IPsec Remote Access VPN Example Using IKEv2 with EAP-RADIUS

To setup IKEv2 with EAP-RADIUS, follow the directions for IKEv2 with EAP-MSCHAPv2 with a slight variation:

  • Define a RADIUS server under System > User Manager, Servers tab before starting

  • Select the RADIUS server on VPN > IPsec, Mobile Clients tab

  • Check Group Authentication and select Authentication Groups list entries to optionally filter access based on RADIUS group membership

  • Select EAP-RADIUS for the Authentication method on the Mobile IPsec phase 1 entry


The default settings are OK for this use case. If the defaults do not work, see Using EAP and PEAP with FreeRADIUS

EAP-RADIUS with Windows Network Policy Server (NPS)

To allow strongSwan to authenticate against NPS using EAP-MSCHAPv2, alter the NPS policy as follows:

  • Open Network Policy Server (NPS)

  • Expand Policies

  • Click Network Policies

  • Edit the policy currently in use

  • Click on the Constraints tab

  • Click Authentication Methods

  • Click Add

  • Select Microsoft: Secured Password (EAP-MSCHAP v2)

  • Click OK

  • Click Apply (To restart NPS)

  • Click OK