Hi,

> conn rw-cert
>       left=172.16.254.200
>       leftsubnet=0.0.0.0/0
>       leftcert=pi-peer.der
>       leftid=my-fqdn.example.com
>       rightsourceip=172.16.254.0/24
>       right=%any
>       rightsendcert=always
>       auto=add
> 
> conn rw-eap
>       left=172.16.254.200
>       leftsubnet=0.0.0.0/0
>       leftcert=pi-peer.der
>       leftid=my-fqdn.example.com
>       rightsourceip=172.16.254.0/24
>       right=%any
>       rightid=*
>       rightauth=eap-md5
>       rightsendcert=never
>       auto=add

A conn section for combined certificate/EAP authentication should look
something like this (using the above as a template):

conn rw-cert-eap
        left=172.16.254.200
        leftsubnet=0.0.0.0/0
        leftcert=pi-peer.der
        leftid=my-fqdn.example.com
        rightsourceip=172.16.254.0/24
        right=%any
        rightauth=pubkey
        rightauth2=eap-md5
        auto=add

The important bit is rightauth2 which configures a second authentication
round using EAP after doing a first round with certificate authentication.

You can simplify the whole config by putting the shared options in a
single section and using the also keyword:

conn rw-base
        left=172.16.254.200
        leftsubnet=0.0.0.0/0
        leftcert=pi-peer.der
        leftid=my-fqdn.example.com
        rightsourceip=172.16.254.0/24
        right=%any

conn rw-cert
        also=rw-base
        auto=add

conn rw-eap
        also=rw-base
        rightauth=eap-md5
        rightsendcert=never
        auto=add

conn rw-cert-eap
        also=rw-base
        rightauth2=eap-md5
        auto=add

'pubkey' is the default so rightauth does not have to be specified
explicitly.

Regards,
Tobias

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
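To see what the also= inheritance above actually yields per conn, here is a small added example (not strongSwan code, and not from the thread) that models a simplified ipsec.conf: conn sections, key=value lines, also= includes with the including section's own keys taking precedence (an assumption of this model), and pubkey as the default rightauth. It reports the responder-side authentication rounds that rightauth/rightauth2 produce; the sample config is constructed from the mail.

```python
# Added example (not strongSwan code): a simplified model of ipsec.conf
# 'also=' inheritance reporting each conn's effective responder
# authentication rounds (rightauth / rightauth2). Sample config constructed.
IPSEC_CONF = """
conn rw-base
        left=172.16.254.200
        leftcert=pi-peer.der
        right=%any

conn rw-eap
        also=rw-base
        rightauth=eap-md5
        auto=add

conn rw-cert-eap
        also=rw-base
        rightauth2=eap-md5
        auto=add
"""
DEFAULTS = {"rightauth": "pubkey"}  # pubkey applies when rightauth is unset

def parse_conns(text):
    """Return {conn name: [(key, value), ...]} in file order."""
    conns, current = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = line.split()[1]
            conns[current] = []
        elif line.strip() and current is not None:
            key, _, value = line.strip().partition("=")
            conns[current].append((key.strip(), value.strip()))
    return conns

def resolve(conns, name, seen=()):
    """Included sections first, own keys override, defaults fill the rest."""
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    eff = {}
    for key, value in conns[name]:
        if key == "also":
            eff.update(resolve(conns, value, seen + (name,)))
    eff.update((k, v) for k, v in conns[name] if k != "also")
    return {**DEFAULTS, **eff}

def auth_rounds(conns, name):
    """Responder-side authentication rounds in order (one or two)."""
    eff = resolve(conns, name)
    return [eff["rightauth"]] + ([eff["rightauth2"]] if "rightauth2" in eff else [])
```

Running auth_rounds on rw-cert-eap gives ["pubkey", "eap-md5"], i.e. certificate first and EAP second, while rw-eap gives a single ["eap-md5"] round.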