[strongSwan] eap-md5: constraint requires public key authentication, but EAP was used
Michael Schwartzkopff
ms at sys4.de
Fri Jan 16 11:19:42 CET 2015
Hi,
I want to test a TNC setup according to
https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
https://wiki.strongswan.org/projects/strongswan/wiki/TNCC
The authentication should be EAP-MD5, so the first sample on the web site.
I think I did follow the doc quite closely, but I am stuck with "ipsec up"
failing. The client log says:
(...)
EAP method EAP_TTLS succeeded, MSK established
authentication of 'CN=client' (myself) with EAP
generating IKE_AUTH request 12 [ AUTH ]
sending packet: from 192.168.57.16[4500] to 192.168.56.25[4500] (92 bytes)
received packet: from 192.168.56.25[4500] to 192.168.57.16[4500] (220 bytes)
parsed IKE_AUTH response 12 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_4_ADDR) ]
authentication of 'CN=server' with EAP successful
removed TNCCS Connection ID 1
constraint requires public key authentication, but EAP was used
selected peer config 'test' inacceptable: constraint checking failed
On the server side I have:
conn test
    left = 192.168.56.25
    leftsubnet=192.168.56.0/24
    leftcert=server.crt
    leftauth=eap-ttls
    #
    rightgroups = allow
    rightauth=eap-ttls
    rightid="CN=client"
    right=%any
    rightsendcert=never
    #
    auto = add
and on the client side I have:
conn test
    left = 192.168.57.16
    leftcert = client.crt
    leftid="CN=client"
    leftauth=eap
    #
    right = 192.168.56.25
    rightid = "CN=server"
    rightsendcert=never
    rightsubnet=192.168.56.0/24
    #
    auto = add
Is there anybody here who could help me figure out why this authentication is failing?
Best regards,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein