eap-gtc Plugin

Purpose

The eap-gtc plugin is an IKEv2 EAP backend, as specified in draft-sheffer-ipsecme-ikev2-gtc. It transports a plaintext password inside the encrypted IKEv2 channel, and only after the client has verified the server's identity (in IKEv2, the responder authenticates with its AUTH payload before the EAP exchange begins, see RFC 7296, section 2.16). The password is then verified by an XAuth password backend; any XAuth backend can be used.

Before 5.0.1, the plugin verified the credentials directly against PAM. Since 5.0.1 it can use any XAuth backend; by default it uses xauth-pam, which matches the behavior of the 4.x releases.

The plugin is disabled by default and can be enabled by adding

  --enable-eap-gtc

to the ./configure options. You also need an XAuth backend to verify the password, such as

  --enable-xauth-pam

Server Configuration

Beginning with 5.0.1 any XAuth backend may be used to verify the credentials provided by the client. Combined with the xauth-pam plugin, the plugin's previous behavior is preserved. Using the xauth-generic plugin as backend instead verifies the credentials against the XAUTH and EAP secrets defined in ipsec.secrets or swanctl.conf (or provided by any other credential set). Note that the server receives the password itself, not a hash, so with xauth-generic the matching secret is stored in the clear on the server and the secrets file must be readable by root only.

The plugin is configured using the following strongswan.conf option:

Key                               Default   Description
charon.plugins.eap-gtc.backend    pam       XAuth backend to use (pam for xauth-pam, generic for xauth-generic)

Client Configuration

The client implementation of this plugin fetches the shared secret directly from the credential manager. Use eap or eap-gtc as the authentication method and make sure the matching EAP or XAUTH secret (keyed by the client's EAP identity) is available through the credential manager (e.g. via ipsec.secrets or swanctl.conf). Since the password leaves the client in the clear inside the IKE_SA, the client configuration should pin the expected server identity and CA so that the password is only ever sent to the intended gateway.
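The following is an added example, not configuration from the strongSwan project, showing both the server configuration (eap-gtc with the xauth-generic backend) and the client configuration described above, in swanctl.conf and strongswan.conf syntax. The host names, addresses, identities, certificate file name and the secret are constructed for illustration.

```conf
# Added example (not part of the strongSwan documentation): server and client
# set up for EAP-GTC with the xauth-generic backend. All names, addresses and
# the secret are made up.

# --- /etc/strongswan.conf (server) ---
charon {
    plugins {
        eap-gtc {
            # default is "pam"; "generic" checks the password against the
            # EAP/XAUTH secrets known to the credential manager
            backend = generic
        }
    }
}

# --- /etc/swanctl/swanctl.conf (server) ---
connections {
    rw-gtc {
        local_addrs = 192.0.2.1
        local {
            # the server authenticates with a certificate first; the client
            # only sends its password after it has verified this identity
            auth = pubkey
            certs = serverCert.pem
            id = vpn.example.com
        }
        remote {
            auth = eap-gtc
            eap_id = %any
        }
        children {
            rw {
                local_ts = 10.1.0.0/16
                pools = rw-pool
            }
        }
    }
}
pools {
    rw-pool {
        addrs = 10.3.0.0/24
    }
}
secrets {
    # EAP secret looked up by xauth-generic under the client's EAP identity;
    # it is stored in the clear here, so keep this file root-readable only
    eap-carol {
        id = carol
        secret = 3UnfjWjDBhK3
    }
}

# --- /etc/swanctl/swanctl.conf (client) ---
connections {
    home {
        remote_addrs = vpn.example.com
        vips = 0.0.0.0
        local {
            auth = eap-gtc
            eap_id = carol
        }
        remote {
            # pin the gateway identity so the password is only sent to it
            auth = pubkey
            id = vpn.example.com
        }
        children {
            home {
                remote_ts = 10.1.0.0/16
            }
        }
    }
}
secrets {
    # client-side copy of the password, fetched by the eap-gtc plugin
    # through the credential manager
    eap-carol {
        id = carol
        secret = 3UnfjWjDBhK3
    }
}
```

Load both sides with swanctl --load-all and initiate from the client with swanctl --initiate --child home. With the default backend (pam) the server-side secrets section is not needed: the password is instead checked by PAM under the client's EAP identity, and the client configuration stays the same.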