I'm trying to set up a host-host configuration using strongSwan. I did manage to set it up using certificates and now I wish to set it up using certificates + EAP authentication.
I mixed this configuration: http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-rsa/ with my previous certificate configuration and connected successfully. However, this configuration requires that the client save the password locally.

What I want is to use 2 factor authentication - clients without a valid certificate should not be able to authenticate even if they know the password, and clients with a valid certificate should be prompted for a password when trying to connect.

If I understand correctly, my options are:

1. Use NetworkManager, which can prompt for a password
2. Use md5-id-prompt

I don't want to be bound to NetworkManager if I don't have to. The second option didn't work, as the ipsec stroke command on my machine doesn't have a user-creds subcommand. This might be because I use strongSwan 4.x. Even if it did work, there are two major problems with this:

1. The password has to be entered on the command line instead of being interactively prompted by ipsec, which is a bad security practice.
2. If I understand correctly, once the password has been entered the ipsec daemon will remember it until it's restarted, instead of prompting for it on each connection.

Is there any way to accomplish my goal without using NetworkManager?
