[Swan] additional authentication, like LDAP, Kerberos, RADIUS on tunnels

Michael Schwartzkopff ms at sys4.de
Thu Sep 15 22:31:47 EEST 2022

On 15.09.22 21:28, Paul Wouters wrote:
> For IKEv2 that would go via EAP.
> Currently, only EAPTLS is implemented. You are looking at EAP-mschapv2. We don’t support that yet. I know strongswan does support it.

strongswan supports all kind of EAP. Basically the VPN server only 
passes the EAP packets on to the RADIUS server. And FreeRADIUS supports 
all (!) EAP types.

For strongswan examples with EAP and RADIUS see: 

> Paul
> ps. Patches or other support always welcomed 😀
> Sent using a virtual keyboard on a phone
>> On Sep 15, 2022, at 13:44, Brendan Kearney <bpk678 at gmail.com> wrote:
>> list members,
>> IKEv1 could employ L2TP and PPP to authenticate a user on one end of a tunnel against RADIUS, for additional security.  i am not seeing any info about IKEv2 being able to do so, and i may have come across write ups saying not to use L2TP at all with IKEv2.
>> is there a way to tie other authentication and authorization (AuthN/Z) mechanisms and policies to a IKEv2 tunnel for road warriors?  i see PSK and certificates as "host" based AuthN, and not specifically identifying a user.   i would want a tunnel to require (PSK || Certificate) + (User/Pass && Group Membership) in order to successfully connect.  is there any way of accomplishing this with IKEv2?
>> thank you,
>> brendan
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

Mit freundlichen Grüßen,


[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein

More information about the Swan mailing list