[strongSwan] received EAP-AKA client error 'unable to processpacket'

qiqi143 qiqi143 at 126.com
Tue Sep 6 16:12:26 CEST 2011 

Hi Martin,

Thanks for your timely reply,

>A more complete log from the board would really help. 

I attached the board side log as below, it's not so detailed...
I hope it can do a little help.

--------#bash output#
Starting strongSwan 4.5.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
root at picopc7802:/usr/local/etc/ipsec.d/cacerts# ipsec up home
initiating IKE_SA home[1] to 10.21.1.150
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.21.1.210[500] to 10.21.1.150[500]
received packet: from 10.21.1.150[500] to 10.21.1.210[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
sending cert request for "C=CN, O=ict, CN=strongSwan CA"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
received packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
received end entity cert "C=CN, O=ict-gw, CN=peer"
using certificate "C=CN, O=ict-gw, CN=peer"
using trusted ca certificate "C=CN, O=ict, CN=strongSwan CA"
checking certificate status of "C=CN, O=ict-gw, CN=peer"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'C=CN, O=ict-gw, CN=peer' with RSA signature successful
server requested EAP_AKA authentication (id 0xBC)
generating IKE_AUTH request 2 [ EAP/RES/AKA ]
sending packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
received packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]
EAP_AKA MAC verification failed
sending client error 'unable to process packet'
generating IKE_AUTH request 3 [ EAP/RES/AKA ]
sending packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
received packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
parsed IKE_AUTH response 3 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed

----------#log on board#
Sep 6 19:47:00 picopc7802 authpriv.warn ipsec_starter[426]: chaRnot flush IPsec state/policy database
Sep 6 19:47:00 picopc7802 authpriv.warn ipsec_ authpriv.warn ipsec_starter[451]: !! http://wiki.rongswan.org/projects/strongswan/wiki/PluginLoad
Sep 6 19:47:03 picopc7802 daemon.info charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Sep 6 19:47:03 picopc7802 daemon.info charon: 00[LIB] plugin 'curl' failed to load: /usr/local/lib/ipsec/plugin '/usr/l/etc/ipsec.d/cacerts/caCert.pem'
Sep 6 19:47:04 picopc7802 daemon.info charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep 6 19:47:04 picopc7802 daemon.info charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.dpts'
Sep 6 19:47:04 picopc7802 daemon.info charon: 00[CFG] loaded EAP secret for %any
Sep 6 19:47:04 picopc7802 daemon s: 19:47:04 picopc7802 daemon.info charon: 00[KNL] eth0
Sep 19:47:04 picopc7802 daemon.info charon: 00[NET] could not open IPv6 socket, IPv6 disabled
Sep 6 19:47:04 picopc7802 daemon.info charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka:06 picopc7802 daemon.info charon: 1 receistroke: initiate 'home'
Sep 6 19:47:06 picopc7802 daemon.info charon: 13[IKE] initiating IKE_SA home[1] to 10.21.1.150
Sep 6 19:47:06 picopc7802 authpriv.info charon: 130.21.500] to 10.21.1.210[500]
Sep 6 19:47:07 picopc7802 daemon.info charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA p07 pico802 .info charon: 15[IKE] sending cert request for "C=CN07 picopc7802 daemon.info charon: 15[NET] sending packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
Sep 6 19:47:07 picopc7802 daemon.info charon: 07[NET] received packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
Sep 6 19:47:07 picopc7802 daemon.info charon: 07[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
Sep 6 19:47:07 picop 19:picopc7802 daemon.info charon: 07[CFG] checkingifaCgw, CN=r"
Sep 6 19:47:07 picopc7802 daemon.info charon: 07[CFG] certificate status is not available
Sep 6 19:47:07 picopc7802 daemon.info charon: 07[CFG] reached self-signed root ca with a path length of 0
Seaemon.charon: 07[NET] sending packet: from 10.21.1.2t.21.1.1500] to 10.21.1.210[4500]
7ceived pet: from 10.21.1.150[4500] to 10.21.1.210[4500]
Sep 0802 daemoninfo charon: 12[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
Sep 6 19:47:07 picopc7802 daemon.info charon: 12[IKE] received EAP_FAILURE, EAP authentication failed


2011-09-06 



qiqi143 



发件人: Martin Willi 
发送时间: 2011-09-06  17:19:33 
收件人: qiqi143 
抄送: users 
主题: Re: [strongSwan] received EAP-AKA client error 'unable to processpacket' 
 
Hi,
> daemon log shows "client error 'unable to process packet'", board side
> cann't log, it outputs something like 'MAC' error...
The error condition occurs on your board, probably because the MAC
calculated for authentication does not match. A more complete log from
the board would really help. Either your secrets don't match or maybe
there is a bug in the AKA algorithm on your platform.
> I used cross-compilation to install strongswan onto the arm board, and
> didn't enable padlock option, could that be the reason?
> however, it's a pity that it'll show error message "impossible
> constraint in 'asm'" during 'Make' phase if padlock option enabled.
Padlock is a crypto plugin for VIA x86 processors, it does not work on
ARM.
Regards
Martin
.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110906/bd71d6a4/attachment.html>

More information about the Users mailing list