[strongSwan-dev] problem with local authentication method as NONE

Martin Willi martin at strongswan.org
Fri Jul 25 09:24:43 CEST 2014


> Came across a scenario, where remote authentication method is configured
> CERTIFICATE and local authentication method is not configured on GW. In
> this case whenever GW receives valid IKE_AUTH request with valid
> CERTIFICATE , it is responding back with IKE_AUTH response having
> AUTH_PAYLOAD with "auth method" set to "Shared Key Message Integrity Code"
> and the value as "NULL". The value is NULL because GW doesn't have "shared
> secret".

Are both hosts running strongSwan? Can you provide some logs and

> As per my analysis RFC 5996 doesn't talk about how to handle this scenario.
> Please let me know whether this is the accepted way to handle this
> scenario, or any different way is there.

With IKEv2 "local authentication method is not configured" does not
work, as the used method is selected based on the configuration only.
Probably the IKE daemon should implicitly select a default method,
reject such configurations or return AUTHENTICATION_FAILED.


More information about the Dev mailing list