<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Hi,<br><br>I am testing EAP-AKA with strongSwan as the client and FreeRADIUS as the authentication server against a Security Gateway. The SeGW here runs in the pass-through (relaying) mode for all EAP signaling. The EAP-AKA failed because strongSwan sends AKA_AUTHENTICATION_REJECT. I know I have to somehow supply strongSwan with the quintuplets hard-coded in FreeRADIUS, but don't know how. Can someone shed some lights? what I am missing here? Thanks very much in advance<br><br>[etc]# ipsec up eap_aka<br>initiating IKE_SA eap_aka[1] to 192.168.18.102<br>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>sending packet: from 192.168.18.202[500] to 192.168.18.102[500]<br>received packet: from 192.168.18.102[500] to 192.168.18.202[500]<br>parsed IKE_SA_INIT response 0 [ N(COOKIE) ]<br>initiating IKE_SA eap_aka[1] to
192.168.18.102<br>generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>sending packet: from 192.168.18.202[500] to 192.168.18.102[500]<br>received packet: from 192.168.18.102[500] to 192.168.18.202[500]<br>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]<br>establishing CHILD_SA eap_aka<br>generating IKE_AUTH request 1 [ IDi CERTREQ IDr CP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]<br>sending packet: from 192.168.18.202[4500] to 192.168.18.102[4500]<br>received packet: from 192.168.18.102[4500] to 192.168.18.202[4500]<br>parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]<br>authentication of '192.168.18.102' with pre-shared key successful<br>server requested EAP_IDENTITY, sending '1234567'<br>generating IKE_AUTH request 2 [ EAP/RES/ID ]<br>sending packet: from 192.168.18.202[4500]
to 192.168.18.102[4500]<br>received packet: from 192.168.18.102[4500] to 192.168.18.202[4500]<br>parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]<br>server requested EAP_AKA authentication<br><b>received MAC does not match XMAC<br>tried 2 SIM cards, but none has quintuplets for '1234567'<br>no USIM found with quintuplets for '1234567', sending AKA_AUTHENTICATION_REJECT<br></b>generating IKE_AUTH request 3 [ EAP/RES/AKA ]<br>sending packet: from 192.168.18.202[4500] to 192.168.18.102[4500]<br>received packet: from 192.168.18.102[4500] to 192.168.18.202[4500]<br>parsed IKE_AUTH response 3 [ EAP/FAIL ]<br>received EAP_FAILURE, EAP authentication failed<br>------------------------------------------------------------<br><br>I am running strongSwan 4.5.0 with the following configuration:<br><br>strongswan.conf:<br># strongswan.conf - strongSwan configuration file<br><br>multiple_authentication = yes<br><br>charon {<br> load = curl aes des sha1 sha2 md5 md4
pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw fips-prf eap-identity eap-aka eap-aka-3gpp2<br>}<br><br>ipsec.conf:<br><br>conn eap_aka<br> left=192.168.18.202<br> leftsourceip=%config<br> leftfirewall=no<br> leftauth=eap<br> eap_identity=1234567<br> leftsubnet=192.168.0.0/16<br> right=192.168.18.102<br> rightid=192.168.18.102<br> rightsubnet=172.16.0.0/16<br> rightauth=psk<br> auto=add<br> esp=3des-aes-sha1-md5-modp1024<br> ike=3des-aes-sha1-md5-modp1024<br> pfs=yes<br><br>ipsec.secrets:<br># PSK<br>: PSK ipsecsecrets<br><br># CERT<br>: RSA n.key<br><br># EAP<br>: EAP ipsecsecrets<br><div><br></div><div>My FreeRADIUS has the quintuplet as following:</div><div><div>"1234567" Cleartext-Password := ipsecsecrets</div><div> EAP-Sim-AUTN = 0x30000000000000000000000000000000,</div><div> EAP-Aka-IK
= 0x33333333333333333333333333333333,</div><div> EAP-Aka-CK = 0x34343434343434343434343434343434,</div><div> EAP-Sim-RES = 0x35353535353535353535353535353535,</div><div> EAP-Sim-RAND = 0x30000000000000000000000000000000</div></div><div><br></div></td></tr></table>