<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
Hi Martin<br><br>Thanks a lot for your response.<br><br>At least I've taken a step to correct direction, byt still the authentication fails. <br><br>Now I calculate the AUTH Payload exactly as in PSK authentication and the<br>identification data for AUTH payload comes from IDi/r. The authentication-type for AUTH payload is PSK-MIC=0x02<br><br>After I get EAP SUCCESS, I send message: [ IKEv2-hdr, SK { AUTH } ].<br><br>And for this I get response Notification Invalid Syntax.<br><br>The configuration file for ipsec.conf is following:<br><br># ipsec.conf - strongSwan IPsec configuration file<br># basic configuration<br><br>config setup<br> charonstart=yes<br> plutostart=no<br> charondebug="ike 4, knl 4, cfg 4, dmn 4, mgr 4, chd 4, job 4, net 4, enc 4, lib 1"<br><br>conn %default<br> keyingtries=1<br> keyexchange=ikev2<br> left=192.168.11.2<br> leftcert=moonCert.pem<br> leftid=@moon.strongswan.org<br> authby=secret<br><br>conn ikev2-test<br> rightauth=eap-md5<br> auto=add<br><br>The log from auth.log:<br><br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing AUTHENTICATION payload, 28 bytes left<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing payload from => 28 bytes @ 0x8d599c0<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] 0: 00 00 00 1C 00 00 00 00 63 18 DA 7E E6 C0 D9 8B ........c..~....<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] 16: B3 E7 E8 17 9B 89 DC 2D E9 12 B4 62 .......-...b<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 0 U_INT_8<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] => 0<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 1 FLAG<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] => 0<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 2 RESERVED_BIT<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 3 RESERVED_BIT<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 4 RESERVED_BIT<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 5 RESERVED_BIT<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 6 RESERVED_BIT<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 7 RESERVED_BIT<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 8 RESERVED_BIT<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 9 PAYLOAD_LENGTH<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] => 28<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 10 U_INT_8<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] => 0<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 11 RESERVED_BYTE<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 12 RESERVED_BYTE<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 13 RESERVED_BYTE<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing rule 14 AUTH_DATA<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] => => 20 bytes @ 0x8d5b4e0<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] 0: 63 18 DA 7E E6 C0 D9 8B B3 E7 E8 17 9B 89 DC 2D c..~...........-<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] 16: E9 12 B4 62 ...b<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] parsing AUTHENTICATION payload finished<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] AUTHENTICATION verification failed<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] encrypted payload could not be decrypted and parsed<br>Oct 20 19:09:33 riku-ubuntu charon: 03[ENC] could not decrypt payloads<br>Oct 20 19:09:33 riku-ubuntu charon: 03[IKE] message parsing failed<br><br>Or is this telling that Decrypting the encrypted payload fails? <br><br>Is there a way to increase debug level to find out why it fails? In PSK authentication I get all the debugging <br>stuff to auth.log about how AUTH payload is calculated for PSK, but with EAP the above log is all I get.<br><br>It
might be that I'm missing some critical part from my code, or I have a
bug somewhere. I have to make some deeper debugging now when I know how
AUTH payload should be calculated, thanks.<br><br><br>> Subject: Re: [strongSwan] Authentication Payload after succesfull EAP-MD5 authentication<br>> From: martin@strongswan.org<br>> To: ukir85@hotmail.com<br>> CC: users@lists.strongswan.org<br>> Date: Thu, 21 Oct 2010 13:19:56 +0200<br>> <br>> Hi,<br>> <br>> > How is the IKEv2 AUTH payload calculated after EAP-MD5 authentication?<br>> <br>> As EAP-MD5 does not provide an MSK, SK_p is used instead.<br>> <br>> > it should go exactly as for PSK authentication payload<br>> <br>> Yes, it is exactly the same.<br>> <br>> > except that the paddingstring is "Key Pad for EAP-IKEv2"<br>> <br>> No, the key pad is the same as with PSK authentication.<br>> <br>> Regards<br>> Martin<br>> </body>
</html>