strongSwan

h1. eap-gtc Plugin

h2. Purpose

The _eap-gtc_ plugin is an IKEv2 EAP backend, as specified in "draft-sheffer-ipsecme-ikev2-gtc":http://tools.ietf.org/html/draft-sheffer-ipsecme-ikev2-gtc. It exchanges a plaintext password in the secure IKEv2 channel and only after verifying the server's identity. This password can be verified using any XAuth password backend.

Before version:5.0.1, the plugin verified the credentials directly against PAM. Now it can use any XAuth backend. By default it uses [[XAuthPAM|xauth-pam]], resembling the behavior of 4.x releases.

The plugin is disabled by default and can be enabled by adding

<pre>--enable-eap-gtc</pre> to the ./configure options. You also need a XAuth backend to verify the password, such as

<pre>--enable-xauth-pam</pre>

h2. Server Configuration

Beginning with version:5.0.1 any XAuth backend may be used to verify the credentials provided by the client. Combined with the [[XAuthPAM|xauth-pam]] plugin the module's previous behavior is preserved. Using the _xauth-generic_ plugin as backend instead allows one to verify the credentials against XAUTH and EAP secrets defined in [[ipsec.secrets]] or [[swanctl.conf#secrets-section]] (or provided by any other credential set).

The plugin is configured using the following [[strongswan.conf]] option:

|Key|Default|Description|

|charon.plugins.eap-gtc.backend|pam|XAuth backend to use|

h2. Client Configuration

The client implementation of this module directly fetches shared secrets from the credential manager. Use _eap_ or _eap-gtc_ as authentication method and make sure the appropriate EAP or XAUTH secret is available through the credential manager (e.g. via [[ipsec.secrets]] or [[swanctl.conf#secrets-section]]).