IPsec not looking to alternate databases for authentication



  • I am hoping someone knows what is going on here.

    I have an IPsec mobile client configuration. I am using IKEv2 for the protocol and EAP-MSChapV2 as the authentication method.

    I wanted to use AD as my authentication backend so I setup a connection to my AD server and tested it with the diag tools. Everything came back as expected and I am able to use my AD credentials to login to the webGUI.

    I changed the mobile client authentication database over to AD and removed all existing EAP keys from the VPN config. No matter what I do my client (windows 10) come back saying that my password is no good. However if I add an EAP key to the local configuration with a different password for testing reasons the client connects using that password with no trouble.

    Based on that I am pretty sure the IPsec server is not even talking to AD and instead is just using the local database no matter what the option is set to.

    Has anyone else had this problem? I am currently running the 2.3-BETA but I have also seen this issue on the 2.2.6-RELEASE.

    It's not massively urgent or anything but I really need a clue on this if someone knows something.

    If it's a bug, is there anyway to override where StrongSwan authenticates from?



  • That's just the nature of how it works at the moment for EAP-MSChapV2.



  • I don't follow. Where is the problem? StrongSwan or pfSense?
    Is there anyway to patchwork something together? Assuming it will be resolved in the upcoming version.



  • AFAIK, strongswan doesn't support any alternatives for auth for that type at this time.
    https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig

    EAP-RADIUS is probably a better choice with AD.


Log in to reply