[strongSwan] IKEv2 Auth Data Calculation

Martin Willi martin at strongswan.org
Wed Nov 21 15:10:10 CET 2012


Hi,

Please try to keep the discussion on the mailing list.

> looking for peer configs matching 10.1.1.20[%any]...10.1.1.50[122.122.122.122]
> no matching peer config found
> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

> Auth Payload is calculated using 122.122.122.122. But actual
> configuration in strongswan is for 10.1.1.50 (Initiator).

Your configuration does not match the received ID payload. As no
configuration is available for this peer, AUTH_FAILED is sent.

> No. PSK is only defined for 10.1.1.50.

And of course you need a matching PSK.

> Then what will happen in case of NAT? And what purpose does the ID
> payload actually serve?

The ID payload is not strictly bound to any IP address, and there are
other forms of ID payloads (email, fqdn, DN). In fact, using an IP
address as ID payload in NAT situations is at least confusing. The ID
payload is used to look up entries in the PAD, as discussed in RFC 4301.

> "The recipients of messages 3 and 4 MUST verify that all signatures
> and MACs are computed correctly and that the names in the ID payloads 
> correspond to the keys used to generate the AUTH payload."

This requirement appeared in RFC 4306, but is not included anymore in
RFC 5996.

The second part of this sentence does not make much sense to me. IDs do
not correspond to keys for generating the AUTH payload. Instead, the key
to generate the AUTH payload is derived from different information,
which includes the exchanged ID payloads.

Regards
Martin
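Worked example added below this mail (it is neither Martin's code nor strongSwan's): the PSK-based AUTH computation from RFC 5996 section 2.15, showing why the ID payload matters for the AUTH value. The signed octets are RealMessage1 | NonceRData | MACedIDForI with MACedIDForI = prf(SK_pi, RestOfInitIDPayload), and AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), signed octets). Assumptions: the negotiated PRF is PRF_HMAC_SHA2_256, and the PSK, SK_pi, message and nonce bytes are constructed sample values rather than anything captured from the thread's exchange. Running it with the two addresses from the thread shows that the same PSK yields different AUTH values for ID 10.1.1.50 and ID 122.122.122.122, so the responder has to select the PSK using the ID actually received and verify against that ID.

```python
import hmac
import hashlib
import ipaddress

# Identification Type values from RFC 5996, section 3.5
ID_IPV4_ADDR = 1
ID_FQDN = 2

# RFC 5996, section 2.15: 17 ASCII characters, no trailing NUL
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """Assumed negotiated PRF: PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def encode_id(id_type: int, id_data: bytes) -> bytes:
    """RestOfInitIDPayload / RestOfRespIDPayload: the ID payload without its
    generic payload header, i.e. ID Type | RESERVED (3 octets) | Identification Data."""
    return bytes([id_type]) + b"\x00\x00\x00" + id_data


def ipv4_id(addr: str) -> bytes:
    """ID_IPV4_ADDR body for a dotted-quad address."""
    return encode_id(ID_IPV4_ADDR, ipaddress.IPv4Address(addr).packed)


def fqdn_id(name: str) -> bytes:
    """ID_FQDN body for a host name."""
    return encode_id(ID_FQDN, name.encode("ascii"))


def signed_octets(real_message: bytes, peer_nonce: bytes, sk_p: bytes, rest_of_id: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI,
    with MACedIDForI = prf(SK_pi, RestOfInitIDPayload). The responder's octets
    are built the same way from RealMessage2, NonceIData and SK_pr."""
    return real_message + peer_nonce + prf(sk_p, rest_of_id)


def psk_auth(psk: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)"""
    return prf(prf(psk, KEY_PAD), octets)


def compute_auth(psk, sk_p, real_message, peer_nonce, rest_of_id) -> bytes:
    return psk_auth(psk, signed_octets(real_message, peer_nonce, sk_p, rest_of_id))


def verify_auth(received, psk, sk_p, real_message, peer_nonce, rest_of_id) -> bool:
    """Recompute AUTH with the PSK selected for the received ID; constant-time compare."""
    expected = compute_auth(psk, sk_p, real_message, peer_nonce, rest_of_id)
    return hmac.compare_digest(received, expected)


# Constructed sample inputs (not captured from a real exchange)
PSK = b"constructed-sample-psk"
SK_PI = hashlib.sha256(b"constructed SK_pi").digest()
REAL_MESSAGE1 = b"constructed IKE_SA_INIT request, header included"
NONCE_R = b"constructed responder nonce"


def demo() -> dict:
    """Same PSK, message and nonce; only the initiator's ID payload differs."""
    auth_inner = compute_auth(PSK, SK_PI, REAL_MESSAGE1, NONCE_R, ipv4_id("10.1.1.50"))
    auth_nat = compute_auth(PSK, SK_PI, REAL_MESSAGE1, NONCE_R, ipv4_id("122.122.122.122"))
    return {
        "auth_10.1.1.50": auth_inner.hex(),
        "auth_122.122.122.122": auth_nat.hex(),
        "differ": auth_inner != auth_nat,
        # verification only succeeds against the ID the initiator actually sent
        "verify_with_sent_id": verify_auth(auth_nat, PSK, SK_PI, REAL_MESSAGE1, NONCE_R,
                                           ipv4_id("122.122.122.122")),
        "verify_with_other_id": verify_auth(auth_nat, PSK, SK_PI, REAL_MESSAGE1, NONCE_R,
                                            ipv4_id("10.1.1.50")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the configuration in the thread: if the PAD (the peer config plus its PSK) is keyed on 10.1.1.50 but the initiator sends ID 122.122.122.122, the responder finds no entry, so it cannot even attempt verification and answers with AUTH_FAILED; the fix is to make the configured identity and the sent ID agree, which is one reason an FQDN or key-id identity is less fragile than an IP address behind NAT.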
