[strongSwan] Enforcing multiple-authentication locally when the remote does not

Graham Hudspith graham.hudspith at gmail.com
Wed Feb 27 15:33:03 CET 2013


Martin,

On 26 February 2013 12:37, Martin Willi <martin at strongswan.org> wrote:

> Hi Graham,
>
> > I've configured the local machine to expect to perform certs
> > authentication followed by EAP-AKA.
>
> How did you configure this? I assume the configuration on the initiator
> looks something like:
>
>   rightauth=pubkey
>   leftauth=pubkey
>   leftauth2=eap
>
>
Yes, exactly that.


> > If I then configure the remote to expect certs authentication only *and*
> > to not advertise that it supports multiple-authentication exchanges (by
> > setting charon.multiple_authentication to "no" in strongswan.conf), then
> > the tunnel comes up. Not as expected. Not good.
>
> When defining a leftauth, this defines the rule for authenticating
> ourselves to right. It does not imply any constraints for the remote
> side. Besides public key and PSK authentication, this makes sense for
> many EAP methods, where only the client is actually authenticated.
>
> With EAP-AKA (and other mutual EAP methods, such as EAP-SIM or EAP-TLS),
> both peers get actually authenticated with EAP. But just defining
> leftauth does not define such a constraint, and the initiator does not
> insist on the EAP exchange.
>
>
Understood. I think of it as the local (initiator) offering to perform
certs plus additional (eap) authentication, and if the remote (i.e. the
SeGW) is happy with just certs only then this is no skin off the local's
nose and the local will happily bring up the tunnel as well. The offer of
an additional authentication round involving eap is only of benefit to the
remote, and if the remote chooses to forego that, then who is the local to
argue?

> > Is there any way to configure the local end to demand that
> > multiple-authentication exchanges take place and to reject the tunnel if
> > the remote does not?
>
> To strictly require the authentication of right with EAP, you can define
> a rightauth2, something like:
>
>   rightauth=pubkey
>   rightauth2=eap
>   leftauth=pubkey
>   leftauth2=eap
>
> This will set up the constraint that the responder first authenticates
> itself with a public key, and then with EAP. If it does not (or a
> non-mutual EAP method is used), the connection attempt fails.
>
>
Hmm, not sure I understand this. What I want is to configure the local to
demand that the remote issue an eap challenge to the local. What I think
you have implemented is that both sides issue eap challenges to each other?

Graham.
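A small configuration check for the situation discussed in this thread, added here as an example (it is not part of the mailing-list exchange or of strongSwan itself). It parses the `conn` sections of an ipsec.conf-style file and flags every conn that offers a second local authentication round (`leftauth2`) without constraining the peer's second round (`rightauth2`), which is the combination Martin identifies as letting the tunnel come up when the responder skips the EAP exchange. The sample configuration and the conn names `segw-weak` / `segw-strict` are constructed for the example.

```python
# Constructed ipsec.conf sample (not from the thread): one conn with the
# initiator's original settings, one with the stricter settings from the reply.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 1"

conn segw-weak
    keyexchange=ikev2
    leftcert=client.pem      # hypothetical certificate file name
    leftauth=pubkey
    leftauth2=eap
    rightauth=pubkey

conn segw-strict
    keyexchange=ikev2
    leftcert=client.pem
    leftauth=pubkey
    leftauth2=eap
    rightauth=pubkey
    rightauth2=eap
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Section headers start at column 0; parameters are indented; '#' starts
    a comment. Only the first '=' splits key from value, so values that
    themselves contain '=' (e.g. DN-style leftid) survive intact.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():                       # section header
            kind, _, name = line.partition(' ')
            current = conns.setdefault(name.strip(), {}) if kind == 'conn' else None
            continue
        if current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return conns

def unenforced_second_round(conns):
    """Names of conns where we offer a second auth round (leftauth2) but do
    not require one from the peer (rightauth2); such tunnels still come up
    when the responder declines the additional EAP exchange."""
    return sorted(name for name, opts in conns.items()
                  if 'leftauth2' in opts and 'rightauth2' not in opts)

if __name__ == '__main__':
    for name in unenforced_second_round(parse_conns(SAMPLE_IPSEC_CONF)):
        print(f"conn {name}: leftauth2 is set but rightauth2 is missing")
```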