[strongSwan] Enforcing multiple-authentication locally when the remote does not

Graham Hudspith graham.hudspith at gmail.com
Mon Feb 25 18:20:01 CET 2013


Hi All,

I've been playing about with "multiple-authentication exchanges" (see RFC
4739).

I've configured the local machine to expect to perform certs authentication
followed by EAP-AKA.

If I configure the remote to expect the same, the tunnel comes up just as
expected. Good.

If I then configure the remote to expect certs authentication only, it
rejects the tunnel setup when the local end attempts the EAP-AKA round
("peer requested EAP, config inacceptable"). Also good.

If I then configure the remote to expect certs authentication only *and* to
not advertise that it supports multiple-authentication exchanges (by
setting charon.multiple_authentication to "no" in strongswan.conf), then
the tunnel comes up. Not as expected. Not good.

So, in the second scenario, the remote (by default) sends the "multiple
auth supported" flag in the IKE_SA_INIT response, the local sends both
the "multiple auth supported" and "another auth follows" flags in the first
IKE_AUTH request and after the second IKE_AUTH request (starting the
EAP-AKA round), the remote end rejects the tunnel attempt because it is not
expecting multiple-authentication exchanges.

In the third scenario, the remote no longer sends the "multiple auth
supported" flag in the IKE_SA_INIT response, the local also does not send
the "multiple auth supported" in the first IKE_AUTH request, the remote is
happy with just the certs-only authentication and the local does not object
either.

Is this correct behaviour?

Is there any way to configure the local end to demand that
multiple-authentication exchanges take place and to reject the tunnel if
the remote does not?

Regards,


Graham.
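For reference, the three set-ups described in the message above, written out as an added configuration example (this is not part of the original post and not taken from the strongSwan documentation). It assumes strongSwan 5.x ipsec.conf/strongswan.conf syntax; the option names (leftauth, leftauth2, rightauth, rightauth2, charon.multiple_authentication) are real strongSwan options, while hostnames, identities and certificate file names are placeholders. In IKEv2 only the initiator authenticates with EAP, so the EAP-AKA round appears as leftauth2 on the initiating (local) side and as rightauth2 on the responding (remote) side.

```conf
# --- Local end (initiator), identical in all three scenarios ---
# ipsec.conf: certificate authentication followed by a second EAP-AKA round
# (RFC 4739 multiple authentication).  The local end will send the
# MULTIPLE_AUTH_SUPPORTED notify in IKE_SA_INIT/IKE_AUTH and, when the peer
# also advertised it, ANOTHER_AUTH_FOLLOWS after the certificate round.
conn to-remote
    keyexchange=ikev2
    left=%defaultroute
    leftid=@local.example.org          # placeholder
    leftcert=localCert.pem             # placeholder
    leftauth=pubkey                    # first authentication round
    leftauth2=eap-aka                  # second authentication round
    right=remote.example.org           # placeholder
    rightid=@remote.example.org        # placeholder
    rightauth=pubkey                   # remote authenticates with its cert only
    auto=start

# --- Remote end (responder), scenario 1: expects both rounds (tunnel up) ---
conn from-local
    keyexchange=ikev2
    left=%defaultroute
    leftid=@remote.example.org
    leftcert=remoteCert.pem
    leftauth=pubkey
    right=%any
    rightauth=pubkey                   # first round: peer certificate
    rightauth2=eap-aka                 # second round: EAP-AKA
    auto=add

# --- Remote end, scenario 2: certificate only, multiple auth still advertised ---
# charon.multiple_authentication stays at its default (yes), so the remote
# sends MULTIPLE_AUTH_SUPPORTED but then has no rightauth2 to satisfy the
# peer's second round and rejects it ("peer requested EAP, config inacceptable").
conn from-local
    keyexchange=ikev2
    left=%defaultroute
    leftid=@remote.example.org
    leftcert=remoteCert.pem
    leftauth=pubkey
    right=%any
    rightauth=pubkey                   # no rightauth2: one round only
    auto=add

# --- Remote end, scenario 3: same conn as scenario 2, plus in strongswan.conf ---
# With the notify suppressed, neither side ever announces multiple
# authentication and the exchange completes after the certificate round.
charon {
    multiple_authentication = no       # do not send MULTIPLE_AUTH_SUPPORTED
}
```

The difference between scenarios 2 and 3 is entirely in the strongswan.conf knob: the ipsec.conf connection on the remote is the same, so whether the local end's second round is attempted at all is decided by the notify negotiation in IKE_SA_INIT, not by the conn definition.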