[strongSwan] Gateway configuration for strongswan Android setting "IKEv2 Certificate + EAP (Username/Password)"

strongswan.20.apex3 at xoxy.net
Thu Mar 21 01:12:46 CET 2013


I've been using the strongswan android client and it's been working
great with either IKEv2 EAP *or* IKEv2 certificate.  When I try to use
the combination of both, it fails at the authentication stage.  I
suspect I'm missing something straightforward in my gateway settings.

For my current gateway config:

=================================
config setup

conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2

conn rw-cert
      left=172.16.254.200
      leftsubnet=0.0.0.0/0
      leftcert=pi-peer.der
      leftid=my-fqdn.example.com
      rightsourceip=172.16.254.0/24
      right=%any
      rightsendcert=always
      auto=add

conn rw-eap
      left=172.16.254.200
      leftsubnet=0.0.0.0/0
      leftcert=pi-peer.der
      leftid=my-fqdn.example.com
      rightsourceip=172.16.254.0/24
      right=%any
      rightid=*
      rightauth=eap-md5
      rightsendcert=never
      auto=add
=================================


And in ipsec.secrets
=================================
: RSA myKey.der
myusername : EAP "password"
=================================


When I tried to do what I expected to support both, I copied "conn
rw-eap" as "conn rw-eap-cert" and changed "rightsendcert=never" to
"rightsendcert=always", it fails to authenticate with this message in
the log:

Mar 20 17:07:54 pi charon: 16[ENC] parsed IKE_AUTH request 2 [ IDi ]
Mar 20 17:07:54 pi charon: 16[IKE] peer requested EAP, config inacceptable
Mar 20 17:07:54 pi charon: 16[CFG] switching to peer config 'rw-eap'
Mar 20 17:07:54 pi charon: 16[CFG] constraint requires EAP_MD5, but EAP_NAK was used
Mar 20 17:07:54 pi charon: 16[CFG] selected peer config 'rw-eap' inacceptable
Mar 20 17:07:54 pi charon: 16[CFG] switching to peer config 'rw-eap-cert'
Mar 20 17:07:54 pi charon: 16[CFG] constraint requires EAP_MD5, but EAP_NAK was used
Mar 20 17:07:54 pi charon: 16[CFG] selected peer config 'rw-eap-cert' inacceptable
Mar 20 17:07:54 pi charon: 16[CFG] no alternative config found
Mar 20 17:07:54 pi charon: 16[ENC] generating IKE_AUTH response 2 [ N(AUTH_FAILED) ]
Mar 20 17:07:54 pi charon: 16[NET] sending packet: from 172.16.254.200[4500] to 192.0.43.10[38026] (76 bytes)
Any thoughts?
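A small helper for reading this kind of charon output, added here as an example and not part of the original post or of strongSwan itself: it parses the config-selection lines quoted above (the embedded sample is the post's log with the wrapped entries re-joined) and reports which conns charon tried, which EAP method each one required, and what the peer answered. An EAP_NAK from the peer means the client declined the offered method, so when every candidate conn demands the same method the "no alternative config found" outcome follows directly.

```python
import re
from typing import Optional

# Constructed sample: the charon lines quoted in the post above, with the
# line-wrapped entries re-joined onto single lines.
SAMPLE_LOG = """\
Mar 20 17:07:54 pi charon: 16[ENC] parsed IKE_AUTH request 2 [ IDi ]
Mar 20 17:07:54 pi charon: 16[IKE] peer requested EAP, config inacceptable
Mar 20 17:07:54 pi charon: 16[CFG] switching to peer config 'rw-eap'
Mar 20 17:07:54 pi charon: 16[CFG] constraint requires EAP_MD5, but EAP_NAK was used
Mar 20 17:07:54 pi charon: 16[CFG] selected peer config 'rw-eap' inacceptable
Mar 20 17:07:54 pi charon: 16[CFG] switching to peer config 'rw-eap-cert'
Mar 20 17:07:54 pi charon: 16[CFG] constraint requires EAP_MD5, but EAP_NAK was used
Mar 20 17:07:54 pi charon: 16[CFG] selected peer config 'rw-eap-cert' inacceptable
Mar 20 17:07:54 pi charon: 16[CFG] no alternative config found
Mar 20 17:07:54 pi charon: 16[ENC] generating IKE_AUTH response 2 [ N(AUTH_FAILED) ]
"""

# charon [CFG] messages emitted while it looks for a usable peer config.
SWITCH_RE = re.compile(r"\[CFG\] switching to peer config '([^']+)'")
CONSTRAINT_RE = re.compile(r"\[CFG\] constraint requires (\S+), but (\S+) was used")
REJECT_RE = re.compile(r"\[CFG\] selected peer config '([^']+)' inacceptable")


def diagnose_ike_auth(log_text: str) -> dict:
    """Summarise why charon rejected every candidate conn during IKE_AUTH.

    Returns {"rejected": {conn: {"required": .., "used": ..}}, "auth_failed": bool}.
    A constraint line is attributed to the conn charon most recently switched to.
    """
    rejected, auth_failed, constraint = {}, False, None
    for line in log_text.splitlines():
        if SWITCH_RE.search(line):
            constraint = None            # new candidate conn, drop the old constraint
        elif (m := CONSTRAINT_RE.search(line)):
            constraint = {"required": m.group(1), "used": m.group(2)}
        elif (m := REJECT_RE.search(line)):
            rejected[m.group(1)] = constraint or {}
        elif "N(AUTH_FAILED)" in line:
            auth_failed = True           # gateway answered with an AUTH_FAILED notify
    return {"rejected": rejected, "auth_failed": auth_failed}


def single_method_offered(diag: dict) -> Optional[str]:
    """The one EAP method every rejected conn demanded, or None if they differ.

    A single value here, combined with EAP_NAK from the peer, means no conn
    offered an authentication method the client was willing to use.
    """
    methods = {c.get("required") for c in diag["rejected"].values()}
    return methods.pop() if len(methods) == 1 else None
```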