<div dir="ltr"><div>Hi,<br><br><p>I am trying to run EAP-TLS client authentication with a Diameter server. strongSwan is failing the EAP-TLS method.</p><p><u><b>strongSwan log:</b></u></p><p>initiating IKE_SA init_nai_v4_v4_tls[1] to 122.122.122.120<br>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (708 bytes)<br>
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (38 bytes)<br>
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]<br>
peer didn't accept DH group MODP_2048, it requested MODP_1024<br>
initiating IKE_SA init_nai_v4_v4_tls[1] to 122.122.122.120<br>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (580 bytes)<br>
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (349 bytes)<br>
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]<br>
received cert request for "C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA"<br>
received cert request for "CN=quarry0, O=Quarry1, L=Gurgaon, C=IN"<br>
sending cert request for "C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA"<br>
sending cert request for "CN=quarry0, O=Quarry1, L=Gurgaon, C=IN"<br>
sending cert request for "C=IN, ST=Haryana, L=Delhi/NCR, O=Aricent, OU=Datacom, CN=Gagandeep, E=Gagan.Taneja@aricent.com"<br>
sending end entity cert "C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org"<br>
establishing CHILD_SA init_nai_v4_v4_tls<br>
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]<br>
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1564 bytes)<br>
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (892 bytes)<br>
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TLS ]<br>
received end entity cert "CN=quarry0, C=IN, O=Quarry3"<br>
  using certificate "CN=quarry0, C=IN, O=Quarry3"<br>
  using trusted ca certificate "CN=quarry0, O=Quarry1, L=Gurgaon, C=IN"<br>
checking certificate status of "CN=quarry0, C=IN, O=Quarry3"<br>
certificate status is not available<br>
  reached self-signed root ca with a path length of 0<br>
authentication of 'rohit' with RSA signature successful<br>
server requested EAP_TLS authentication (id 0x02)<br>
sending end entity cert "C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org"<br>
generating IKE_AUTH request 2 [ CERT EAP/RES/TLS ]<br>
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1292 bytes)<br>
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (1100 bytes)<br>
parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]<br>
negotiated TLS 1.2 using suite TLS_RSA_WITH_AES_128_CBC_SHA<br>
sending end entity cert "C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org"<br>
generating IKE_AUTH request 3 [ CERT EAP/RES/TLS ]<br>
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1180 bytes)<br>
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (316 bytes)<br>
parsed IKE_AUTH response 3 [ EAP/REQ/TLS ]<br>
received TLS server certificate 'C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org'<br>
received TLS cert request for 'C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA<br>
no TLS peer certificate found for '223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client authentication<br>
  using certificate "C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org"<br>
  using trusted ca certificate "C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA"<br>
checking certificate status of "C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org"<br>
certificate status is not available<br>
  reached self-signed root ca with a path length of 0<br>
sending end entity cert "C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org"<br>
generating IKE_AUTH request 4 [ CERT EAP/RES/TLS ]<br>
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1532 bytes)<br>
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (76 bytes)<br>
parsed IKE_AUTH response 4 [ EAP/REQ/TLS ]<br>
EAP_TLS method failed<br><br></p><p><u><b>ipsec.conf</b></u></p><p>conn init_nai_v4_v4_tls<br>
     leftid=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org<br>
     leftauth=eap<br>
     left=157.121.121.190<br>
     leftsourceip=10.10.10.1<br>
     #ike=3des-sha1-modp1024!<br>
     #esp = aes-md5-modp1024!<br>
     leftcert=fap-tls-10.crt<br>
     leftfirewall=yes<br>
     right=122.122.122.120<br>
     rightsubnet=151.151.151.0/24<br>
     rightid=rohit<br>
     rightauth=pubkey<br>
     auto=add<br></p><p><br></p><p>Kindly let me know if there is any configuration issue or any other issue.</p>
<p class="MsoNormal">Regards,</p>Akash</div></div>
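<p>Added example, not part of Akash's message and not strongSwan code: a small Python triage script that runs over the charon log lines quoted above (embedded here as a constructed sample) and pulls out the entries a reviewer would act on. The decisive pair is the server's TLS CertificateRequest followed by "no TLS peer certificate found for '&lt;identity&gt;', skipping client authentication": strongSwan found no certificate with a usable private key that it could match to that EAP identity, so the inner TLS handshake ran without client authentication, and the server then failed the method. The script also flags the responder's INVAL_KE downgrade from MODP_2048 to 1024-bit MODP, the negotiated TLS_RSA suite (static RSA key exchange, no forward secrecy), and the "certificate status is not available" lines (no CRL or OCSP check succeeded). The finding codes, the weak-group set and the <code>likely_cause</code> heuristic are this example's own choices.</p>

```python
import re

# Constructed sample: the lines from the strongSwan log quoted above that matter for triage.
SAMPLE_LOG = """\
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
authentication of 'rohit' with RSA signature successful
server requested EAP_TLS authentication (id 0x02)
negotiated TLS 1.2 using suite TLS_RSA_WITH_AES_128_CBC_SHA
received TLS server certificate 'C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org'
received TLS cert request for 'C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA
no TLS peer certificate found for '223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client authentication
certificate status is not available
EAP_TLS method failed
"""

# MODP groups with a modulus under 2048 bits (assumed threshold for this example).
WEAK_DH_GROUPS = {"MODP_768", "MODP_1024", "MODP_1536"}

# strongSwan messages this script understands; each maps to a finding code chosen here.
PATTERNS = [
    (re.compile(r"no TLS peer certificate found for '([^']+)'"), "tls_client_cert_missing"),
    (re.compile(r"it requested (MODP_\d+)"), "dh_downgrade"),
    (re.compile(r"negotiated TLS (\S+) using suite (\S+)"), "tls_suite"),
    # strongSwan prints this line without a closing quote, so match to end of line.
    (re.compile(r"received TLS cert request for '([^']+)"), "tls_client_cert_requested"),
    (re.compile(r"certificate status is not available"), "no_revocation_check"),
    (re.compile(r"EAP_TLS method failed"), "eap_tls_failed"),
]


def triage(log_text):
    """Return an ordered list of (code, detail) findings extracted from a charon log."""
    findings = []
    for line in log_text.splitlines():
        for pattern, code in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            if code == "dh_downgrade":
                # Only flag a downgrade that lands on a weak group.
                if m.group(1) in WEAK_DH_GROUPS:
                    findings.append(("weak_dh_group", m.group(1)))
            elif code == "tls_suite":
                # Static RSA key exchange: a later key compromise decrypts captured handshakes.
                if not m.group(2).startswith(("TLS_ECDHE_", "TLS_DHE_")):
                    findings.append(("tls_no_forward_secrecy", m.group(2)))
            else:
                findings.append((code, m.group(1) if m.groups() else None))
    return findings


def likely_cause(findings):
    """Pick the finding that best explains an 'EAP_TLS method failed' line; None if it did not fail."""
    codes = [c for c, _ in findings]
    if "eap_tls_failed" not in codes:
        return None
    # Server asked for a client certificate and the client sent none: the most direct explanation.
    if "tls_client_cert_requested" in codes and "tls_client_cert_missing" in codes:
        return next(f for f in findings if f[0] == "tls_client_cert_missing")
    return ("eap_tls_failed", None)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for code, detail in found:
        print(f"{code}: {detail}")
    print("likely cause:", likely_cause(found))
```

Feed it `ipsec statusall` or the charon log with the `tls` and `ike` subsystems at level 1; it only needs the message text, so timestamps and `charon:` prefixes in front of the lines do not matter.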