[strongSwan] EAP-AKA authentication without certificate request.
Jessie Liu
iamnotjessie at yahoo.com.tw
Thu Oct 14 12:26:03 CEST 2010
Hi all,
I'm trying to do EAP-AKA authentication without the responder's certificate.
I am acting as a client and initiate EAP-AKA authentication to a server.
I found the CERTREQ in the IKE_AUTH request 1 message.
Is there any setting in ipsec.conf or any other configuration file to include or not include
CERTREQ in the IKE_AUTH request 1 message?
If CERTREQ is included, and the responder does not carry CERT in the IKE_AUTH response, some error happens.
I have to set expect_another_auth to FALSE instead of TRUE when initializing in ike_auth_create() because
the error is "responder is not allowed to do EAP" in process_i() in ike_auth.c.
After this, another error, "selected peer config 'conn' inacceptable", occurred.
So I removed update_cfg_candidates() in process_i() in ike_auth.c to avoid the problem.
After this, the procedure "generating CREATE_CHILD_SA request 4 [ SA No TSi TSr ]" happened.
Could anyone explain the relationships among all the modifications I made?
Thanks in advance!
Here is the ipsec.conf:
config setup
    plutostart=no
    charondebug="knl 3, ike 3, lib 3"

conn %default
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no
    dpdaction=restart

conn conn
    left=172.23.3.3
    leftid="adb at ttt.com"
    leftauth=eap
    leftsourceip=192.168.1.5
    right=172.23.3.4
    rightsubnet=0.0.0.0/0
    auto=add