
I am trying to configure an ipsec (strongswan) vpn client to connect to my ISP-provided router's VPN.

I only have a username and password, no certificates.

In the documentation they provided (https://support-pro.free.fr/comment-se-connecter-au-vpn-depuis-mon-peripherique-android/) it says they use the IKEv2 EAP protocol.

Could someone give me an example Linux config for my /etc/ipsec.conf that would work with that?

Here is my naive minimal config:

config setup
  charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, 0"

conn proxym
  keyexchange=ikev2
  authby=psk
  left=192.168.1.42
  right=<remote ip>
  eap_identity=<username i created in the vpn server>
  auto=add

And the error I get:

sudo ipsec up proxym

generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.42[500] to [500] (1036 bytes)
received packet: from [500] to 192.168.1.42[500] (280 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
authentication of '192.168.1.42' (myself) with pre-shared key
no shared key found for '192.168.1.42' - ''
establishing connection 'proxym' failed

And my /etc/ipsec.secrets

<user> : EAP "PASS"

192.168.1.42 <remote ip> : EAP "PASS"

Thank you in advance.

  • To use EAP authentication, you have to replace authby=psk with leftauth=eap and rightauth=pubkey (the latter is the default and works under the assumption that the router uses a certificate by Let's Encrypt).
    – ecdsa
    Commented Nov 27, 2023 at 8:22
  • Hello, yes it works now, I managed to glue up some other examples with what you proposed and it is working! Thank you!
    – sashok_bg
    Commented Nov 28, 2023 at 8:17
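
The change described in the comments, written out as an added example (not the asker's final config and not taken from the ISP documentation). The rightid, leftsourceip and rightsubnet lines are assumptions that do not appear on the page, and the bracketed values are placeholders.

```conf
# /etc/ipsec.conf
conn proxym
  keyexchange=ikev2
  left=192.168.1.42
  # Client side: authenticate with EAP (username/password), not a PSK.
  # This replaces authby=psk, which made charon look for a pre-shared key
  # and fail with "no shared key found".
  leftauth=eap
  eap_identity=<username created in the vpn server>
  # Assumption: ask the router for a virtual IP inside the VPN.
  leftsourceip=%config
  right=<remote ip>
  # Server side: the router proves its identity with a certificate.
  # pubkey is the default; the log above already shows a cert request for
  # ISRG Root X1 (Let's Encrypt), so that CA is loaded on the client.
  rightauth=pubkey
  # Assumption: the identity must match a name in the router's certificate,
  # otherwise any host holding a certificate from the same CA would pass.
  rightid=<hostname in the router certificate>
  # Assumption: route all traffic through the tunnel; narrow as needed.
  rightsubnet=0.0.0.0/0
  auto=add

# /etc/ipsec.secrets
# EAP secrets are looked up by the EAP identity, so one line keyed on the
# username is enough; a line keyed on the two IP addresses is not needed.
<username created in the vpn server> : EAP "<password>"
```

Because /etc/ipsec.secrets holds the password in clear text, keep it readable by root only (mode 600). After editing, reload with `sudo ipsec restart` before running `sudo ipsec up proxym` again.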
