[strongSwan] eap-md5: constraint requires public key authentication, but EAP was used

Michael Schwartzkopff ms at sys4.de
Fri Jan 16 11:19:42 CET 2015


Hi,

I want to test a TNC setup according to
https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
https://wiki.strongswan.org/projects/strongswan/wiki/TNCC

The authentication should be EAP-MD5, so the first sample on the web site.

I think I did follow the doc quite closely, but I am stuck with "ipsec up" 
failing. The client log says:

(...)
EAP method EAP_TTLS succeeded, MSK established
authentication of 'CN=client' (myself) with EAP
generating IKE_AUTH request 12 [ AUTH ]
sending packet: from 192.168.57.16[4500] to 192.168.56.25[4500] (92 bytes)
received packet: from 192.168.56.25[4500] to 192.168.57.16[4500] (220 bytes)
parsed IKE_AUTH response 12 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
authentication of 'CN=server' with EAP successful
removed TNCCS Connection ID 1
constraint requires public key authentication, but EAP was used
selected peer config 'test' inacceptable: constraint checking failed

On the server side I have:
conn test
        left = 192.168.56.25
        leftsubnet=192.168.56.0/24
        leftcert=server.crt
        leftauth=eap-ttls
        #
        rightgroups = allow
        rightauth=eap-ttls
        rightid="CN=client"
        right=%any
        rightsendcert=never
        #
        auto = add

and on the client side I have:

conn test
        left = 192.168.57.16
        leftcert = client.crt
        leftid="CN=client"
        leftauth=eap
        #
        right = 192.168.56.25
        rightid = "CN=server"
        rightsendcert=never
        rightsubnet=192.168.56.0/24
        #
        auto = add

Is there anybody here who could help me understand why this authentication is failing?

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
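
Added example, not part of the original post and not strongSwan code: a Python check that reads the auth options of the two "conn test" sections quoted above and reports, per side, whether the method the peer uses meets the local rightauth constraint, which reproduces the client-side "requires public key authentication, but EAP was used" result. The pubkey default for an unset rightauth, the simplified matching rules and the function names are assumptions of this example.

```python
# Constructed sample input: the auth-related lines of the two conn sections in the post.
SERVER_CONF = """\
conn test
        leftcert=server.crt
        leftauth=eap-ttls
        rightauth=eap-ttls
        rightid="CN=client"
"""
CLIENT_CONF = """\
conn test
        leftcert = client.crt
        leftid="CN=client"
        leftauth=eap
        rightid = "CN=server"
        rightsendcert=never
"""
# Assumption, consistent with the logged error: an unset leftauth/rightauth means pubkey.
DEFAULT_AUTH = "pubkey"

def parse_conn(text, name):
    """Return the key/value options of one 'conn <name>' section."""
    opts, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            parts = stripped.split()
            current = parts[1] if parts[0] == "conn" and len(parts) == 2 else None
        elif current == name and "=" in stripped:
            key, value = stripped.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def satisfies(used, required):
    """Simplified model (assumption): does the peer's method meet the constraint?"""
    if required == "any" or used == required:
        return True
    # A generic "eap" on either side leaves the concrete EAP method open.
    both_eap = used.startswith("eap") and required.startswith("eap")
    return both_eap and "eap" in (used, required)

def check(local, remote):
    """List the constraint failures 'local' would report about 'remote'."""
    required = local.get("rightauth", DEFAULT_AUTH)
    used = remote.get("leftauth", DEFAULT_AUTH)
    if satisfies(used, required):
        return []
    return [f"peer uses {used}, local rightauth requires {required}"]
```

Calling check(client, server) with the parsed sections flags the client side only; the server's own rightauth=eap-ttls constraint is met by the client's leftauth=eap.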
