The eap-gtc plugin is an IKEv2 EAP backend, as specified in draft-sheffer-ipsecme-ikev2-gtc. It exchanges a plaintext password in the secure IKEv2 channel and only after verifying the server's identity. This password can be verified using any XAuth password backend.
The plugin is disabled by default and can be enabled by adding
--enable-eap-gtcto the ./configure options. You also need a XAuth backend to verify the password, such as
Beginning with 5.0.1 any XAuth backend may be used to verify the credentials provided by the client. Combined with the xauth-pam plugin the module's previous behavior is preserved. Using the xauth-generic plugin as backend instead allows one to verify the credentials against XAUTH and EAP secrets defined in ipsec.secrets or swanctl.conf (or provided by any other credential set).
The plugin is configured using the following strongswan.conf option:
|charon.plugins.eap-gtc.backend||pam||XAuth backend to use|
The client implementation of this module directly fetches shared secrets from the credential manager. Use eap or eap-gtc as authentication method and make sure the appropriate EAP or XAUTH secret is available through the credential manager (e.g. via ipsec.secrets or swanctl.conf).