Hi,

> What I want is to use 2 factor authentication - clients without a
> valid certificate should not be able to authenticate even if they know the
> password, and clients with a valid certificate should be prompted for a
> password when trying to connect.

With IKEv2, you then need multiple authentication exchanges, as defined by RFC 4739. Take a look at the multi-auth-rsa-eap-sim-id scenario; you'd use public key authentication in the first round, and eap-md5 in the second round.

> 1. Use NetworkManager which can prompt for a password

With the NetworkManager frontend you can do EAP authentication, but not RSA+EAP client authentication.

> The second option didn't work as ipsec stroke command on my machine
> doesn't have user-creds subcommand. This might be because I use
> strongSwan 4.x.

You can also try to set %prompt in ipsec.secrets for your EAP password, and then use "ipsec secrets" to prompt for the password. Not sure if that works for your scenario, and it caches the password in the daemon as well.

Alternatively, you might take a look at charon-cmd [1]. It works independently of any ipsec.conf/ipsec.secrets, supports public key + EAP authentication since 5.1.0 and always prompts for the EAP password on console.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Charon-cmd
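The two-round setup the reply describes, written out as ipsec.conf/ipsec.secrets fragments. This is an added illustration, not configuration from the thread or from the strongSwan test suite; host names, identities, file names and the password are made up. The gateway side is what enforces the policy: `rightauth=pubkey` makes the client's certificate the first authentication round and `rightauth2=eap-md5` makes the password a mandatory second round (RFC 4739). Leaving `rightauth2` out would let a certificate holder in without any password, which is exactly the weak setting to avoid; the client's `rightauth=pubkey` is equally important, because the client must verify the gateway certificate before it sends an EAP response into the tunnel.

```ini
# --- gateway: /etc/ipsec.conf (hypothetical names) ---
config setup

conn %default
        keyexchange=ikev2

conn rw
        left=%any
        leftid=@vpn.example.org
        leftcert=gatewayCert.pem
        leftauth=pubkey
        leftsubnet=10.1.0.0/16
        right=%any
        # round 1: client must present a certificate our CA trusts
        rightauth=pubkey
        # round 2: client must additionally pass EAP-MD5 with a password
        rightauth2=eap-md5
        # take the EAP identity from the EAP-Identity exchange, not from rightid
        eap_identity=%identity
        auto=add

# --- gateway: /etc/ipsec.secrets ---
# : RSA gatewayKey.pem
# carol : EAP "Ar3etTnp"

# --- client (charon with ipsec.conf): /etc/ipsec.conf ---
conn home
        keyexchange=ikev2
        left=%defaultroute
        leftid=carol@example.org
        leftcert=carolCert.pem
        leftauth=pubkey
        leftauth2=eap
        eap_identity=carol
        right=vpn.example.org
        rightid=@vpn.example.org
        # verify the gateway certificate before any EAP round runs
        rightauth=pubkey
        rightsubnet=10.1.0.0/16
        auto=add

# --- client: /etc/ipsec.secrets ---
# : RSA carolKey.pem
# the %prompt variant from the reply: "ipsec secrets" asks for the password
# and the daemon caches it afterwards
# carol : EAP %prompt
```

With the charon-cmd route from the reply, the client needs no ipsec.conf at all; as far as I recall its options from the charon-cmd man page (verify against `charon-cmd --help` on your version), the equivalent invocation is `charon-cmd --host vpn.example.org --identity carol@example.org --cert carolCert.pem --rsa carolKey.pem --eap-identity carol --profile ikev2-pub-eap`, which prompts for the EAP password on the console each time rather than caching it in the daemon.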
