> What I want is to configure the local to demand that the remote issue
> an eap challenge to the local.

This is automatically done if you configure "leftauth=eap", see below. But this does not require that a mutual EAP method is used where the responder gets authenticated, too.

> What I think you have implemented is that both sides issue eap
> challenges to each other ?

No. There is no way that a responder can request the initiator to do EAP. This is always triggered by the initiator (by omitting the AUTH payload). The responder then must start EAP authentication using EAP payloads.

EAP in IKEv2 is asymmetric. If you configure "rightauth=eap-whatever" on the responder, the initiator MUST trigger EAP (again, by omitting the AUTH payload). However, for "rightauth=eap" on the initiator, there is no way the responder can do its own EAP exchange. Instead, this means that the responder must have been authenticated in the initiator's EAP exchange using a mutual EAP method, such as EAP-AKA or EAP-TLS.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
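The asymmetry described in the reply, laid out as an added ipsec.conf example (written for this page, not taken from the post or from the strongSwan project): the responder's `rightauth` choice forces the initiator into EAP, and the initiator can only have the responder authenticated through that same exchange by picking a mutual method. Hostnames, identities and certificate file names are placeholders.

```conf
# --- Responder (the side that runs the EAP server) ---
# rightauth=eap-tls makes the initiator omit its AUTH payload and
# answer the responder's EAP challenges; leftauth=eap means the
# responder itself is authenticated inside EAP-TLS (mutual method),
# not by a separate IKEv2 signature.
conn eap-tls-responder
    keyexchange=ikev2
    left=gateway.example.test        # placeholder address
    leftid=@gateway.example.test     # placeholder identity
    leftcert=gatewayCert.pem         # placeholder; also used as the EAP-TLS server cert
    leftauth=eap
    leftsubnet=10.0.0.0/24           # constructed sample subnet
    right=%any
    rightauth=eap-tls
    rightid=%any
    auto=add

# --- Initiator (the side that is challenged) ---
# leftauth=eap: this peer will omit AUTH and wait for EAP from the
# responder.  rightauth=eap: no way to challenge the responder back;
# it is accepted only because EAP-TLS authenticates both ends.
conn eap-tls-initiator
    keyexchange=ikev2
    left=%defaultroute
    leftid=@client.example.test      # placeholder identity
    leftcert=clientCert.pem          # placeholder; client's EAP-TLS certificate
    leftauth=eap
    leftsourceip=%config
    right=gateway.example.test       # placeholder address
    rightid=@gateway.example.test
    rightauth=eap
    rightsubnet=10.0.0.0/24
    auto=start
```

Swapping `rightauth=eap-tls` on the responder for a one-way method such as `eap-mschapv2` would still force the initiator into EAP, but the initiator could then no longer use `rightauth=eap`; it would have to authenticate the responder with `rightauth=pubkey` instead.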
