Hi colleagues,

is there a way to use different configs for different EAP ids when using
eap_radius?

In order to assign different if_id_in/out, I'm trying to do the following:

connections {
   ikev2-eap {
      remote {
         auth = eap_radius
         id = %any
         eap_id = %any
      }
      children {
         child {
            if_id_in = 1
            if_id_out = 1
         }
      }
   }

   ikev2-eap-xfrm2 {
      remote {
         auth = eap_radius
         id = %any
         eap_id = [email protected]
      }
      children {
         child {
            if_id_in = 2
            if_id_out = 2
            updown = /etc/swanctl/bin/updown
         }
      }
   }
}

but strongSwan matches by 'remote_id' (which is 'ID_IPV4_ADDR' and makes
no sense for roadwarriors) and does not choose the more specific one:

charon-systemd[7903]: looking for peer configs matching server_ip[%any]...remote_ip[192.0.2.225]
strongswan: 15[CFG] <3> peer config "ikev2-eap", ike match: 1052 (server_ip...%any IKEv2)
strongswan: 15[CFG] <3>   local id match: 1 (ID_ANY: )
strongswan: 15[CFG] <3>   remote id match: 1 (ID_IPV4_ADDR: c0:00:02:e1)
strongswan: 15[CFG] <3>   candidate "ikev2-eap", match: 1/1/1052 (me/other/ike)
strongswan: 15[CFG] <3> peer config "ikev2-eap-xfrm2", ike match: 1052 (server_ip...%any IKEv2)
strongswan: 15[CFG] <3>   local id match: 1 (ID_ANY: )
strongswan: 15[CFG] <3>   remote id match: 0 (ID_IPV4_ADDR: c0:00:02:e1)
strongswan: 15[CFG] <ikev2-eap|3> selected peer config 'ikev2-eap'
charon-systemd[7903]: selected peer config 'ikev2-eap'
charon-systemd[7903]: initiating EAP_IDENTITY method (id 0x00)
charon-systemd[7903]: generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
charon-systemd[7903]: parsed IKE_AUTH request 2 [ EAP/RES/ID ]
charon-systemd[7903]: received EAP identity '[email protected]'

completely ignoring the eap_id statement in the 'remote' section.

So, the question: is there a way to match connections by different EAP ids
when using eap_radius?

Thank you.

--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison
