eap-gtc Plugin » History » Version 1
Martin Willi, 15.05.2009 17:26
EAP-GTC for client authentication
EAP-GTC allows clients to authenticate securely using a username/password scheme. In GTC, the password is transmitted in cleartext to the gateway, but only after the gateway has authenticated itself to the client using certificates, so the password travels inside the already protected IKE exchange. While this sounds insecure, it has some real advantages: you won't need access to cleartext credentials on the gateway and can use other authentication services to verify the password.
The EAP-GTC plugin uses any PAM service to verify the received credentials.
Compile with EAP-GTC
Add --enable-eap-gtc to the configure flags to build with the GTC module, e.g.:
./configure --disable-pluto --disable-tools --enable-eap-gtc \
    --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install
Configuration
By default, the GTC module uses the PAM service login, which should be available on most systems. But you may create your own service, e.g. in /etc/pam.d/ipsec:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
To use that service, set the pam_service option in /etc/strongswan.conf:
charon {
    plugins {
        eap_gtc {
            pam_service = ipsec
        }
    }
}
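A plugin pointed at a PAM service name that has no file under /etc/pam.d fails only when the first client tries to log in, so it is worth checking before rollout. The following shell check is an added example, not code from the strongSwan page or project: it reads pam_service from the charon.plugins.eap_gtc section of a strongswan.conf, falls back to the plugin default login when the option is absent, and verifies that the service file in the given pam.d directory exists and carries at least one auth line. CONF and PAMDIR are paths supplied by the caller.

```shell
#!/bin/sh
# Added example (not strongSwan project code): sanity-check the PAM
# service that the eap-gtc plugin will hand the client's credentials to.

# gtc_pam_service CONF: print the pam_service value from the eap_gtc
# section of CONF, or "login" (the plugin default) when it is not set.
gtc_pam_service() {
    conf="$1"
    svc=$(awk '
        /^[[:space:]]*eap_gtc[[:space:]]*[{]/ { in_gtc = 1; next }
        in_gtc && /[}]/ { in_gtc = 0 }
        in_gtc && /^[[:space:]]*pam_service[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # drop "pam_service ="
            sub(/[[:space:]#].*$/, "")       # drop trailing comment
            print; exit
        }' "$conf")
    printf '%s\n' "${svc:-login}"
}

# gtc_check_pam CONF PAMDIR: return 0 when PAMDIR/<service> exists and
# contains an "auth" line, 1 otherwise (reason printed on stderr).
gtc_check_pam() {
    svc=$(gtc_pam_service "$1")
    file="$2/$svc"
    if [ ! -f "$file" ]; then
        echo "eap-gtc: PAM service '$svc' not found at $file" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]' "$file"; then
        echo "eap-gtc: PAM service '$svc' has no auth lines in $file" >&2
        return 1
    fi
    echo "eap-gtc: PAM service '$svc' OK ($file)"
}

# Typical invocation on a gateway:
#   gtc_check_pam /etc/strongswan.conf /etc/pam.d
```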
A gateway configuration in ipsec.conf might look like this:
conn nm-clients
    # certificate handed out to client
    leftcert=cert.pem
    right=%any
    # subnet behind gateway to include in tunnel (optional)
    rightsubnet=10.1.0.0/16
    # IP address pool for clients requesting a virtual IP
    rightsourceip=10.1.250.0/24
    # handle all clients with this config
    rightid=%any
    # request GTC as EAP authentication method
    eap=gtc
    keyexchange=ikev2
    auto=add