.br
The IKEv2 daemon currently supports ESP only.
.TP
-.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | never | xauthpsk | xauthrsasig"
how the two security gateways should authenticate each other;
acceptable values are
.B psk
and
.B xauthrsasig
that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
-based on shared secrets or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
+based on shared secrets or digital RSA signatures, respectively.
This parameter is deprecated for IKEv2 connections, as two peers do not need
to agree on an authentication method. Use the
.B leftauth
defines the timeout interval, after which a CHILD_SA is closed if it did
not send or receive any traffic. Currently supported in IKEv2 connections only.
.TP
-.BR eap " = md5 | mschapv2 | radius | ... | <type> | <type>-<vendor>
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B radius
-for the EAP-RADIUS proxy and
-.B sim
-for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
-.TP
.BR eap_identity " = <id>"
defines the identity the client uses to reply to a EAP Identity request.
If defined on the EAP server, the defined identity will be used as peer
.B eap,
an optional EAP method can be appended. Currently defined methods are
.BR eap-aka ,
+.BR eap-sim ,
.BR eap-gtc ,
.BR eap-md5 ,
.BR eap-tls ,
.B eap-mschapv2
and
-.BR eap-sim .
+.BR eap-radius .
Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
EAP methods are defined in the form
.B eap-type-vendor
{ ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool },
{ ARG_MISC, 0, NULL /* KW_AUTH */ },
{ ARG_MISC, 0, NULL /* KW_AUTHBY */ },
- { ARG_MISC, 0, NULL /* KW_EAP */ },
{ ARG_STR, offsetof(starter_conn_t, eap_identity), NULL },
{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL },
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
#include <freeswan.h>
-#include <eap/eap.h>
-
#include "../pluto/constants.h"
#include "../pluto/defs.h"
#include "../pluto/log.h"
{
conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
}
- else if (streq(value, "xauthpsk") || streq(value, "eap"))
+ else if (streq(value, "xauthpsk"))
{
conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
}
}
}
break;
- case KW_EAP:
- {
- char *sep;
-
- /* check for vendor-type format */
- sep = strchr(kw->value, '-');
- if (sep)
- {
- *(sep++) = '\0';
- conn->eap_type = atoi(kw->value);
- conn->eap_vendor = atoi(sep);
- if (conn->eap_type == 0 || conn->eap_vendor == 0)
- {
- plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- }
- break;
- }
- conn->eap_type = eap_type_from_string(kw->value);
- if (conn->eap_type == 0)
- {
- conn->eap_type = atoi(kw->value);
- if (conn->eap_type == 0)
- {
- plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- }
- }
- break;
- }
case KW_MARK:
if (!handle_mark(kw->value, &conn->mark_in))
{
starter_state_t state;
keyexchange_t keyexchange;
- u_int32_t eap_type;
- u_int32_t eap_vendor;
char *eap_identity;
char *aaa_identity;
char *xauth_identity;
KW_AGGRESSIVE,
KW_AUTH,
KW_AUTHBY,
- KW_EAP,
KW_EAP_IDENTITY,
KW_AAA_IDENTITY,
KW_MOBIKE,
keep_alive, KW_KEEP_ALIVE
force_keepalive, KW_FORCE_KEEPALIVE
virtual_private, KW_VIRTUAL_PRIVATE
-eap, KW_EAP
eap_identity, KW_EAP_IDENTITY
aaa_identity, KW_AAA_IDENTITY
mobike, KW_MOBIKE
msg.add_conn.name = push_string(&msg, name);
msg.add_conn.version = 2;
- msg.add_conn.auth_method = 2;
msg.add_conn.mode = 1;
msg.add_conn.mobike = 1;
msg.add_conn.dpd.action = 1;
struct {
char *name;
int version;
- /* next three are deprecated, use stroke_end_t.auth instead */
- int auth_method;
- u_int32_t eap_type;
- u_int32_t eap_vendor;
char *eap_identity;
char *aaa_identity;
char *xauth_identity;