[strongSwan] received EAP-AKA client error 'unable to process packet'

qiqi143 qiqi143 at 126.com
Tue Sep 6 10:25:52 CEST 2011


Hello,

I'm setting up an ikev2/rw-eap-aka-rsa tunnel between a gateway and an ARM development board running a Linux kernel.
The daemon log shows "client error 'unable to process packet'"; the board side can't log, it outputs something like a 'MAC' error...

The configuration files and error log are shown below.
BTW, I've tried the exact same configuration, and it works normally between the gateway and another Linux laptop.

I used cross-compilation to install strongSwan onto the ARM board and didn't enable the padlock option; could that be the reason?
However, it's a pity that it shows the error message "impossible constraint in 'asm'" during the 'make' phase if the padlock option is enabled.

Thanks in advance for any help.
Best Regards.
Feng

-----------#gateway#
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

strictcrlpolicy=no
plutostart=no

conn %default

ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2

conn rw-eap-aka

left=10.21.1.150
leftsubnet=192.168.1.0/24
leftid="C=CN, O=ict-gw, CN=peer"
leftcert=peerCert.der
leftauth=pubkey
leftfirewall=yes
right=%any
rightid="C=CN, O=ict-gw, CN=peer0"
rightsendcert=never
rightauth=eap-aka
auto=add

-----------#board#
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

plutostart=no

conn %default

ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2

conn home

left=10.21.1.210
leftnexthop=%direct
leftid="C=CN, O=ict-gw, CN=peer0"
leftauth=eap
leftfirewall=yes
right=10.21.1.150
rightid="C=CN, O=ict-gw, CN=peer"
rightsubnet=192.168.1.0/24
rightauth=pubkey
auto=add

-----------#gateway#
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA peerKey.der
: EAP "Ar3etTnp01qlpOgb"


-----------#board#
# /etc/ipsec.secrets - strongSwan IPsec secrets file

 : EAP "Ar3etTnp01qlpOgb"

----------#daemon log#
Sep  5 21:58:39 ubuntu charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Sep  5 21:58:39 ubuntu charon: 00[LIB] plugin 'curl' failed to load: /usr/local/lib/ipsec/plugins/libstrongswan-curl.so: cannot open shared object file: No such file or directory
Sep  5 21:58:40 ubuntu charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Sep  5 21:58:40 ubuntu charon: 00[CFG]   loaded ca certificate "C=CN, O=ict, CN=strongSwan CA" from '/usr/local/etc/ipsec.d/cacerts/caCert.pem'
Sep  5 21:58:40 ubuntu charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep  5 21:58:40 ubuntu charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep  5 21:58:40 ubuntu charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep  5 21:58:40 ubuntu charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Sep  5 21:58:40 ubuntu charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Sep  5 21:58:40 ubuntu charon: 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/peerKey.pem'
Sep  5 21:58:40 ubuntu charon: 00[CFG]   loaded EAP secret for %any
Sep  5 21:58:40 ubuntu charon: 00[KNL] listening on interfaces:
Sep  5 21:58:40 ubuntu charon: 00[KNL]   eth0
Sep  5 21:58:40 ubuntu charon: 00[KNL]     10.21.1.150
Sep  5 21:58:40 ubuntu charon: 00[KNL]     2001:cc0:2026:3:21e:68ff:fe83:faca
Sep  5 21:58:40 ubuntu charon: 00[KNL]     fe80::21e:68ff:fe83:faca
Sep  5 21:58:40 ubuntu charon: 00[KNL]   wlan0
Sep  5 21:58:40 ubuntu charon: 00[KNL]     192.168.1.102
Sep  5 21:58:40 ubuntu charon: 00[KNL]     fe80::21f:3cff:fe92:9ba6
Sep  5 21:58:40 ubuntu charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown 
Sep  5 21:58:40 ubuntu charon: 00[JOB] spawning 16 worker threads
Sep  5 21:58:40 ubuntu charon: 05[CFG] received stroke: add connection 'rw-eap-aka'
Sep  5 21:58:40 ubuntu charon: 05[CFG]   loaded certificate "C=CN, O=ict-gw, CN=peer" from 'peerCert.pem'
Sep  5 21:58:40 ubuntu charon: 05[CFG] added configuration 'rw-eap-aka'
Sep  5 21:58:40 ubuntu charon: 11[NET] received packet: from 10.21.1.210[500] to 10.21.1.150[500]
Sep  5 21:58:40 ubuntu charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep  5 21:58:40 ubuntu charon: 11[IKE] 10.21.1.210 is initiating an IKE_SA
Sep  5 21:58:40 ubuntu charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep  5 21:58:40 ubuntu charon: 11[NET] sending packet: from 10.21.1.150[500] to 10.21.1.210[500]
Sep  5 21:58:40 ubuntu charon: 12[NET] received packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
Sep  5 21:58:40 ubuntu charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep  5 21:58:40 ubuntu charon: 12[IKE] received cert request for "C=CN, O=ict, CN=strongSwan CA"
Sep  5 21:58:40 ubuntu charon: 12[CFG] looking for peer configs matching 10.21.1.150[C=CN, O=ict-gw, CN=peer]...10.21.1.210[C=CN, O=ict-gw, CN=peer0]
Sep  5 21:58:40 ubuntu charon: 12[CFG] selected peer config 'rw-eap-aka'
Sep  5 21:58:40 ubuntu charon: 12[IKE] initiating EAP_AKA method (id 0x87)
Sep  5 21:58:40 ubuntu charon: 12[IKE] peer supports MOBIKE
Sep  5 21:58:40 ubuntu charon: 12[IKE] authentication of 'C=CN, O=ict-gw, CN=peer' (myself) with RSA signature successful
Sep  5 21:58:40 ubuntu charon: 12[IKE] sending end entity cert "C=CN, O=ict-gw, CN=peer"
Sep  5 21:58:40 ubuntu charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
Sep  5 21:58:40 ubuntu charon: 12[NET] sending packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
Sep  5 21:58:40 ubuntu charon: 13[NET] received packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
Sep  5 21:58:40 ubuntu charon: 13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/AKA ]
Sep  5 21:58:40 ubuntu charon: 13[IKE] '0.1?0???U????CN1?0???U????ict-gw1?0???U????peer0' is not a reauth identity
Sep  5 21:58:40 ubuntu charon: 13[IKE] '0.1?0???U????CN1?0???U????ict-gw1?0???U????peer0' is not a pseudonym
Sep  5 21:58:40 ubuntu charon: 13[IKE] received identity '0.1?0???U????CN1?0???U????ict-gw1?0???U????peer0'
Sep  5 21:58:40 ubuntu charon: 13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/AKA ]
Sep  5 21:58:40 ubuntu charon: 13[NET] sending packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
Sep  5 21:58:40 ubuntu charon: 03[NET] received packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
Sep  5 21:58:40 ubuntu charon: 03[ENC] parsed IKE_AUTH request 3 [ EAP/RES/AKA ]
Sep  5 21:58:40 ubuntu charon: 03[IKE] received EAP-AKA client error 'unable to process packet'
Sep  5 21:58:40 ubuntu charon: 03[IKE] EAP method EAP_AKA failed for peer C=CN, O=ict-gw, CN=peer0
Sep  5 21:58:40 ubuntu charon: 03[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
Sep  5 21:58:40 ubuntu charon: 03[NET] sending packet: from 10.21.1.150[4500] to 10.21.1.210[4500]


------------#./configure options for cross-compilation/
./configure --enable-eap-aka --enable-dhcp --enable-coupling --enable-load-tester --enable-nat-transport --with-capabilities=LIBCAP --disable-pluto --enable-eap-aka-3gpp2
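Two details in the daemon log above are worth decoding by hand, and the following Python script does that. It is an added example, not code from the original post or from strongSwan. First, the identity the gateway logs ('0.1?0???U????CN1?0???U????ict-gw1?0???U????peer0') is exactly what the DER encoding of the X.500 name "C=CN, O=ict-gw, CN=peer0" looks like when its non-printable bytes are shown as '?': the board is sending its IKE identity (an ASN.1 DN) as the EAP identity, not a NAI, which is why it is neither a reauth identity nor a pseudonym. Second, "unable to process packet" is client error code 0 from RFC 4187 (EAP-AKA), carried in an EAP-Response/AKA-Client-Error packet with an AT_CLIENT_ERROR_CODE attribute; the script builds such a packet and parses it back. The DN encoder, the attribute parser and the sample packet are all constructed here; the EAP identifier 0x87 is taken from the log line "initiating EAP_AKA method (id 0x87)" and is assumed to be the EAP identifier.

```python
"""Decode two clues from the charon log: the garbled EAP identity and the
EAP-AKA Client-Error code. Constants follow RFC 4187; all sample data is
constructed in this file (not captured from the original poster's setup)."""
import struct

# --- (1) A DER-encoded X.500 DN rendered as text ------------------------------
# OIDs for the attribute types used in the poster's certificates.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}


def der_tlv(tag, body):
    """Minimal DER TLV; short-form length is enough for DNs under 128 bytes."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def der_dn(rdns):
    """Encode [('C', 'CN'), ...] as a DER Name:
    SEQUENCE { SET { SEQUENCE { OID, PrintableString } } ... }"""
    sets = b""
    for attr, value in rdns:
        atv = der_tlv(0x30, der_tlv(0x06, OIDS[attr]) +
                      der_tlv(0x13, value.encode("ascii")))
        sets += der_tlv(0x31, atv)
    return der_tlv(0x30, sets)


def as_log_text(data):
    """Show non-printable bytes as '?', the way they appear in the log."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else "?" for b in data)


# --- (2) EAP-AKA Client-Error packet (RFC 4187, sections 8.1 and 9.9) -------
EAP_RESPONSE, EAP_TYPE_AKA = 2, 23
SUBTYPE_CLIENT_ERROR = 14
AT_CLIENT_ERROR_CODE = 22
CLIENT_ERROR_TEXT = {
    0: "unable to process packet",
    1: "unsupported version",
    2: "insufficient number of challenges",
    3: "RANDs are not fresh",
}


def build_client_error(identifier, code):
    """EAP-Response/AKA-Client-Error carrying one AT_CLIENT_ERROR_CODE."""
    # Attribute: type, length in 4-byte units, 2-byte error code.
    attr = struct.pack("!BBH", AT_CLIENT_ERROR_CODE, 1, code)
    # EAP-AKA header: type 23, subtype, 2 reserved bytes.
    body = struct.pack("!BBH", EAP_TYPE_AKA, SUBTYPE_CLIENT_ERROR, 0) + attr
    # EAP header: code, identifier, total length.
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def parse_eap_aka(pkt):
    """Parse the EAP and EAP-AKA headers and the attribute TLV list."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 8 or pkt[4] != EAP_TYPE_AKA:
        raise ValueError("not a well-formed EAP-AKA packet")
    subtype = pkt[5]
    attrs, off = {}, 8
    while off < length:
        atype, alen = pkt[off], pkt[off + 1] * 4
        if alen == 0 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = pkt[off + 2:off + alen]
        off += alen
    return {"code": code, "id": ident, "subtype": subtype, "attrs": attrs}


def client_error_text(pkt):
    """Return the RFC 4187 text for a Client-Error packet, else None."""
    p = parse_eap_aka(pkt)
    if p["subtype"] != SUBTYPE_CLIENT_ERROR or \
            AT_CLIENT_ERROR_CODE not in p["attrs"]:
        return None
    err = struct.unpack("!H", p["attrs"][AT_CLIENT_ERROR_CODE][:2])[0]
    return CLIENT_ERROR_TEXT.get(err, "unknown (%d)" % err)


if __name__ == "__main__":
    dn = der_dn([("C", "CN"), ("O", "ict-gw"), ("CN", "peer0")])
    print("EAP identity as logged:", as_log_text(dn))
    pkt = build_client_error(0x87, 0)       # identifier assumed from the log
    print("client error:", client_error_text(pkt), "(%d bytes)" % len(pkt))
```

The first output line reproduces the logged identity byte for byte, which tells you the board has no separate EAP identity configured and is falling back to its IKE DN. The Client-Error the gateway received is only 12 bytes and carries nothing beyond the generic code 0, so the reason the board rejected the AKA-Challenge (the 'MAC' message on its console) has to be read on the board side, not from the gateway log.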