[strongSwan] trying to configure strongswan to act like a windows7 client

Andreas Steffen andreas.steffen at strongswan.org
Sun Jul 10 21:47:36 CEST 2011


Hello Olivier,

you must enable and load the eap-identity module:

   ./configure --enable-eap-identity --enable-eap-mschapv2

After starting strongSwan the command

   ipsec statusall

should list the eap-identity and eap-mschapv2 plugins.

Regards

Andreas

On 07/10/2011 01:46 PM, Olivier PELERIN wrote:
>
> I'm connecting to a Cisco router which queries for the EAP identity
>
> The router sends:
> *Jul 10 11:44:01.237: IKEv2:(SA ID = 1):Building packet for encryption.
> Payload contents:
> VID Next payload: IDr, reserved: 0x0, length: 20
> IDr Next payload: CERT, reserved: 0x0, length: 74
> Id type: DER ASN1 DN, Reserved: 0x0 0x0
> CERT Next payload: AUTH, reserved: 0x0, length: 865
> Cert encoding X.509 Certificate - signature
> AUTH Next payload: EAP, reserved: 0x0, length: 264
> Auth method RSA, reserved: 0x0, reserved 0x0
> EAP Next payload: NONE, reserved: 0x0, length: 10
> Code: request: id: 59, length: 6
> Type: identity
>
> and I get a NAK from the strongswan
>
>
>
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] authentication of
> 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with RSA signature successful
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] server requested
> EAP_IDENTITY, sending 'cisco'
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] EAP_IDENTITY not supported,
> sending EAP_NAK
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] reinitiating already active tasks
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] IKE_AUTHENTICATE task
> Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type
> EXTENSIBLE_AUTHENTICATION to message
> Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type
> EXTENSIBLE_AUTHENTICATION to message
> Jul 10 13:32:26 ironmaiden charon: 13[ENC] generating IKE_AUTH request 2
> [ EAP/RES/NAK ]
> Jul 10 13:32:26 ironmaiden charon: 13[ENC] insert payload
> EXTENSIBLE_AUTHENTICATION to encryption payload
>
>
> conn cisco
>     left=10.1.1.1
>     right=10.1.1.254
>     keyexchange=ikev2
>     ike=3des-sha1-modp1024
>     esp=aes-sha1
>     leftauth=eap-mschapv2
>     leftid=10.1.1.1
>     eap_identity=cisco
>     rightsubnet=0.0.0.0/0
>     auto=start
>     mobike=no
>
>
>
> This config works well with a true windows7 client.... Why is EAP-Identity
> not supported?
>
>
> ------------------------------------------------------------------------
> From: olivier_pelerin at hotmail.com
> To: users at lists.strongswan.org
> Date: Sun, 10 Jul 2011 13:06:11 +0200
> Subject: Re: [strongSwan] trying to configure strongswan to act like a
> windows7 client
>
> Ok I think I've found it
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/index.html
>
> Let me play a bit
>
>
>
> ------------------------------------------------------------------------
> From: olivier_pelerin at hotmail.com
> To: users at lists.strongswan.org
> Subject: trying to configure strongswan to act like a windows7 client
> Date: Sun, 10 Jul 2011 11:57:57 +0200
>
> Hello,
>
>
> I would like to emulate a windows7 ikev2 client by using strongswan.
> Does anyone have an idea?
>
> Cheers,

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
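
The failure in this thread (charon answers the router's EAP identity request with EAP_NAK because the matching plugin is not loaded) can be checked mechanically against the `loaded plugins:` line of `ipsec statusall`. The script below is an added example, not code from the thread or from the strongSwan project; the function names, the EAP_X to eap-x name mapping and the sample plugin line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not strongSwan's own tooling.

# Read charon log text on stdin and print one plugin name per EAP method
# that charon rejected with EAP_NAK. Assumption: the plugin name is the
# logged method name lower-cased with '_' replaced by '-', which holds for
# EAP_IDENTITY -> eap-identity and EAP_MSCHAPV2 -> eap-mschapv2.
naked_eap_plugins() {
    sed -n 's/.*\[IKE] \(EAP_[A-Z0-9_]*\) not supported.*/\1/p' |
        tr 'A-Z_' 'a-z-' | sort -u
}

# $1 = text of `ipsec statusall`; remaining arguments = required plugins.
# Print every required plugin absent from the "loaded plugins:" line(s).
missing_plugins() {
    loaded=$(printf '%s\n' "$1" |
        sed -n 's/^ *loaded plugins: *//p' | tr '\n' ' ')
    shift
    for p in "$@"; do
        case " $loaded " in
            *" $p "*) ;;                  # plugin is loaded
            *) printf '%s\n' "$p" ;;      # plugin is missing
        esac
    done
}

# $1 = log text, $2 = statusall text. Prints the plugins that caused a NAK
# and are still not loaded; empty output means the fix has taken effect.
check() {
    # Unquoted on purpose: one argument per plugin name.
    missing_plugins "$2" $(printf '%s\n' "$1" | naked_eap_plugins)
}

# Constructed sample input: the two relevant charon lines from the thread
# (unwrapped), and a made-up plugin line that lacks eap-identity.
SAMPLE_LOG="Jul 10 13:32:26 ironmaiden charon: 13[IKE] server requested EAP_IDENTITY, sending 'cisco'
Jul 10 13:32:26 ironmaiden charon: 13[IKE] EAP_IDENTITY not supported, sending EAP_NAK"
SAMPLE_STATUS="Status of IKEv2 charon daemon (constructed sample):
  loaded plugins: aes des sha1 sha2 md5 random x509 pubkey hmac stroke kernel-netlink eap-mschapv2"

for p in $(check "$SAMPLE_LOG" "$SAMPLE_STATUS"); do
    echo "not loaded: $p (rebuild with ./configure --enable-$p)"
done
```

On a live system, pass the real log and `"$(ipsec statusall)"` to `check` instead of the sample variables.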



