On 09/04/2026, Tobias Heider wrote:
> On Thu, Apr 09, 2026 at 12:20:05AM +0300, Alex Mihajlov wrote:
> > On 08/04/2026, Tobias Heider wrote:
> > >
> You can simply put multiple ikev2 blocks into your server iked.conf.
> It could look sth like:
>
> user 'user' 'password'
> ikev2 'responder_eap' passive esp \
> from any to dynamic \
> local X.X.X.X peer any \
> srcid server1-eap \
> eap "mschap-v2" \
> config address 10.0.5.0/24 \
> config name-server 192.0.2.1
>
> ikev2 'responder_psk' passive esp \
> from any to dynamic \
> local X.X.X.X peer any \
> srcid server1-psk \
> psk preshared123! \
> config address 10.0.5.0/24 \
> config name-server 192.0.2.1
Thanks for your attention!
I tried using a similar configuration:
ikev2 'responder_eap' passive ipcomp esp \
        from 0.0.0.0/0 to dynamic \
        peer any \
        srcid myhostname.org \
        eap "mschap-v2" \
        config address 172.24.24.0/24 \
        config name-server 172.24.24.1 \
        tag "$name-$id" tap enc0

ikev2 'responder_rsa' passive esp \
        from 0.0.0.0/0 to dynamic \
        peer any \
        srcid myhostname.org \
        config address 172.24.24.0/24 \
        config name-server 172.24.24.1 \
        tag "ROADW"
And when I added responder_rsa, all users,
including those who were supposed to log in via mschap-v2,
were caught by the responder_rsa policy and couldn't log in.
They come from the internet, and I can't specify anything
in the "from" parameter other than 0.0.0.0/0.
What should I do to ensure that only users
using RSA are included in responder_rsa?
Should I specify a different srcid?
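An added illustration of how iked selects between overlapping policies; this is not a configuration from the thread, and the host name, addresses and certificate subject are made up. iked.conf(5) evaluates policies in order and the last matching policy wins (unless a policy is marked `quick`), so two `passive` policies that both say `peer any` with the same `srcid` match every initiator, and whichever is listed last is the one applied. Narrowing the certificate policy with `dstid`, which iked compares against the identity the initiator presents, keeps the EAP policy as the catch-all:

```conf
# Added illustration, not the configuration posted above.
# myhostname.org, 172.24.24.0/24 and the certificate subject are made up.

# Catch-all policy for road warriors authenticating with EAP-MSCHAPv2.
# "peer any" with no dstid matches every initiator.
ikev2 'responder_eap' passive ipcomp esp \
        from 0.0.0.0/0 to dynamic \
        peer any \
        srcid myhostname.org \
        eap "mschap-v2" \
        config address 172.24.24.0/24 \
        config name-server 172.24.24.1 \
        tag "$name-$id" tap enc0

# Certificate-authenticated client, restricted to the identity carried in
# its certificate. Without dstid this policy would also match the EAP
# clients, and as the last matching policy it would be the one applied.
ikev2 'responder_rsa' passive esp \
        from 0.0.0.0/0 to dynamic \
        peer any \
        srcid myhostname.org \
        dstid "/C=XX/O=Example/CN=roadwarrior.example.org" \
        rsa \
        config address 172.24.24.0/24 \
        config name-server 172.24.24.1 \
        tag "ROADW"
```

`dstid` takes a single identity, so a group of certificate clients with different subjects needs one such block per identity (or a shared identity in their certificates). `ikectl reload` after editing, and `ikectl show sa` will report which policy a connected peer landed in.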