Curiously, if eap-user1 is at the end of the list, it authenticates correctly, but not if first or second in the list.
From: bls s <[email protected]>
Sent: Tuesday, November 28, 2017 4:43 PM
To: [email protected]
Subject: [strongSwan] swanctl.conf EAP credential information

I’m switching over from using IPsec.conf to charon-systemd. Everything is working for the first user, but I have run into a strange issue (or a dumb user error!) with the ‘secrets’ section when trying to implement multiple eap passwords.

If my secrets section has only one eap id/password in it, the client authenticates correctly. But, if the secrets section has more than one eap id/password in it, the MSCHAPv2 authentication fails.

Here’s the failing configuration. If I remove the 2nd and 3rd entries, user1 works correctly. However, using the full secrets section below, user1 fails to authenticate.

    connections {
        ikev2-eap-mschapv2 {
            version = 2
            # proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
            proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
            rekey_time = 0s
            pools = primary-pool-ipv4
            fragmentation = yes
            dpd_delay = 30s
            mobike = yes
            local-1 {
                certs = strongswanCert.pem
                id = serverid1
                auth = psk
            }
            remote-1 {
                auth = eap-mschapv2
                id = clientid1
                eap_id = %any
            }
            children {
                ikev2-eap-mschapv2 {
                    local_ts = 0.0.0.0/0
                    rekey_time = 0s
                    dpd_action = clear
                    # esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                    esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
                    # updown = /libexec/ipsec/_updown iptables
                }
            }
        }
        ikev2-pubkey {
            version = 2
            proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
            rekey_time = 0s
            pools = primary-pool-ipv4
            fragmentation = yes
            dpd_delay = 30s
            local-1 {
                certs = vpnHostCert.pem
                id = server1
            }
            remote-1 {
                # defaults are fine
            }
            children {
                ikev2-pubkey {
                    local_ts = 0.0.0.0/0
                    rekey_time = 0s
                    dpd_action = clear
                    esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
                }
            }
        }
    }
    pools {
        primary-pool-ipv4 {
            addrs = 10.92.10.0/24
            dns = 192.168.92.3, 8.8.8.8
        }
    }
    secrets {
        ike-psk {
            secret=somepsk
        }
        [email protected] {
            id = [email protected]
            secret=secret1
        }
        [email protected] {
            id = [email protected]
            secret=secret2
        }
        [email protected] {
            id = [email protected]
            secret=secret3
        }
    }
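When several EAP entries coexist in a swanctl.conf secrets section, the first thing to check is which entries the daemon could consider for the EAP identity the client actually sends. The script below is an added example, not part of this thread or of strongSwan's own code: it parses a constructed secrets section in the same syntax as the one posted and lists the candidate entries per identity. The sample section names, identities and passwords are placeholders, and the ranking (exact id, then `*` wildcard id, then entries with no id key) is an assumption that approximates strongSwan's identity matching rather than reproducing it.

```python
import fnmatch
import re

# Constructed swanctl.conf-style secrets section modelled on the post's;
# section names, identities and secrets are placeholders, not the poster's.
SECRETS_TEXT = """
secrets {
    ike-psk { secret=somepsk }
    eap-user1 { id = user1@example.com secret=secret1 }
    eap-user2 { id = user2@example.com secret=secret2 }
    eap-any { secret = fallback }
}
"""
TOKEN = re.compile(r'\{|\}|=|[^\s{}=]+')

def _parse(tokens, i):
    """Recursive-descent parse of 'key = value' / 'key { ... }' into dicts."""
    node = {}
    while i < len(tokens):
        key = tokens[i]
        if key == '}':
            return node, i + 1
        if tokens[i + 1] == '{':
            node[key], i = _parse(tokens, i + 2)
        elif tokens[i + 1] == '=':  # single-token values only
            node[key], i = tokens[i + 2], i + 3
        else:
            raise ValueError('unexpected token %r' % tokens[i + 1])
    return node, i

def parse_secrets(text):
    """Return the sections inside 'secrets' as {name: {key: value}}."""
    return _parse(TOKEN.findall(text), 0)[0]['secrets']

def matching_entries(secrets, identity):
    """EAP secret sections usable for an EAP identity, best match first:
    rank 0 exact id, 1 '*' wildcard id, 2 no id key (usable for anyone).
    Assumed approximation of strongSwan's matching, not its actual code."""
    ranked = []
    for name, keys in secrets.items():
        if not name.startswith('eap'):  # only eap* sections hold EAP secrets
            continue
        ids = [v for k, v in keys.items() if re.fullmatch(r'id\d*', k)]  # id, id1, id2...
        if not ids:
            ranked.append((2, name))
        elif identity in ids:
            ranked.append((0, name))
        elif any(fnmatch.fnmatchcase(identity, p) for p in ids if '*' in p):
            ranked.append((1, name))
    return [name for _, name in sorted(ranked)]
SECRETS = parse_secrets(SECRETS_TEXT)
```

Run `matching_entries(SECRETS, identity)` with the EAP identity taken from the charon log for the failing client; an empty list or several equally ranked entries is the first thing to look into.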
