On April 9, 2026 3:31:16 PM GMT+02:00, Alex Mihajlov <alex@alexmihajlov.ru> wrote:
>On 09/04/2026, Tobias Heider wrote:
>> On Thu, Apr 09, 2026 at 12:20:05AM +0300, Alex Mihajlov wrote:
>> > On 08/04/2026, Tobias Heider wrote:
>> > >
>> You can simply put multiple ikev2 blocks into your server iked.conf.
>> It could look sth like:
>>
>> user 'user' 'password'
>> ikev2 'responder_eap' passive esp \
>>     from any to dynamic \
>>     local X.X.X.X peer any \
>>     srcid server1-eap \
>>     eap "mschap-v2" \
>>     config address 10.0.5.0/24 \
>>     config name-server 192.0.2.1
>>
>> ikev2 'responder_psk' passive esp \
>>     from any to dynamic \
>>     local X.X.X.X peer any \
>>     srcid server1-psk \
>>     psk preshared123! \
>>     config address 10.0.5.0/24 \
>>     config name-server 192.0.2.1
>
>Thanks for your attention!
>I tried using a similar configuration:
>
>ikev2 'responder_eap' passive ipcomp esp \
>     from 0.0.0.0/0 to dynamic \
>     peer any \
>     srcid myhostname.org \
>     eap "mschap-v2" \
>     config address 172.24.24.0/24 \
>     config name-server 172.24.24.1 \
>     tag "$name-$id" tap enc0
>
>ikev2 'responder_rsa' passive esp \
>     from 0.0.0.0/0 to dynamic \
>     peer any \
>     srcid myhostname.org \
>     config address 172.24.24.0/24 \
>     config name-server 172.24.24.1 \
>     tag "ROADW"
>
>And when I added responder_rsa, all users,
>including those who were supposed to log in via mschap-v2,
>were caught by the responder_rsa policy and couldn't log in.
>
>They come from the internet, and I can't specify anything
>in the "from" parameter other than 0.0.0.0/0.
>What should I do to ensure that only users
>using rsa are included in responder_rsa?
>Should I specify a different srcid?
>

Yes, different IDs is what I would try.