[strongSwan] trying to configure strongswan to act like a windows7 client

Olivier PELERIN olivier_pelerin at hotmail.com
Sun Jul 10 13:46:33 CEST 2011



I'm connecting to a Cisco router which queries for the EAP identity

The router sends:
*Jul 10 11:44:01.237: IKEv2:(SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID  Next payload: IDr, reserved: 0x0, length: 20
 IDr  Next payload: CERT, reserved: 0x0, length: 74
    Id type: DER ASN1 DN, Reserved: 0x0 0x0
 CERT  Next payload: AUTH, reserved: 0x0, length: 865
    Cert encoding X.509 Certificate - signature
 AUTH  Next payload: EAP, reserved: 0x0, length: 264
    Auth method RSA, reserved: 0x0, reserved 0x0
 EAP  Next payload: NONE, reserved: 0x0, length: 10
    Code: request: id: 59, length: 6
    Type: identity
 
and I get a NAK from the strongswan



Jul 10 13:32:26 ironmaiden charon: 13[IKE] authentication of 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with RSA signature successful
Jul 10 13:32:26 ironmaiden charon: 13[IKE] server requested EAP_IDENTITY, sending 'cisco'
Jul 10 13:32:26 ironmaiden charon: 13[IKE] EAP_IDENTITY not supported, sending EAP_NAK
Jul 10 13:32:26 ironmaiden charon: 13[IKE] reinitiating already active tasks
Jul 10 13:32:26 ironmaiden charon: 13[IKE]   IKE_AUTHENTICATE task
Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to message
Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to message
Jul 10 13:32:26 ironmaiden charon: 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
Jul 10 13:32:26 ironmaiden charon: 13[ENC] insert payload EXTENSIBLE_AUTHENTICATION to encryption payload


conn cisco
        left=10.1.1.1
        right=10.1.1.254
        keyexchange=ikev2
        ike=3des-sha1-modp1024
        esp=aes-sha1
        leftauth=eap-mschapv2
        leftid=10.1.1.1
        eap_identity=cisco
        rightsubnet=0.0.0.0/0
        auto=start
        mobike=no



This config works well with a true windows7 client.... Why is EAP-Identity not supported?


From: olivier_pelerin at hotmail.com
To: users at lists.strongswan.org
Date: Sun, 10 Jul 2011 13:06:11 +0200
Subject: Re: [strongSwan] trying to configure strongswan to act like a windows7 client








Ok I think I've found it

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/index.html

Let me play a bit



From: olivier_pelerin at hotmail.com
To: users at lists.strongswan.org
Subject: trying to configure strongswan to act like a windows7 client
Date: Sun, 10 Jul 2011 11:57:57 +0200








Hello,


I would like to emulate a windows7 ikev2 client by using strongswan. Does anyone have an idea?

Cheers,
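
Added example (not part of the original message, and not strongSwan or Cisco code): the EAP exchange seen in the two logs above, written out at byte level using the RFC 3748 packet layout, with the Identity response shown beside the NAK that charon actually sent. The request bytes are constructed from the router debug output, and the method list inside the NAK (EAP-MSCHAPv2, type 26, taken from leftauth in the config) is an assumption, since the logs do not show it.

```python
import struct

# EAP codes and method types from RFC 3748 (26 = EAP-MSCHAPv2).
REQUEST, RESPONSE = 1, 2
IDENTITY, NAK, MSCHAPV2 = 1, 3, 26
TYPE_NAMES = {IDENTITY: "identity", NAK: "nak", MSCHAPV2: "mschapv2"}


def parse_eap(data: bytes) -> dict:
    """Decode one EAP Request/Response, rejecting inconsistent lengths."""
    if len(data) < 5:
        raise ValueError("too short for an EAP request/response")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code not in (REQUEST, RESPONSE):
        raise ValueError("not a request or response")
    if length < 5 or length > len(data):
        raise ValueError("length field does not match the buffer")
    eap_type = data[4]
    return {"code": code, "id": ident, "length": length,
            "type": TYPE_NAMES.get(eap_type, eap_type),
            "data": data[5:length]}


def build_response(ident: int, eap_type: int, type_data: bytes) -> bytes:
    """Build a Response that echoes the Identifier of the request."""
    return struct.pack("!BBHB", RESPONSE, ident, 5 + len(type_data),
                       eap_type) + type_data


def identity_response(request: bytes, identity: str) -> bytes:
    """Answer an Identity request with the configured eap_identity."""
    req = parse_eap(request)
    if req["code"] != REQUEST or req["type"] != "identity":
        raise ValueError("not an Identity request")
    return build_response(req["id"], IDENTITY, identity.encode())


def nak_response(request: bytes, wanted: list) -> bytes:
    """Legacy Nak: type-data is the list of method types the peer wants."""
    return build_response(parse_eap(request)["id"], NAK, bytes(wanted))


# Constructed bytes matching the router debug: request, id 59, length 6,
# type identity. The single type-data byte (0x00) is an assumption.
ROUTER_REQUEST = bytes([REQUEST, 59, 0x00, 0x06, IDENTITY, 0x00])

if __name__ == "__main__":
    print(parse_eap(ROUTER_REQUEST))
    print(identity_response(ROUTER_REQUEST, "cisco").hex())
    print(nak_response(ROUTER_REQUEST, [MSCHAPV2]).hex())
```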
 		 	   		   		 	   		  
