Hello there,

I don't know about the macOS client, but surely the Windows native client will not work.

Here is an example configuration, PSK + eap-mschapv2 with RADIUS. This works with the iOS native client.

---

vpn-pskeap {
    local_addrs = $$locaip
    local {
        auth = psk
        id = $$leftid
    }
    remote {
        auth = eap-radius
    }
    children {
        updown = /usr/lib/ipsec/_updown iptables
        esp_proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024
        dpd_action = clear
        close_action = clear
        ike_lifetime = 45m
        ipcomp = yes
        vpn-pskeap {
            local_ts = 0.0.0.0/0
        }
    }
    version = 2
    proposals = aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024
    mobike = yes
    fragmentation = yes
    encap = yes
    dpd_timeout = 60
    dpd_delay = 25
    unique = never
    pools = radius
}

On 17 July 2018 at 19:05, Christian Salway <christian.sal...@naimuri.com> wrote:

> Hello,
>
> To quote your page [1] "With IKEv2 it is possible to use multiple
> authentication rounds", could this be PSK and eap-mschapv2 and do you have
> a configuration that would match that method? My current configuration
> looks like the below.
>
> The clients are OSX and Windows native clients so I am curious if it will
> work.
>
> connections {
>   radius {
>     version = 2
>     send_cert = always
>     encap = yes
>     pools = pool1
>     unique = replace
>     proposals = aes256-sha256-prfsha256-ecp256-modp2048
>     local {
>       # the id must be contained in the certificate, either as subject or as subjectAltName.
>       id = ${FQDN}
>       certs = cert.pem
>     }
>     remote {
>       auth = eap-radius
>       eap_id = %any
>     }
>     children {
>       child_sa_1 {
>         #esp_proposals =
>         local_ts = ${LOCALCIDR}
>       }
>     }
>   }
> }
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IntroductiontostrongSwan#Authentication-Basics
>
> Kind regards,
>
> *Christian Salway*
> IT Consultant - *Naimuri*
>
> T: +44 7463 331432
> E: christian.sal...@naimuri.com
> A: Naimuri Ltd, Capstan House, Manchester M50 2UW
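
An added example, not part of either message and not strongSwan code: a small Python linter for swanctl.conf-style nesting, run over an abbreviated, constructed copy of the configuration in the reply above. It flags settings written directly under `children` (swanctl.conf documents child options under a named child, `connections.<conn>.children.<child>.<option>`) and proposals offering MODP groups of 1024 bits or less, which RFC 8247 discourages. The names `parse`, `lint` and `WEAK_DH` are this example's own, and the grammar it accepts is a simplification.

```python
import re

# Constructed sample: abbreviated from the configuration in the reply above.
SAMPLE = """
vpn-pskeap {
    local { auth = psk }
    remote { auth = eap-radius }
    children {
        esp_proposals = aes128-aes256-sha1-sha256-ecp256-modp2048-modp1024
        dpd_action = clear
        vpn-pskeap { local_ts = 0.0.0.0/0 }
    }
    proposals = aes128-aes256-sha1-sha256-ecp256-modp2048-modp1024
}
"""

# Simplified grammar: "key = value", "name {" or "}"; no quoting or includes.
TOKEN = re.compile(r"([^\s{}=]+)[ \t]*=[ \t]*([^\n{}]*)|([^\s{}=]+)\s*\{|(\})")
WEAK_DH = {"modp768", "modp1024"}  # assumption: this example's own deny-list

def parse(text):
    """Return (section_path, key, value) for every setting in the text."""
    path, settings = [], []
    for m in TOKEN.finditer(re.sub(r"#[^\n]*", "", text)):
        key, value, section, close = m.groups()
        if section:
            path.append(section)
        elif close:
            path.pop()
        else:
            settings.append((tuple(path), key, value.strip()))
    return settings

def lint(text):
    """Flag settings sitting directly in "children" and weak DH groups."""
    findings = []
    for path, key, value in parse(text):
        where = ".".join(path + (key,))
        if path[-1:] == ("children",):
            findings.append(("misplaced", where, "not inside a named child"))
        if key in ("proposals", "esp_proposals"):
            for proposal in value.split(","):
                weak = sorted(WEAK_DH & set(proposal.strip().split("-")))
                if weak:
                    findings.append(("weak-dh", where, ",".join(weak)))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```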