[strongSwan] [Strongswan] Authentication based on X.509 using DN identification has failed and getting errors

SaRaVanAn saravanan.nagarajan87 at gmail.com
Fri Nov 2 11:15:53 CET 2012

Hi Tobias,
    I compared the IKE_AUTH messages of the following topology
"strongswan(Client) - strongswan(server)" and "strongswan(client) -
Netgear(server)" in order to narrow down the problem.

I  could see in "strongswan - strongswan" scenario , server is sending IDr
payload in IKE_AUTH message , so Authenticating is success when we have
strongswan as peer with identification as DN.

But in Netgear, its not sending IDr payload, so Authentication fails with
strongswan in case of DN identification.

But according to RFC 4306, IDr payload is optional

" The initiator asserts its identity with the IDi payload, proves
   knowledge of the secret corresponding to IDi and integrity protects
   the contents of the first message using the AUTH payload (see section
   2.15).  It might also send its certificate(s) in CERT payload(s) and
   a list of its trust anchors in CERTREQ payload(s).  If any CERT
   payloads are included, the first certificate provided MUST contain
   the public key used to verify the AUTH field.  The optional payload
   IDr enables the initiator to specify which of the responder's
   identities it wants to talk to.  This is useful when the machine on
   which the responder is running is hosting multiple identities at the
   same IP address.  The initiator begins negotiation of a CHILD_SA"
   using the SAi2 payload"

So, I guess negotiation should not fail based on this in Strongswan.
Please provide your inputs on this.

Saravanan N

On Thu, Nov 1, 2012 at 3:55 AM, SaRaVanAn
<saravanan.nagarajan87 at gmail.com>wrote:

> Hi Tobias,
>    I have attached decoded IKEV2 AUTH packet for your reference. It seems
> ,Client is sending a valid identity payload with identification data to
> strongswan.
> But Strongswan is showing client identification information as NULL in the
> logs and sending authentication failure payload.
> Please help me to solve this problem.
> Regards,
> Saravanan N
> On Thu, Oct 4, 2012 at 5:33 PM, Tobias Brunner <tobias at strongswan.org>wrote:
>> Hi,
>> > Oct  1 14:42:26 localhost charon: 13[ENC] parsed IKE_AUTH request 1 [
>> > ...
>> > Oct  1 14:42:26 localhost charon: 13[CFG] looking for peer configs
>> > matching[%any]...[]
>> Your client seemed have sent an empty IDi payload (seen as [] above),
>> which will not match with the config where you configured
>> > conn site-site
>> >     ...
>> >     rightid="C=CH, O=strongswan, CN=iss"
>> >     ...
>> What did you configure on the client?
>> Regards,
>> Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121102/49c65465/attachment.html>

More information about the Users mailing list