhone he is "looking for XAuthInitPSK config" but then
> he shows "no peer config found" in the syslog entries.

The configuration you added with

>         leftauth=pubkey
>         rightauth=eap-xauth

is not correct.  What you want to do (if you want to use XAuth/PSK) is this:

        leftauth=psk
        rightauth=psk
        rightauth2=xauth-eap

Some clients (e.g. Mac OS X Mountain Lion) can also use hybrid
authentication where the client is only authenticated with XAuth and the
gateway uses pubkey authentication:

        leftauth=pubkey
        rightauth=xauth-eap

The iPhone can do that too, but it does not verify the identity of the
gateway against the certificate which makes it vulnerable to
man-in-the-middle attacks.

An alternative is to generate a single key/cert pair and use that for
all clients.  Then use XAuth/RSA in which case the RSA authentication is
only used to verify the gateway's identity (since all clients use the
same key/cert pair) while the clients then use XAuth to actually
identify themselves:

        leftauth=pubkey
        rightauth=pubkey
        rightauth2=xauth-eap

Regards,
Tobias

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
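The XAuth/PSK setup Tobias recommends, as an added example that is not part of the thread: a complete strongSwan ipsec.conf conn for road-warrior clients plus the matching ipsec.secrets lines. The gateway id, subnets, address pool, user name and secrets are constructed placeholders; it assumes the client proposes IKEv1 aggressive mode (as the iOS PSK client does) and that the xauth-eap plugin is loaded with its default EAP-MD5 backend, so XAuth passwords are stored as EAP secrets.

```ini
# --- /etc/ipsec.conf (constructed example, strongSwan 5.x stroke config) ---
config setup

conn xauth-psk
        keyexchange=ikev1
        aggressive=yes              # iOS/Cisco-style PSK clients use aggressive mode
        left=%defaultroute
        leftsubnet=0.0.0.0/0        # tunnel all client traffic through the gateway
        leftid=@vpn.example.com     # placeholder gateway identity
        leftauth=psk                # round 1: gateway proves itself with the group PSK
        right=%any
        rightsourceip=10.10.10.0/24 # placeholder virtual IP pool for clients
        rightauth=psk               # round 1: client presents the group PSK
        rightauth2=xauth-eap        # round 2: per-user XAuth, verified via EAP backend
        auto=add

# --- /etc/ipsec.secrets (constructed example) ---
# Group pre-shared key used by every client in round 1.
# Note: with a shared PSK the real per-user authentication is the XAuth round;
# the PSK alone does not identify an individual client.
: PSK "change-me-group-secret"

# XAuth credentials, stored as EAP secrets because xauth-eap hands the
# username/password to its EAP-MD5 backend (assumption: default backend).
alice : EAP "alice-password"
bob   : EAP "bob-password"
```

Keep ipsec.secrets readable only by root, and reload it with `ipsec rereadsecrets` after adding users.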
