[strongSwan] EAP-MSCHAPv2 via NetworkManager Strongswan plugin
Alexander Kurakin
2018-10-28 22:43:16 UTC
Good day!

How do I set

leftauth=eap-mschapv2

via NetworkManager Strongswan plugin?

Thanks!
--
Alexander
Tobias Brunner
2018-11-05 13:41:31 UTC
Hi Alexander,
Post by Alexander Kurakin
> How do I set
> leftauth=eap-mschapv2
> via NetworkManager Strongswan plugin?
Just select "EAP" in the GUI and make sure the eap-mschapv2 plugin is
loaded by charon-nm (plus probably the eap-identity plugin). The actual
EAP method is requested by the server (the client responds with an
EAP-Nak if it doesn't support the requested method).

Regards,
Tobias
Alexander Kurakin
2018-11-05 16:49:59 UTC
Tobias,

Big thanks for your reply. I'd be very pleased if you would have a look at why it doesn't work for me.

Via NetworkManager-Strongswan (doesn't work): https://gist.github.com/kuraga/18bb0b6746acc958de343cfa9ba8ce4f

Without NetworkManager (works): https://gist.github.com/kuraga/535c803855a4b159796840c0736d2e02

(I follow strictly https://nordvpn.com/ru/tutorials/linux/ikev2ipsec/ but the only place they differ I think is "leftauth=eap-mschapv2".)

Th
Tobias Brunner
2018-11-06 08:14:42 UTC
Hi Alexander,
Post by Alexander Kurakin
> (I follow strictly https://nordvpn.com/ru/tutorials/linux/ikev2ipsec/ but the only place they differ I think is "leftauth=eap-mschapv2".)
No, that's not it, the authentication works fine (albeit with EAP-MD5).
Post by Alexander Kurakin
> Nov 5 18:59:40 node-calculate2 charon-nm[16720]: 13[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
Which makes the difference in the config `leftsourceip=%config`, that
is, you forgot to check the "Request an inner IP address" option in the
NetworkManager plugin.

Regards,
Tobias
Alexander Kurakin
2018-11-06 08:34:29 UTC
Really!

Thanks very much!
--
Alexander Kurakin