Friday, April 10, 2026

Re: iked as a client

On 09/04/2026, Tobias Heider wrote:
> On Thu, Apr 09, 2026 at 12:20:05AM +0300, Alex Mihajlov wrote:
> > On 08/04/2026, Tobias Heider wrote:
> > >
>
> You can simply put multiple ikev2 blocks into your server iked.conf.
> It could look something like:
>
> user 'user' 'password'
> ikev2 'responder_eap' passive esp \
>         from any to dynamic \
>         local X.X.X.X peer any \
>         srcid server1-eap \
>         eap "mschap-v2" \
>         config address 10.0.5.0/24 \
>         config name-server 192.0.2.1
>
> ikev2 'responder_psk' passive esp \
>         from any to dynamic \
>         local X.X.X.X peer any \
>         srcid server1-psk \
>         psk preshared123! \
>         config address 10.0.5.0/24 \
>         config name-server 192.0.2.1

Thanks for your attention!

I tried using a similar configuration:

ikev2 'responder_eap' passive ipcomp esp \
        from 0.0.0.0/0 to dynamic \
        peer any \
        srcid myhostname.org \
        eap "mschap-v2" \
        config address 172.24.24.0/24 \
        config name-server 172.24.24.1 \
        tag "$name-$id" tap enc0

ikev2 'responder_rsa' passive esp \
        from 0.0.0.0/0 to dynamic \
        peer any \
        srcid myhostname.org \
        config address 172.24.24.0/24 \
        config name-server 172.24.24.1 \
        tag "ROADW"

And when I added responder_rsa, all users, including those who were supposed to log in via mschap-v2, were caught by the responder_rsa policy and couldn't log in. They come from the internet, and I can't specify anything in the "from" parameter other than 0.0.0.0/0.

What should I do to ensure that only users using rsa are included in responder_rsa? Should I specify a different srcid?
