It is currently not possible to connect VyOS as a client to a VPN server if the server uses EAP (MSCHAPv2) password authentication. Site-to-site peer connections do not support EAP authentication.
Description
Details
- Version
- 1.5
- Is it a breaking change?
- Unspecified (possibly destroys the router)
- Issue type
- Feature (new functionality)
@daniil Any idea for the CLI and what it should generate in strongswan.conf?
Which plugin should it use?
https://docs.strongswan.org/docs/5.9/plugins/plugins.html
- eap-dynamic Plugin
- eap-gtc Plugin
- eap-radius Plugin
- eap-simaka-sql Plugin
- eap-tls Plugin
Add more details or any other reference to strongSwan.
Example VyOS config:
ipsec {
    esp-group ESP-AES128-SHA1-TUNNEL {
        lifetime 3600
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes128gcm64
            hash sha1
        }
    }
    ike-group IKEV2-AES256-SHA1 {
        close-action none
        dead-peer-detection {
            action restart
            interval 15
            timeout 30
        }
        key-exchange ikev2
        lifetime 28800
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
    }
    site-to-site {
        peer PEERNAME {
            authentication {
                mode eap-mschapv2
                eap {
                    eap-id <username>
                    secret <password>
                }
            }
            connection-type initiate
            default-esp-group ESP-AES128-SHA1-TUNNEL
            ike-group IKEV2-AES256-SHA1
            local-address any
            remote-address vpn.example.com
        }
    }
}
Example output of swanctl.conf:
connections {
    PEERNAME {
        proposals = aes256-sha1-modp1024
        version = 2
        remote_addrs = "vpn.example.com"
        dpd_timeout = 120
        dpd_delay = 15
        rekey_time = 28800s
        mobike = yes
        keyingtries = 0
        vips = 0.0.0.0,::
        local {
            auth = eap-mschapv2
            eap_id = <username>
        }
        remote {
            auth = pubkey
            id = %any
        }
        children {
            PEERNAME {
                esp_proposals = aes128gcm64-sha1-modp1024
                life_time = 3600s
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = none
                replay_window = 32
            }
        }
    }
}
secrets {
    eap {
        id = "<username>"
        secret = "<password>"
    }
}
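As an added example (not VyOS or strongSwan code), the following Python sketch renders the two swanctl.conf pieces that the proposed `authentication mode eap-mschapv2` nodes above would produce: the `local`/`remote` auth blocks of the connection and the matching `secrets { eap { ... } }` entry. The node names mirror the proposed CLI; `PEER` is a constructed sample and `validate_eap` is a hypothetical helper that refuses to emit anything when `eap-id` or `secret` is missing.

```python
# Added example, not VyOS or strongSwan code. Renders the EAP-MSCHAPv2 client
# pieces of swanctl.conf from the proposed peer nodes. PEER is constructed.
PEER = {
    "name": "PEERNAME",
    "remote-address": "vpn.example.com",
    "authentication": {
        "mode": "eap-mschapv2",
        "eap": {"eap-id": "alice", "secret": "constructed-secret"},
    },
}


def validate_eap(auth: dict) -> dict:
    """Hypothetical guard: fail early instead of writing a half-configured peer."""
    if auth.get("mode") != "eap-mschapv2":
        raise ValueError(f"unsupported authentication mode: {auth.get('mode')}")
    eap = auth.get("eap") or {}
    missing = [k for k in ("eap-id", "secret") if not eap.get(k)]
    if missing:
        raise ValueError("eap-mschapv2 needs " + " and ".join(missing))
    return eap


def connection_auth(peer: dict) -> str:
    """local/remote blocks for the connection. Only the EAP identity is
    placed here; the password belongs exclusively in the secrets section."""
    eap = validate_eap(peer["authentication"])
    return (
        "local {\n"
        "    auth = eap-mschapv2\n"
        f"    eap_id = {eap['eap-id']}\n"
        "}\n"
        "remote {\n"
        "    auth = pubkey\n"
        "    id = %any\n"
        "}"
    )


def eap_secret(peer: dict) -> str:
    """secrets { eap { ... } } entry keyed by the same identity as above."""
    eap = validate_eap(peer["authentication"])
    return (
        "secrets {\n"
        "    eap {\n"
        f'        id = "{eap["eap-id"]}"\n'
        f'        secret = "{eap["secret"]}"\n'
        "    }\n"
        "}"
    )
```

The split between the two functions is the point: the connection block a `swanctl --list-conns` can display carries only the identity, while the password lives in the secrets section.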