[strongSwan] Authentication Payload after succesfull EAP-MD5 authentication

R R ukir85 at hotmail.com
Thu Oct 21 15:11:37 CEST 2010


Hi Martin

Thanks a lot for your response.

At least I've taken a step in the right direction, but the authentication still fails.

Now I calculate the AUTH payload exactly as in PSK authentication, and the
identification data for the AUTH payload comes from IDi/r. The authentication type for the AUTH payload is PSK-MIC=0x02.

After I get EAP SUCCESS, I send message: [ IKEv2-hdr, SK { AUTH } ].

And for this I get the response Notification Invalid Syntax.

The ipsec.conf configuration file is as follows:

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
        charonstart=yes
        plutostart=no
        charondebug="ike 4, knl 4, cfg 4, dmn 4, mgr 4, chd 4, job 4, net 4, enc 4, lib 1"

conn %default
        keyingtries=1
        keyexchange=ikev2
        left=192.168.11.2
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        authby=secret

conn ikev2-test
        rightauth=eap-md5
        auto=add

The log from auth.log:

Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing AUTHENTICATION payload, 28 bytes left
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing payload from => 28 bytes @ 0x8d599c0
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]    0: 00 00 00 1C 00 00 00 00 63 18 DA 7E E6 C0 D9 8B  ........c..~....
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   16: B3 E7 E8 17 9B 89 DC 2D E9 12 B4 62              .......-...b
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 0 U_INT_8
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]    => 0
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 1 FLAG
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]    => 0
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 2 RESERVED_BIT
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 3 RESERVED_BIT
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 4 RESERVED_BIT
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 5 RESERVED_BIT
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 6 RESERVED_BIT
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 7 RESERVED_BIT
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 8 RESERVED_BIT
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 9 PAYLOAD_LENGTH
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]    => 28
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 10 U_INT_8
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]    => 0
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 11 RESERVED_BYTE
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 12 RESERVED_BYTE
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 13 RESERVED_BYTE
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   parsing rule 14 AUTH_DATA
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]    => => 20 bytes @ 0x8d5b4e0
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]    0: 63 18 DA 7E E6 C0 D9 8B B3 E7 E8 17 9B 89 DC 2D  c..~...........-
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC]   16: E9 12 B4 62                                      ...b
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing AUTHENTICATION payload finished
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] AUTHENTICATION verification failed
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] encrypted payload could not be decrypted and parsed
Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] could not decrypt payloads
Oct 20 19:09:33 riku-ubuntu charon: 03[IKE] message parsing failed

Or is this telling me that decrypting the encrypted payload fails?

Is there a way to increase debug level to find out why it fails? In PSK authentication I get all the debugging 
stuff to auth.log about how AUTH payload is calculated for PSK, but with EAP the above log is all I get.

It might be that I'm missing some critical part in my code, or I have a
bug somewhere. I have to do some deeper debugging now that I know how
the AUTH payload should be calculated, thanks.


> Subject: Re: [strongSwan] Authentication Payload after succesfull EAP-MD5 authentication
> From: martin at strongswan.org
> To: ukir85 at hotmail.com
> CC: users at lists.strongswan.org
> Date: Thu, 21 Oct 2010 13:19:56 +0200
> 
> Hi,
> 
> > How is the IKEv2 AUTH payload calculated after EAP-MD5 authentication?
> 
> As EAP-MD5 does not provide an MSK, SK_p is used instead.
> 
> > it should go exactly as for PSK authentication payload
> 
> Yes, it is exactly the same.
> 
> > except that the paddingstring is "Key Pad for EAP-IKEv2"
> 
> No, the key pad is the same as with PSK authentication.
> 
> Regards
> Martin
>  		 	   		  
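
The AUTH computation discussed in this thread, as an added example that is not part of the original messages or of strongSwan's code. It follows RFC 7296 section 2.15 with SK_pi as the shared secret (the EAP-MD5 case from the reply), assumes PRF_HMAC_SHA1 because the logged AUTH data is 20 bytes, and uses hypothetical function names; it also decodes the 28-byte payload from the auth.log dump.

```python
import hmac
import struct

KEY_PAD = b"Key Pad for IKEv2"   # same pad as PSK authentication (RFC 7296, 2.15)
AUTH_METHOD_PSK_MIC = 2          # Shared Key Message Integrity Code


def prf(key, data, hash_name="sha1"):
    """IKEv2 prf as HMAC. SHA-1 is an assumption (20-byte AUTH data in the log)."""
    return hmac.new(key, data, hash_name).digest()


def initiator_auth(secret, sk_pi, real_message1, nonce_r, id_type, id_data):
    """AUTH data for shared-secret authentication.
    With EAP-MD5 there is no MSK, so the caller passes secret = SK_pi."""
    rest_of_id = struct.pack("!B3x", id_type) + id_data   # IDType | RESERVED | data
    signed_octets = real_message1 + nonce_r + prf(sk_pi, rest_of_id)
    return prf(prf(secret, KEY_PAD), signed_octets)


def build_auth_payload(auth_data, next_payload=0, method=AUTH_METHOD_PSK_MIC):
    """Generic payload header, Auth Method, three reserved bytes, AUTH data."""
    header = struct.pack("!BBHB3x", next_payload, 0, 8 + len(auth_data), method)
    return header + auth_data


def parse_auth_payload(raw):
    """Decode an AUTH payload and reject an inconsistent length field."""
    if len(raw) < 8:
        raise ValueError("AUTH payload shorter than its fixed header")
    next_payload, flags, length, method = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError("payload length field does not match the data")
    return {"next_payload": next_payload, "critical": bool(flags & 0x80),
            "length": length, "method": method, "data": raw[8:]}


# The 28 bytes shown in the auth.log hex dump in this message.
LOGGED = bytes.fromhex("0000001C00000000"
                       "6318DA7EE6C0D98BB3E7E8179B89DC2DE912B462")

if __name__ == "__main__":
    got = parse_auth_payload(LOGGED)
    print("logged Auth Method:", got["method"], "data bytes:", len(got["data"]))
    # Constructed sample inputs, for illustration only.
    sk_pi = bytes(range(20))
    auth = initiator_auth(sk_pi, sk_pi, b"\x01" * 64, b"\x02" * 16, 3, b"user@example.org")
    print("expected payload:", build_auth_payload(auth).hex())
```

Decoding the logged bytes gives an Auth Method field of 0 (matching `parsing rule 10 U_INT_8 => 0` in the log), whereas a payload built for PSK-MIC carries 2 in that position.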