[strongSwan] Help regarding eap-sim-pcsc plugin of Strongswan

Deepika Agarwal deepi7.agarwal at gmail.com
Tue Jan 10 08:08:37 CET 2012


Hi Alan,

I was trying to use the eap-sim-pcsc plugin of strongSwan and am facing some
issues while testing it. I came across one of your threads on the strongSwan
mailing list where you mentioned that you used this plugin. I am stuck at one
of the parts and am getting the following error on the client side:


<<
root at ubuntu5-desktop:/home/ubuntu5# ipsec up android
initiating IKE_SA android[2] to 192.168.1.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.8[500] to 192.168.1.154[500]
received packet: from 192.168.1.154[500] to 192.168.1.8[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
sending cert request for "C=UK, CN=nits"
establishing CHILD_SA android
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=UK, CN=nits"
  using certificate "C=UK, CN=nits"
  using trusted ca certificate "C=UK, CN=nits"
checking certificate status of "C=UK, CN=nits"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of '192.168.1.154' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending '9404118100734530'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 2 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
root at ubuntu5-desktop:/home/ubuntu5# ipsec up android
initiating IKE_SA android[3] to 192.168.1.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.8[500] to 192.168.1.154[500]
received packet: from 192.168.1.154[500] to 192.168.1.8[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
sending cert request for "C=UK, CN=nits"
establishing CHILD_SA android
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=UK, CN=nits"
  using certificate "C=UK, CN=nits"
  using trusted ca certificate "C=UK, CN=nits"
checking certificate status of "C=UK, CN=nits"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of '192.168.1.154' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending '9404118100734530'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/SIM ]
server requested EAP_SIM authentication (id 0xCA)
generating IKE_AUTH request 3 [ EAP/RES/SIM ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 3 [ EAP/REQ/SIM ]
*EAP_SIM MAC verification failed*
sending client error 'unable to process packet'
generating IKE_AUTH request 4 [ EAP/RES/SIM ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 4 [ EAP/FAIL ]
*received EAP_FAILURE, EAP authentication failed*
root at ubuntu5-desktop:/home/ubuntu5#
>>>

I was wondering if you could suggest whether I'm missing something while testing
the plugin. My main doubts are:

1) Whether the eap-sim-pcsc plugin supports SIM card based authentication.
If yes, then what should be the format of the username and keys that need to be
stored on the RADIUS server?
2) Are there any other dependencies for using this plugin?

Thanks
Deepika
-- 
If you think you can or if you think you can't, you are right.
-Henry Ford