<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<title>Konsole output</title>
<div>
<tt><span style="color:#000000;background-color:#ffffff;">Dear
all,<br>
<br>
running strongswan as a client carol against our ePDG moon, I
just cannot get the EAP-AKA authentication working. <br>
<br>
The strongswan client rejects the EAP-REQ/AKA-Challenge coming
from moon with an EAP-NAK. This is what Carol tells me:<br>
<br>
...SNIPP...<br>
parsed IKE_AUTH response 1 [ IDr EAP/REQ/AKA ]
</span></tt><tt><br>
</tt><tt>server requested EAP_AKA authentication (id 0x00)</tt><tt><br>
</tt><tt>
</tt>
<tt>
</tt><tt>
</tt>
<div>
<tt><span style="color:#000000;background-color:#ffffff;">EAP
method not supported, sending EAP_NAK
</span></tt><tt><br>
</tt><tt>allow mutual EAP-only authentication</tt><tt><br>
</tt></div>
<tt>
</tt>
<tt>
</tt><tt>...SNIPP...</tt><tt><br>
</tt><tt><br>
</tt><tt>Is this wanted behavior? Or am I on the wrong track...</tt><tt><br>
</tt><tt>I would be more than happy about a hint as to what I am doing
wrong.</tt><tt><br>
</tt><tt><br>
</tt><tt>This is what I have configured:</tt><tt><br>
</tt><tt><br>
</tt><tt>...SNIPP...</tt><tt><br>
</tt><tt>
</tt>
<tt>
</tt><tt>
</tt>
<div>
<tt><span style="color:#000000;background-color:#ffffff;">conn
home
</span></tt><tt><br>
</tt><tt> left=192.168.122.153
</tt><tt><br>
</tt><tt> leftid=carol@strongswan.org
</tt><tt><br>
</tt><tt> leftauth=eap-aka
</tt><tt><br>
</tt><tt> right=192.168.179.174
</tt><tt><br>
</tt><tt> rightikeport=6000
</tt><tt><br>
</tt><tt> rightid=@moon.strongswan.org
</tt><tt><br>
</tt><tt> rightauth=pubkey
</tt><tt><br>
</tt><tt> auto=add</tt><tt><br>
</tt></div>
<tt>
</tt><tt>...SNIPP...</tt><tt><br>
</tt><tt><br>
</tt><tt>And indeed, the eap-aka modules seem to be loaded:</tt><tt><br>
</tt><tt>
</tt>
<tt><br>
</tt><tt>...SNIPP...</tt><tt><br>
</tt><tt>
</tt>
<tt>
</tt><tt>
</tt>
<div><tt>
</tt><tt><span style="color:#000000;background-color:#ffffff;">
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4
md5 random nonce x509 revocation constraints pkcs1 pkcs7
pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink
resolve socket-default stroke updown eap-identity eap-aka
eap-aka-3gpp2 addrblock </span></tt><tt><br>
</tt><tt>Listening IP addresses:
</tt><tt><br>
</tt><tt> 192.168.122.153
</tt><tt><br>
</tt><tt>Connections:
</tt><tt><br>
</tt><tt> home: 192.168.122.153...192.168.179.174 IKEv2
</tt><tt><br>
</tt><tt> home: local: [carol@strongswan.org] uses
EAP_AKA authentication
</tt><tt><br>
</tt><tt> home: remote: [moon.strongswan.org] uses
public key authentication</tt><tt><br>
</tt><tt>...SNIPP...</tt><tt><br>
</tt><tt><br>
</tt>
<div>
<tt><span style="color:#000000;background-color:#ffffff;">Linux
strongSwan U5.1.2/K3.16.0-38-generic<br>
<br>
Best regards,<br>
Holger<br>
</span></tt></div>
</div>
<tt>
</tt><span style="font-family:monospace">
<br>
</span></div>
<pre class="moz-signature" cols="72">--
Holger Birkmeyer
Engineering
fon: +49-30-351246-95
fax: +49-30-652185-31
ng4T GmbH
Siemensdamm 50
13629 Berlin
Germany
<a class="moz-txt-link-abbreviated" href="http://www.ng4t.com">www.ng4t.com</a>
Berlin-Charlottenburg, HRB 123546
Geschäftsführer Dr. Andreas Kallmann </pre>
</body>
</html>