[strongSwan] Error with EAP-PEAP connection

Ygor Amadeo Sartori Regados ygor.regados at yahoo.com.br
Tue May 13 22:28:59 CEST 2014


Hi,

Disabling constraints plugin made the authentication proceed, but there is still something wrong in the client. The server seems to create the CHILD_SA, but the client drops the connection.
It reports something related to "constraint checking failed" after EAP.

If it helps, both server and client use strongSwan 5.1.3.

Thanks,
Ygor

Server log:

May 13 17:07:17 srv1 charon: 10[NET] received packet: from 186.231.147.252[500] to 200.178.219.170[500] (1212 bytes)
May 13 17:07:17 srv1 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 13 17:07:17 srv1 charon: 10[IKE] 186.231.147.252 is initiating an IKE_SA
May 13 17:07:17 srv1 charon: 10[IKE] remote host is behind NAT
May 13 17:07:17 srv1 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 13 17:07:17 srv1 charon: 10[NET] sending packet: from 200.178.219.170[500] to 186.231.147.252[500] (440 bytes)
May 13 17:07:18 srv1 charon: 08[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (444 bytes)
May 13 17:07:18 srv1 charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
May 13 17:07:18 srv1 charon: 08[IKE] received cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
May 13 17:07:18 srv1 charon: 08[IKE] received cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
May 13 17:07:18 srv1 charon: 08[CFG] looking for peer configs matching 200.178.219.170[%any]...186.231.147.252[ygor]
May 13 17:07:18 srv1 charon: 08[CFG] selected peer config 'rw-ikev2-eap'
May 13 17:07:18 srv1 charon: 08[IKE] initiating EAP_PEAP method (id 0x77)
May 13 17:07:18 srv1 charon: 08[IKE] peer supports MOBIKE
May 13 17:07:18 srv1 charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/PEAP ]
May 13 17:07:18 srv1 charon: 08[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (204 bytes)
May 13 17:07:18 srv1 charon: 12[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (252 bytes)
May 13 17:07:18 srv1 charon: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/PEAP ]
May 13 17:07:18 srv1 charon: 12[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
May 13 17:07:18 srv1 charon: 12[TLS] sending TLS server certificate 'D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br'
May 13 17:07:18 srv1 charon: 12[TLS] sending TLS intermediate certificate 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA'
May 13 17:07:18 srv1 charon: 12[TLS] sending TLS cert request for 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority'
May 13 17:07:18 srv1 charon: 12[TLS] sending TLS cert request for 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA'
May 13 17:07:18 srv1 charon: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/PEAP ]
May 13 17:07:18 srv1 charon: 12[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (1100 bytes)
May 13 17:07:18 srv1 charon: 13[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (76 bytes)
May 13 17:07:18 srv1 charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/PEAP ]
May 13 17:07:18 srv1 charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/PEAP ]
May 13 17:07:18 srv1 charon: 13[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (1100 bytes)
May 13 17:07:18 srv1 charon: 05[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (76 bytes)
May 13 17:07:18 srv1 charon: 05[ENC] parsed IKE_AUTH request 4 [ EAP/RES/PEAP ]
May 13 17:07:18 srv1 charon: 05[ENC] generating IKE_AUTH response 4 [ EAP/REQ/PEAP ]
May 13 17:07:18 srv1 charon: 05[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (1100 bytes)
May 13 17:07:18 srv1 charon: 15[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (76 bytes)
May 13 17:07:18 srv1 charon: 15[ENC] parsed IKE_AUTH request 5 [ EAP/RES/PEAP ]
May 13 17:07:18 srv1 charon: 15[ENC] generating IKE_AUTH response 5 [ EAP/REQ/PEAP ]
May 13 17:07:18 srv1 charon: 15[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (1100 bytes)
May 13 17:07:18 srv1 charon: 14[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (76 bytes)
May 13 17:07:18 srv1 charon: 14[ENC] parsed IKE_AUTH request 6 [ EAP/RES/PEAP ]
May 13 17:07:18 srv1 charon: 14[ENC] generating IKE_AUTH response 6 [ EAP/REQ/PEAP ]
May 13 17:07:18 srv1 charon: 14[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (396 bytes)
May 13 17:07:19 srv1 charon: 04[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (428 bytes)
May 13 17:07:19 srv1 charon: 04[ENC] parsed IKE_AUTH request 7 [ EAP/RES/PEAP ]
May 13 17:07:19 srv1 charon: 04[ENC] generating IKE_AUTH response 7 [ EAP/REQ/PEAP ]
May 13 17:07:19 srv1 charon: 04[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (156 bytes)
May 13 17:07:19 srv1 charon: 06[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (76 bytes)
May 13 17:07:19 srv1 charon: 06[ENC] parsed IKE_AUTH request 8 [ EAP/RES/PEAP ]
May 13 17:07:19 srv1 charon: 06[IKE] sending tunneled EAP-PEAP AVP [EAP/REQ/ID]
May 13 17:07:19 srv1 charon: 06[ENC] generating IKE_AUTH response 8 [ EAP/REQ/PEAP ]
May 13 17:07:19 srv1 charon: 06[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (124 bytes)
May 13 17:07:19 srv1 charon: 09[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (124 bytes)
May 13 17:07:19 srv1 charon: 09[ENC] parsed IKE_AUTH request 9 [ EAP/RES/PEAP ]
May 13 17:07:19 srv1 charon: 09[IKE] received tunneled EAP-PEAP AVP [EAP/RES/ID]
May 13 17:07:19 srv1 charon: 09[IKE] received EAP identity 'ygor'
May 13 17:07:19 srv1 charon: 09[IKE] phase2 method EAP_MSCHAPV2 selected
May 13 17:07:19 srv1 charon: 09[IKE] sending tunneled EAP-PEAP AVP [EAP/REQ/MSCHAPV2]
May 13 17:07:19 srv1 charon: 09[ENC] generating IKE_AUTH response 9 [ EAP/REQ/PEAP ]
May 13 17:07:19 srv1 charon: 09[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (156 bytes)
May 13 17:07:19 srv1 charon: 07[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (172 bytes)
May 13 17:07:19 srv1 charon: 07[ENC] parsed IKE_AUTH request 10 [ EAP/RES/PEAP ]
May 13 17:07:19 srv1 charon: 07[IKE] received tunneled EAP-PEAP AVP [EAP/RES/MSCHAPV2]
May 13 17:07:19 srv1 charon: 07[IKE] sending tunneled EAP-PEAP AVP [EAP/REQ/MSCHAPV2]
May 13 17:07:19 srv1 charon: 07[ENC] generating IKE_AUTH response 10 [ EAP/REQ/PEAP ]
May 13 17:07:19 srv1 charon: 07[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (188 bytes)
May 13 17:07:19 srv1 charon: 11[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (124 bytes)
May 13 17:07:19 srv1 charon: 11[ENC] parsed IKE_AUTH request 11 [ EAP/RES/PEAP ]
May 13 17:07:19 srv1 charon: 11[IKE] received tunneled EAP-PEAP AVP [EAP/RES/MSCHAPV2]
May 13 17:07:19 srv1 charon: 11[IKE] EAP_PEAP phase2 authentication of 'ygor' with EAP_MSCHAPV2 successful
May 13 17:07:19 srv1 charon: 11[IKE] sending tunneled EAP-PEAP AVP [EAP/SUCC]
May 13 17:07:19 srv1 charon: 11[ENC] generating IKE_AUTH response 11 [ EAP/REQ/PEAP ]
May 13 17:07:19 srv1 charon: 11[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (124 bytes)
May 13 17:07:19 srv1 charon: 12[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (124 bytes)
May 13 17:07:19 srv1 charon: 12[ENC] parsed IKE_AUTH request 12 [ EAP/RES/PEAP ]
May 13 17:07:19 srv1 charon: 12[IKE] received tunneled EAP-PEAP AVP [EAP/SUCC]
May 13 17:07:19 srv1 charon: 12[TLS] sending TLS close notify
May 13 17:07:19 srv1 charon: 12[ENC] generating IKE_AUTH response 12 [ EAP/REQ/PEAP ]
May 13 17:07:19 srv1 charon: 12[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (124 bytes)
May 13 17:07:19 srv1 charon: 13[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (124 bytes)
May 13 17:07:19 srv1 charon: 13[ENC] parsed IKE_AUTH request 13 [ EAP/RES/PEAP ]
May 13 17:07:19 srv1 charon: 13[IKE] EAP method EAP_PEAP succeeded, MSK established
May 13 17:07:19 srv1 charon: 13[ENC] generating IKE_AUTH response 13 [ EAP/SUCC ]
May 13 17:07:19 srv1 charon: 13[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (76 bytes)
May 13 17:07:19 srv1 charon: 05[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (92 bytes)
May 13 17:07:19 srv1 charon: 05[ENC] parsed IKE_AUTH request 14 [ AUTH ]
May 13 17:07:19 srv1 charon: 05[IKE] authentication of 'ygor' with EAP successful
May 13 17:07:19 srv1 charon: 05[IKE] authentication of 'D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br' (myself) with EAP
May 13 17:07:19 srv1 charon: 05[IKE] IKE_SA rw-ikev2-eap[4] established between 200.178.219.170[D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br]...186.231.147.252[ygor]
May 13 17:07:19 srv1 charon: 05[IKE] scheduling reauthentication in 9846s
May 13 17:07:19 srv1 charon: 05[IKE] maximum IKE_SA lifetime 10386s
May 13 17:07:19 srv1 charon: 05[IKE] peer requested virtual IP %any
May 13 17:07:19 srv1 charon: 05[CFG] reassigning offline lease to 'ygor'
May 13 17:07:19 srv1 charon: 05[IKE] assigning virtual IP 172.16.0.129 to peer 'ygor'
May 13 17:07:19 srv1 charon: 05[IKE] CHILD_SA rw-ikev2-eap{4} established with SPIs ced67f02_i c9e26b75_o and TS 172.16.1.0/29 172.16.2.0/27 172.16.3.0/28 172.16.4.0/24 200.178.219.168/29 === 172.16.0.129/32 
May 13 17:07:19 srv1 charon: 05[ENC] generating IKE_AUTH response 14 [ AUTH CPRP(ADDR) N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
May 13 17:07:19 srv1 charon: 05[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (412 bytes)
May 13 17:07:20 srv1 charon: 14[NET] received packet: from 186.231.147.252[4500] to 200.178.219.170[4500] (76 bytes)
May 13 17:07:20 srv1 charon: 14[ENC] parsed INFORMATIONAL request 15 [ N(AUTH_FAILED) ]
May 13 17:07:20 srv1 charon: 14[IKE] received DELETE for IKE_SA rw-ikev2-eap[4]
May 13 17:07:20 srv1 charon: 14[IKE] deleting IKE_SA rw-ikev2-eap[4] between 200.178.219.170[D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br]...186.231.147.252[ygor]
May 13 17:07:20 srv1 charon: 14[IKE] IKE_SA deleted
May 13 17:07:20 srv1 charon: 14[ENC] generating INFORMATIONAL response 15 [ ]
May 13 17:07:20 srv1 charon: 14[NET] sending packet: from 200.178.219.170[4500] to 186.231.147.252[4500] (76 bytes)
May 13 17:07:20 srv1 charon: 14[CFG] lease 172.16.0.129 by 'ygor' went offline

Client log:

initiating IKE_SA rw-ikev2-eap[2] to 200.178.219.170
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.10[500] to 200.178.219.170[500] (1212 bytes)
received packet: from 200.178.219.170[500] to 192.168.1.10[500] (440 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
establishing CHILD_SA rw-ikev2-eap
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (444 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (204 bytes)
parsed IKE_AUTH response 1 [ IDr EAP/REQ/PEAP ]
server requested EAP_PEAP authentication (id 0x77)
EAP_PEAP version is v0
allow mutual EAP-only authentication
generating IKE_AUTH request 2 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (252 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (396 bytes)
parsed IKE_AUTH response 6 [ EAP/REQ/PEAP ]
negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
received TLS server certificate 'D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br'
received TLS intermediate certificate 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA'
  using certificate "D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br"
  using trusted intermediate ca certificate "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
checking certificate status of "D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br"
  ocsp response correctly signed by "C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer"
  ocsp response is valid: until May 15 17:06:55 2014
  using cached ocsp response
certificate status is good
  using trusted ca certificate "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
checking certificate status of "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
ocsp response verification failed, no signer certificate 'C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer' found
  ocsp response correctly signed by "C=IL, O=StartCom Ltd., CN=StartCom Root OCSP Signer"
  ocsp response is valid: until May 23 12:41:02 2014
  using cached ocsp response
certificate status is good
  reached self-signed root ca with a path length of 1
received TLS cert request for 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
received TLS cert request for 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
no TLS peer certificate found for 'ygor', skipping client authentication
generating IKE_AUTH request 7 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (428 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (156 bytes)
parsed IKE_AUTH response 7 [ EAP/REQ/PEAP ]
generating IKE_AUTH request 8 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (124 bytes)
parsed IKE_AUTH response 8 [ EAP/REQ/PEAP ]
received tunneled EAP-PEAP AVP [EAP/REQ/ID]
server requested EAP_IDENTITY authentication (id 0x7E)
sending tunneled EAP-PEAP AVP [EAP/RES/ID]
generating IKE_AUTH request 9 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (124 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (156 bytes)
parsed IKE_AUTH response 9 [ EAP/REQ/PEAP ]
received tunneled EAP-PEAP AVP [EAP/REQ/MSCHAPV2]
server requested EAP_MSCHAPV2 authentication (id 0x7F)
sending tunneled EAP-PEAP AVP [EAP/RES/MSCHAPV2]
generating IKE_AUTH request 10 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (172 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (188 bytes)
parsed IKE_AUTH response 10 [ EAP/REQ/PEAP ]
received tunneled EAP-PEAP AVP [EAP/REQ/MSCHAPV2]
EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
sending tunneled EAP-PEAP AVP [EAP/RES/MSCHAPV2]
generating IKE_AUTH request 11 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (124 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (124 bytes)
parsed IKE_AUTH response 11 [ EAP/REQ/PEAP ]
received tunneled EAP-PEAP AVP [EAP/SUCC]
sending tunneled EAP-PEAP AVP [EAP/SUCC]
generating IKE_AUTH request 12 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (124 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (124 bytes)
parsed IKE_AUTH response 12 [ EAP/REQ/PEAP ]
received TLS close notify
sending TLS close notify
generating IKE_AUTH request 13 [ EAP/RES/PEAP ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (124 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (76 bytes)
parsed IKE_AUTH response 13 [ EAP/SUCC ]
EAP method EAP_PEAP succeeded, MSK established
authentication of 'ygor' (myself) with EAP
generating IKE_AUTH request 14 [ AUTH ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (92 bytes)
received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (412 bytes)
parsed IKE_AUTH response 14 [ AUTH CPRP(ADDR) N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
authentication of 'D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br' with EAP successful
constraint requires EAP_PEAP, but EAP_NAK was used
selected peer config 'rw-ikev2-eap' inacceptable: constraint checking failed
no alternative config found
generating INFORMATIONAL request 15 [ N(AUTH_FAILED) ]
sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
establishing connection 'rw-ikev2-eap' failed

On Tue, 13 May 2014 06:37:26 +0200
Andreas Steffen
<andreas.steffen at strongswan.org> wrote:

> Hi Ygor,
> 
> your CA certificate defines a certificate policy which is not present
> in the end entity certificate. As a workaround you must omit the
> constraints plugin from an explicit load list in strongswan.conf or
> compile strongSwan with the option
> 
>   ./configure --disable-constraints
> 
> Best regards
> 
> Andreas
> 
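A defender-side check suggested by the server log above, written as an added example (not strongSwan's own code): it walks charon log lines, remembers each IKE_SA the server reports as established, and flags any that the peer tears down with an AUTH_FAILED notify within a few seconds, which is the "server established, client rejected" pattern in this thread. The sample lines are constructed and shortened from the ones posted.

```python
import re
from datetime import datetime

# Constructed sample, shortened from the server log in the thread: one SA that the
# peer rejects right after establishment, and one that is torn down normally later.
SAMPLE_SERVER_LOG = """\
May 13 17:07:19 srv1 charon: 05[IKE] authentication of 'ygor' with EAP successful
May 13 17:07:19 srv1 charon: 05[IKE] IKE_SA rw-ikev2-eap[4] established between 200.178.219.170[vpn]...186.231.147.252[ygor]
May 13 17:07:19 srv1 charon: 05[IKE] CHILD_SA rw-ikev2-eap{4} established with SPIs ced67f02_i c9e26b75_o
May 13 17:07:20 srv1 charon: 14[ENC] parsed INFORMATIONAL request 15 [ N(AUTH_FAILED) ]
May 13 17:07:20 srv1 charon: 14[IKE] received DELETE for IKE_SA rw-ikev2-eap[4]
May 13 17:07:20 srv1 charon: 14[IKE] IKE_SA deleted
May 13 17:09:02 srv1 charon: 07[IKE] IKE_SA rw-ikev2-eap[5] established between 200.178.219.170[vpn]...186.231.147.252[alice]
May 13 17:31:45 srv1 charon: 09[ENC] parsed INFORMATIONAL request 3 [ D ]
May 13 17:31:45 srv1 charon: 09[IKE] received DELETE for IKE_SA rw-ikev2-eap[5]
"""

# Generic charon line: "<syslog ts> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: (?P<thr>\d+)\[\w+\] (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"^IKE_SA (?P<sa>\S+\[\d+\]) established between .*\.\.\.\S+\[(?P<peer>[^\]]*)\]$")
DELETE_RE = re.compile(r"^received DELETE for IKE_SA (?P<sa>\S+\[\d+\])$")


def parse_ts(text):
    # Syslog timestamps carry no year; only differences between lines are used.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_peer_rejected_auth(log_text, window_s=5):
    """Return IKE_SAs that the server established but the peer deleted with
    an AUTH_FAILED notify within window_s seconds of establishment."""
    established = {}   # sa id -> (timestamp, peer identity)
    last_notify = {}   # charon thread -> notifies of the last parsed INFORMATIONAL
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thr, msg = parse_ts(m["ts"]), m["thr"], m["msg"]
        e = ESTABLISHED_RE.match(msg)
        if e:
            established[e["sa"]] = (ts, e["peer"])
            continue
        if msg.startswith("parsed INFORMATIONAL request"):
            # The notify and the DELETE it carries are logged by the same thread.
            last_notify[thr] = re.findall(r"N\((\w+)\)", msg)
            continue
        d = DELETE_RE.match(msg)
        if d and d["sa"] in established:
            t0, peer = established.pop(d["sa"])
            age = (ts - t0).total_seconds()
            if "AUTH_FAILED" in last_notify.get(thr, []) and age <= window_s:
                findings.append({"ike_sa": d["sa"], "peer": peer,
                                 "seconds_after_established": age})
    return findings


if __name__ == "__main__":
    for f in find_peer_rejected_auth(SAMPLE_SERVER_LOG):
        print(f"{f['ike_sa']} for '{f['peer']}' rejected by peer "
              f"{f['seconds_after_established']:.0f}s after establishment")
```

On a real server, run this over charon's syslog output; a hit means the gateway handed out a lease and CHILD_SA for a peer whose own authentication constraints then failed, as in this thread.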
