Strongswan now supports PAM authentication

November 07, 2012 at 07:40 AM | categories: Centos, Sysadmin, RHEL, Linux, Tips, Security, IPSEC | View Comments

Strongswan release 5.0.1 includes a XAuth PAM plugin which requests username/password XAuth credentials and verifies them against Pluggable Authentication Modules (PAM).

This plugin is not enabled by default to enable it you need to add the following to your ./configure options


You do require the pam development headers and libraries on your build machine to successfully compile.

System Configuration

The plugin is configurable in the strongswan.conf file, you are able to change the pam service that is used for authentication.

By default the login pam service is used for authentication.

I will create a new service called ipsec for demonstration.

charon {
        xauth-pam {
            pam_service = ipsec

The pam service configuration file is as follows.

# /etc/pam.d/ipsec
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        required

account     required
account     sufficient
account     sufficient uid < 500 quiet
account     required

password    requisite try_first_pass retry=3 type=
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    required

session     optional revoke
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required

Now to use PAM authentication in your connections you set for XAuth:


Hybrid Authentication:


You are good to go and should be able to use any pam module to authenticate your users to your VPN. The options are endless: SQL, LDAP, RADIUS, LOCAL etc.

Related articles

blog comments powered by Disqus