[strongSwan] [Strongswan] Authentication based on X.509 using DN identification has failed and getting errors
saravanan.nagarajan87 at gmail.com
Fri Nov 2 11:15:53 CET 2012
I compared the IKE_AUTH messages of the following topology
"strongswan(Client) - strongswan(server)" and "strongswan(client) -
Netgear(server)" in order to narrow down the problem.
I could see in "strongswan - strongswan" scenario , server is sending IDr
payload in IKE_AUTH message , so Authenticating is success when we have
strongswan as peer with identification as DN.
But in Netgear, its not sending IDr payload, so Authentication fails with
strongswan in case of DN identification.
But according to RFC 4306, IDr payload is optional
" The initiator asserts its identity with the IDi payload, proves
knowledge of the secret corresponding to IDi and integrity protects
the contents of the first message using the AUTH payload (see section
2.15). It might also send its certificate(s) in CERT payload(s) and
a list of its trust anchors in CERTREQ payload(s). If any CERT
payloads are included, the first certificate provided MUST contain
the public key used to verify the AUTH field. The optional payload
IDr enables the initiator to specify which of the responder's
identities it wants to talk to. This is useful when the machine on
which the responder is running is hosting multiple identities at the
same IP address. The initiator begins negotiation of a CHILD_SA"
using the SAi2 payload"
So, I guess negotiation should not fail based on this in Strongswan.
Please provide your inputs on this.
On Thu, Nov 1, 2012 at 3:55 AM, SaRaVanAn
<saravanan.nagarajan87 at gmail.com>wrote:
> Hi Tobias,
> I have attached decoded IKEV2 AUTH packet for your reference. It seems
> ,Client is sending a valid identity payload with identification data to
> But Strongswan is showing client identification information as NULL in the
> logs and sending authentication failure payload.
> Please help me to solve this problem.
> Saravanan N
> On Thu, Oct 4, 2012 at 5:33 PM, Tobias Brunner <tobias at strongswan.org>wrote:
>> > Oct 1 14:42:26 localhost charon: 13[ENC] parsed IKE_AUTH request 1 [
>> > IDi CERT CERTREQ AUTH SA TSi TSr ]
>> > ...
>> > Oct 1 14:42:26 localhost charon: 13[CFG] looking for peer configs
>> > matching 22.214.171.124[%any]...126.96.36.199
>> Your client seemed have sent an empty IDi payload (seen as  above),
>> which will not match with the config where you configured
>> > conn site-site
>> > ...
>> > rightid="C=CH, O=strongswan, CN=iss"
>> > ...
>> What did you configure on the client?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users