[strongSwan] Anyone got strongSwan working with Aruba Networks (as an Aruba VIA client)?

Martin Willi martin at strongswan.org
Mon Apr 14 13:23:56 CEST 2014

> > The peer rejects authentication, but we can't see why on this end. Maybe
> > the Aruba peer has more information about this failure in its log?
> This gives ERR_IPSEC_NO_MAP.

Hm, hard to say what this error means. Maybe Aruba or its community has
more experience with this?

> > Seems that the peer does not respond to the EAP-TLS message. Again, the
> > Aruba log might have information why it doesn't continue.
> It's very unsure what fails here; we see an authentication error from
> the RADIUS but are unsure what fails, whether it's the ID-to-certificate map or
> the certificate itself.

> Is there any way to get more debug information out of strongSwan for the
> EAP-TLS authentication?

EAP-TLS and its TLS stack use the tls logging group [1]. Increasing its
level to 2 gives more info on the control flow. But probably you'll need
to debug this on the other end and/or RADIUS.

> Also, if I do not specify a leftid, the DN from the certificate is used
> and it fails even faster.

Usually you specify an EAP-Identity to negotiate before EAP-TLS. Using a
DN for it is usually not what you want; its binary encoding does not
work very well inside EAP. E-mail or DNS names usually work better. You
may specify it for both IKE and EAP using leftid, or with the
eap_identity keyword for EAP only; see man ipsec.conf for details.

> I have UTF-8 characters in my DN, has there been problems with that in
> strongSwan before? My DN is not displayed correctly in the terminal
> from the strongSwan output but everything looks ok when checking the
> certificate with openssl x509.

We replace any non-ASCII characters with '?' before printing them to
avoid messing up your console/log. DNs are not strings but raw ASN.1 DER
encodings. Hence you should avoid using them in EAP identities.
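Added example (not part of the list post or of strongSwan's own documentation): an ipsec.conf fragment that puts the two suggestions above together, an e-mail name as IKE and EAP identity instead of the certificate DN, and the tls logging group raised to level 2. The gateway name vpn.example.com, the certificate file client.pem and the identity alice@example.com are assumed placeholders.

```ini
# ipsec.conf - added example, not from the original post.
# Assumed names: vpn.example.com, client.pem, alice@example.com.
config setup
    # 'tls' is the logging group used by EAP-TLS and strongSwan's TLS stack;
    # level 2 logs the TLS handshake control flow to the charon log.
    charondebug="ike 2, cfg 2, tls 2"

conn aruba-via
    keyexchange=ikev2
    left=%defaultroute
    # client certificate used by EAP-TLS; strongSwan selects it by matching the
    # configured identity against the certificate subject or subjectAltName, so
    # alice@example.com must be present as an rfc822Name SAN in client.pem
    leftcert=client.pem
    # IKE identity: an e-mail name rather than the DN from the certificate
    leftid=alice@example.com
    # EAP identity sent in reply to the EAP Identity request; if omitted the
    # IKE identity (leftid) is reused, so this line is redundant but explicit
    eap_identity=alice@example.com
    leftauth=eap-tls
    leftsourceip=%config
    right=vpn.example.com
    rightid=vpn.example.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    auto=add
```

After reloading the configuration, bring the connection up with `ipsec up aruba-via` and watch the charon log; with the tls group at level 2 the point at which the EAP-TLS exchange stops (and which side stopped responding) is visible, which narrows the search on the RADIUS side.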
