1.使用windows server的網路原則伺服器進行IKEv2認證
2.IKEv1 的 XAuth 若使用 xauth-radius 便無法與 Windows 的網路原則伺服器相容，所以改設定 rightauth2=xauth-generic，折衷改用內部的 ipsec.secrets 驗證使用者
vi /etc/strongswan.conf
# strongSwan daemon (charon) configuration.
# The eap-radius section points the IKEv2-EAP connection (see ipsec.conf,
# rightauth=eap-radius) at the RADIUS server - per the notes above a Windows
# Network Policy Server - so that the client's EAP exchange is relayed there
# and the tunnel is accepted only on an Access-Accept.
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
#josh start ******
eap-radius {
servers {
server-1 {
# RADIUS server on the internal network. RADIUS protects its attributes
# only with the shared secret (MD5-based), so keep this path on a trusted
# segment and never expose it to client-reachable networks.
address = 10.3.1.6
# Shared secret that authenticates RADIUS messages and hides the
# User-Password attribute. "12341234" is short and digits only, which
# makes the secret easy to guess from captured traffic; replace it with
# a long random value, set the same value on the NPS client entry, and
# keep this file readable by root only.
secret = 12341234
}
}
}
#josh end ******
}
}
# Top-level drop-in directory, outside the charon {} block.
include strongswan.d/*.conf
vi /etc/ipsec.conf
# Connection definitions for the two remote-access profiles described at the
# top of these notes: IKEv1 PSK+XAuth checked against local secrets, and IKEv2
# with EAP relayed to RADIUS.
# NOTE(review): in the real file every parameter line under config/conn must
# be indented; the indentation appears to have been lost in this listing.
config setup
# Allow several concurrent IKE_SAs with the same peer identity instead of
# replacing the older one. Convenient for shared accounts, but it also hides
# a credential being used from two places at once; "yes" or "replace" is the
# safer choice if such reuse should be noticed.
uniqueids=never
# Log level 1 (basic) for the IKE, kernel and config subsystems; level 1 does
# not print secrets, higher levels may.
charondebug=ike 1, knl 1, cfg 1
# Settings inherited by every conn below.
conn %default
# Load the conn at startup and wait for the peer to initiate (responder only).
auto=add
# DNS server pushed to clients. 168.95.1.1 is not a private address, so client
# name lookups go to a public resolver (through the tunnel, given the full
# tunnel leftsubnet below).
rightdns=168.95.1.1
# IKEv1 with a group pre-shared key plus XAuth user credentials. As the notes
# explain, xauth-radius does not interoperate with NPS, so XAuth is verified
# against the XAUTH entries in /etc/ipsec.secrets instead.
conn IKEv1-PSK
keyexchange=ikev1
leftauth=psk
# Accept from any address; without a leftid the gateway identifies itself by
# its IP address.
left=%any
# Full tunnel: all client traffic is routed through the gateway.
leftsubnet=0.0.0.0/0
# Round 1: the PSK. With left=%any every client must use the same "%any" PSK
# from ipsec.secrets, so anyone holding it can also present itself as the
# gateway to other clients; rotate the PSK whenever a user or device leaves.
rightauth=psk
# Round 2: XAuth username/password from the local secrets file.
rightauth2=xauth-generic
# Virtual IP pool handed out to clients.
rightsourceip=10.3.9.0/24
# IKEv2 with EAP: the user's EAP exchange is relayed to the RADIUS server
# configured in strongswan.conf. The gateway authenticates with its
# certificate (leftcert); the client authenticates with EAP only.
conn IKEv2-EAP
keyexchange=ikev2
# Forward the identity the client sends in its EAP Identity response to
# RADIUS unchanged.
eap_identity=%identity
# The gateway does not initiate rekeying; the SA expires unless the client
# rekeys it.
rekey=no
# IKEv2 fragmentation for large EAP/certificate payloads.
fragmentation=yes
# On a dead peer, try to restart the tunnel. For a conn that only ever acts
# as responder (auto=add, left=%any) "clear" is the usual setting - confirm
# that restart is intended here.
dpdaction=restart
left=%any
# Identity the gateway presents; Windows clients typically require it to
# match a SAN in server.crt, otherwise certificate validation fails.
leftid=mail.tscgg.com
leftsubnet=0.0.0.0/0
# Server certificate (relative name, looked up under /etc/ipsec.d/certs);
# the matching private key is referenced from ipsec.secrets.
leftcert=server.crt
rightsourceip=10.3.9.0/24
# Client authentication is delegated to RADIUS (NPS).
rightauth=eap-radius
# No ike=/esp= lines in either conn: charon's default proposals apply. Pin
# them explicitly if weak algorithms offered by older clients must be
# ruled out.
vi /etc/ipsec.secrets
# Secrets for the conns in ipsec.conf. This file holds cleartext passwords and
# the server private key reference; it must be readable by root only (0600).
# The values shown here look like placeholders - do not deploy them as-is.
# IKEv1 round-1 group PSK, shared by every IKEv1-PSK client (left=%any).
# Use a long random string and rotate it when a holder leaves.
%any : PSK "pskPass"
# IKEv1 round-2 XAuth credential, one line per user: username, then the
# password in cleartext, because xauth-generic verifies against this file.
josh %any : XAUTH "password"
# Private key for leftcert=server.crt (relative name, looked up under
# /etc/ipsec.d/private).
: RSA server.key

