[strongSwan] IKEv1 xauth-pam to IKEv2 eap-gtc?
John Mah
2015-11-09 02:03:12 UTC
We're in the process of migrating clients from IKEv1-based connections
to IKEv2-based connections.

The IKEv1 connections use pubkey & xauth-pam authentication:

conn iphone-ios8
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth-pam
    [...]

Is there a migration path for IKEv2 connections that makes sense? I see
there is an eap-gtc module that supports pam but it's not clear in the
documentation how to configure this to use a specific pam_service.

Any hints would be appreciated.

- John
Martin Willi
2015-11-09 06:48:09 UTC
Hi John,
Post by John Mah
Is there a migration path for IKEv2 connections that makes sense? I see
there is an eap-gtc module that supports pam but it's not clear in the
documentation how to configure this to use a specific pam_service.
EAP is probably the way to go if you want password authentication with
IKEv2. For PAM verification the server needs the clear text password,
which can be achieved with EAP-GTC. Unfortunately, not many third party
clients support it.

Since 5.0.1 the eap-gtc plugin uses IKEv1 XAuth backends for password
verification, see [1]. It defaults to xauth-pam, so you can continue
using your IKEv1 configuration in IKEv2.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapGtc
John Mah
2015-11-09 21:17:33 UTC
Post by Martin Willi
EAP is probably the way to go if you want password authentication with
IKEv2. For PAM verification the server needs the clear text password,
which can be achieved with EAP-GTC. Unfortunately, not many third party
clients support it.
Thanks for the response, Martin.

Does anyone know if any of the iOS implementations (racoon or the newer
iOS 9 agent) supports EAP-GTC? (Or should it matter?)

I tried a quick re-working of our configs with rightauth=pubkey &
rightauth2=eap-gtc sections, but it fails without calling any PAM modules
when authenticating an iOS 9.1 client:

1447103395 Nov 9 21:09:55 27[CFG] <iphone-ios8-ike-v2|7> selected peer
config 'iphone-ios8-ike-v2'
1447103395 Nov 9 21:09:55 27[IKE] <iphone-ios8-ike-v2|7> peer requested
EAP, config inacceptable
1447103395 Nov 9 21:09:55 27[CFG] <iphone-ios8-ike-v2|7> no alternative
config found

thanks,
- John
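The following configuration applies Martin's note (the eap-gtc plugin handing the password to the xauth-pam backend) to the IKEv1 conn from the first post; it is an added example, not anything posted in this thread. It assumes that in IKEv2 the EAP method is the client's first authentication round (rightauth rather than rightauth2, since an IKEv2 peer requesting EAP sends no AUTH payload in its first exchange), that the server authenticates with its certificate, and that the certificate file, server identity, address pool and PAM service name are placeholders.

```conf
# ipsec.conf (example): IKEv2 counterpart of the IKEv1 "iphone-ios8" conn.
# The server authenticates with its certificate; the client authenticates
# with EAP-GTC, whose clear-text password is verified by the xauth-pam backend.
conn iphone-ios-ikev2
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=serverCert.pem        # assumed certificate file name
    leftid=@vpn.example.com        # assumed server identity
    leftsubnet=0.0.0.0/0
    rightauth=eap-gtc              # EAP must be the peer's first auth round
    rightsourceip=10.10.10.0/24    # assumed client address pool
    eap_identity=%identity         # hand the IKEv2 identity to EAP / PAM
    auto=add

# strongswan.conf (example): choose the XAuth backend used by eap-gtc and the
# PAM service the xauth-pam plugin verifies credentials against.
charon {
    plugins {
        eap-gtc {
            backend = pam          # default; listed here to make the chain explicit
        }
        xauth-pam {
            pam_service = strongswan   # assumed: a service file at /etc/pam.d/strongswan
        }
    }
}
```

With this in place a successful client login should show the xauth-pam plugin in the charon log for the EAP round, which is the first thing to check if PAM is never invoked.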
