I have several connection setups for IKEv2 in ipsec.conf:

===============================
conn %default
    [...SKIPPED...]
    # right - remote (client) side
    right=%any
    rightsendcert=never
    rightsourceip=192.168.27.0/24,2001:19f0:5001:229c:dead::/96
    rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
    keyexchange=ikev2
    auto=add

conn ikev2-eap-tls
    also="ikev2-pubkey"
    rightauth=eap-tls
    eap_identity=%identity

conn ikev2-mschap
    also="ikev2-pubkey"
    rightauth=eap-mschapv2
    eap_identity=%identity

conn ikev1-xauth
    keyexchange=ikev1
    rightauth=xauth
    auto=add
===============================

Such a config is shown in many tutorials. Different auth schemes are needed for different clients.

But with this config I have a problem with Windows 10 clients: I want to use EAP-MSCHAPv2 for Windows clients (username/password auth, without client certs), but StrongSwan offers the FIRST (EAP-TLS) scheme to the Windows client and authentication fails, as Windows reports that it could not find a compatible auth scheme.

Is it possible to limit different schemes to different client types?

--
// Black Lion AKA Lev Serebryakov
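An added example, not part of the original post and not strongSwan code: a small lint that resolves `%default` and `also=` inheritance in an ipsec.conf and lists the conns that become identical once `rightauth` and `eap_identity` are ignored, which is the situation the post describes for `ikev2-eap-tls` and `ikev2-mschap`. The function names, the abridged sample and the merge order (own keys over the `also=` parent over `%default`) are assumptions of this sketch.

```python
from collections import defaultdict
# Constructed sample: the post's conns, abridged; the [...SKIPPED...] part is not filled in.
SAMPLE = """\
conn %default
    right=%any
conn ikev2-pubkey
    keyexchange=ikev2
    auto=add
conn ikev2-eap-tls
    also="ikev2-pubkey"
    rightauth=eap-tls
    eap_identity=%identity
conn ikev2-mschap
    also="ikev2-pubkey"
    rightauth=eap-mschapv2
    eap_identity=%identity
conn ikev1-xauth
    keyexchange=ikev1
    rightauth=xauth
    auto=add
"""

def parse(text):  # {conn name: {key: value}}; a line starting in column 0 opens a section
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.strip() and not line[0].isspace():
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif cur is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip().strip('"')
    return conns

def resolve(conns, name):  # assumed order: %default, then the also= parent, then own keys
    merged = dict(conns.get("%default", {}))
    if "also" in conns[name]:
        merged.update(resolve(conns, conns[name]["also"]))
    merged.update({k: v for k, v in conns[name].items() if k != "also"})
    return merged

def ambiguous(text, ignore=("rightauth", "eap_identity")):  # conns that differ only in auth
    conns, groups = parse(text), defaultdict(list)
    for name in conns:
        full = resolve(conns, name)
        if name != "%default" and full.get("auto", "ignore") != "ignore":
            key = frozenset((k, v) for k, v in full.items() if k not in ignore)
            groups[key].append((name, full.get("rightauth", "(unset)")))
    return [g for g in groups.values() if len(g) > 1]
```

Calling `ambiguous(SAMPLE)` returns one group holding `ikev2-pubkey`, `ikev2-eap-tls` and `ikev2-mschap`; `ikev1-xauth` is not in it because its `keyexchange` differs.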