> A conn section for combined certificate/EAP authentication should look
> something like this (using the above as template):
>
> conn rw-cert-eap
>     left=172.16.254.200
>     leftsubnet=0.0.0.0/0
>     leftcert=pi-peer.der
>     leftid=my-fqdn.example.com
>     rightsourceip=172.16.254.0/24
>     right=%any
>     rightauth=pubkey
>     rightauth2=eap-md5
>     auto=add
>
> The important bit is rightauth2 which configures a second authentication
> round using EAP after doing a first round with certificate authentication.
>
> You can simplify the whole config by putting the shared options in a
> single section and using the also keyword:
>
> conn rw-base
>     left=172.16.254.200
>     leftsubnet=0.0.0.0/0
>     leftcert=pi-peer.der
>     leftid=my-fqdn.example.com
>     rightsourceip=172.16.254.0/24
>     right=%any
>
> conn rw-cert
>     also=rw-base
>     auto=add
>
> conn rw-eap
>     also=rw-base
>     rightauth=eap-md5
>     rightsendcert=never
>     auto=add
>
> conn rw-cert-eap
>     also=rw-base
>     rightauth2=eap-md5
>     auto=add
>
> 'pubkey' is the default so rightauth does not have to be specified
> explicitly.
Tobias,

Thanks a lot for clearing that up for me. It was the implicit "rightauth" setting that I didn't realize I was using. Once I added rightauth2, it's of course working well.

I appreciate the help and the quick reply!

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
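The point of the thread is that a conn's effective authentication can hide behind an implicit default (rightauth=pubkey) and behind `also=` inheritance. The following script is an added example, not code from the thread or from the strongSwan project: a small ipsec.conf parser that expands `also=` includes and a `conn %default` section, then reports the remote authentication rounds each conn actually demands. The sample config is constructed from the layout in the quoted reply; the `conn %default` section with `keyexchange=ikev2` is an assumption added only to exercise default handling.

```python
"""Resolve effective strongSwan ipsec.conf conn settings and list auth rounds.

Added example, not part of the original mailing-list thread. Precedence
implemented: conn %default < sections pulled in via also= < the conn's own keys.
"""
from collections import OrderedDict

# Constructed sample based on the layout in the quoted reply; the %default
# section is an assumption added to exercise default handling.
SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ikev2

conn rw-base
    left=172.16.254.200
    leftsubnet=0.0.0.0/0
    leftcert=pi-peer.der
    leftid=my-fqdn.example.com
    rightsourceip=172.16.254.0/24
    right=%any

conn rw-cert
    also=rw-base
    auto=add

conn rw-eap
    also=rw-base
    rightauth=eap-md5
    rightsendcert=never
    auto=add

conn rw-cert-eap
    also=rw-base
    rightauth2=eap-md5
    auto=add
"""

SECTION_KINDS = ("conn", "ca", "config")


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} in file order.

    Parameters must be indented; '#' starts a comment. 'also=' may appear
    more than once per section, so it is collected into a list.
    """
    sections = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: a section header
            parts = line.split()
            if len(parts) != 2 or parts[0] not in SECTION_KINDS:
                raise ValueError(f"line {lineno}: bad section header {raw!r}")
            current = (parts[0], parts[1])
            sections[current] = OrderedDict()
            continue
        if current is None:
            raise ValueError(f"line {lineno}: parameter outside any section")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "also":
            sections[current].setdefault("also", []).append(value)
        else:
            sections[current][key] = value
    return sections


def resolve_conn(sections, name, _stack=()):
    """Effective settings of conn 'name', with also= cycles rejected."""
    if name in _stack:
        raise ValueError("also= cycle: " + " -> ".join(_stack + (name,)))
    own = sections.get(("conn", name))
    if own is None:
        raise KeyError(f"conn {name} is not defined")
    effective = OrderedDict()
    if name != "%default" and ("conn", "%default") in sections:
        effective.update(resolve_conn(sections, "%default", _stack + (name,)))
    for base in own.get("also", []):
        effective.update(resolve_conn(sections, base, _stack + (name,)))
    effective.update((k, v) for k, v in own.items() if k != "also")
    return effective


def remote_auth_rounds(effective):
    """Auth rounds required of the remote peer; rightauth defaults to pubkey."""
    rounds = [effective.get("rightauth", "pubkey")]
    if "rightauth2" in effective:
        rounds.append(effective["rightauth2"])
    return rounds


def audit(text):
    """Map every non-default conn to its remote authentication rounds."""
    sections = parse_ipsec_conf(text)
    return OrderedDict(
        (name, remote_auth_rounds(resolve_conn(sections, name)))
        for kind, name in sections
        if kind == "conn" and name != "%default"
    )


if __name__ == "__main__":
    for conn, rounds in audit(SAMPLE_IPSEC_CONF).items():
        print(f"{conn:12s} remote auth: {' then '.join(rounds)}")
```

Running it on the sample shows rw-cert requiring only the implicit pubkey round, rw-eap replacing that round with eap-md5, and rw-cert-eap requiring pubkey followed by eap-md5, which is the difference the thread turned on.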
