[strongSwan] IKEv2 EAP (username/password) authentication failing with strongswan server

Noel Kuntze noel at familie-kuntze.de
Mon Dec 22 18:38:48 CET 2014


Hello Ravi,

You didn't set "leftauth", so it defaults to "psk". EAP usually uses a certificate on the server side
to authenticate the server against the client. Because your current configuration uses "leftauth=psk",
charon looks for a preshared key. To make your setup work, you need to set "leftauth=pubkey" and generate
a server certificate following the guide at this [1] link. You will need to import your CA into your Android
phone's certificate store after you created your server certificate.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 22.12.2014 at 17:47, Ravi Kanth Vanapalli wrote:
> Dear All,
>
> I am trying to do IKEv2 EAP Username/password authentication between
>
> Client: Strongswan Android google play apk
> Server: Strongswan server running on my linux machine
>
> Connection is failing with
> charon: 11[IKE] no shared key found for '10.0.0.35' - 'user1'
>
> Please find below the snapshot of my configuration files. Please let me know if I missed something.
>
> ipsec.conf
> ---------------
>
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         plutostart=yes
> # Add connections here.
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         authby=secret
>
> conn ssandroid
>         left=10.0.0.35
>         leftfirewall=no
>         right=%any
>         rightsourceip = 10.0.0.2
>         rightauth=eap-mschapv2
>         rightsendcert=never
>         eap_identity=%any
>         auto=start
>
> ipsec.secrets
> -------------------
> include /var/lib/strongswan/ipsec.secrets.inc
>  
> user1:EAP "topsecretpassword"
>
>
> _Daemon log for this failure_  i.e tail -f /var/log/syslog
>
> c 22 11:44:58 samsung-600B4B-600B5B charon: 16[NET] received packet: from 10.0.0.29[59701] to 10.0.0.35[500]
> Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
> Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[IKE] 10.0.0.29 is initiating an IKE_SA
> Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[IKE] remote host is behind NAT
> Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[NET] sending packet: from 10.0.0.35[500] to 10.0.0.29[59701]
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[NET] received packet: from 10.0.0.29[49704] to 10.0.0.35[4500]
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[CFG] looking for peer configs matching 10.0.0.35[%any]...10.0.0.29[user1]
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[CFG] selected peer config 'ssandroid'
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] initiating EAP-Identity request
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] peer supports MOBIKE
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] authentication of '10.0.0.35' (myself) with pre-shared key
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] no shared key found for '10.0.0.35' - 'user1'
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[NET] sending packet: from 10.0.0.35[4500] to 10.0.0.29[49704]
>
> Please help me resolve this issue.
>
> --
> Regards,
> RaviKanth
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
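
As an added example (not code from this thread or from the strongSwan project): a small Python check that reads an ipsec.conf and reports conn sections where rightauth is an EAP method while the local side would authenticate with a pre-shared key, the combination behind the "no shared key found" error in the log above. It assumes an unset leftauth takes the authby value from the conn or %default section; the function names and the embedded sample are constructed for illustration.

```python
# Constructed sample: the conn sections of the ipsec.conf quoted in this thread.
SAMPLE_CONF = """\
conn %default
        keyexchange=ikev2
        authby=secret

conn ssandroid
        left=10.0.0.35
        right=%any
        rightauth=eap-mschapv2
        eap_identity=%any
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header starts in column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def effective(conn, default, side):
    """Auth method for 'left' or 'right': <side>auth, else authby, else pubkey.
    The fallback order is an assumption based on the ipsec.conf documentation."""
    merged = {**default, **conn}
    return (merged.get(side + "auth") or merged.get("authby") or "pubkey").lower()

def find_eap_with_psk_server(text):
    """Names of conns where the peer uses EAP but the local side would use a PSK."""
    conns = parse_conns(text)
    default = conns.get("%default", {})
    return [name for name, conn in conns.items()
            if name != "%default"
            and effective(conn, default, "right").startswith("eap")
            and effective(conn, default, "left") in ("psk", "secret")]

if __name__ == "__main__":
    for name in find_eap_with_psk_server(SAMPLE_CONF):
        print(f"conn {name}: rightauth is EAP, but the local side falls back to a PSK")
```

Run against the sample it reports `ssandroid`; once `leftauth=pubkey` is set in that conn, as the reply suggests, the finding disappears.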
