Hi, Please provide a log file created with the logger configuration from the HelpRequests[1] page and the output of `swanctl --stats`.
Kind regards Noel [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests On 29.11.2017 19:27, bls s wrote: > > Curiously, if eap-user1 is at the end of the list, it authenticates > correctly, but not if first or second in the list. > > > > *From: *bls s <mailto:[email protected]> > *Sent: *Tuesday, November 28, 2017 4:43 PM > *To: *[email protected] <mailto:[email protected]> > *Subject: *[strongSwan] swanctl.conf EAP credential information > > > > I’m switching over from using IPsec.conf to charon-systemd. Everything is > working for the first user, but I have run into a strange issue (or a dumb > user error!) with the ‘secrets’ section when trying to implement multiple eap > passwords. > > > > If my secrets section has only one eap id/password in it, the client > authenticates correctly. But, if the secrets section has more than one eap > id/password in it, the MSCHAPv2 authentication fails. > > > > Here’s the failing configuration. If I remove the 2^nd and 3^rd entries, > user1 works correctly. However, using the full secrets section below, user1 > fails to authenticate. > > > > connections { > > > > ikev2-eap-mschapv2 { > > version = 2 > > # proposals = > aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default > > proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default > > rekey_time = 0s > > pools = primary-pool-ipv4 > > fragmentation = yes > > dpd_delay = 30s > > mobike = yes > > > > local-1 { > > certs = strongswanCert.pem > > id = serverid1 > > auth = psk > > } > > > > remote-1 { > > auth = eap-mschapv2 > > id = clientid1 > > eap_id = %any > > } > > > > children { > > ikev2-eap-mschapv2 { > > local_ts = 0.0.0.0/0 > > rekey_time = 0s > > dpd_action = clear > > # esp_proposals = > aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default > > esp_proposals = > aes256-sha1-modp1024,aes192-sha256-modp3072,default > > # updown = /libexec/ipsec/_updown iptables > > } > > } > > } > > ikev2-pubkey { > > version = 2 > > proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default > > rekey_time = 0s > > pools = primary-pool-ipv4 > > fragmentation = yes > > dpd_delay = 30s > > > > local-1 { > > certs = vpnHostCert.pem > > id = server1 > > } > > > > remote-1 { # defaults are fine > > } > > > > children { > > ikev2-pubkey { > > local_ts = 0.0.0.0/0 > > rekey_time = 0s > > dpd_action = clear > > esp_proposals = > aes256-sha1-modp1024,aes192-sha256-modp3072,default > > } > > } > > } > > } > > pools { > > primary-pool-ipv4 { > > addrs = 10.92.10.0/24 > > dns = 192.168.92.3, 8.8.8.8 > > } > > } > > > > secrets { > > ike-psk { > > secret=somepsk > > } > > [email protected] <mailto:[email protected]> { > > id = [email protected] > > secret=secret1 > > } > > [email protected] <mailto:[email protected]> { > > id = [email protected] > > secret=secret2 > > } > > [email protected] <mailto:[email protected]> { > > id = [email protected] > > secret=secret3 > > } > > > > >
signature.asc
Description: OpenPGP digital signature
