Simultaneous IKEv1 and IKEv2 connection support in Strongswan

ipsecstrongswan

I'm using Strongswan to handle IPsec connections, and need a way to support both Windows (IKEv2) and OS X (IKEv1) clients. I would prefer to use pure IPsec (i.e. avoid having to setup L2TP) unless there's a compelling reason to use L2TP/IPsec.

I know you can configure Strongswan in ipsec.conf to have some connections use IKEv1 whereas some other connections use IKEv2. However, in my case I can't easily setup separate connection configurations for each user because the IP address that they'll connect from won't be known in advance. I just use a single connection configuration for all of our users.

Is it possible to have some users connect via an IKEv1 connection configuration and others via an IKEv2 connection configuration, or setup a single connection configuration that'll handle both IKEv1 and IKEv2 connections? If not, what would be the easiest way to support both Windows and OS X built-in IPsec clients (with Strongswan or some other IPsec package)?

Best Answer

Yes, you can do IKEv1 and IKEv2 simultaneously as long as you have both pluto and charon installed and the daemons running. Use this in your config setup:

charonstart=yes
plutostart=yes

And use the keyexchange parameters in your ipsec.conf's conn sections:

conn foo
  ...
  keyexchange=ikev2
  ...

conn bar
  ...
  keyexchange=ikev1
  ...

Related Solutions

Accounting IPSec connections with RSA authentication

RADIUS Accounting in the eap-radius plugin does not require XAuth authentication. It actually works with any kind of authentication, via RADIUS or not, as long as the client requests a virtual IP address (for IKEv2 even this requirement can be disabled). With some IKEv1 clients there are some issues in case of reauthentication, though (see issue #937 and related).

EAP-TLS makes it possible to delegate the certificate authentication for IKEv2 clients to the AAA server, but this is unrelated to RADIUS Accounting.

Xl2tp + strongswan ipsec — xl2tp timeout

I was able to get this working in my case (Ubuntu) by using the NetworkManager L2TP plugin and forcing only the specific encryption algorithm supported by the server.

To discover the algorithms supported by your server you can use ike-scan which may be in the package repository or you can find an equivalent script here.

sudo apt-get install ike-scan
sudo ike-scan <address.of.server>

Then once you know the supported protocols you can put them into the config files or use the GUI by installing the below.

sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp  
sudo apt-get update  
# leave off gnome if using Unity/KDE
sudo apt-get install network-manager-l2tp-gnome

http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/

http://disq.us/p/1jcput9

Best Answer

Related Solutions

Accounting IPSec connections with RSA authentication

Xl2tp + strongswan ipsec — xl2tp timeout

Related Topic