Hi Christian,

> Nevertheless, by removing: `eap_identity` I got the same result.

You might need it, but that depends on the client.

> On basis, I wanted to use StrongSwan as simple as possible without
> certificates CA.

That probably won't work as authenticating clients with EAP requires authenticating the server with a certificate to be standard-compliant (RFC 7296, section 2.16). strongSwan can be configured to combine EAP with PSK authentication. But that's not recommended, as anybody knowing it could impersonate the server, and most other implementations probably don't support this combination.

Using EAP-only authentication is also possible, if supported by the peer, but that calls for a strong mutual EAP method like EAP-TLS (EAP-MSCHAPv2 is not one).

> Does that mean that in any case, you have to set-up a CA in order to
> use strongSwan ?
> Even with a VPN IKEv2 with preshared Key ?

No. If the client supports it you could, of course, use plain PSK authentication (i.e. without EAP). Even though it's not recommended for larger roadwarrior deployments (again, anybody knowing the PSK could impersonate the server).

Setting up a simple PKI (one CA certificate, one server certificate) is quite easy (see previous link). You could also use a free certificate from Let's Encrypt or StartSSL, which your client might already trust, which would relieve you from having to install your own CA certificate on the clients.

Regards,
Tobias
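
The standard-compliant combination described in the reply above (server authenticated with a certificate, clients with EAP-MSCHAPv2), written out as an added configuration example that is not part of the original message. The host name, file names, address pool and user entry are constructed placeholders, and the layout assumes the legacy `ipsec.conf`/`ipsec.secrets` interface that the `eap_identity` option belongs to.

```conf
# /etc/ipsec.conf (example values, not from the thread)
conn rw-eap
    keyexchange=ikev2
    # Server side: authenticate with a certificate, as RFC 7296
    # section 2.16 expects when the client authenticates with EAP.
    left=%any
    leftauth=pubkey
    leftcert=serverCert.pem        # placeholder file name
    leftid=@vpn.example.org        # placeholder; must match the certificate
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # Client side: username/password via EAP-MSCHAPv2.
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%any              # ask the client for its EAP identity
    rightsourceip=10.10.10.0/24    # placeholder virtual IP pool
    auto=add

# The combination the reply advises against would replace the server
# authentication above with a shared secret:
#     leftauth=psk
# Every client then holds the secret that proves the server's identity,
# so any of them could impersonate the server.

# /etc/ipsec.secrets (example values, not from the thread)
# Private key matching serverCert.pem:
: RSA serverKey.pem
# One EAP credential per user (constructed entry):
alice : EAP "replace-with-a-long-random-password"
```

The client has to trust the CA that issued the server certificate, either because the CA certificate was installed on it or because the certificate comes from a CA it already trusts.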
