Channel: ScreenOS Firewalls (NOT SRX) topics

IKEv2 to replace L2TP/IPSec dialup VPN


We have been running L2TP/IPSec for quite some time already (SSG550 / 6.3.0r23.0).

Decided to switch to IKEv2 as it is supposed to be a simpler solution.

We did some testing, ran into something I don’t understand...

Could somebody comment on what I’m doing wrong exactly?

Setup:

strongSwan as client / strongSwan as server / SSG550 as server

strongSwan has really good logging, so it’s easy to see what’s going on under the hood.

I’m not able to get any useful logging from the Win7+ client at all...

I’ll describe the test configs from the ScreenOS view:

I have 2 ikev2 gateways with corresponding VPNs

1.

set ike gateway ikev2 "Gateway - IKEv2 RSA" auth-method self rsa-sig peer rsa-sig

set vpn "VPN - IKEv2 RSA" gateway "Gateway - IKEv2 RSA" no-replay tunnel idletime 0 proposal "test2"


2.

set ike gateway ikev2 "Gateway - IKEv2 EAP" auth-method self rsa-sig peer eap

set vpn "VPN - IKEv2 EAP" gateway "Gateway - IKEv2 EAP" no-replay tunnel idletime 0 proposal "test2"


#1 (self rsa-sig peer rsa-sig) works fine from both strongSwan and Win7 clients.

However, the goal is to get EAP working.


#2 (self rsa-sig peer eap) works from strongSwan if it is the only gateway+vpn defined on ScreenOS.

As soon as rsa-sig/rsa-sig gateway+vpn are created, they "shadow" rsa-sig/eap pair completely...


Problems with #2:

1.

It looks like when ScreenOS looks for a matching ikev2 gateway, it doesn’t take into account the received IKE ID and always uses the rsa-sig/rsa-sig gateway if it exists?


2.

It doesn’t work from the Win7 client.

When it's configured as IKEv2 + EAP-MSCHAP v2, it always sends IP4 as the IKE ID.

I’ve no idea how to configure what IKE ID is sent by the Win7 client in such a case...

On the other hand, the ScreenOS Dialup User / Group setup requires having an IKE ID, but there is no way to define a Dialup User with something like IKE ID IPADDR 255.255.255.255 (to match any IP for the Win7 client).

Is there any workaround?


Other servers with the #2 setup:

Both strongSwan and Win7 clients can connect to the strongSwan server without problem.

The latter can accept both rsa-sig/rsa-sig and rsa-sig/eap at the same time, unlike ScreenOS.

According to Cisco docs, #2 works with the Win7 client just fine too. It’s not exactly relevant to this discussion, but worth mentioning still.
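An added example, not part of the original post and not ScreenOS or strongSwan code: a small Python decoder for the IKEv2 Identification payload (RFC 7296 §3.5) plus a constructed gateway table modelled on the two gateways above, contrasting selection by received IKE ID with the "first gateway wins" behaviour the post suspects. The peer IDs, addresses and table layout are invented for illustration.

```python
"""Added example: decode an IKEv2 Identification payload (RFC 7296 §3.5)
and select a peer gateway by the received IKE ID (not ScreenOS code)."""
import ipaddress
import struct

# Identification types from RFC 7296 §3.5 (subset)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR",
            9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}

def build_id_payload(id_type: int, data: bytes) -> bytes:
    """Generic payload header (next, flags, length) + ID type + 3 reserved + data."""
    body = struct.pack("!B3x", id_type) + data
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_id_payload(raw: bytes) -> tuple[str, str]:
    """Return (id_type_name, identification data as text); reject malformed input."""
    if len(raw) < 8:
        raise ValueError("truncated ID payload")
    length = struct.unpack("!H", raw[2:4])[0]
    if length != len(raw):
        raise ValueError("length field does not match payload size")
    name, data = ID_TYPES.get(raw[4]), raw[8:]
    if name is None:
        raise ValueError(f"unsupported ID type {raw[4]}")
    if name == "ID_IPV4_ADDR":
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 octets")
        return name, str(ipaddress.IPv4Address(data))
    if name in ("ID_FQDN", "ID_RFC822_ADDR"):
        return name, data.decode("ascii")
    return name, data.hex()  # DN / KEY_ID kept opaque here

# Constructed table modelled on the two gateways in the post; peer IDs are invented
GATEWAYS = [
    {"name": "Gateway - IKEv2 RSA", "peer_auth": "rsa-sig",
     "peer_id": ("ID_FQDN", "rsa-client.example.test")},
    {"name": "Gateway - IKEv2 EAP", "peer_auth": "eap",
     "peer_id": ("ID_RFC822_ADDR", "alice@example.test")},
]

def select_gateway(raw_id_payload: bytes, match_on_ike_id: bool = True):
    """Gateway name for an incoming IKE_AUTH, or None. match_on_ike_id=False
    models the behaviour the post suspects: the first gateway always wins."""
    ike_id = parse_id_payload(raw_id_payload)
    if not match_on_ike_id:
        return GATEWAYS[0]["name"]
    for gw in GATEWAYS:
        if gw["peer_id"] == ike_id:
            return gw["name"]
    return None
```

With a Win7-style ID_IPV4_ADDR identity the lookup returns None, which is the matching gap the post describes for Dialup Users; only an ID the table actually lists selects the EAP gateway.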
