[strongSwan-dev] problem with local authentication method as NONE

Martin Willi martin at strongswan.org
Fri Jul 25 09:24:43 CEST 2014


Hi,

> Came across a scenario, where remote authentication method is configured
> CERTIFICATE and local authentication method is not configured on GW. In
> this case whenever GW receives valid IKE_AUTH request with valid
> CERTIFICATE, it is responding back with IKE_AUTH response having
> AUTH_PAYLOAD with "auth method" set to "Shared Key Message Integrity Code"
> and the value as "NULL". The value is NULL because GW doesn't have "shared
> secret".

Are both hosts running strongSwan? Can you provide some logs and
configurations?

> As per my analysis RFC 5996 doesn't talk about how to handle this scenario.
> Please let me know whether this is the accepted way to handle this
> scenario, or any different way is there.

With IKEv2 "local authentication method is not configured" does not
work, as the used method is selected based on the configuration only.
Probably the IKE daemon should implicitly select a default method,
reject such configurations or return AUTHENTICATION_FAILED.

Regards
Martin
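
A peer-side check for the AUTH payload described in this thread, as an added example that is not part of the original message and is not strongSwan code: it parses an IKEv2 AUTH payload using the RFC 5996 section 3.8 layout and reports a method that differs from the one local policy expects, or authentication data that is missing. Reading the reported "NULL" value as empty or all-zero data is an assumption, and the function names and sample payloads are constructed for illustration.

```python
import struct

# Auth Method values defined in RFC 5996, section 3.8
AUTH_METHODS = {1: "RSA Digital Signature",
                2: "Shared Key Message Integrity Code",
                3: "DSS Digital Signature"}

def build_auth_payload(method: int, auth_data: bytes) -> bytes:
    """Constructed sample input: generic payload header + AUTH body."""
    header = struct.pack("!BBH", 0, 0, 8 + len(auth_data))
    return header + bytes([method]) + b"\x00\x00\x00" + auth_data

def parse_auth_payload(payload: bytes):
    """Return (auth_method, auth_data) from one AUTH payload."""
    if len(payload) < 8:
        raise ValueError("shorter than the fixed AUTH headers")
    _next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length < 8 or length > len(payload):
        raise ValueError("inconsistent payload length field")
    # Byte 4 is the Auth Method, bytes 5-7 are RESERVED.
    return payload[4], payload[8:length]

def check_peer_auth(payload: bytes, expected_method: int):
    """Return the reasons to reject the peer's AUTH payload (empty = accept)."""
    try:
        method, auth_data = parse_auth_payload(payload)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    problems = []
    if method != expected_method:
        got = AUTH_METHODS.get(method, f"unknown ({method})")
        want = AUTH_METHODS.get(expected_method, str(expected_method))
        problems.append(f"peer used '{got}', policy expects '{want}'")
    # Assumption: the "NULL" value in the report means empty or all-zero data.
    if not any(auth_data):
        problems.append("authentication data is empty or all zero")
    return problems

if __name__ == "__main__":
    # Constructed case: policy expects a certificate (RSA signature), the
    # peer answers with Shared Key MIC and no authentication data.
    for reason in check_peer_auth(build_auth_payload(2, b""), expected_method=1):
        print("reject:", reason)
```

A non-empty result corresponds to failing the exchange with AUTHENTICATION_FAILED rather than accepting the peer.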