Hello, I have been using the Android strongSwan IKEv2 client (on an Android 5.1 Motorola E series 3G phone)...

- with FreeRADIUS server v3.x for AAA authentication of the VPN clients.
- strongSwan v5.5.1 is running on an Ubuntu 14.x LTS host.
- I also have some hosts on the LAN side of the VPN server to which the clients connect after the tunnel is up.

The usage topology/setup is as below:

(freeradius-server)----(lan)[Strongswan-server](wan)-----internet------[Android-Phone]

- I am using "rightauth=eap-radius" and "eap_identity=%any" always.
- I am also using "leftsendcert=always" and "rightsendcert=never" for all EAP-based server connection entries.

I have some queries on using the supported EAP methods on this client. The data/support info says this client supports EAP-MD5/EAP-MSCHAPv2/EAP-GTC/EAP-TLS (and there is also an EAP-TNC method, which seems to be EAP-TTLS as per the observations in the RADIUS server log traces).

Now in the strongSwan IKEv2 client menu the following are available for selection, and I tried each of them (my observations and queries are listed under each menu item):

1. IKEv2-EAP (username/password)
- Here there is NO client cert used; it only points to the imported CA cert (that signed the server cert).
- Username/password authenticated by the FreeRADIUS server.
- Tunnel is successfully established & UP.
- Observed that the client responds with EAP-MD5 as the method when queried by the server.
- My queries for this menu item are:
  a) How to enable/configure this client to send or use ONLY EAP-MSCHAPv2 as the method for user authentication?
  b) The same server connection entry is used for the Windows IKEv2 client, and there MSCHAPv2 is used and successfully authenticated by the same RADIUS server.
  c) So I am assuming here that we need to do something at the client end only.
  d) I am assuming, as per what I have read, that EAP-GTC requires a PEAP tunnel (to the RADIUS server)... so is this the menu where I can use PEAP WITH EAP-GTC?

3. IKEv2 Certificate + EAP (username/password)
- What exactly is this menu for? I mean, what type of IKEv2 authentication does this support?
- When I configure this menu selection, what should be the config on the server side?
- The requirement to mandatorily configure/select a client cert on this client + username/password makes it look like multi-authentication, and I therefore configured the below options on the strongSwan server:

-----------------
leftauth=pubkey, rightauth=pubkey
rightauth2=eap-radius
leftid=<vpnsrvgw1.test.net>
rightid=*@test.net
eap_identity=%any
------------------------

- And it worked very nicely... the tunnel is established successfully after the EAP-MD5 username auth was also validated by the RADIUS server.

Observation and query: this menu item can only be supported by a strongSwan server configured specifically with rightauth2... This method is NOT so prevalent or used in any other interoperable VPN servers as far as I know...

4. IKEv2 EAP-TNC (username/passwd)
- When I tried this with the standard server config for EAP-TLS, RADIUS was actually trying EAP-TTLS... or something like that; effectively this seems to work with EAP-TTLS. So what is the required configuration on the server to use this menu selection?

In summary, my main query (among other queries above) is how to configure the strongSwan server and this client to use EAP-GTC, using the RADIUS server for AAA.

Thanks & regards,
Rajiv
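As an added example (not from the original post or from the strongSwan/FreeRADIUS projects), the two gateway connection entries described above side by side, the strongSwan eap-radius plugin settings that relay the EAP exchange to FreeRADIUS, and the FreeRADIUS 3 eap module setting that decides which EAP method is offered to the client first; the eap-radius plugin only forwards EAP, so the method the Android client "responds with" is the one the RADIUS server proposes. The ids come from the post; the certificate file name, addresses, pool and shared secret are constructed placeholders.

```conf
# ipsec.conf on the strongSwan gateway (added example, not the poster's file)
conn %default
    keyexchange=ikev2
    leftid=vpnsrvgw1.test.net
    leftcert=vpnsrvgw1Cert.pem      # placeholder: server certificate file
    leftsubnet=0.0.0.0/0
    leftsendcert=always
    right=%any
    rightsendcert=never
    rightsourceip=10.10.10.0/24     # placeholder: virtual IP pool for clients
    eap_identity=%any
    auto=add

# Menu item 1 "IKEv2 EAP (username/password)": server proves itself with its
# certificate; the client is authenticated by EAP relayed to RADIUS.
conn ikev2-eap
    leftauth=pubkey
    rightauth=eap-radius

# Menu item 3 "IKEv2 Certificate + EAP": client certificate in the first
# authentication round, then a second round of EAP (IKEv2 multiple auth).
conn ikev2-cert-eap
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=eap-radius
    rightid=*@test.net

# strongswan.conf: the eap-radius plugin is a pass-through; it never picks
# the EAP method itself.
charon {
    plugins {
        eap-radius {
            server = 10.0.0.5          # placeholder: FreeRADIUS address
            secret = <shared-secret>   # placeholder: shared secret
        }
    }
}

# FreeRADIUS 3 mods-available/eap: the method offered first to the client.
# The shipped default is md5, which matches the EAP-MD5 seen in the post;
# set mschapv2 (or gtc) here to have that method offered instead.
eap {
    default_eap_type = mschapv2
    mschapv2 {
    }
    gtc {
        auth_type = PAP
    }
}
```

Both conn entries use the same FreeRADIUS server, so the method selected by default_eap_type applies to both menu items.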
