Hi,

> is there any possibility to authenticate IPSec pre-shared keys (PSK)
> not from ipsec.secrets.

As IKE PSK authentication has security implications and is not recommended for larger deployments, we don't provide any backend for preshared keys beyond ipsec.secrets or swanctl.conf. However, you may implement your own plugin that returns preshared keys from a custom source for authentication.

Usually you'd use EAP that allows you to forward user authentication to your AAA backend using the eap-radius plugin [1].

> It would be great for me to build some logic on radius server with
> traditional start/stop/alive events..

Such events can be realized using the accounting functionality in the eap-radius plugin. Even if you do authentication by other means, strongSwan can send such information to your AAA backend over RADIUS.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
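The setup suggested in the reply above, sketched as an added configuration example that is not part of the original message or taken from the strongSwan project: EAP authentication forwarded to a RADIUS server, with accounting enabled so the AAA backend receives start, stop and interim ("alive") records. The server address, shared secret, connection name, identities and certificate file name are placeholders chosen for illustration.

```conf
# strongswan.conf fragment (added example; all values are placeholders)
charon {
  plugins {
    eap-radius {
      # Send Accounting-Start/Stop for each IKE_SA to the RADIUS server
      accounting = yes
      # Interim ("alive") updates every 300 seconds unless the server
      # sets its own interval in the Access-Accept
      accounting_interval = 300
      servers {
        aaa-primary {
          address = 192.0.2.10          # documentation address, replace
          secret = CHANGE-ME-RADIUS-SECRET
          auth_port = 1812
          acct_port = 1813
        }
      }
    }
  }
}

# swanctl.conf fragment (added example; names are hypothetical)
connections {
  rw-eap {
    local {
      # The gateway proves its identity with a certificate, so no PSK
      # is shared between clients
      auth = pubkey
      certs = gateway-cert.pem
      id = vpn.example.org
    }
    remote {
      # Client credentials are checked by the RADIUS server, not locally
      auth = eap-radius
      eap_id = %any
    }
    children {
      net {
        local_ts = 0.0.0.0/0
      }
    }
  }
}
```

With this split the only long-lived shared secret is the one between the gateway and the RADIUS server; per-user credentials stay in the AAA backend and can be revoked there individually.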
